Clifford Chance

Talking Tech

Navigating the DOJ’s Proposed Sensitive Data Rules: What You Need to Know

Data Privacy 13 November 2024

On October 21, 2024, the U.S. Department of Justice (DOJ) released a Notice of Proposed Rulemaking, Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (NPRM).  The NPRM addresses the national security threat posed by certain countries' access to and exploitation of U.S. sensitive personal and government-related data by identifying a set of prohibited and restricted transactions involving those countries. 

  • Who is in scope?  The NPRM applies to any entity that collects and/or processes U.S. sensitive personal data or government-related data, as well as entities that do so on behalf of third parties, including data brokers.
  • What data is covered?  The NPRM focuses on transactions involving “bulk” sensitive data or government-related data whose access by countries of concern could create a risk to national security.
  • What are the notable requirements?

- Prohibitions on covered data transactions involving data brokerage with (1) any country of concern or covered person; and (2) foreign persons that are not covered persons (unless the U.S. person contractually imposes limitations and reporting obligations on such foreign person).

- Restrictions on vendor agreements, employment agreements, and non-passive investment agreements with any country of concern or covered person, unless such agreements comply with certain requirements, including specific security requirements issued by CISA.

  • What’s next? The NPRM is open for comment until November 29, 2024, after which there may be further rounds of feedback and revision before the rule becomes final.  It also remains to be seen what impact (if any) the impending change in administration will have on the rulemaking process.
  • What should I do now?  Companies that collect and/or process sensitive personal data from U.S. persons and/or government-related data should begin considering what impacts the rules will have on their operations, including by:

- Identifying and analyzing any data brokerage agreements in place to determine if such data is transferred to countries of concern, covered persons, and/or foreign persons;

- Reviewing any contractual arrangements with vendors and employees involving the collection and/or processing of U.S. sensitive personal data and/or government-related data; and

- Assessing existing cybersecurity policies, measures, and controls, including reporting and auditing functions, and implementing or refining such policies, measures, and controls as necessary to prepare for potentially heightened obligations when the rules come into effect.

Companies that do business in or otherwise operate in countries of concern should take note of the potential impacts the NPRM would have on their data processing activities.  In particular, the NPRM could have significant impacts on companies that use data processing vendors located in a country of concern—notably, China.

The remainder of this article provides additional detail about key aspects of the NPRM. 

NPRM Overview

The NPRM follows in the footsteps of the Advance Notice of Proposed Rulemaking of March 2024 (ANPRM) and expands on many ANPRM requirements, including security and compliance provisions and thresholds for "bulk" sensitive data.  For our prior analysis of the ANPRM see here.

The NPRM intends to be tailored in its approach and consistent with broader U.S. principles, such as an open internet and respect for human rights.  It also aims for consistency with sensitive personal data restrictions imposed in other contexts, and the DOJ expects to closely coordinate with other government agencies to minimize conflicts and duplicative enforcement (e.g., coordinating with the Committee on Foreign Investment in the United States or CFIUS). 

On the other hand, the DOJ declined to incorporate aspects of privacy laws in the NPRM because privacy constructs can undermine the NPRM's national security focus.

Countries of Concern and Covered Persons

The NPRM identifies six countries of concern and four classes of covered persons that would trigger the rules’ prohibitions and restrictions:

  • Countries of concern can be any foreign government that: (1) has engaged in a “long-term pattern or serious instances of conduct” significantly adverse to the security of the United States or U.S. persons; and (2) "poses a significant risk of exploiting” government-related data or bulk U.S. sensitive personal data to the detriment of the security of the United States or U.S. persons.  The DOJ has initially identified six countries of concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
  • A covered person is: (1) a foreign entity that is at least 50% owned by, is organized under the laws of, or has a principal place of business in, a country of concern; (2) a foreign entity that is at least 50% owned by a covered person; (3) a foreign employee or contractor of a country of concern or a covered person; (4) a foreign individual who is a primary resident in a country of concern; or (5) any person designated by the DOJ as a covered person.

Covered Data

The NPRM identifies several types of covered data, including:

  • Sensitive personal data relating to U.S. persons that exceeds certain bulk thresholds.  This is defined to be: (1) covered personal identifiers; (2) precise geolocation data; (3) biometric identifiers; (4) human genomic data; (5) personal health data; and (6) personal financial data, as well as any combination of the above.  The NPRM further designates precise geolocation data, biometric identifiers, and human genomic data as the most sensitive types of data.
  • Government-related data in any volume, including: (1) precise geolocation data associated with military or other government-related functions; and (2) sensitive personal data linked or linkable to current or former employees, contractors or senior officials of the U.S. government. 

