DOJ Issues Proposed Rule to Restrict Foreign Access to Americans' Sensitive Data
On October 21, 2024, the U.S. Department of Justice ("DOJ") issued a Notice of Proposed Rulemaking (NPRM) to implement President Biden's Executive Order on "Protecting Americans' Sensitive Personal Data and U.S. Government Data from Foreign Access." The NPRM builds on the Advance Notice of Proposed Rulemaking (ANPRM) released on March 5, 2024, and resolves a number of questions the earlier notice left open. For more information on the ANPRM, see our previous articles: Biden Signs Order to Protect US Data from 'Countries of Concern' and New Executive Order Targets Access to US Data by 'Countries of Concern'.
The core principles of the NPRM follow those outlined in the ANPRM, with adjustments. Key clarifications include setting numeric bulk thresholds, refining the definition of "sensitive personal data," and revising the recordkeeping and due diligence obligations. The NPRM also sets out a procedure for licensing transactions that would otherwise be prohibited or restricted. The NPRM is a proposal, not a final rule: the DOJ is accepting public comments for 30 days.
1. Background
On February 28, 2024, President Biden signed Executive Order 14117, titled "Protecting Americans' Sensitive Personal Data and U.S. Government Data from Foreign Access." The order directs the Attorney General to issue regulations that prohibit or restrict U.S. persons from engaging in transactions involving property in which a foreign country or foreign national has an interest, where those transactions would give countries of concern access to bulk sensitive personal data or to U.S. government-related data. Following the Executive Order, the DOJ issued the ANPRM to solicit public feedback on how the rule should be implemented; that feedback has been incorporated into the NPRM.
2. Scope
The "relevant countries" (the NPRM's term is "countries of concern") are China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. The NPRM applies to covered data transactions that give a country of concern, or a "covered person" (an entity or individual owned by, controlled by, or subject to the jurisdiction of such a country), access to bulk sensitive personal data or government-related data through any of four types of transaction:
- Data brokerage,
- Vendor agreements,
- Employment agreements,
- Investment agreements.
3. Sensitive Personal Information
The definition of sensitive personal data keeps the six categories identified in the ANPRM, with some revisions:
- Personal identifiers,
- Precise geolocation data,
- Biometric identifiers,
- Human 'omic data (the NPRM broadens the ANPRM's "human genomic data" to also cover epigenomic, proteomic, and transcriptomic data),
- Personal health data,
- Personal financial data.
The NPRM defines each category in detail and assigns each its own bulk threshold.
4. Definition of “Bulk”
The NPRM replaces the ANPRM's proposed ranges with explicit "bulk" thresholds, measured over the preceding 12 months across one or more transactions with the same foreign person:
- Human genomic data on more than 100 U.S. persons,
- Biometric identifiers on more than 1,000 U.S. persons,
- Precise geolocation data on more than 1,000 U.S. devices,
- Personal health data on more than 10,000 U.S. persons,
- Personal financial data on more than 10,000 U.S. persons,
- Covered personal identifiers on more than 100,000 U.S. persons.
5. Restricted Transactions
The NPRM distinguishes prohibited from restricted transactions. Data brokerage with a country of concern or covered person, and transactions giving them access to bulk human 'omic data or human biospecimens from which such data can be derived, are prohibited outright. The other three types of covered data transactions (vendor agreements, employment agreements, and investment agreements) are restricted: U.S. persons may enter into them only if they comply with the security requirements published by CISA alongside the NPRM (organizational, system-level, and data-level controls such as access controls, encryption, and data minimization) or obtain a license from the DOJ. The NPRM also exempts certain categories of transactions, such as ordinary corporate group administration and certain financial services and telecommunications transactions.
6. Licensing Procedures
The NPRM also sets out a licensing process under which the DOJ may authorize a transaction that would otherwise be prohibited or restricted. A license application must describe the transaction, the types of data involved, the parties, the intended use of the data, and how the data will be transferred. The DOJ states that it intends to respond to a specific license application within 45 days of receipt.
7. Reporting Obligations
The NPRM requires reports in specific situations, including:
- Annual reports from any U.S. person engaged in a restricted transaction involving cloud-computing services, where 25% or more of the U.S. person's equity is owned by a country of concern or covered person,
- A report within 14 days after a U.S. person receives and rejects an offer to engage in a prohibited data brokerage transaction.
8. Penalties
Violations of the rule may result in civil and criminal penalties under the International Emergency Economic Powers Act. Civil penalties can reach the greater of $368,136 or twice the value of the transaction. Willful violations carry criminal fines of up to $1,000,000 and, for individuals, imprisonment of up to 20 years.
Q&A
1. Does the NPRM only apply to cross-border transfers of U.S. data?
No. The NPRM regulates "access," not transfers. Access is defined broadly as logical or physical access to the data, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, or alter the state of it. A covered person reading or administering data that remains on U.S. systems, for example through remote administrative access, is therefore within scope even though nothing is transferred abroad.
2. Does the NPRM impose data localization requirements?
No. The rule does not impose a general data localization requirement; it targets who may access the data, not where the data is stored.
3. Does the NPRM ban all data transactions with relevant countries?
No. It does not ban all commercial transactions with those countries that involve an exchange of data; it targets the specific categories of transactions, data, and volumes described above, and leaves other transactions, and those covered by an exemption, untouched.
Next Steps
The proposed rule is intended to address the national security risk that countries of concern gain access to Americans' sensitive personal data and certain U.S. government-related data. The DOJ is now accepting public comments on the NPRM. While definitions and details may change before the rule is finalized, the core components of the rule are expected to remain. Kaamel will continue to monitor developments and provide updates.