CLS Blue Sky Blog

Ropes & Gray Discusses Executive Order Limiting Data Transfers to China and Other Nations

On February 28, 2024, President Biden announced an Executive Order (“EO”) directing the Department of Justice (“DOJ”) to promulgate regulations that restrict or prohibit transactions involving certain bulk sensitive personal data or United States Government-related data and countries of concern or covered persons. The DOJ’s initially identified countries are China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela, and the restrictions would also apply to any entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern as well as any person “knowingly causing or directing, directly or indirectly, a violation” of the regulations.

As directed by the EO, on February 28, the DOJ published an Advance Notice of Proposed Rulemaking (“ANPRM”) on topics related to the implementation of the EO soliciting comments up to 45 days after the ANPRM is published in the Federal Register (typically posted a few days after the announcement), which would make comments due around April 15, 2024. The EO directs the DOJ to publish a proposed rule within 180 days of the EO publication, so on or before August 26, 2024.

The Executive Order does not purport to restrict all transactions within its ambit, nor does it establish a mandatory data localization regime. In this regard, it is much more of a national security restriction on certain types of transactions than an attempt to regulate data protection by Executive Order.

Businesses impacted by the forthcoming regulations, however, may need to add these restrictions on international transfers of personal data to the growing list of international transfer restrictions already imposed by data privacy laws, including the European Union’s General Data Protection Regulation, China’s cybersecurity data privacy laws and similar comprehensive privacy laws in other jurisdictions. Significantly, unless appropriate regulatory exceptions are recognized, the restrictions may have important operational impacts on certain international, financial, and life science companies, although it appears that the current intention is that transactions “ordinarily incident to and part of the provision of financial services” will not be covered by the forthcoming regulations.

Executive Order Summary

Prohibited and Restricted Data Transactions

Underscoring that the EO is not primarily driven by data protection concerns, President Biden used his national security authority under the Constitution, the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (“IEEPA”), the National Emergencies Act (50 U.S.C. 1601 et seq.) (“NEA”), and section 301 of title 3, United States Code, to enact the EO. Generally, subject to DOJ regulations, the EO governs transactions involving bulk sensitive personal data or United States Government-related data and countries of concern or covered persons. The EO provides certain definitions and requirements, which are discussed below:

In addition to the above-quoted definitions, the EO provides certain clarifications regarding the scope of the forthcoming regulations that may alleviate some concerns as to their breadth:

Further Agency Guidance

Along with the general direction to DOJ to promulgate rules, the EO also directs DOJ to establish a process to issue licenses authorizing transactions that would otherwise be prohibited transactions or restricted transactions.

The EO directs DHS to publish security requirements, rules, regulations, standards, and interpretive guidance that address the unacceptable risk posed by restricted transactions, based on the Cybersecurity and Privacy Frameworks developed by the National Institute of Standards and Technology (“NIST”), and also directs DOJ to issue enforcement guidance.

The EO addresses the risk of access to bulk sensitive personal data and United States Government-related data where the data transits through a submarine cable owned or operated by persons owned by, controlled by, or subject to the jurisdiction or direction of a country of concern, or that connects to the United States and terminates in the jurisdiction of a country of concern. As a result, the EO directs the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector to review existing licenses for submarine cable systems and issue policy guidance regarding reviews of these license applications and existing licenses.

The EO directs the Secretary of Defense, the Secretary of Health and Human Services, the Secretary of Veterans Affairs, and the Director of the National Science Foundation to consider issuing regulations, guidance, or orders authorizing relevant federal assistance programs, to prohibit the provision of assistance that enables access by countries of concern or covered persons to United States persons’ bulk sensitive personal data or to impose mitigation measures with respect to such assistance. Further, the above agencies are directed to publish guidance to assist United States research entities in ensuring protection of their bulk sensitive personal data. The above agencies must publish a report within one year of the EO, so on or before February 28, 2025.

The EO further encourages the Consumer Financial Protection Bureau to address the data brokerage industry enabling access to bulk sensitive personal data and United States Government-related data by countries of concern and covered persons through rulemakings.

