New Federal Efforts Aim to Restrict Access to Sensitive Data by Countries of Concern

Read Time: 8 minutes
Key Takeaways: President Biden introduced a new federal commitment to safeguarding Americans’ sensitive data with the issuance of the February 28, 2024, Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. Following the Executive Order, in March 2024, the Department of Justice released an Advance Notice of Proposed Rulemaking to implement data transfer restrictions and the House of Representatives passed a bill that would prohibit data brokers from selling sensitive data to foreign adversaries.


Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern

On February 28, 2024, President Biden issued an Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (the “Executive Order”) aimed at prohibiting data brokers from disclosing Americans’ sensitive personal data to foreign adversary countries such as China, Russia, Iran, and North Korea.

Key Directives of the Executive Order:

  1. The Department of Justice (“DOJ”) will promulgate regulations establishing robust protections for Americans’ sensitive personal data, preventing access and exploitation by countries of concern. This includes safeguards for genomic data, biometric data, personal health data, geolocation data, personal financial data, and specific personal identifiers.
  2. The DOJ will issue additional regulations to further protect sensitive government related data, encompassing measures to secure geolocation information on sensitive government sites and military members.
  3. The DOJ and Department of Homeland Security will collaborate to establish strict security standards, with the primary objective of preventing the countries of concern from accessing Americans’ data through various commercial channels.
  4. The Assessment of Foreign Participation Committee will consider the threats to Americans’ sensitive personal data in its review of submarine cable licenses.
  5. It is emphasized that the activities set forth should not stop the exchange of necessary information for the purpose of financial services activities or that they impose measures that aim at separating trade relationships between the United States and other countries.

Advanced Notice of Proposed Rulemaking Published by the Department of Justice

In connection with the Executive Order, on March 5, 2024, the DOJ published an Advance Notice of Proposed Rulemaking (“ANPRM”) to seek public comment on the potential establishment of new administrative regulations to prevent U.S. entities and individuals from transferring bulk sensitive data and selected government data to covered foreign persons.

Regulated Data

The ANPRM utilizes the sensitive data definition set forth in the Executive Order. The DOJ intends to identify categories of highly sensitive data transactions that would be entirely prohibited as well as categories of restricted transactions that may proceed on the condition that they comply with specific security requirements to mitigate access to the data by countries of concern.

The ANPRM proposes identifying two categories of prohibited transactions between U.S. persons and countries of concern or covered persons: 1) data-brokerage transactions, and 2) genomic-data transactions involving the transfer of bulk human genomic data or biospecimens from which such data can be derived. Three categories of transactions would be permitted only where specific security requirements are met: 1) vendor agreements involving the provision of goods and services (including cloud-service agreements); 2) employment agreements; and 3) investment agreements. The specific security requirements will be established by the Department of Homeland Security’s Cybersecurity and Infrastructure Agency. The ANPRM will also establish exemptions for certain categories of data transactions, such as transactions that are ordinarily incident to and part of ancillary business operations (such as payroll or human resources) within multinational U.S. companies; and those that are ordinarily incident to and part of financial services, payment processing, and regulatory compliance such as banking, capital markets, or financial insurance activities.

The regulations would apply to specified categories of data transactions in the six categories of sensitive personal data only if the transactions exceed prescribed bulk volumes (i.e., a threshold number of U.S. persons or U.S. devices). However, those bulk volumes would not apply to transactions involving certain U.S. government-related data. Transactions involving sensitive personal data of U.S. Government personnel or locations would be regulated regardless of the volume of such data.

Covered Countries and Persons

The ANPRM addresses six countries of concern: China, Russia, Iran, North Korea, Cuba, and Venezuela. In addition, data transactions with certain classes of entities and individuals subject to the jurisdiction, direction, ownership, or control of countries of concern because, as a legal and practical matter, providing data to these persons will place that data within the reach of the countries of concern (“covered persons”) will be subject to the new requirements. Covered persons consist of 1) an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern; 2) a foreign person who is an employee or contractor of such an entity; 3) a foreign person who is an employee or contractor of a country of concern; and 4) a foreign person who is primarily resident in the territorial jurisdiction of a country of concern.

