Overview

The Department of Justice (DOJ) has released an Advance Notice of Proposed Rulemaking (ANPRM) regarding President Joe Biden's February 28, 2024, executive order meant to regulate international transactions involving Americans' bulk sensitive personal data. The ANPRM solicits public feedback on the proposed rulemaking, including information, data, ideas, and suggestions on developing the regulations. After sufficient feedback, the DOJ will release the Proposed Rule, which will lay out how the government plans to address these transactions and request further comments before the Final Rule is implemented. This article explores the potential impact of the DOJ's proposed rule disclosed in the March 5, 2024, ANPRM titled "Provisions Regarding Access to Americans' Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern."

The ANPRM outlines the DOJ's plan to implement a comprehensive program to identify 1) "prohibited transactions" and 2) "restricted transactions," or transactions that would be prohibited if the transactors fail to comply with predefined security requirements. Specifically, this ANPRM is focused on defining and identifying prohibited transactions, countries of concern, and covered persons that may pose a direct national security risk to U.S. bulk sensitive personal information.

Definitions

1. "Sensitive Personal Data" and "Bulk Threshold"

Notably, the DOJ disclosed its proposed definitions for "sensitive personal data" and the "bulk threshold." 89 Fed. Reg. 15784 (March 5, 2024). "Sensitive personal data" is defined as: 1) covered personal identifiers, 2) geolocation and related sensor data, 3) related sensor data, 4) biometric identifiers, 5) human 'omic data, 6) personal health data, 7) personal financial data, or any combination of all seven. For the "bulk threshold," the DOJ is considering "the relative sensitivity of each of the six categories of sensitive personal data and would inform the volume threshold applicable to each category." Id. at 15786. Thus, the DOJ is considering adopting the thresholds shown below as the volume threshold applicable to each category.

[Image: proposed bulk thresholds for each category of sensitive personal data]

2. "Covered Data Transactions," "Countries of Concern," and "Covered Persons."

"Covered Data Transactions" are defined as transactions between U.S. persons or entities and a country of concern or covered person "that involves any bulk U.S. sensitive personal data or government-related data and that involves: (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement." Id. at 15788. To mitigate ambiguity, the ANPRM also provides various examples of each type of transaction. Id. at 15788-90.

For "countries of concern," the DOJ is contemplating adopting the countries from Executive Order 13873, wherein the countries below were "identified . . . as having engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of the United States." Id. at 15790.

[Image: list of countries of concern]

In the same regard, "covered persons" are defined as "an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern." Id. It also includes a foreign person who is an employee or contractor of the entity or one of the countries of concern. Id. As a catch-all, a "covered person" is also any person designated by the Attorney General as being owned or controlled by the entity or a country of concern. Id.

3. Parties must "knowingly" engage in covered transactions.

The program prohibits "knowingly engag[ing] in a covered data transaction with a country of concern or covered person." Id. The "knowingly" language applies to "persons who knew or should have known of the circumstances of the transaction." Id. These prohibitions encompass transactions such as data brokerage, access to bulk human genomic data, and transactions entailing heightened national security risks.

Exempt Transactions

Certain data transactions may obtain exemption from the program. The DOJ is contemplating making the following types of transactions exempt from the program.

  1. Transactions involving statutorily exempt data
  2. Official U.S. Government business transactions
  3. Financial services, payment processing, and regulatory-compliance-related transactions
  4. Intra-entity transactions incident to business operations, such as those that are part of ancillary business operations, and
  5. Transactions mandated or authorized by federal law or international agreement

Proposed Compliance and Enforcement Model

To promote compliance, the DOJ is considering "a compliance and enforcement program modeled on the Department of the Treasury's International Emergency Economic Powers (IEEPA) based economic sanctions which are administered by the [Office of Foreign Assets Control,] OFAC." Id. at 15790. Compliance measures will include due diligence, reporting obligations, audits, initiating investigations, and, when necessary, enforcement actions. Id. at 15797-98. The proposed program will utilize a risk-based approach, where U.S. individuals subject to regulation would "implement compliance programs based on their individualized risk profiles." Id. at 1580. To ensure compliance, the DOJ will likely collaborate with relevant agencies and company stakeholders.

The DOJ encourages compliance with the Basic Organizational Cybersecurity Posture requirements. This will likely involve implementing data minimization techniques, privacy-preserving technologies, and robust access controls. The DOJ may also introduce both general and specific licensing systems for covered data transactions that would otherwise be restricted.

Conclusion

To conclude, the DOJ endeavors to craft comprehensive regulations that effectively address national security threats while fostering economic growth and innovation through public feedback. Public feedback from the perspective of stakeholders that deal in international data transactions will play a pivotal role in shaping the final regulations and ensuring their efficacy in safeguarding U.S. national security and maintaining economic growth. To read the Advance Notice of Proposed Rulemaking, please see the link in footnote 1.

Footnote

1. https://www.govinfo.gov/content/pkg/FR-2024-03-05/pdf/2024-04594.pdf