This week we are pleased to have a guest post by Robinson+Cole Business Transaction Group lawyer Tiange (Tim) Chen.

On February 28, 2024, the Justice Department published an Advance Notice of Proposed Rulemaking (ANPRM) to seek public comments on the establishment of a new regulatory regime to restrict U.S. persons from transferring bulk sensitive personal data and select U.S. government data to covered foreign persons.

The ANPRM was published as a response to a new White House Executive Order (EO), issued pursuant to the International Emergency Economic Powers Act (IEEPA), which requires the Justice Department to propose administrative regulations within 6 months to respond to potential national security threats arising from cross-border personal and government data transfers.

Covered Data Transactions

Under the ANPRM, the Justice Department may restrict U.S. persons from engaging in a “covered data transaction,” which may refer to:

  • (a) a “transaction”: acquisition, holding, use, transfer, transportation, exportation of, or dealing in any property in which a foreign country or national thereof has an interest;
  • (b) that involves (1) bulk U.S. sensitive personal data; or (2) government-related data; and
  • (c) that involves (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement.

Bulk Sensitive Personal Data. According to the ANPRM, the term “sensitive personal data” includes:

(1) specifically listed categories and combinations of covered personal identifiers (not all personally identifiable information), (2) precise geolocation data, (3) biometric identifiers, (4) human genomic data, (5) personal health data, and (6) personal financial data.

Only transactions exceeding a certain “bulk” threshold volume, based on the number of U.S. persons or U.S. devices involved, will be subject to the relevant restrictions.

Government-related Data. According to the ANPRM, the term means (1) any precise geolocation data, regardless of volume, for any geofenced location within an enumerated list, and (2) any sensitive personal data, regardless of volume, that links to current or former U.S. government, military or Intelligence Community employees, contractors, or senior officials.

Prohibited, Restricted, and Exempted Transactions

The EO and ANPRM propose a three-tier approach to differentiate the types of restrictions under the proposed rules.

Prohibited Transactions. The ANPRM generally prohibits a U.S. person from knowingly engaging in a “covered data transaction” with a country of concern or covered person.

Restricted Transactions. The ANPRM provides that for U.S. persons involved in “covered data transactions” relating to a vendor, employment or investment agreement, such transactions may be permissible if adequate security measures are taken consistent with relevant rules to be promulgated by the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security.

Exempted Transactions. The ANPRM proposes to exempt certain types of transactions, including: (1) data transactions involving personal communication, information or information materials carved out by IEEPA, (2) transactions for official government business, (3) financial services, payment processing or regulatory compliance related transactions, (4) intra-entity transactions incident to business operations, and (5) transactions required or authorized by federal law or international agreements.

Licensing Regime. The EO authorizes the Justice Department to grant specific licenses (for an entity- or person-specific transaction) and general licenses (covering broad classes of transactions) for U.S. persons to engage in prohibited and restricted transactions. The Justice Department is considering establishing a licensing regime modeled on the economic sanctions licensing regime managed by the Treasury Department’s Office of Foreign Assets Control.

Countries of Concern and Covered Persons

Countries of Concern. The ANPRM proposes to identify China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela as the countries of concern.

Covered Persons. The ANPRM proposes to define the “covered persons” as (1) an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern, (2) a foreign person who is an employee or contractor of such an entity, (3) a foreign person who is an employee or contractor of a country of concern, and (4) a foreign person who is primarily resident in the territorial jurisdiction of a country of concern. The Justice Department may also designate specific persons and entities as “covered persons.”

Implementation

The regime will only become effective upon the publication of final administrative rules. The scope of the final rules may significantly differ from the proposals published in the ANPRM. In addition, the EO affords significant discretion to the Justice Department and other agencies to issue interpretative guidance and enforcement guidelines to further clarify and refine the process and mechanisms for complying with the final rules, including potential due diligence, record keeping, or voluntary reporting requirements.

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy and Security Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.