The EO aims to establish generally applicable rules for engaging in specific categories of data transactions involving personal data of U.S. citizens and certain U.S. Government-related data. While detailing the serious national security implications for such transactions, the EO also explained that the Administration supports open and secure data flows across borders. On the same day the EO was issued, the Department of Justice’s (DOJ) National Security Division issued an advance notice of proposed rulemaking (“Notice”) setting forth a regulatory framework for transactions involving the large-scale transfer of Americans’ personal data. The Notice sets an April 15, 2024, deadline for public comment on 114 separate questions.
While the scope of the restrictions is intended to be narrow, it will be important for all U.S. companies that collect, store, research or sell the personal data of U.S. citizens to monitor the development of regulations, assess their own compliance risk and begin thinking about appropriate risk-based compliance regimes.
The EO directs DOJ, in consultation with the Departments of State, Commerce, Treasury, Homeland Security and other agencies, to issue regulations that prohibit or otherwise restrict the large-scale transfer of Americans’ personal data to “countries of concern” and designated “covered persons” subject to their jurisdiction. The Notice identifies six countries of concern: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba and Venezuela. The EO also defines “covered persons” as the persons to whom the sale of Americans’ data would be regulated under the program.
The EO identifies four categories of entities and individuals: (1) “an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern”; (2) “a foreign person who is an employee or contractor of such an entity”; (3) “a foreign person who is an employee or contractor of a country of concern”; and (4) “a foreign person who is primarily resident in the territorial jurisdiction of a country of concern.” The EO also explains that this is a non-exhaustive list and authorizes DOJ to supplement these categories if additional persons or entities meet certain criteria that indicate they are controlled by a country of concern.
With respect to the type of data covered, the EO outlines six categories of “sensitive personal data”: (1) specifically listed categories and combinations of covered personal identifiers (not all personally identifiable information); (2) precise geolocation data; (3) biometric identifiers; (4) human genomic data; (5) personal health data; and (6) personal financial data. The EO directs DOJ to refine these categories further and provides that data that is a matter of public record would not constitute “sensitive personal data.”
With respect to category (1), “covered personal identifiers,” the EO defines the term as “specifically listed classes of personally identifiable data that are reasonably linked to an individual…” The “specifically listed” language here is critical, as the Notice explains that the “final rule will include a comprehensive list of listed identifiers.” Even before issuing a final rule, the Notice provides that the definition of covered personal identifiers would be “much narrower than the categories of material typically covered by laws and policies aimed generally at protecting personal privacy.” Specifically, the Notice cites California’s and the EU’s data privacy laws as examples of regimes much broader than this program, as currently contemplated. For example, the Notice provides that “covered personal identifiers” would not include an individual’s employment and educational history, organizational memberships or criminal history. Covered personal identifiers would also not include web-browsing history.
A Low PII Threshold Proposed
The EO does not propose regulating all transactions involving the above six categories of “sensitive personal data.” Instead, the program aims to regulate only sensitive personal data transactions that exceed prescribed bulk volumes (i.e., a threshold number of U.S. persons or U.S. devices). Notably, however, this bulk volume cutoff would not apply to transactions involving certain U.S. Government-related data—all such data transfers would be regulated regardless of volume. By comparison, CFIUS’ data storage threshold for PII is 1,000,000 or more data subjects. While DOJ’s high-end thresholds reach that figure in some instances, most of the proposed ranges are significantly lower.
The EO also noted that there would be at least two types of data transactions that would be banned outright. These are transactions in which a country of concern or covered person is involved and the transaction is (1) a data-brokerage transaction, or (2) a genomic-data transaction involving the transfer of bulk human genomic data or biospecimens from which such data can be derived. On the other hand, (1) vendor agreements involving the provision of goods and services (including cloud-service agreements), (2) employment agreements, and (3) investment agreements would be permitted subject to restrictions to be established by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
The EO and Notice also outline several critical exemptions to the proposed regime. The program’s requirements would not apply to a U.S. person engaged in a transaction that falls into one of the following categories:
(1) ordinarily incident to and part of financial services, payment processing and regulatory compliance (such as banking, capital markets or financial-insurance activities, financial activities under the purview of other regulators, the provision or processing of payments involving the transfer of personal financial data or covered personal identifiers for the purchase and sale of goods and services and legal and regulatory compliance);
(2) ordinarily incident to and part of ancillary business operations (such as payroll or human resources) within multinational U.S. companies;
(3) activities of the U.S. Government and its contractors, employees and grantees (such as federally funded health and research activities, which the funding agencies will regulate themselves); or
(4) transactions required or authorized by federal law or international agreements (such as exchanging passenger-manifest information, INTERPOL requests and public health surveillance).
This list is not exhaustive, and the Notice contemplates other potential exemptions for investments that do not pose security risks.
Implementation: The Devil is in the Details
The EO and Notice make clear that there would not be a case-by-case review of individual data transactions. Instead, the program eyes a categorical approach—giving parties bright-line rules for data transactions. This approach is similar to what the Government is proposing for the review of some outbound investments. The program, as initially outlined, also contemplates establishing processes for DOJ to issue general and specific licenses and advisory opinions. The idea is that general licenses would authorize otherwise regulated transactions, and specific licenses would allow companies to apply for an exemption from the rules in order to engage in a particular data transaction. The Notice also explains that DOJ would make licensing decisions with the concurrence of the Departments of State, Commerce, and Homeland Security.
The EO and Notice are the first steps in the process toward a final rule and do not impose any immediate new legal obligations. The Notice makes clear that any adopted rules would not apply retroactively. Moving forward, the Notice explains that the contemplated program would not prescribe general due diligence requirements, affirmative recordkeeping requirements or affirmative reporting requirements across the U.S. economy. Such affirmative requirements would apply only in discrete circumstances, for example, as a condition for receiving a license. Instead, companies would be expected to develop compliance programs tailored to their individual risk factors, including their customer makeup, counterparties and geographic location. Finally, the EO authorizes DOJ to investigate violations of the regulations, including by pursuing the civil and criminal remedies available under the International Emergency Economic Powers Act.
Critically, the EO also explains that anyone who is a U.S. citizen, or any entity organized solely under U.S. laws or jurisdiction, along with other similarly situated entities and individuals, would not fall into these categories of covered persons. This means that—unless a U.S. person is acting on behalf of a country of concern—the EO does not regulate the domestic collection, processing and use of data in the United States.
Finally, the Notice contemplates proactive measures to prohibit efforts to evade the EO by preventing situations where data is transferred to a person who is not a covered person and then is later resold to a country of concern or covered person.
Key Takeaways
- The EO and the Notice represent the first step in a lengthy rulemaking process.
- With DOJ taking the lead, this may become an area of robust enforcement.
- Companies transacting in the types of data described in the EO and Notice should:
  - Familiarize themselves with the EO and the Notice and decide whether to file comments by April 15.
  - Consider conducting a risk assessment to determine whether new or additional internal compliance measures are needed.
If you have questions about the EO, the Notice or its impact on your business, please contact Mike Walsh or Matt Modell.