Lastly, within 120 days of the effective date of the general DOJ regulations, the EO directs the DOJ, DHS, and the Director of National Intelligence to recommend to the White House (through the Assistant to the President for National Security Affairs (“APNSA”)) appropriate actions to detect, assess, and mitigate national security risks arising from prior transfers of United States persons’ bulk sensitive personal data to countries of concern. Then, within 150 days of the effective date of the general DOJ regulations, the APNSA shall review these recommendations and consult with relevant agencies on implementation. Within one year of the effective date of the general DOJ regulations, DOJ shall submit a report to the President assessing the effectiveness and economic impact of the regulations.

ANPRM on Provisions Regarding Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern

As directed in the EO, on February 28, the DOJ published an ANPRM soliciting comments on various topics related to the implementation of the order. The DOJ is soliciting comments up to 45 days after the ANPRM is published in the Federal Register (typically posted a few days after the announcement), which would make comments due around April 15, 2024. The EO directs the DOJ to publish a proposed rule within 180 days of the EO publication, so on or before August 26, 2024.

ANPRM Summary

Classes of Transactions

The ANPRM further refines requirements laid out in the EO and provides that the DOJ is considering implementation of the EO through categorical rules that regulate certain data transactions involving bulk U.S. sensitive personal data and government-related data that present an unacceptable risk to U.S. national security. As such, the DOJ is considering establishing a program that would (1) identify certain classes of highly sensitive transactions that would be prohibited in their entirety (“prohibited transactions”), and (2) identify other classes of transactions that would be prohibited except to the extent they comply with predefined security requirements (“restricted transactions”). The ANPRM indicates that the DOJ plans to implement this program in tranches based on priority.

Prohibited Transactions

The DOJ is considering two classes of prohibited transactions: (1) data brokerage transactions; and (2) any transaction that provides a country of concern or covered person (defined below) with access to “bulk” human genomic data (a subcategory of human ‘omic data) or human biospecimens from which that human genomic data can be derived.

Restricted Transactions

In addition to the prohibited transactions, the DOJ is considering three classes of restricted data transactions: (1) vendor agreements (including, among other types, agreements for technology services and cloud service agreements), (2) employment agreements, and (3) investment agreements. As noted above, these restricted transactions would be permitted provided that they comply with certain predefined security requirements.

A restricted covered data transaction would be permissible if the U.S. person:

Licenses

The DOJ proposes creating a licensing regime, including general and specific licenses, that would approve, or impose conditions on, covered data transactions that are prohibited or restricted and would include an interagency consultation process to ensure that agencies with relevant equities and expertise may weigh in.

Countries of Concern

The DOJ’s initially identified countries are China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.

Covered Persons

The DOJ is proposing defining the term “covered person” as the below:

Bulk U.S. Sensitive Personal Data

The DOJ is proposing six defined categories of bulk U.S. sensitive personal data: U.S. persons’ covered personal identifiers, personal financial data, personal health data, precise geolocation data, biometric identifiers, and human genomic data—and combinations of those categories. The Agency proposes further defining the categories as explained below:

Government-Related Data

The DOJ is proposing two kinds of government-related data regardless of volume: (1) any precise geolocation data for any location within any area enumerated on a list of specific geofenced areas associated with military, other government, or other sensitive facilities or locations (the Government-Related Location Data List), or (2) any sensitive personal data that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government.

For geolocation, the Government-Related Location Data List would be created through an interagency process in which each agency identifies any geofenced areas relative to its equities for inclusion on the list, and the DOJ would maintain and publish the list.

Exempt Data

The DOJ is considering exempting from this program: data transactions involving “personal communications” or “information” as defined under IEEPA; official business transactions, financial services-, payment processing-, and regulatory compliance-related transactions, intra-entity transactions incident to business operations; and transactions required or authorized by federal law or international agreements.

Interpretative Guidance

The DOJ is considering permitting any U.S. person engaging in covered data transactions regulated by the program to request an interpretation of any part of these regulations from the Attorney General.

Compliance & Enforcement

The DOJ is currently considering creating and implementing a compliance and enforcement program modeled on the Department of the Treasury’s IEEPA-based economic sanctions, which are administered by OFAC.

Subsequent Action

The program would not apply retroactively (before the effective date of the final rule). However, the Department of Justice may, after the effective date of the regulations, request information about transactions by United States persons that were completed or agreed to after the date of the issuance of the Order to better inform the development and implementation of the program.

