What is the headline? On February 28, 2024, the Biden administration released Executive Order (EO) 14117 and an Advance Notice of Proposed Rulemaking (ANPRM) that ultimately would: (1) prohibit or restrict U.S. persons from (2) transferring certain bulk sensitive personal data or U.S. government-related data to (3) China and certain other countries of concern and persons or entities affiliated with such countries.
Why was the EO issued? The EO is driven by U.S. government concern that such data can be used for malicious cyber activities and to target U.S. individuals, including government employees and members of the military, for blackmail and espionage.
What will be prohibited or restricted? The EO requires the Attorney General (AG), in consultation with other relevant federal agencies, to issue implementing regulations to restrict or prohibit transactions that, in the AG’s determination, would permit countries of concern or covered persons (as determined by the AG) to access bulk sensitive personal data or United States government-related data. In addition to authorizing the Department of Justice (DOJ) to define sensitive personal information as it deems appropriate, the EO specifically requires that the forthcoming regulation include six categories of bulk data: personal identifiers, financial data, health data, precise geolocation data, biometric identifiers, and human genomic data. Among other requirements relating to data brokerage and health information, the EO also authorizes the Secretary of Homeland Security to draft security requirements that would be applicable to certain agreements with countries of concern and covered persons (vendor agreements, employment agreements, and investment agreements).
Key considerations and takeaways:
- The EO is targeted to managing risk related to countries of concern. It is not general data privacy regulation, and the White House stresses it is not seeking to create localization requirements or force general commercial decoupling, as the EO expressly notes.
- Companies can already begin assessing the applicability of the expected requirements to their own activities. Companies regularly engaged in commercial transactions with likely countries of concern would benefit from auditing their possession and handling of sensitive personal data and any government data that falls within the categories referenced above.
- Companies should assess the degree to which current compliance and governance controls can be extended into this domain to maintain consistency across governance frameworks. For example, do they have sufficient visibility into data management and controls around data processing decisions, particularly involving foreign transactions, to ensure ongoing compliance even after the forthcoming regulations become effective?
- The EO imposes diligence and threshold requirements, and companies can prepare now to ensure they have sufficient processes in place to demonstrate compliance with these requirements. The ANPRM requests public comment specifically on the type of diligence that should be required. This is a critical concern because companies may not be as well-positioned as the U.S. government to assess whether a counterparty is a covered person.
- This will not remove data transactions from the scope of CFIUS review. The ANPRM contemplates that requirements under the rule would apply to foreign investment transactions until CFIUS reviews the transaction and implements tailored mitigation, which may go beyond what is required in the rule. If CFIUS does not require mitigation, the EO-based requirements would continue to apply. It is therefore possible that CFIUS may deem it unnecessary to adopt mitigation in transactions where it deems the generally applicable requirements to be sufficient. However, in practice, some CFIUS agencies may prefer to take action in the CFIUS context when a data risk is identified in a transaction, even if those risks arguably are or can be mitigated under the forthcoming data regulations.
- Companies would risk civil penalties for violations of the rules. While the underlying statutory authority provides for criminal penalties, it appears that DOJ is contemplating only civil penalties at this time.
Background and Key Concepts
Countries of Concern
EO 14117’s associated ANPRM defines a “country of concern” as one identified by the Attorney General, with concurrence from the Secretaries of State and Commerce, as (1) engaging in a long-term or serious pattern of conduct adverse to U.S. national security and (2) posing a significant risk to defined U.S. sensitive data. The ANPRM contemplates six countries of concern: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
Covered Persons
The EO identifies four categories of covered persons and authorizes DOJ to supplement these categories by designating specific entities or persons. DOJ intends to publish and regularly update a non-exhaustive list of designated persons.
The categories of covered person, as contemplated in the ANPRM, are:
1. An entity that is 50 percent or more owned, directly or indirectly, by a country of concern, or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
2. An entity that is 50 percent or more owned, directly or indirectly, by an entity described in (1) or a person described in (3), (4), or (5);
3. A foreign person who is an employee or contractor of a country of concern or an entity described in (1), (2), or (5);
4. A foreign person who is primarily resident in a territorial jurisdiction of a country of concern; or
5. Any person designated by the Attorney General that meets specific criteria.
Covered Transactions
The ANPRM identifies two types of highly sensitive data transactions: prohibited transactions and restricted transactions.
The ANPRM further contemplates two categories of prohibited transactions: (1) data-brokerage transactions and (2) genomic-data transactions involving the transfer of bulk human genomic data or biospecimens from which such data can be derived. These transactions are categorically prohibited.
Restricted transactions may proceed subject to security requirements (to be established by DHS’s Cybersecurity and Infrastructure Security Agency) designed to mitigate data access by countries of concern. The ANPRM contemplates three such categories: (1) vendor agreements involving the provision of goods and services (including cloud-service agreements); (2) employment agreements; and (3) investment agreements.
The EO also exempts certain categories of transactions and contemplates licensing authorities and advisory opinions through which parties may seek exemptions or obtain confidence regarding the applicability of the rules. Finally, although beyond the scope of this brief summary, the EO also takes additional steps to enhance existing authorities to address data-security risks relating to telecom, health care, and consumer protection.
Penalties
The ANPRM contemplates imposing civil monetary penalties for noncompliance, making material misstatements or omissions, and making false certifications or submissions, among other violations. The ANPRM cites the processes followed by the Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment in the United States (CFIUS) as similar to those under consideration. These would include a mechanism for pre-penalty notice, an opportunity to respond, and a final decision.
Timeline
There is a 45-day public comment period in response to the ANPRM, closing on April 19, 2024, which will be followed by a notice of proposed rulemaking (NPRM) and eventually a final rule.