Licenses and Advisory Opinions

The ANPRM contemplates establishing processes for the DOJ to issue general and specific licenses and advisory opinions. General licenses would provide the DOJ flexibility to exempt, alter the conditions for, or allow wind-down periods for certain categories of otherwise-regulated transactions. Specific licenses would give companies and individuals an opportunity to apply for an exception to the rules to engage in a specific data transaction, and the DOJ would make licensing decisions in connection with the Departments of State, Commerce, and Homeland Security. Companies and individuals would also be able to request advisory opinions about the application of the regulations to specific transactions.

Next Steps

Comments to the ANPRM are due within 45 days of publication in the Federal Register (approximately April 15, 2024). The DOJ must issue a proposed rule by August 27, 2024 (180 days from the issuance of the Executive Order).

Protecting Americans’ Data from Foreign Adversaries Act of 2024 Passed by the House

In a bipartisan initiative on March 5, 2024, Representative Cathy McMorris Rodgers, R-Wash. and Representative Frank Pallone, Jr., D-N.J. introduced the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (the “Act”). The primary aim of this legislation is to safeguard Americans’ sensitive personal data by prohibiting data brokers from selling, licensing, renting, trading, or otherwise providing sensitive data or the personal data of U.S. military personnel to foreign adversaries or entities controlled by foreign adversaries. The Act was unanimously passed by the U.S. House on March 20, 2024, and will now head to the U.S. Senate for consideration.

Sensitive Data

The definition of sensitive data used in the Act is more expansive than the definition used under existing state privacy laws. While the standard state law sensitive data categories of government identifiers, health diagnosis information, biometric information, genetic information, and precise geolocation information are included, the definition under this Act also includes calendar information, address book information, and phone or text logs, information revealing the video content requested by the individual, information identifying an individual’s online activities over time and across websites or online services, and information that reveals that status of an individual as a member of the Armed Forces.

Regulated Entities and Activities

An entity would be considered to be “controlled by a foreign adversary” if a) the entity is a foreign person headquartered and organized under the laws of a foreign adversary country; b) an entity as described in a) directly or indirectly owns at least a 20 percent stake in the entity; or b) the entity is a person subject to the control of a foreign person or entity as described in a) and b). A foreign adversary country is any country listed in section 4872(d)(2) of title 10, United States Code, which currently includes North Korea, Cuba, China, Russia, Iran, and Venezuela.

A “data broker” is defined as an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals, that the entity did not collect directly from such individuals, to another entity that is not acting as a service provider. This does not include entities that a) transmit data at the request or direction of the individual, b) provide a product or service with respect to what the sensitive data or access to such data is not itself the product or service, or c) report, publish, or otherwise make available new or information that is available to the general public, such as information in a phone book or online directory, through television, internet, or radio programs, news media, or an internet site that is available to the general public on an unrestricted basis.

Enforcement

Under the Act, a violation of the prohibition would constitute an unfair or deceptive act or practice under the Federal Trade Commission Act. The Federal Trade Commission (“FTC”) would be granted enforcement authority, empowering the agency to take action against data brokers found in violation. The FTC would also be authorized to seek civil penalties of more than $50,000 for each violation.

Koley Jessen will continue to monitor developments related to international transfers of sensitive data. As new information becomes available, we will provide guidance accordingly. If you have questions regarding your business’s use or transfer of sensitive data, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area for support.

*Special thanks to Data Privacy & Cybersecurity Support Specialist Briseyda Garcia-Ticas for her contributions to this article.

This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

Related Services

Explore Our

Newsroom


Learn about the latest legal news, firm announcements, and upcoming events on the topics important to you and your business.

Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.