With the publication of a recent Notice of Proposed Rulemaking (NPRM), the Department of Justice National Security Division will soon become an important new regulator of transactions involving the transfer of sensitive U.S. data to “countries of concern”, such as China and Russia. The new regime being created will impact vendor engagements, employment agreements, investment activity, and any other transaction in which a U.S. business gives entities from “countries of concern” access to:
- “Human genomic data” of more than 100 U.S. persons;
- “Biometric identifiers” and “precise geolocation data” of more than 1,000 U.S. persons;
- “Personal health data” and “personal financial data” of more than 10,000 U.S. persons; or
- “Covered personal identifiers” of more than 100,000 U.S. persons.
The new rule includes certain transactions that are prohibited without a license and other transactions that may occur so long as specially identified cybersecurity standards are satisfied.
The rule contemplates substantial new investigative and enforcement authorities for the Department of Justice through audits, civil investigative demands, and even criminal inquiries. The proposed rule has a 30-day comment period after the date of publication in the Federal Register (the rule is scheduled to be published on October 29). Once the new rule goes into effect, companies engaged in cross-border transactions involving covered data will need to establish compliance programs that include transaction diligence and data retention policies.
To stay up to date on notable state privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.
Background
On October 21, 2024, the Department of Justice (DOJ) issued an NPRM related to the disclosure of certain categories of data to “countries of concern” or “covered persons” associated with countries of concern. The NPRM follows President Biden’s Executive Order 14117 (the EO) of February 28, 2024, issued under the authority of the International Emergency Economic Powers Act (IEEPA), to address the risk posed by access to “Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern” (see our previous blog post here). The proposed rule would establish a new regulatory regime for certain data transactions that pose an unacceptable security risk.
Earlier this year, in tandem with the EO, DOJ released an Advance Notice of Proposed Rulemaking (ANPRM) to outline its plan for these regulations. As previewed in the ANPRM, the proposed rule for a new national-security program builds on the EO by defining the six categories of “sensitive personal data” that could be exploited by a country of concern to harm U.S. national security. These six categories are:
- covered personal identifiers;
- precise geolocation data;
- biometric identifiers;
- human genomic data;
- personal health data; and
- personal financial data.
The proposed rule also categorically excludes certain categories of data from the definition of the term “sensitive personal data.”
Below we summarize the key concepts and terms from the NPRM and consider the impact of the proposed rule on various sectors.
Countries of Concern and Covered Persons
The NPRM identifies six “Countries of Concern”: Russia, Iran, China, North Korea, Venezuela, and Cuba.
The proposed rule defines “country of concern” as any foreign government that has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons and poses a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or security and safety of U.S. persons.
The proposed rule explains that “covered persons” are:
- a foreign person that is an entity (“foreign entity”) 50% or more owned, directly or indirectly, by a country of concern, or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
- subsidiaries and affiliates 50% or more owned by such a foreign entity, and foreign individuals who are employees or contractors of a country of concern or of an entity deemed to be a covered person;
- foreign individuals who primarily reside in the territorial jurisdiction of a country of concern; or
- any person who is, has been, or is likely to become owned or controlled by, or subject to the jurisdiction or direction of, a country of concern, as determined by the Attorney General.
Of note, the proposed rule empowers the Attorney General to designate specific individuals as “covered persons”, essentially creating a sanctions-type list for covered transactions in the future.
Critically, the proposed rule would generally exempt from the definition of covered persons citizens of countries of concern located in third countries (i.e., not located in the United States and not primarily resident in a country of concern). Instead, the proposed rule treats such individuals resident in a third country as a covered person if the individual is working for the government of a country of concern or for an entity that is a covered person.
For example, Chinese or Russian citizens located in the United States would be treated as U.S. persons and would not be covered persons (except to the extent individually designated). They would be subject to the same prohibitions and restrictions as all other U.S. persons with respect to engaging in covered data transactions with countries of concern or covered persons. Further, citizens of a country of concern who are primarily resident in a third country, such as Russian citizens primarily resident in the European Union, would not be covered.
Covered Data
Under the proposed rule “covered data” is defined to include:
- “Covered personal identifiers” are “specifically listed classes of personally identifiable data that are reasonably linked to an individual” and could be used to identify an individual.