Overlap with National Security Regulations

CFIUS

The Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) is an interagency committee of the U.S. government tasked with assessing whether certain foreign investments in the United States (called “covered transactions”) threaten to impair national security. In cases where CFIUS identifies national security concerns, it can seek to impose mitigation measures, or recommend that the President of the United States formally block a covered transaction.

In 2018, Congress passed the Foreign Investment Risk Review Modernization Act (“FIRRMA”), and the final regulations implementing FIRRMA were issued in February 2020. Pursuant to FIRRMA and its implementing regulations, CFIUS’s jurisdiction was expanded in a number of key respects, including to expand CFIUS’s jurisdiction to include certain non-controlling, non-passive investments in certain categories of U.S. businesses, called “TID U.S. businesses,” because they deal in “critical Technology,” “critical Infrastructure,” or “sensitive personal Data,” each as defined in the CFIUS regulations.

“Sensitive personal data” is defined to include identifiable data on U.S. persons that fits within one of several categories, many of which overlap with the categories of data set forth in the ANPRM. Categories of data that can qualify as “sensitive personal data” for CFIUS purposes include, inter alia, (i) financial data that could be used to assess financial distress or hardship; (ii) insurance-related information; (iii) data relating to the physical, mental, or psychological health of individuals; (iv) geolocation data; (v) biometric enrollment data; (vi) data stored and processed for the purpose of federal government identification; (vii) data relating to U.S. government personnel security clearance status; and (viii) genetic data. In many cases, CFIUS imposes a requirement that a company must collect at least one million records to qualify as a TID U.S. business, though there are exceptions, including that (i) any volume of genetic data is sufficient; (ii) companies that target or tailor offerings to the U.S. government can qualify; and (iii) companies that have a “demonstrated business objective” to collect at least 1 million records can also fall within CFIUS’s jurisdiction.

DOJ is a member agency of CFIUS, and the Committee generally has taken an increasingly broad view of the national security concerns with foreign access to “sensitive personal data.” For example, in his September 2022 Executive Order relating to CFIUS, President Biden underscored that foreign access to sensitive personal data is a key risk area. As such, the ANPRM is consistent with the current focus by CFIUS on data as a national security concern. Of note, however:

Sanctions and Export Controls

Currently, the Office of Foreign Assets Control (“OFAC”) within the U.S. Department of the Treasury and the Bureau of Industry and Security (“BIS”) within the U.S. Department of Commerce implement broad sanctions and export controls. Collectively, these trade regulations, among other things, (i) broadly restrict most dealings with certain countries, such as Cuba, Iran, North Korea, Syria, and contested regions of Ukraine; (ii) impose broad-based restrictions (that do not constitute embargoes) on other countries, such as Russia and Venezuela; and (iii) impose wide-ranging but more targeted export controls directed at other countries and risk areas, including China.

The ANPRM suggests that DOJ intends to align with the general foreign policy restrictions expressed in OFAC sanctions and the Export Administration Regulations (“EAR”), including by defining “country of concern” to target China (inclusive of Hong Kong and Macau), Russia, Cuba, Iran, and Venezuela. Moreover, the ANPRM also suggests that DOJ intends to model the final regulations implementing the ANPRM on the sanctions regulations imposed by OFAC. This means that DOJ is (i) assessing the possibility of general licenses, comparable to those issued by OFAC under its sanctions programs; (ii) contemplating reporting requirements for parties that take advantage of general licenses; and (iii) intending to model its reporting and enforcement requirements on the enforcement mechanisms familiar to U.S. persons who are subject to OFAC’s sanctions jurisdiction.

While further information on the proposed regulations will be required for a fuller assessment, the references to OFAC and BIS in the ANPRM suggest that DOJ intends to build a comprehensive regulatory program with a strong enforcement and monitoring component.

Conclusion

The DOJ is soliciting comments up to 45 days after the ANPRM is published in the Federal Register (typically posted a few days after the announcement), which would make comments due around April 15, 2024. Entities that do business with or are otherwise involved in transactions with countries of concern or covered persons should monitor the rulemaking process closely.

This post comes to us from Ropes & Gray LLP. It is based on the firm’s memorandum, “New Executive Order Would Restrict Transfer of Certain Bulk Sensitive Personal Data and United States Government-Related Data to China and Other Countries of Concern,” available here.
