In a comprehensive and coordinated effort across federal agencies, the U.S. government has taken significant steps to prevent access to data that could be misused to undermine national security. On February 28, 2024, President Biden signed an executive order, accompanied by a fact sheet, outlining restrictions on foreign access to Americans' personal data and U.S. government-related information. The following day, the Department of Justice (DOJ) issued an Advance Notice of Proposed Rulemaking (ANPRM, with its own fact sheet) seeking comment on a regulatory regime that would prohibit or restrict transactions that pose an unacceptable risk of access to or misuse of sensitive data by “countries of concern” (the People's Republic of China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela) or their affiliates. Comments on the proposed rule are due by April 19, 2024.
The executive order attempts to explain the threat while balancing the response against support for the free flow of data. As large amounts of data about Americans proliferate through digital devices, the involvement of data brokers and access to data through commercial, investment, employment, and other relationships represent an increasing vulnerability for U.S. national security. U.S. authorities have reported that such data has been misused for purposes including hacking, espionage, blackmail, identifying strategic advantage, and training artificial intelligence systems.
While countries such as China and the European Union restrict the transfer of their citizens' data, the United States has long advocated an open internet and the free flow of data across borders. U.S. regulation in this area has primarily been the work of the Committee on Foreign Investment in the United States (CFIUS), an interagency body authorized to determine whether and how foreign parties may access certain categories of U.S. data, but only in the context of foreign investment in the United States. As a result, many commercial transactions remain unregulated at the federal level, including the bulk sale and licensing of U.S. data unrelated to an investment, and access to that data by overseas employees and vendors of U.S. companies. The executive order aims to fill these and other gaps.
The regime proposed in the ANPRM is ambitious. It would be administered by the Department of Justice, but it draws on rules established by CFIUS, the Treasury Department's Office of Foreign Assets Control (OFAC), and the Department of Commerce's Bureau of Industry and Security.
The Department of Justice data security regime
The ANPRM would prohibit or restrict U.S. persons from engaging in certain “covered data transactions” that give countries of concern or covered persons access to “bulk U.S. sensitive personal data” or “government-related data.” Certain transactions within that scope would be permitted if they comply with specified conditions, such as security or reporting requirements to be defined later.
Parties to prohibited covered data transactions could rely on an applicable general license or seek a specific license from the Department of Justice. Certain data transactions would also be exempt, including ordinary financial transactions; transactions conducted pursuant to grants, contracts, or other agreements with the U.S. Government; and transactions protected by the First Amendment (a concept borrowed from OFAC).
[Diagram: the proposed regime at a high level.]
Bulk U.S. sensitive personal data and government-related data
The executive order authorizes the Attorney General to prohibit or restrict U.S. persons from engaging in certain transactions involving “bulk U.S. sensitive personal data” or “government-related data.”
“Sensitive personal data” is proposed to include the following categories:
(1) “Covered personal identifiers” that can be used to identify individuals from a data set
(2) Precise geolocation data
(3) Biometric identifiers
(4) Human genomic data
(5) Personal health data
(6) Personal financial data
A volume or “bulk” threshold would apply to each category, proposed to range from 100 to one million U.S. persons or devices, depending on the threats, vulnerabilities, and consequences associated with that category of data.
In some respects, the proposed definition of “sensitive personal data” is broader than the CFIUS regulatory concept of the same name. For example, the Department of Justice would include contact data (such as first and last name and email address), account usernames, MAC addresses, advertising IDs, and Social Security numbers. Many U.S. companies have already analyzed whether they collect or maintain “sensitive personal data” as that concept is defined by CFIUS, or whether other state or federal privacy laws affect their operations; those analyses would need to be revisited under the definitions applied here.[1]
“Government-related data,” by contrast, would not be subject to a volume threshold. It is proposed to include: (1) sensitive personal data that is marketed as linked or linkable to current or former employees, contractors, or senior officials of the U.S. federal government; and (2) precise geolocation data for sensitive locations or geographic areas identified on a government-related location data list.
“Countries of Concern” and “Covered Persons”
As mentioned above, “countries of concern” are proposed to include the People's Republic of China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
“Covered persons” would include: (1) an entity that is 50% or more owned by, organized under the laws of, or has its principal place of business in a country of concern; (2) an entity that is 50% or more owned by such an entity; (3) a natural person who is an employee or contractor of such an entity; (4) a natural person primarily resident in a country of concern; or (5) any natural or legal person designated by the Attorney General on a new list established for this purpose.
Individuals residing in the United States are excluded (unless designated on the list). Nationals of countries of concern are not automatically covered persons unless they meet one of the criteria above. For example, a Chinese national who primarily resides outside a country of concern and is not an employee or contractor of a covered entity is not a “covered person” unless designated on the list.
“Covered data transactions” that are prohibited or restricted
The Department of Justice proposes to define a “covered data transaction” as one that involves bulk U.S. sensitive personal data or government-related data. The ANPRM includes a general prohibition on U.S. persons knowingly engaging in covered data transactions with countries of concern or covered persons. However, certain “restricted covered data transactions” (vendor agreements, employment agreements, and investment agreements) would be permitted if they meet “security requirements” to be determined later. These security requirements would build on existing cybersecurity frameworks, with specific guidance to be published by the Department of Homeland Security through a separate process. Perhaps because they involve the highest risk, data brokerage transactions do not qualify as restricted covered data transactions and remain subject to the general prohibition even if they meet the security requirements.
The ANPRM also proposes to prohibit knowingly engaging in: (1) covered data transactions involving data brokerage with any foreign person, unless the foreign person is contractually prohibited from engaging in a subsequent covered data transaction involving the same data with a country of concern or covered person; and (2) covered data transactions with countries of concern or covered persons that give them access to bulk U.S. sensitive personal data consisting of human genomic data, or human biospecimens from which such data can be derived.
In these prohibitions, “knowingly” would apply to a person who knew or should have known about the circumstances of the transaction; it is not intended to be a strict liability standard. The Department of Justice would also develop rules prohibiting evasion, attempts, and conspiracies; knowingly directing a covered data transaction that would be prohibited if engaged in by a U.S. person; and causing a violation by another person (a concept that, in the OFAC context, extends prohibitions extraterritorially to persons not otherwise subject to U.S. jurisdiction).
Exemptions and authorizations
Certain official functions of the U.S. government, including the activities of its employees, grantees, and contractors, are exempt from the prohibitions and restrictions, so programs receiving federal funding could proceed outside the scope of the new regime. This is a potentially broad category. (However, a pending bill addressing the collection of human genomic and other data, known as the BIOSECURE Act, could narrow that freedom; it would prohibit U.S. federal funding for the procurement or use of “biotechnology equipment or services” from entities of concern.)
The Department also intends to exempt certain types of investments from the regime, including certain passive investments in publicly traded securities on any exchange or “over-the-counter” market in any jurisdiction; investments in index funds, mutual funds, exchange-traded funds, or similar products; and limited partner investments in funds, an essential exemption for substantial foreign investment in the United States. To qualify, each such investment must be passive, subject to to-be-determined limits on the total voting and equity interests acquired, and must not confer governance, influence, or access rights comparable to those that could trigger CFIUS jurisdiction over investments in certain U.S. businesses.
The financial services industry is also exempt to the extent a transaction is ordinarily incident to the provision of financial services.
Industry-agnostic exemptions would also permit certain intracompany transactions incidental to business operations (for example, transfers of human resources data between a U.S. company and its Chinese subsidiary).
Other exemptions include personal communications and information or informational materials protected by the First Amendment, as reflected in OFAC sanctions regulations, and transactions required or authorized by federal law or international agreements (such as law enforcement requests or public health surveillance).
The executive order directs coordination among U.S. government agencies and allows for the further exclusion of transactions that are already regulated elsewhere. For example, the proposed treatment of investment agreements intersects with the CFIUS approach to “covered transactions” involving certain data. The ANPRM seeks comment on how to harmonize the new regulatory regime with the existing CFIUS regime and proposes to exclude only those transactions for which CFIUS has imposed mitigation measures.
The ANPRM also contemplates a licensing regime administered by the DOJ (similar to the OFAC licensing scheme), including both general licenses available to those who meet stated conditions and specific licenses granted upon application. The ANPRM seeks further comment on how requests for interpretive guidance should be handled.
[1] The proposed regime also appears to reflect the U.S. government's growing distrust of anonymization, or de-identification, techniques, whose effectiveness is believed to be undermined by artificial intelligence. The government recognizes that adversaries can use advanced technology to draw inferences across data sets and re-associate data with specific individuals. This is the so-called “mosaic theory” that President Biden's September 15, 2022 executive order formally directed CFIUS to consider in national security reviews.
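The linkage problem the footnote describes can be shown concretely. The following is an added illustration, not part of the original alert and not drawn from the ANPRM or any DOJ material: two constructed, fictional data sets share quasi-identifiers (ZIP code, birth year, sex), and joining on them re-identifies records from a "de-identified" health extract even though names were stripped. The field names, the generalization rule, and the `k_anonymity` helper are the author's assumptions for the example.

```python
from collections import defaultdict

# Constructed sample data for illustration only; no real persons or data sets.
# A "de-identified" health extract: direct identifiers removed, but the
# quasi-identifiers (ZIP, birth year, sex) are retained at full precision.
HEALTH_RECORDS = [
    {"zip": "20500", "birth_year": 1961, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "20500", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "20502", "birth_year": 1975, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "20502", "birth_year": 1975, "sex": "M", "diagnosis": "migraine"},
]

# A second, openly obtainable data set (voter roll, marketing list, breach dump)
# carrying names alongside the same quasi-identifiers.  Also constructed.
PUBLIC_RECORDS = [
    {"name": "A. Smith", "zip": "20500", "birth_year": 1961, "sex": "M"},
    {"name": "B. Jones", "zip": "20500", "birth_year": 1984, "sex": "F"},
    {"name": "C. Lee",   "zip": "20502", "birth_year": 1975, "sex": "M"},
    {"name": "D. Park",  "zip": "20502", "birth_year": 1975, "sex": "M"},
    {"name": "E. Diaz",  "zip": "20500", "birth_year": 1968, "sex": "M"},
    {"name": "F. Ng",    "zip": "20501", "birth_year": 1980, "sex": "F"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def quasi_key(row, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values an attacker can join on."""
    return tuple(row[f] for f in fields)


def link_datasets(anon_rows, named_rows, fields=QUASI_IDENTIFIERS):
    """Join the anonymized rows to the named rows on the quasi-identifiers.

    Returns a list of (anon_row, candidate_names) pairs.
    """
    index = defaultdict(list)
    for row in named_rows:
        index[quasi_key(row, fields)].append(row["name"])
    return [(row, index.get(quasi_key(row, fields), [])) for row in anon_rows]


def reidentified(anon_rows, named_rows, fields=QUASI_IDENTIFIERS):
    """Map each sensitive attribute to a name wherever the join is unambiguous.

    A record is re-identified when exactly one named person shares its
    quasi-identifier combination; ties (two candidates) are left alone.
    """
    return {
        row["diagnosis"]: names[0]
        for row, names in link_datasets(anon_rows, named_rows, fields)
        if len(names) == 1
    }


def generalize(row):
    """Coarsen quasi-identifiers before release: 3-digit ZIP, birth decade.

    This is a simple generalization rule chosen for the example; a real
    release policy would be tuned to the data set.
    """
    out = dict(row)
    out["zip"] = row["zip"][:3]
    out["birth_year"] = row["birth_year"] // 10 * 10
    return out


def k_anonymity(rows, fields=QUASI_IDENTIFIERS):
    """Smallest group of rows sharing one quasi-identifier combination (k).

    k == 1 means at least one row is unique on the quasi-identifiers and is
    therefore a candidate for exact linkage against any named data set.
    """
    counts = defaultdict(int)
    for row in rows:
        counts[quasi_key(row, fields)] += 1
    return min(counts.values())


if __name__ == "__main__":
    print("exact join re-identifies:", reidentified(HEALTH_RECORDS, PUBLIC_RECORDS))
    print("k of released extract:", k_anonymity(HEALTH_RECORDS))
    coarse_health = [generalize(r) for r in HEALTH_RECORDS]
    coarse_public = [generalize(r) for r in PUBLIC_RECORDS]
    print("after generalization:", reidentified(coarse_health, coarse_public))
```

With the records as constructed, the exact join names the hypertension and asthma patients outright; the two 1975-born men in ZIP 20502 survive only because they happen to collide. Coarsening the quasi-identifiers before release makes every row share its combination with at least one other named person, so the same join no longer yields a unique match. The example treats generalization as one mitigation rather than a guarantee: additional attributes, or a third data set, can re-split the groups, which is exactly the cross-dataset inference the footnote says the government now assumes adversaries can perform.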