- “Precise geolocation data” is data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters. Examples of “precise geolocation data” include GPS coordinates and IP address geolocation.
- “Biometric Identifiers” are measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns.
- “Human genomic data” is data representing nucleic acid sequences. DOJ is also considering regulating other ‘omic data, which describe the biological processes that contribute to the form and function of cells and tissues.
- “Personal health data” is health information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
- “Personal financial data” is data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data, including assets, liabilities, debts, and transactions, in a bank, credit, or other financial statement; or data in a credit report or in a “consumer report.”
Government Related Data
The rule imposes strict limitations on the transfer of U.S. “government related data” to covered persons.
The term government-related data means:
- Any precise geolocation data, regardless of volume, for any location within any area enumerated on the Government-Related Location Data List in § 202.1401 which the Attorney General has determined poses a heightened risk of being exploited by a country of concern to reveal insights about locations controlled by the Federal Government, including insights about facilities, activities, or populations in those locations, to the detriment of national security, because of the nature of those locations or the personnel who work there. Such locations may include: (i) The worksite or duty station of Federal Government employees or contractors who occupy a national security position as that term is defined in 5 CFR 1400.102(a)(4); (ii) A military installation as that term is defined in 10 U.S.C. 2801(c)(4); or (iii) Facilities or locations that otherwise support the Federal Government’s national security, defense, intelligence, law enforcement, or foreign policy missions.
- Any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and Intelligence Community.
Prohibited Transactions and Restricted “Covered Data Transactions”
The proposed rule defines a “covered data transaction” as any transaction that involves any access to any government-related data or bulk U.S. sensitive personal data and that involves: (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement. According to the NPRM, these categories of covered data transactions pose an untenable risk to U.S. national security because they may enable countries of concern or covered persons to access government-related data or bulk U.S. sensitive personal data in order to engage in malicious cyber-enabled activities and to track and create profiles of United States individuals for illicit purposes, such as coercion, reputational damage, and blackmail.
The term bulk U.S. sensitive personal data means a collection or set of bulk data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted. As highlighted above, the proposed rule would set the following bulk thresholds:
- Human genomic data: More than 100 U.S. persons.
- Biometric identifiers and precise geolocation data: More than 1,000 U.S. persons.
- Personal health data and personal financial data: More than 10,000 U.S. persons.
- Covered personal identifiers: More than 100,000 U.S. persons.
Prohibited Transactions
Under the proposed rule, certain types of transactions would be prohibited in cases where the data involved can be used to obtain access to the U.S. persons’ bulk sensitive personal training data.
For many technology companies, the following example is illustrative: “[a] U.S. subsidiary of a company headquartered in a country of concern develops an artificial intelligence chatbot in the United States that is trained on the bulk U.S. sensitive personal data of U.S. persons. While not its primary commercial use, the chatbot is capable of reproducing or otherwise disclosing the bulk sensitive personal health data that was used to train the chatbot when responding to queries. The U.S. subsidiary knowingly licenses subscription-based access to that chatbot worldwide, including to covered persons such as its parent entity. Although licensing use of the chatbot itself may not necessarily “involve access” to bulk U.S. sensitive personal data, the U.S. subsidiary knows or should know that the license can be used to obtain access to the U.S. persons’ bulk sensitive personal training data if prompted. The licensing of access to this bulk U.S. sensitive personal data is data brokerage because it involves the transfer of data from the U.S. company (i.e., the provider) to licensees (i.e., the recipients), where the recipients did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. This would be a prohibited transaction because the U.S. company knew or should have known that the use of the chatbot pursuant to the license could be used to obtain access to the training data, and because the U.S. company licensed the product to covered persons.”
Similarly, a prohibited transaction may arise from hiring a covered person who would have access to bulk personal financial data. In one example provided, “[a] U.S. company sells goods and collects bulk personal financial data about its U.S. customers. The U.S. company appoints a citizen of a country of concern, who is located in a country of concern, to its board of directors. This director would be a covered person, and the arrangement appointing the director would be an employment agreement. In connection with the board’s data security and cybersecurity responsibilities, the director could access the bulk personal financial data. The director’s employment would be a restricted transaction.”