Notably, anonymized, de-identified, pseudonymized and encrypted data are also considered "covered data"—a break from other regulatory regimes (e.g., privacy laws).

While still subject to comment and revision, the NPRM proposes initial bulk thresholds for each category of sensitive data that would trigger prohibitions and restrictions.  A bulk threshold represents the maximum amount of covered data that can be transferred during a twelve-month period without triggering the proposed rules.  The DOJ created these thresholds through analysis of seven characteristics of data sets that affect vulnerability to, and consequences of, exploitation: data purpose, changeability, control, availability, volume, velocity and quality.  Interestingly, the DOJ has stated that it is also considering regulating other human 'omic data and has requested comment in the NPRM on the desirability and effects of doing so.  'Omics sciences "examine biological processes that contribute to the form and function of cells and tissues" and categories of potentially regulatable data include epigenomic data, glycomic data, lipidomic data, metabolic data and meta-multiomic data.

Covered (and Exempt) Transactions

  • Prohibited Transactions.  The NPRM prohibits U.S. persons from knowingly engaging in or directing a covered data transaction involving data brokerage with:

- a country of concern or a covered person; or

- any foreign person that is not a covered person, unless the U.S. person: (i) contractually requires the foreign person to refrain from engaging in subsequent covered data transactions involving data brokerage with a country of concern or a covered person; and (ii) reports any known or suspected violations.  

Notably, since the ANPRM, the DOJ has added to the list of prohibited transactions data brokerage transactions with any foreign person that is not a covered person, broadening the categories of such transactions that would be prohibited under the proposed rules.

A data brokerage transaction is the sale or licensing of data, or a similar transaction, where the recipient did not collect or process the data directly.  For context, the United States is viewed as the largest data-brokerage market in the world, and much of the NPRM's economic impact falls on data brokers.  Estimates of the size of this market range from $50 billion to $300 billion globally and between $30 billion and $180 billion in the United States.

The NPRM also prohibits U.S. persons from knowingly engaging in or directing any covered data transactions with a country of concern or a covered person, involving access to bulk U.S. human genomic data or to human biospecimens from which such data could be derived.  Interestingly, there is little readily available information on who purchases or resells human genomic data although, according to the NPRM, the sale of this data "appears common and is virtually unregulated."

  • Restricted Transactions.  The NPRM prohibits U.S. persons from knowingly engaging in or directing vendor agreements, employment agreements and non-passive investment agreements with countries of concern or covered persons, unless they comply with certain mandates, including:

- The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA)'s Proposed Security Requirements for Restricted Transactions under EO 14117, which include organizational, system-level and data-level requirements.  CISA's requirements build on the ANPRM proposals and are based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the NIST Privacy Framework and the CISA Cross-Sector Cybersecurity Performance Goals.  Once finalized, these requirements will be incorporated by reference in the DOJ final rule.

- Due diligence, recordkeeping, audit and reporting requirements, and a mandate to implement a data compliance program and annually obtain an independent third-party audit of restricted transactions and such compliance program.  

  • Exempt Transactions.  The NPRM contains a broad list of exempt transactions, including personal communications, information or informational materials, data transactions ordinarily incident to travel to any country, data transactions ordinarily incident to and part of telecommunication services, and data transactions incident to financial services.  This list of exemptions is broader than initially proposed in the ANPRM, responding to the initial set of comments to the proposed rules.

Licensing and Guidance

  • Licensing.  The NPRM provides a process for the DOJ to issue general licenses that authorize transaction classes, and specific licenses that authorize individual transactions that would otherwise be prohibited or restricted.  The DOJ has stated that it expects to issue licenses rarely.   Licenses may impose obligations on the recipient, such as certification requirements and due diligence.
  • Advisory Opinions.  The NPRM also establishes a process for the DOJ to publish general forms of interpretive guidance.  Entities may also seek advisory opinions about applicability of the NPRM's rules to specific transactions. 

Enforcement

Violations of the rules would be subject to civil and criminal penalties.  The proposed maximum civil monetary penalty is the greater of $368,136 or twice the amount of the transaction that forms the basis of the violation.  In egregious circumstances, violations can also result in criminal convictions, leading to fines of up to $1 million and imprisonment of up to 20 years.