For life sciences companies, the NPRM provides the following illustrative example: “[a] U.S. company that conducts consumer human genomic testing collects and maintains bulk human genomic data from U.S. consumers. The U.S. company has global IT operations, including employing a team of individuals who are citizens of and primarily resident in a country of concern to provide back-end services. The agreements related to employing these individuals are employment agreements. Employment as part of the global IT operations team includes access to the U.S. company’s systems containing the bulk human genomic data. These employment agreements would be prohibited transactions (because they involve access to bulk human genomic data).”
For financial services companies, another example is provided: “[a] U.S. financial-services company seeks to hire a data scientist who is a citizen of a country of concern who primarily resides in that country of concern and who is developing a new artificial intelligence-based personal assistant that could be sold as a standalone product to the company’s customers. The arrangement retaining the data scientist would be an employment agreement. As part of that individual’s employment, the data scientist would have administrator rights that allow that individual to access, download, and transmit bulk quantities of personal financial data not ordinarily incident to and part of the company’s underlying provision of financial services to its customers. The data scientist’s employment would be a restricted transaction.”
Additionally, any transaction that has the purpose of evading the regulations is prohibited. While not all scenario outcomes have yet been determined, companies can and should consider preparing for the proposed rule to go into effect.
Restricted Transactions
Three types of restricted transactions (vendor agreements, employment agreements, and investment agreements) may be authorized so long as the U.S. person complies with certain security requirements. The security requirements have been developed and proposed by the Cybersecurity and Infrastructure Security Agency (“CISA”) in coordination with the DOJ. The proposed security requirements require U.S. persons engaging in restricted transactions to comply with organizational and system-level requirements, such as ensuring that basic organizational cybersecurity policies, practices, and requirements are in place, as well as data-level requirements, such as data minimization and masking, encryption, or privacy-enhancing techniques.
Authorization to conduct restricted transactions is permitted in certain circumstances. For example, a U.S. company enters into an employment agreement with a covered person to provide information technology support. As part of that employment, the covered person has access to personal financial data. The U.S. company implements and complies with the security requirements. The employment agreement is authorized as a restricted transaction because the company has complied with the security requirements. In contrast, suppose a U.S. company engages a vendor to store bulk personal health data and implements security measures that differ from the rule’s requirements. The U.S. person has then not complied with the security requirements, so the vendor agreement is not authorized and is therefore a prohibited transaction, even if the U.S. company believes that the controls it implemented will mitigate the covered person’s access to the bulk personal data.
Exemptions for Certain Types of Data Transactions
The proposed rule exempts certain types of data transactions from the scope of its prohibitions and restrictions, including certain personal communications, financial services, corporate group transactions, transactions authorized by Federal law and international agreements, investment agreements subject to a CFIUS action, telecommunication services, biological product and medical device authorizations, certain clinical investigations regulated by the FDA, and others.
As an example, the corporate group transaction exemption applies to covered transactions to the extent that they are (1) between a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern; and (2) ordinarily incident to and part of administrative or ancillary business operations (such as sharing employees’ covered personal identifiers for human-resources purposes; payroll transactions to overseas employees or contractors; paying business taxes or fees; purchasing business permits or licenses; sharing data with auditors and law firms for regulatory compliance; and risk management).
The proposed rule defines these exempt transactions in further detail.
Consequences of Non-Compliance and Potential Penalties
Violations of the proposed rule may lead to civil or criminal penalties. The proposed rule includes a process for imposing civil monetary penalties similar to those used in contexts implicating the International Emergency Economic Powers Act (IEEPA). The proposed maximum civil monetary penalty for violations would be the greater of $368,136 or an amount that is twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed. The proposed rule establishes a criminal penalty in line with IEEPA requirements, providing that upon conviction, an individual or entity may be fined up to $1,000,000 or may be imprisoned for up to 20 years, or both. Both types of penalties are subject to adjustment.
Potential Implications
In practice, this means that companies using vendors in any “countries of concern” may be limited in their ability to enter into agreements and exchange certain types of data. Although the proposed rule purports to be narrow in scope, consistent with the U.S.’s general support of cross-border data flows, it would have broad implications. Companies engaged in vendor agreements, employment agreements, and investment agreements that qualify as restricted transactions will face increased requirements, as they will have to comply with the separately proposed security requirements developed by CISA in coordination with the DOJ.