National Security Division; Provisions Regarding Access to Americans' Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern

Published date: 05 March 2024
Record Number: 2024-04594
Citation: 89 FR 15780
Court: Justice Department
Section: Proposed rules
Federal Register, Volume 89 Issue 44 (Tuesday, March 5, 2024)
                [Proposed Rules]
                [Pages 15780-15802]
                From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
                [FR Doc No: 2024-04594]
                DEPARTMENT OF JUSTICE
                28 CFR Part 202
                [Docket No. NSD 104]
                RIN 1105-AB72
                National Security Division; Provisions Regarding Access to
                Americans' Bulk Sensitive Personal Data and Government-Related Data by
                Countries of Concern
                AGENCY: National Security Division, Department of Justice.
                ACTION: Advance notice of proposed rulemaking.
                -----------------------------------------------------------------------
                SUMMARY: The Executive order of February 28, 2024, ``Preventing Access
                to Americans' Bulk Sensitive Personal Data and United States
                Government-Related Data by Countries of Concern'' (the Order), directs
                the Attorney General to issue regulations that prohibit or otherwise
                restrict United States persons from engaging in any acquisition,
                holding, use, transfer, transportation, or exportation of, or dealing
                in, any property in which a foreign country or national thereof has any
                interest (``transaction''), where the transaction: involves U.S.
                Government-related data or bulk U.S. sensitive personal data, as
                defined by final rules implementing the Order; falls within a class of
                transactions that has been determined by the Attorney General to pose
                an unacceptable risk to the national security of the United States
                because it may enable access by countries of concern or covered persons
                to Americans' bulk sensitive personal data or U.S. government-related
                data; and meets other criteria specified by the Order. This advance
                notice of proposed rulemaking (ANPRM) seeks public comment on various
                topics related to the implementation of the Order.
                DATES: Written comments on this ANPRM must be received by April 19,
                2024.
                ADDRESSES: You may send comments, identified by Docket No. NSD 104, by
                either of the following methods:
                 Federal eRulemaking Portal: https://www.regulations.gov.
                Follow the instructions for sending comments.
                 Mail: U.S. Department of Justice, National Security
                Division, Foreign Investment Review Section, 175 N Street NE, 12th
                Floor, Washington, DC 20002.
                 Instructions: We encourage comments to be submitted via https://www.regulations.gov. Please submit comments only and include your name
                and company name (if any) and cite ``Provisions Pertaining to
                Preventing Access to Americans' Bulk Sensitive Personal Data and U.S.
                Government-Related Data by Countries of Concern'' in all
                correspondence. Anyone submitting business confidential information
                should clearly identify the business confidential portion at the time
                of submission, file a statement justifying nondisclosure and referring
                to the specific legal authority claimed, and provide a non-confidential
                version of the submission. For comments submitted electronically
                containing business confidential information, the file name of the
                business confidential version should begin with the characters ``BC.''
                Any page containing business confidential information must be clearly
                marked ``BUSINESS CONFIDENTIAL'' at the top of that page. The
                corresponding non-confidential version of those comments must be
                clearly marked ``PUBLIC.'' The file name of the nonconfidential version
                should begin with the character ``P.'' Any submissions with file names
                that do not begin with either a ``BC'' or a ``P'' will be assumed to be
                public and will be posted without change, including any business or
                personal information provided, such as names, addresses, email
                addresses, or telephone numbers.
                 To facilitate an efficient review of submissions, the Department of
                Justice encourages but does not require commenters to: (1) submit a
                short executive summary at the beginning of all comments; (2) provide
                supporting material, including empirical data, findings, and analysis
                in reports or studies by established organizations or research
                institutions; (3) consistent with the questions below, describe the
                relative benefits and costs of the approach contemplated in this ANPRM
                and any alternative approaches; and (4) refer to the numbered
                question(s) herein to which each comment is addressed. The Department
                of Justice welcomes interested parties' submissions of written comments
                discussing relevant experiences, information, and views. Parties
                wishing to supplement their written comments in a meeting may request
                to do so, and the Department of Justice may accommodate such requests
                as resources permit. Additionally, in consultation with other United
                States Government agencies, the Department of Justice expects to seek
                additional opportunities to engage in discussions with certain
                stakeholders, including foreign partners and allies.
                FOR FURTHER INFORMATION CONTACT: Email (preferred):
                [email protected]. Otherwise, please contact: Lee Licata,
                Deputy Chief for National Security Data Risks, Foreign Investment
                Review Section, National Security Division, U.S. Department of Justice,
                175 N Street NE, Washington, DC 20002; telephone: 202-514-8648.
                SUPPLEMENTARY INFORMATION:
                I. Background
                 On February 28, 2024, the President issued the Order pursuant to
                his authority under the Constitution and laws of the United States,
                including the International Emergency Economic Powers Act (50 U.S.C.
                1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et
                seq.) (NEA), and section 301 of title 3, United States Code. In the
                Order, the President expanded the scope of the national emergency
                declared in Executive Order 13873 of May 15, 2019 (Securing the
                Information and Communications Technology and Services Supply Chain),
                and further addressed with additional measures in Executive Order 14034
                of June 9, 2021 (Protecting Americans' Sensitive Data from Foreign
                Adversaries). The President determined that additional measures are
                necessary to counter the unusual and extraordinary threat to U.S.
                national security posed by the continuing efforts of certain countries
                of concern to access and exploit Americans' bulk sensitive personal
                data and U.S. Government-related data (``government-related data'').
                 Unrestricted transfers of bulk sensitive personal data and
                government-related data to countries of concern, through commercial
                transactions or otherwise, present a range of threats to
                U.S. national security and foreign policy. Countries of concern can use
                their access to Americans' bulk sensitive personal data to engage in
                malicious cyber-enabled activities and malign foreign influence, and to
                track and build profiles on U.S. individuals, including members of the
                military and Federal employees and contractors, for illicit purposes
                such as blackmail and espionage. Countries of concern can also use
                access to U.S. persons' bulk sensitive personal data to collect
                information on activists, academics, journalists, dissidents, political
                figures, or members of non-governmental organizations or marginalized
                communities in order to intimidate such persons; curb political
                opposition; limit freedoms of expression, peaceful assembly, or
                association; or enable other forms of suppression of civil liberties.
                 The Office of the Director of National Intelligence (ODNI) has made
                clear that ``[o]ur adversaries increasingly view data as a strategic
                resource. They are focused on acquiring and analyzing data--from
                personally identifiable information on U.S. citizens to commercial and
                government data--that can make their espionage, influence, kinetic and
                cyber-attack operations more effective; advance their exploitation of
                the U.S. economy; and give them strategic advantage over the United
                States.'' \1\ Advanced technologies--including big-data analytics,
                artificial intelligence (``AI''), high-performance computing, and other
                capabilities--increasingly enable countries of concern to exploit bulk
                amounts of Americans' sensitive personal data and government-related
                data to achieve these goals.
                ---------------------------------------------------------------------------
                 \1\ Office of the Director of National Intelligence, Annual
                Threat Assessment of the U.S. Intelligence Community at 26 (Feb. 6,
                2023), https://www.odni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf [https://perma.cc/4B2Y-7NVD].
                ---------------------------------------------------------------------------
                 As ODNI has assessed, countries of concern are ``increasing their
                ability to analyze and manipulate large quantities of personal
                information in ways that will allow them to more effectively target and
                influence, or coerce, individuals and groups in the United States and
                allied countries.'' \2\ Countries of concern ``almost certainly are
                already applying data-analysis techniques to hone their efforts against
                U.S. targets.'' \3\ For example, AI is making it easier to extract, re-
                identify, link, infer, and act on sensitive information about people's
                identities, locations, habits, and desires, as outlined in Executive
                Order 14110 of October 30, 2023 (Safe, Secure, and Trustworthy
                Development and Use of Artificial Intelligence).\4\ Likewise, as the
                National Counterintelligence and Security Center has explained, ``[t]he
                combination of stolen [personally identifiable information], personal
                health information, and large [human] genomic data sets collected from
                abroad'' gives countries of concern ``vast opportunities to precisely
                target individuals in foreign governments, private industries, or other
                sectors for potential surveillance, manipulation, or extortion.'' \5\
                Moreover, access to bulk sensitive personal data can fuel the creation
                and refinement of AI, big-data, and other analytical capabilities, the
                development of which requires large amounts of human data--ultimately
                compounding the risks.
                ---------------------------------------------------------------------------
                 \2\ National Intelligence Council, Assessment: Cyber Operations
                Enabling Expansive Digital Authoritarianism at 3 (Apr. 7, 2020)
                (declassified Oct. 5, 2022), https://www.dni.gov/files/ODNI/documents/assessments/NICM-Declassified-Cyber-Operations-Enabling-Expansive-Digital-Authoritarianism-20200407_2022.pdf [https://perma.cc/ZKJ4-TBU6].
                 \3\ Id.
                 \4\ See also id. at 4-5 (explaining that China's ``commercial
                access to personal data of other countries' citizens, along with AI-
                driven analytics,'' can ``enable it to automate the identification
                of individuals and groups,'' and ``China can draw on ample Western
                commercial models for large-scale algorithm-driven delivery of
                targeted content and behavior-shaping microincentives'').
                 \5\ National Counterintelligence and Security Center, China's
                Collection of Genomic and Other Healthcare Data From America: Risks
                to Privacy and U.S. Economic and National Security at 4 (Feb. 2021),
                https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/NCSC_China_Genomics_Fact_Sheet_2021revision20210203.pdf [https://perma.cc/BL4H-WJSW].
                ---------------------------------------------------------------------------
                 These risks are not merely hypothetical and have been tested. As a
                recent study has explained, for example, ``[a]ggregated insights from
                location data'' could be used to damage national security \6\--such as
                in 2018, when the publication of a global heatmap of users' location
                data collected by a popular fitness app enabled researchers to quickly
                identify and map the locations of military and government facilities
                and activities.\7\ Similarly, in 2019, New York Times writers were able
                to combine a single set of bulk location data collected from cell
                phones and bought and sold by location-data companies--which was
                anonymized and represented ``just one slice of data, sourced from one
                company, focused on one city, covering less than one year''--with
                publicly available information to identify, track, and follow
                ``military officials with security clearances as they drove home at
                night,'' ``law enforcement officers as they took their kids to
                school,'' and ``lawyers (and their guests) as they traveled from
                private jets to vacation properties.'' \8\
                ---------------------------------------------------------------------------
                 \6\ Justin Sherman et al., Data Brokers and the Sale of Data on
                U.S. Military Personnel at 15 (Nov. 2023), https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/11/Sherman-et-al-2023-Data-Brokers-and-the-Sale-of-Data-on-US-Military-Personnel.pdf [https://perma.cc/M9S8-MYAA].
                 \7\ E.g., Richard Pérez-Peña and Matthew
                Rosenberg, Strava Fitness App Can Reveal Military Sites, Analysts
                Say, The New York Times (Jan. 29, 2018), https://www.nytimes.com/2018/01/29/world/middleeast/strava-heat-map.html [https://perma.cc/VZF9-X7LJ]; Jeremy Hsu, The Strava Heat Map and the End of Secrets,
                WIRED (Jan. 29, 2018 7:14 p.m.), https://www.wired.com/story/strava-heat-map-military-bases-fitness-trackers-privacy [https://perma.cc/B9KT-E75J].
                 \8\ Stuart A. Thompson and Charlie Warzel, Twelve Million
                Phones, One Dataset, Zero Privacy, The New York Times (Dec. 19,
                2019), https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html [https://perma.cc/X3VB-429P].
                ---------------------------------------------------------------------------
                 Countries of concern can also exploit access to government-related
                data, regardless of volume. As one report has explained, for example,
                tracking location data on individual military or government targets can
                ``reveal sensitive locations--such as visits to a place of worship, a
                gambling venue, a health clinic, or a gay bar--which again could be
                used for profiling, coercion, blackmail, or other purposes,'' or could
                reveal ``reputationally damaging lifestyle characteristics'' that could
                be exploited, ``such as infidelity.'' \9\
                ---------------------------------------------------------------------------
                 \9\ Sherman et al., supra note 6, at 15.
                ---------------------------------------------------------------------------
                 Accordingly, transactions that may enable countries of concern to
                access bulk amounts of Americans' sensitive personal data or
                government-related data, as defined by the Order, pose particular and
                unacceptable risks to national security and foreign policy. This risk
                of access to U.S. persons' bulk sensitive personal data and government-
                related data is not limited to transactions directly involving the
                governments of countries of concern. Persons who are owned by,
                controlled by, or subject to the jurisdiction or direction of a country
                of concern may enable the government of that country to indirectly
                access such data. For example, countries of concern may have cyber,
                national security, and intelligence laws that, without sufficient legal
                safeguards, can obligate such persons to provide that country's
                intelligence services access to U.S. persons' bulk sensitive personal
                data and government-related data.
                 Countries of concern can leverage their access to Americans' bulk
                sensitive personal data and government-related data to engage in a
                variety of nefarious activities, including malicious cyber-enabled
                activities, espionage, and blackmail. Countries of concern can exploit
                Americans' bulk sensitive personal data and government-related data to
                track and build profiles on U.S.
                persons, including Federal employees and contractors, military
                servicemembers, and members of the Intelligence Community to support
                espionage operations and to identify and exploit vulnerabilities for
                malicious cyber activities. Countries of concern can also access U.S.
                persons' bulk sensitive personal data and government-related data to
                collect information on activists, academics, journalists, dissidents,
                political figures, and members of non-governmental organizations and
                marginalized communities to intimidate opponents of countries of
                concern, curb dissent, and limit Americans' freedom of expression and
                other civil liberties. The risks posed by access to Americans' bulk
                sensitive personal data and government-related data are exacerbated by
                AI and other data processing tools that exploit large datasets in
                increasingly sophisticated and effective ways to the detriment of U.S.
                national security. These tools, and the access to Americans' bulk
                sensitive personal data and government-related data upon which the
                tools rely, enable countries of concern to target U.S. persons more
                effectively by recognizing patterns across multiple, unrelated datasets
                to identify individuals whose links to, for example, the Federal
                Government, would be otherwise obscured in a single database.
                 As the President affirmed in the Order, the United States remains
                committed to promoting an open, global, interoperable, reliable, and
                secure internet; promoting open, responsible scientific collaboration
                to drive innovation; protecting human rights online and offline;
                supporting a vibrant, global economy by promoting cross-border data
                flows to enable international commerce and trade; and facilitating open
                investment. Accordingly, the Order authorizes the Attorney General to
                take specific, carefully calibrated actions to minimize the risks
                associated with access to Americans' bulk sensitive personal data and
                government-related data by countries of concern and persons that are
                ``owned by, controlled by, or subject to the jurisdiction or direction
                of'' countries of concern, while minimizing disruption to commercial
                activity. For example, the Order exempts certain classes of
                transactions that are less likely to pose these unacceptable national-
                security risks, including financial-services transactions, and
                authorizes the Attorney General to exempt additional classes of
                transactions. Also consistent with the Order, this ANPRM does not
                propose generalized data-localization requirements either to store
                Americans' bulk sensitive personal data or government-related data
                within the United States or to locate computing facilities used to
                process Americans' bulk sensitive personal data or government-related
                data within the United States. Nor does it seek to broadly prohibit
                U.S. persons from conducting commercial transactions with entities and
                individuals located in countries of concern or impose measures aimed at
                a broader decoupling of the substantial consumer, economic, scientific,
                and trade relationships that the United States has with other
                countries. This carefully calibrated action instead reflects the U.S.
                Government's longstanding support for the concept of ``Data Free Flow
                with Trust,'' in recognition of its importance to the economy and human
                rights online.
                 The Order has two primary components relevant to this ANPRM. First,
                it directs the Attorney General, in coordination with the Secretary of
                Homeland Security and in consultation with the relevant agencies, to
                issue regulations identifying for prohibition specific classes of
                transactions that may enable access by countries of concern or covered
                persons to defined categories of Americans' bulk sensitive personal
                data or government-related data, and that the Attorney General
                determines pose an unacceptable risk to U.S. national security and
                foreign policy. Second, it instructs the Attorney General, in
                coordination with the Secretary of Homeland Security and in
                consultation with the relevant agencies, to issue regulations
                identifying specific classes of transactions that will be required to
                comply with security requirements, to be established by the Secretary
                of Homeland Security through the Director of the Cybersecurity and
                Infrastructure Security Agency, that mitigate the risks of access to
                Americans' bulk sensitive personal data or government-related data by
                countries of concern. As previewed in this ANPRM, the security
                requirements could include (1) organizational requirements (e.g., basic
                organizational cybersecurity posture), (2) transaction requirements
                (e.g., data minimization and masking, use of privacy-preserving
                technologies, requirements for information-technology systems to
                prevent unauthorized disclosure, and logical and physical access
                controls), and (3) compliance requirements (e.g., audits).\10\
                ---------------------------------------------------------------------------
                 \10\ The Order contains other provisions, which are not directly
                relevant to this ANPRM, to enhance existing authorities to address
                data-security risks, including directing the Committee for the
                Assessment of Foreign Participation in the United States
                Telecommunications Services Sector to take certain actions with
                respect to submarine cables; instructing the Secretaries of Defense,
                Health and Human Services, and Veterans Affairs, and the Director of
                the National Science Foundation, to consider taking certain steps
                regarding the provision of Federal assistance; and encouraging the
                Consumer Financial Protection Bureau to consider taking steps
                to address the role that data brokers play in contributing to the
                national-security risks.
                ---------------------------------------------------------------------------
                II. Program Overview
                 The Department of Justice is considering implementing the Order
                through categorical rules that regulate certain data transactions
                involving bulk U.S. sensitive personal data and government-related data
                that present an unacceptable risk to U.S. national security, pursuant
                to section 2(c) of the Order. To that end, the Department of Justice is
                considering establishing a program that would (1) identify certain
                classes of highly sensitive transactions that would be prohibited in
                their entirety (``prohibited transactions''), and (2) identify other
                classes of transactions that would be prohibited except to the extent
                they comply with predefined security requirements (``restricted
                transactions'') to mitigate the risk of access to bulk sensitive
                personal data by countries of concern.
                 Under this framework, the Department of Justice would establish the
                program by issuing proposed rulemakings in tranches based on priority,
                including the limits of current authorities, and effective
                administration of the program. This ANPRM takes the foundational steps
                by seeking the input needed to establish the structure of the program,
                including, as described in section 2(c) of the Order, identifying
                classes of prohibited and restricted transactions that pose an
                unacceptable risk to national security, defining relevant terms,
                identifying countries of concern, creating processes for administrative
                licensing and entity designations, and establishing a compliance and
                enforcement regime. This ANPRM is focused on identifying discrete
                classes of prohibited transactions that raise the highest national-
                security risks, focusing on data transactions between U.S. persons and
                countries of concern (or persons subject to their ownership, control,
                jurisdiction, or direction where the transaction involves property in
                which a foreign country or national thereof has an interest) that pose
                direct risks. As contemplated by this ANPRM, the rulemaking would
                target only transactions between a U.S. person and a country of concern
                (or person subject to its ownership, control, jurisdiction, or
                direction), with one discrete exception described below. The program
                would not regulate purely domestic transactions between U.S. persons
                (who are not otherwise designated as covered persons acting on behalf
                of a country of concern), such as the collection, maintenance,
                processing, or use of data by U.S. persons within the United States.
                 Section 2(f) of the Order authorizes the Department of Justice to
                engage in subsequent rulemakings to tailor the regulatory program to
                the national-security risks identified in the Order, and to the costs
                and benefits of administering and complying with the regulatory
                program. Where practical, the proposed program, its structure, and
                definitions would be modeled on existing regulations based on IEEPA
                that are generally familiar to the public, such as those administered
                by the United States Department of the Treasury's Office of Foreign
                Assets Control (OFAC) and the United States Department of Commerce's
                Bureau of Industry and Security (BIS).
                 Under section 2(a)(ii) of the Order, the Attorney General is
                authorized to determine and identify classes of transactions that
                ``pose an unacceptable risk to the national security of the United
                States because the transactions may enable countries of concern or
                covered persons to access bulk sensitive personal data or United States
                Government-related data.'' Specifically, the Department of Justice is
                considering identifying two classes of prohibited data transactions
                between U.S. persons and countries of concern (or covered persons) to
                address critical risk areas involving bulk U.S. sensitive personal data
                or government-related data: (1) data-brokerage transactions; and (2)
                any transaction that provides a country of concern or covered person
                with access to bulk human genomic data (a subcategory of human `omic
                data) or human biospecimens from which that human genomic data can be
                derived. These classes of prohibited data transactions are not directly
                regulated under existing Federal authorities, and these types of
                transactions necessarily provide access to bulk sensitive personal data
                or government-related data directly to countries of concern or persons
                subject to their ownership, control, jurisdiction, or direction.
                 The Department of Justice is also considering identifying three
                classes of restricted data transactions to address critical risk areas
                to the extent they involve countries of concern or covered persons and
                bulk U.S. sensitive personal data: (1) vendor agreements (including,
                among other types, agreements for technology services and cloud-service
                agreements), (2) employment agreements, and (3) investment agreements.
                These classes of restricted transactions represent significant means
                through which countries of concern can access bulk U.S. sensitive
                personal data or government-related data, but the national-security
                risks associated with these transactions can be mitigated through
                appropriate security-related conditions.
                 The program would cover transactions involving six defined
                categories of bulk U.S. sensitive personal data--U.S. persons' covered
                personal identifiers, personal financial data, personal health data,
                precise geolocation data, biometric identifiers, and human genomic
                data--and combinations of those categories, as laid out in the Order
                and defined below. These categories would be clearly defined and, for
                covered personal identifiers, significantly narrower than the broad
                categories of material typically implicated by privacy-focused
                regulatory regimes.
                 In addition to addressing data transactions involving bulk U.S.
                sensitive personal data, and as also laid out in the Order, the program
                would also address the heightened national-security risks posed by U.S.
                persons' transactions with countries of concern (or covered persons)
                and two kinds of government-related data regardless of volume: (1)
                geolocation data in listed geofenced areas associated with certain
                military, other government, and other sensitive facilities (which could
                threaten national security by revealing information about those
                locations and U.S. persons associated with them), and (2) sensitive
                personal data that is marketed as linked or linkable to current or
                recent former employees or contractors, or former senior officials, of
                the U.S. government, including the military and Intelligence Community.
                 Consistent with the Order, the program would be implemented as a
                carefully calibrated national-security authority to address specific
                national security threats, including counterintelligence threats, posed
                by data-security risks to U.S. persons and government-related data. The
                program is not intended as a commercial regulation of all cross-border
                data flows between the United States and our foreign partners, or as a
                comprehensive program to regulate Americans' data privacy. Also
                consistent with the Order, the Department of Justice intends to
                implement the program consistent with longstanding U.S. policy to
                promote trusted cross-border data transfers among partners that respect
                democratic values and the rule of law, as the program would address
                only the national-security risks posed by countries of concern because
                of their potential to target and misuse Americans' sensitive personal
                data.
                 Importantly, the program is also not intended to impede all U.S.
                persons' data transactions with countries of concern or persons subject
                to their jurisdiction. The program, under the rulemaking under
                consideration, would prohibit or restrict specific classes of data
                transactions between U.S. persons and countries of concern (or persons
                subject to their ownership, control, jurisdiction, or direction) that
                involve either (1) specific categories of sensitive personal data above
                certain bulk-volume thresholds or (2) specific categories of
                government-related data regardless of volume. The program under
                consideration would also identify classes of exempt data transactions
                and would provide a process for the Department of Justice to issue
                general and specific licenses using procedures that are generally
                familiar to the public.
                 The Department of Justice does not contemplate that the program
                will rely on case-by-case review of individual data transactions.
                Rather, the Department of Justice will affirmatively identify classes
                of prohibited and restricted data transactions. Importantly, the
                Department of Justice believes that a categorical approach provides
                bright-line rules to data-transaction parties. The program would not
                apply retroactively (before the effective date of the final rule).
                However, the Department of Justice may, after the effective date of the
                regulations, request information about transactions by United States
                persons that were completed or agreed to after the date of the issuance
                of the Order to better inform the development and implementation of the
                program.
                III. Issues for Comment
                 The Department of Justice welcomes comments and views from a wide
                range of stakeholders on all aspects of how the Attorney General should
                implement this new program under the Order. The Department of Justice
                is particularly interested in obtaining information on the topics
                discussed below. This ANPRM does not necessarily identify the full
                scope of potential approaches the Department of Justice might
                ultimately undertake in regulations to implement the Order.
                A. Overview
                 The Order frames the key terms that will be developed through
                rulemaking. Under the rules that the Department of Justice is
                considering, U.S. persons
                would be prohibited from engaging in classes of covered data
                transactions, which (as further defined below) have been determined by
                the Attorney General to pose an unacceptable risk to the national
                security of the United States because these classes of covered data
                transactions may enable countries of concern or covered persons to
                access bulk U.S. sensitive personal data or government-related data.
                Some otherwise-prohibited covered data transactions may be restricted
                and be permitted to proceed only subject to certain conditions,
                including security requirements published by the Department of Homeland
                Security in coordination with the Department of Justice. Prohibited or
                restricted covered data transactions may also be permitted to proceed
                based on applicable general or specific licenses. None of the program's
                requirements would apply to a U.S. person engaged in an exempt data
                transaction.
                 Definitions under consideration for these and related terms are
                italicized and discussed below, along with questions on which the
                Department of Justice seeks comment.
                 B. Bulk U.S. Sensitive Personal Data
                 The Order authorizes the Attorney General to prohibit or otherwise
                restrict United States persons from engaging in any transaction where
                the transaction involves bulk sensitive personal data and meets other
                criteria specified in section 2(a) of the Order. The Order defines
                ``bulk'' as ``an amount of sensitive personal data that meets or
                exceeds a threshold over a set period of time, as specified in
                regulations issued by the Attorney General pursuant to section 2 of
                th[e] order.'' The Order also defines ``sensitive personal data'' as
                ``covered personal identifiers, geolocation and related sensor data,
                biometric identifiers, human `omic data, personal health data, personal
                financial data, or any combination thereof,'' as further defined in
                final rules implementing the Order, ``that could be exploited by a
                country of concern to harm United States national security if that data
                is linked or linkable to any identifiable United States individual or
                to a discrete and identifiable group of United States individuals.''
                The Department of Justice is considering elaborating on and providing
                greater detail to the Order's definitions of ``sensitive personal
                data'' and ``bulk.''
                 Sensitive personal data. The Department of Justice is considering
                further defining each of the six categories of sensitive personal data
                identified in the Order as follows:
                 1. Covered personal identifiers. The Order defines ``covered
                personal identifiers'' as ``specifically listed classes of personally
                identifiable data that are reasonably linked to an individual, and
                that--whether in combination with each other, with other sensitive
                personal data, or with other data that is disclosed by a transacting
                party pursuant to the transaction and that makes the personally
                identifiable data exploitable by a country of concern--could be used to
                identify an individual from a data set or link data across multiple
                data sets to an individual.'' The Department is considering further
                defining the term covered personal identifiers as follows.
                 1(a). With respect to the subcategory of listed classes of
                personally identifiable data ``in combination with each other,'' the
                term covered personal identifiers would mean any listed identifier that
                is linked to any other listed identifier, except:
                 (a) The term covered personal identifiers does not include
                demographic or contact data that is linked only to other demographic
                or contact data; and
                 (b) The term covered personal identifiers does not include a
                network-based identifier, account-authentication data, or call-
                detail data that is linked only to other network-based identifier,
                account-authentication data, or call-detail data as necessary for
                the provision of telecommunications, networking, or similar
                services.
                 Listed identifiers would include the following classes of data
                determined by the regulations to be ``reasonably linked to an
                individual'' under the Order's definition of ``covered personal
                identifiers.'' The final rule will include a comprehensive list of
                listed identifiers.
                 Full or truncated government identification or account number
                (such as a Social Security Number, driver's license or state
                identification number, passport number, or Alien Registration Number)
                 Full financial account numbers or personal identification
                numbers associated with a financial institution or financial-services
                company
                 Device-based or hardware-based identifier (such as
                International Mobile Equipment Identity (IMEI), Media Access Control
                (MAC) address, or Subscriber Identity Module (SIM) card number)
                 Demographic or contact data (such as first and last name,
                birth date, birthplace, zip code, residential street or postal address,
                phone number, and email address and similar public account identifiers)
                 Advertising identifier (such as Google Advertising ID, Apple
                ID for Advertisers, or other Mobile Advertising ID (MAID))
                 Account-authentication data (such as account username, account
                password, or an answer to security questions)
                  Network-based identifier (such as Internet Protocol (IP)
                 address or cookie data)
                 Call-detail data (such as Customer Proprietary Network
                Information (CPNI))
                 Under this definition, the term covered personal identifiers would
                be much narrower than the categories of material typically covered by
                laws and policies aimed generally at protecting personal privacy.\11\
                 It would not include any combinations of types of data that are not
                 expressly listed. For example, this definition of covered personal
                 identifiers would not include an individual's:
                  Employment history;
                  Educational history;
                  Organizational memberships;
                  Criminal history; or
                  Web-browsing history.
                 ---------------------------------------------------------------------------
                  \11\ Cf., e.g., California Consumer Privacy Act of 2018, Cal.
                 Civ. Code section 1798.140(v)(1) (defining ``personal information''
                 in the context of a generalized privacy-focused regime); Regulation
                 (EU) 2016/679 of the European Parliament and of the Council, ``On
                 the protection of natural persons with regard to the processing of
                 personal data and on the free movement of such data, and repealing
                 Directive 95/46/EC'' (General Data Protection Regulation), art. 4(1)
                 (27 April 2016) (defining ``personal data'' in the context of a
                 generalized data privacy regime).
                 For purposes of defining covered personal identifiers only, the
                Department of Justice is considering defining identifiers as linked
                when the identifiers involved in a single covered data transaction, or
                in multiple covered data transactions or a course of dealing between
                the same or related parties, are capable of being associated with the
                same specific person(s). Identifiers would not be considered linked
                when additional identifiers or data not involved in the relevant
                covered data transaction(s) would be necessary to associate the
                identifiers with the same specific person(s). For example, if a U.S.
                person transferred two listed identifiers in a single spreadsheet--such
                as a list of names of individuals and associated MAC addresses for
                those individuals' devices--the names and MAC addresses would be
                considered linked. The same would be true if the names and MAC
                addresses were transferred to two related parties in two different
                covered data transactions, provided that the receiving parties were
                capable of determining which names corresponded to which MAC addresses.
                On the other hand, a standalone list of MAC
                addresses, without any additional listed identifiers, would not be
                covered personal identifiers. That standalone list of MAC addresses
                would not become covered personal identifiers even if the receiving
                party is capable of obtaining separate sets of other listed identifiers
                or sensitive personal data through separate covered data transactions
                with unaffiliated parties that would ultimately permit the association
                of the MAC addresses to specific persons. The MAC addresses would not
                be considered linked to those separate sets of other listed identifiers
                or sensitive personal data.
                 The Department of Justice currently intends the category of covered
                personal identifiers to apply as follows:
                 Example 1. A standalone listed identifier in isolation
                (i.e., that is not linked to another listed identifier, sensitive
                personal data, or other data that is disclosed by a transacting party
                pursuant to the transaction that makes the personally identifiable data
                exploitable by a country of concern)--such as a data set of only Social
                Security Numbers or only account usernames--would not constitute
                covered personal identifiers.
                 Example 2. A listed identifier linked to another listed
                identifier--such as a data set of first and last names linked to Social
                Security Numbers, driver's license numbers linked to passport numbers,
                device MAC addresses linked to residential addresses, account usernames
                linked to first and last names, or mobile advertising IDs linked to
                email addresses--would constitute covered personal identifiers.
                 Example 3. Demographic or contact data linked only to
                other demographic or contact data--such as a data set linking first and
                last names to residential street addresses, email addresses to first
                and last names, or customer loyalty membership records linking first
                and last names to phone numbers--would not constitute covered personal
                identifiers.
                 Example 4. Demographic or contact data linked to other
                demographic or contact data and to another listed identifier--such as a
                data set linking first and last names to email addresses and to IP
                addresses--would constitute covered personal identifiers.
                 Example 5. Account usernames linked to passwords as part
                of a sale of a data set would constitute covered personal identifiers.
                Those types of account-authentication data are not linked as part of
                the provision of telecommunications, networking, or similar services.
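                 The linkage rule in 1(a) and its two exceptions can be checked mechanically against Examples 1 through 5. The following is an added illustration written for this page; it is not part of the ANPRM and not Department of Justice tooling. The enum names, the mapping from column names to listed identifier classes, and the `for_telecom_service` flag (standing in for the transaction context that shows whether a linkage is necessary to provide telecommunications or similar services) are assumptions made here.

```python
"""Added example (not part of the ANPRM): a classifier for the
'in combination with each other' subcategory of covered personal identifiers,
following the proposed definition and Examples 1-5.  The class names, the
column-to-class mapping and the `for_telecom_service` flag are assumptions
made here for illustration."""
from enum import Enum


class IdClass(Enum):
    """Listed identifier classes enumerated in the ANPRM (enum names assumed)."""
    GOVERNMENT_ID = "government identification or account number"
    FINANCIAL_ACCOUNT = "financial account number or PIN"
    DEVICE_ID = "device-based or hardware-based identifier"
    DEMOGRAPHIC_CONTACT = "demographic or contact data"
    ADVERTISING_ID = "advertising identifier"
    ACCOUNT_AUTH = "account-authentication data"
    NETWORK_ID = "network-based identifier"
    CALL_DETAIL = "call-detail data"


# Assumed mapping from column names in a record set to listed classes.  Columns
# absent from this map (employment history, browsing history, ...) are not
# listed identifiers and never contribute to a covered combination.
COLUMN_CLASS = {
    "ssn": IdClass.GOVERNMENT_ID,
    "drivers_license": IdClass.GOVERNMENT_ID,
    "passport": IdClass.GOVERNMENT_ID,
    "bank_account": IdClass.FINANCIAL_ACCOUNT,
    "mac": IdClass.DEVICE_ID,
    "imei": IdClass.DEVICE_ID,
    "first_name": IdClass.DEMOGRAPHIC_CONTACT,
    "last_name": IdClass.DEMOGRAPHIC_CONTACT,
    "email": IdClass.DEMOGRAPHIC_CONTACT,
    "phone": IdClass.DEMOGRAPHIC_CONTACT,
    "street_address": IdClass.DEMOGRAPHIC_CONTACT,
    "maid": IdClass.ADVERTISING_ID,
    "username": IdClass.ACCOUNT_AUTH,
    "password": IdClass.ACCOUNT_AUTH,
    "ip": IdClass.NETWORK_ID,
    "cookie": IdClass.NETWORK_ID,
    "cpni": IdClass.CALL_DETAIL,
}

# Classes named in exception (b): network-based identifiers,
# account-authentication data and call-detail data.
TELECOM_CLASSES = {IdClass.NETWORK_ID, IdClass.ACCOUNT_AUTH, IdClass.CALL_DETAIL}


def classify(columns, for_telecom_service=False):
    """Return (is_covered, reason) for columns that travel together in one set.

    Columns of one record set are 'linked' in the ANPRM's sense: the receiving
    party can associate them with the same person without further data.
    `for_telecom_service` models the narrow case in exception (b) where the
    linkage is necessary to provide telecommunications, networking or similar
    services (assumed flag; the transaction context would supply it).
    """
    listed = [c for c in columns if c in COLUMN_CLASS]
    classes = {COLUMN_CLASS[c] for c in listed}
    # Example 1: a standalone listed identifier is not covered.
    if len(listed) < 2:
        return False, "standalone listed identifier (or no listed identifier)"
    # Exception (a) / Example 3: demographic or contact data linked only to
    # other demographic or contact data.
    if classes == {IdClass.DEMOGRAPHIC_CONTACT}:
        return False, "demographic/contact data linked only to demographic/contact data"
    # Exception (b): telecom-provisioning data linked only to each other, and
    # only when that linkage is necessary to provide the service.
    if classes <= TELECOM_CLASSES and for_telecom_service:
        return False, "network/authentication/call-detail data linked for service provision"
    # Examples 2, 4 and 5: any other listed identifier linked to another one
    # (two identifiers of the same class, e.g. username + password, count too).
    return True, "listed identifiers linked to each other: " + ", ".join(
        sorted(k.value for k in classes))


def is_covered_personal_identifiers(columns, for_telecom_service=False):
    """Boolean convenience wrapper around classify()."""
    return classify(columns, for_telecom_service)[0]
```

Note that the classifier operates on listed identifiers, not on classes: a username linked to a password is two listed identifiers of the same class and, outside the telecom-provisioning exception, is covered exactly as Example 5 states. Unlisted columns are dropped before counting, which is why a set of employment and browsing history alone never qualifies.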
                 1(b). With respect to the subcategory of listed classes of
                personally identifiable data ``in combination . . . with other
                sensitive personal data,'' the Department is considering treating these
                combinations as combined data subject to the lowest bulk threshold
                applicable to the categories of data present, as separately discussed
                below with respect to the definition of the term bulk U.S. sensitive
                personal data.
                 1(c). With respect to the subcategory of listed classes of
                personally identifiable data ``in combination . . . with other data
                that is disclosed by a transacting party pursuant to the transaction
                that makes the personally identifiable data exploitable by a country of
                concern,'' the Department does not intend to impose an obligation on
                transacting parties to independently determine whether particular
                combinations of data would be ``exploitable by a country of concern'';
                rather, the Department intends to identify specific classes of data
                that, when combined, would satisfy this standard. The Department seeks
                comment on other ways in which it can further define this subcategory.
                As context, the Department intends this subcategory to apply to
                scenarios such as the following:
                 Example 6. A foreign person who is a covered person asks a
                U.S. company for a list of MAC addresses from devices that have
                connected to the wireless network of a U.S. fast-food restaurant
                located in a particular government building. The U.S. company then
                sells the list of MAC addresses, without any other listed identifiers
                or sensitive personal data, to the covered person. The data disclosed
                by the covered person's inquiry for MAC addresses from ``devices that
                have connected to the wireless network of a U.S. fast-food restaurant
                located in a particular government building'' makes the list of MAC
                addresses exploitable by a country of concern.
                 Example 7. A U.S. company sells to a country of concern a
                list of full names that the company describes (in a heading in the list
                or to the country of concern as part of the transaction) as ``members
                of a country of concern's opposition political party in New York
                City,'' or as ``active-duty LGBTQ+ military officers'' without any
                other listed identifiers or sensitive personal data. The data disclosed
                by the U.S. company's description of the list of names as ``members of
                a country of concern's opposition political party in New York City'' or
                ``active-duty LGBTQ+ military officers'' makes the list of names
                exploitable by a country of concern.
                 By contrast, the Department does not intend this subcategory to
                apply to scenarios such as the following:
                 Example 8. A covered person asks a U.S. company for a bulk
                list of birth dates for ``any American who visited a Starbucks in
                Washington, DC in December 2023.'' The U.S. company then sells the list
                of birth dates, without any other listed identifiers or sensitive
                personal data, to the covered person.
                 Example 9. A U.S. company sells to a covered person a list
                of full names that the company describes (in a heading in the list or
                to the covered person as part of the transaction) as ``Americans who
                watched more than 50% of episodes'' of a popular TV show, without any
                other listed identifiers or sensitive personal data.
                 2. Geolocation and related sensor data. The Department of Justice
                currently intends for its first rulemaking to regulate covered data
                transactions involving geolocation and related sensor data only to the
                extent that such transactions involve precise geolocation data. Precise
                geolocation data would mean data, whether real-time or historical, that
                identifies the physical location of an individual or a device with a
                precision of within [number of meters/feet] based on electronic signals
                or inertial sensing units.
                 3. Biometric identifiers. The term biometric identifiers means
                measurable physical characteristics or behaviors used to recognize or
                verify the identity of an individual, including facial images, voice
                prints and patterns, retina and iris scans, palm prints and
                fingerprints, gait, and keyboard usage patterns that are enrolled in a
                biometric system and the templates created by the system.
                 4. Human `omic data. The Department of Justice currently intends
                for its first rulemaking to regulate covered data transactions
                involving human `omic data only to the extent that such transactions
                involve human genomic data. The term human genomic data means data
                representing the nucleic acid sequences that comprise the entire set or
                a subset of the genetic instructions found in a human cell, including
                the result or results of an individual's ``genetic test'' (as defined
                in 42 U.S.C. 300gg-91(d)(17)) and any related human genetic sequencing
                data.
                 5. Personal health data. The term personal health data means
                ``individually identifiable health information'' (as defined in 42
                U.S.C. 1302d(6) and 45 CFR 160.103), regardless of whether such
                information is collected by a ``covered entity'' or ``business
                associate'' (as defined in 45 CFR 160.103).
                [[Page 15786]]
                 6. Personal financial data. The term personal financial data means
                data about an individual's credit, charge, or debit card, or bank
                account, including purchases and payment history; data in a bank,
                credit, or other financial statement, including assets, liabilities and
                debts, and transactions; or data in a credit or ``consumer report'' (as
                defined under 15 U.S.C. 1681a).
                  With respect to the definition of the term sensitive personal data,
                 the Department of Justice is considering defining, or further
                 defining, categorical exclusions that would apply to the extent that
                 data consists of:
                 i. Public or nonpublic data that does not relate to an
                individual, including such data that meets the definition of a
                ``trade secret'' (as defined in 18 U.S.C. 1839(3)) or ``proprietary
                information'' (as defined in 50 U.S.C. 1708(d)(7));
                 ii. Data that is lawfully available to the public from a
                Federal, State, or local government record or in widely distributed
                media (such as court records or other sources that are generally
                available to the public through unrestricted and open-access
                repositories);
                 iii. Personal communications that do not transfer anything of
                value (see 50 U.S.C. 1702(b)(1)); or
                 iv. Information or informational materials (see 50 U.S.C.
                1702(b)(3)), which would be defined further in the regulations. The
                Department of Justice anticipates interpreting the phrase
                ``information or informational materials'' as including expressive
                information, like videos and artwork, and excluding non-expressive
                data, consistent with the speech-protective purpose of 50 U.S.C.
                1702(b)(3).
                 Bulk thresholds. The program would establish volume-based
                thresholds for each category of sensitive personal data and for
                combined datasets. The Department of Justice is considering the
                following approach to determine the bulk thresholds.
                 To the maximum extent feasible, the bulk thresholds would be set
                based on a risk-based assessment that examines threat, vulnerabilities,
                and consequences as components of risk. In the context of the bulk
                thresholds, a risk-based assessment would account for the
                characteristics of datasets that affect the data's vulnerability to
                exploitation by countries of concern and that affect the consequences
                of exploitation. These characteristics may include both human-centric
                characteristics (which describe a data set in terms of its potential
                value to a human analyst) and machine-centric characteristics (which
                describe how easily a data set could be processed by a computer
                system). The framework's human-centric characteristics may include how
                many individuals a data set covers (size), how the data could be used
                (purpose), how easy it is to deliberately change the data
                (changeability), who tracks and manages the data (control), and how
                easy the data is to obtain (availability). The framework's machine-
                centric characteristics may include the number of data points in a
                dataset (volume), how quickly the dataset evolves (velocity), how
                specifically a data set targets a sensitive group (correlation), and
                how much processing is required to use the data (quality). Applying
                this style of framework would allow for a particularized assessment of
                the relative sensitivity of each of the six categories of sensitive
                personal data and would inform the volume threshold applicable to each
                category.
                 Based on a preliminary risk assessment, the Department of Justice,
                in consultation with other agencies, is considering adopting bulk
                thresholds within the following ranges, and would welcome additional
                analysis about the costs and benefits of specific thresholds for each
                category:
                 --------------------------------------------------------------------------------------------------------------------------------------------------------
                 Category                          Low                                    High
                 --------------------------------------------------------------------------------------------------------------------------------------------------------
                 Human genomic data                More than 100 U.S. persons             More than 1,000 U.S. persons
                 Biometric identifiers             More than 100 U.S. persons             More than 10,000 U.S. persons
                 Precise geolocation data          More than 100 U.S. devices             More than 10,000 U.S. devices
                 Personal health data              More than 1,000 U.S. persons           More than 1,000,000 U.S. persons
                 Personal financial data           More than 1,000 U.S. persons           More than 1,000,000 U.S. persons
                 Covered personal identifiers      More than 10,000 U.S. persons          More than 1,000,000 U.S. persons
                 --------------------------------------------------------------------------------------------------------------------------------------------------------
                 The Department of Justice proposes to operationalize these bulk
                thresholds as follows:
                 The term bulk U.S. sensitive personal data means a collection or
                set of data relating to U.S. persons, in any format, regardless of
                whether the data is anonymized, pseudonymized, de-identified, or
                encrypted and that includes, at any point in the preceding twelve
                months, whether through a single covered data transaction or
                aggregated across covered data transactions involving the same
                foreign person or covered person:
                 (i) Human genomic data collected or maintained on more than
                [number of] U.S. persons;
                 (ii) Biometric identifiers collected or maintained on more than
                [number of] U.S. persons;
                 (iii) Precise geolocation data collected or maintained on more
                than [number of] U.S. devices;
                 (iv) Personal health data collected or maintained on more than
                [number of] U.S. persons;
                 (v) Personal financial data collected or maintained on more than
                [number of] U.S. persons;
                 (vi) Covered personal identifiers collected or maintained on
                more than [number of] U.S. persons; or
                 (vii) Combined data, meaning any collection or set of data that
                contains more than one of categories (i) through (vi), or that
                contains any listed identifier linked to categories (i) through (v),
                that meets the threshold number of persons or devices collected or
                maintained in the aggregate for the lowest number of U.S. persons or
                U.S. devices in any category of data present.
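                 As a worked illustration of the aggregation and combined-data rules in
                the proposed definition, the following Python screening routine is an
                added example; it is not part of the notice or of any Department of
                Justice program. It assumes threshold values equal to the low end of the
                ranges the Department says it is considering (the proposed text leaves
                them as ``[number of]''), assumes that person identifiers and device
                identifiers share one identifier space for the combined-data comparison,
                and covers only the ``more than one category'' prong of item (vii). The
                transactions it screens are constructed.

```python
"""Screening routine for the proposed "bulk U.S. sensitive personal data" test.

Added example, not part of the notice. Threshold values are ASSUMED (the low
end of the ranges under consideration); the proposed text leaves them blank.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Categories (i)-(vi). The counting unit is U.S. persons, except precise
# geolocation data, which is counted in U.S. devices.
THRESHOLDS = {
    "human_genomic": 100,                    # ASSUMED (low end of table range)
    "biometric": 100,                        # ASSUMED
    "precise_geolocation": 100,              # ASSUMED; counted in devices
    "personal_health": 1_000,                # ASSUMED
    "personal_financial": 1_000,             # ASSUMED
    "covered_personal_identifiers": 10_000,  # ASSUMED
}

LOOKBACK = timedelta(days=365)  # "at any point in the preceding twelve months"


@dataclass(frozen=True)
class Transfer:
    """One covered data transaction with one counterparty (constructed record).

    `records` maps a category to the set of pseudonymous ids of the distinct
    U.S. persons (or devices, for geolocation) whose data it carried. Sets are
    used so a person appearing in two transfers is counted once when aggregating.
    """
    counterparty: str
    when: date
    records: dict


def aggregate(transfers, counterparty, as_of):
    """Union of the records sent to `counterparty` in the 12 months before `as_of`.

    This is the "aggregated across covered data transactions involving the same
    foreign person or covered person" step of the definition.
    """
    totals = {}
    for t in transfers:
        if t.counterparty != counterparty:
            continue
        if not (as_of - LOOKBACK < t.when <= as_of):
            continue  # outside the twelve-month window
        for category, ids_ in t.records.items():
            totals.setdefault(category, set()).update(ids_)
    return totals


def bulk_status(totals):
    """Apply items (i)-(vi), then the combined-data item (vii). Returns (is_bulk, reason)."""
    present = [c for c, ids_ in totals.items() if ids_]
    over = sorted(c for c in present if len(totals[c]) > THRESHOLDS[c])
    if over:
        return True, "single-category threshold exceeded: " + ", ".join(over)
    if len(present) > 1:
        # (vii): with more than one category present, the aggregate number of
        # persons/devices is measured against the LOWEST threshold of any
        # category present. ASSUMPTION: person ids and device ids share one
        # id space, so a plain set union is the aggregate.
        lowest = min(THRESHOLDS[c] for c in present)
        combined = set().union(*(totals[c] for c in present))
        if len(combined) > lowest:
            return True, f"combined data: {len(combined)} > lowest threshold {lowest}"
    return False, "below threshold"


def screen(transfers, counterparty, as_of):
    return bulk_status(aggregate(transfers, counterparty, as_of))


def ids(prefix, start, n):
    """Constructed pseudonymous ids prefix-start ... prefix-(start+n-1)."""
    return {f"{prefix}-{i}" for i in range(start, start + n)}


# Constructed transactions. Counterparty A receives three small sets that each
# stay under their own threshold; counterparty B receives geolocation data in
# three transfers, one of them older than twelve months.
SAMPLE = [
    Transfer("A", date(2024, 1, 15), {"human_genomic": ids("p", 0, 60)}),
    Transfer("A", date(2024, 2, 20), {"biometric": ids("p", 30, 50)}),  # 30 overlap with genomic
    Transfer("A", date(2024, 3, 1), {"personal_health": ids("p", 200, 40)}),
    Transfer("B", date(2022, 12, 1), {"precise_geolocation": ids("d", 0, 90)}),
    Transfer("B", date(2023, 11, 1), {"precise_geolocation": ids("d", 100, 70)}),
    Transfer("B", date(2024, 2, 1), {"precise_geolocation": ids("d", 200, 40)}),
]


def demo():
    """Screen both counterparties at two points in time."""
    return {
        "A@2024-01-31": screen(SAMPLE, "A", date(2024, 1, 31)),
        "A@2024-03-04": screen(SAMPLE, "A", date(2024, 3, 4)),
        "B@2024-01-01": screen(SAMPLE, "B", date(2024, 1, 1)),
        "B@2024-03-04": screen(SAMPLE, "B", date(2024, 3, 4)),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(key, result)
```

                 Two points the routine makes visible: counterparty A never crosses a
                single-category threshold (60 genomic, 50 biometric, 40 health), yet
                once three categories are present the 120 distinct persons exceed the
                lowest threshold among them, so the set is bulk under item (vii); and
                counterparty B's 90-device transfer drops out of the count after twelve
                months, while the two later transfers aggregate to 110 devices and cross
                the geolocation threshold together even though neither does alone.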
                 The ANPRM seeks comment on this topic, including:
                 1. In what ways, if any, should the Department of Justice
                elaborate or amend the definition of bulk U.S. sensitive personal
                data? If the definition should be elaborated or amended, why?
                 2. Should the Department of Justice treat data that is
                anonymized, pseudonymized, de-identified, or encrypted differently?
                If so, why?
                 3. Should the Department of Justice consider amending the
                definitions applicable to any of the six categories of sensitive
                personal data? If the definition should be elaborated or amended,
                why?
                 4. Are there categories of bulk U.S. sensitive personal data
                that should be added to the definition? Are there categories
                proposed that should be removed? Please explain.
                 5. The Executive order directs a report and recommendation
                assessing the risks and benefits of regulating transactions
                involving other specified types of human `omic data. Should data
                transactions involving these other types of human `omic data be
                regulated? If so, which types of human `omic data? What risks,
                scientific value, and economic costs should be considered?
                 6. What, if any, possible unintended consequences could result
                from the definition (including the bulk thresholds) under
                consideration? In particular, to what extent would the approach
                contemplated here affect individuals' rights to share their own
                biospecimens and health, genomic, and other data?
                [[Page 15787]]
                 7. What thresholds for datasets should apply with respect to
                each category of bulk U.S. sensitive personal data under
                consideration, and why is each such threshold appropriate? Should
                any category of sensitive personal data (e.g., covered personal
                identifiers) have different thresholds for different subtypes or
                specific fields of data based on sensitivity, purpose, correlation,
                or other factors?
                 8. Are there other factors or characteristics that the
                Department of Justice should evaluate as part of the proposed
                analytical framework for determining the bulk thresholds?
                 9. What data points, specific use cases, or other information
                should the Department of Justice consider in determining the bulk
                thresholds for bulk U.S. sensitive personal data?
                 10. At what level should the Department of Justice set the
                precision (i.e., numbers of meters/feet) in defining precise
                geolocation data? What are common commercial applications of
                geolocation data, and what level of precision is required to support
                those applications? When geolocation data is ``fuzzed'' in some
                commercial applications to reduce potential privacy impacts, what
                are common techniques for ``fuzzing'' the data, what is the
                resulting reduction in the level of precision, and how effective are
                those techniques in reducing the sensitivity of the data? To what
                extent should the definition be informed by the level of precision
                for geolocation data used in certain state data-privacy laws, such
                as a radius of 1,850 feet (see, e.g., Cal. Civ. Code section
                1798.140(w)) or a radius of 1,750 feet (see, e.g., Utah Civ. Code
                section 13-61-101(33(a)))?
                 11. Should the Department of Justice consider changing any of
                the categorical exclusions to the definition of sensitive personal
                data? How should the program define the exclusion for data that is
                lawfully a matter of public record, particularly in light of data
                that is scraped from the internet or data points that are themselves
                public but whose linkage to the same individual is not public? What
                types of data are generally available to the public through open-
                access repositories?
                 12. How do businesses use each category of sensitive personal
                data, particularly in the cross-border context, and how would the
                ranges of bulk thresholds under consideration affect businesses'
                ability to engage in data transactions with countries of concern or
                covered persons?
                 13. Should the classes of listed identifiers, such as for
                government identification numbers and financial account numbers,
                include truncated versions of the full numbers? If so, how should
                ``truncated'' be defined?
                 14. With respect to defining linked for purposes of covered
                personal identifiers, should the Department of Justice consider
                placing a time limit on when listed identifiers would be considered
                linked to address a scenario in which, for example, a U.S. person
                sells a bulk list of names to a covered person on day one (which
                would not be a covered data transaction) and then sells a list of
                Social Security Numbers associated with those names years later?
                Would the lack of such a time limit require or encourage U.S.
                companies, such as data brokers, to retain sensitive personal data
                that they would otherwise purge in the normal course of business?
                 15. With respect to defining the term covered personal
                identifiers, how should the Department define the subcategory of
                listed classes of personally identifiable data ``in combination . .
                . with other data that is disclosed by a transacting party pursuant
                to the transaction that makes the personally identifiable data
                exploitable by a country of concern''?
                 16. How should the Department define information or
                informational materials? What factors should the Department take
                into account in its definition? What relevant precedents from other
                IEEPA-based programs should the Department take into account when
                defining the term?
                C. Government-Related Data
                 In addition to authorizing the Attorney General to address the
                national-security risks posed by transactions involving bulk sensitive
                personal data, the Order also authorizes the Attorney General to
                prohibit or otherwise restrict U.S. persons from engaging in certain
                transactions involving government-related data regardless of volume.
                The Order defines the term ``United States Government-related data'' as
                sensitive personal data that, regardless of volume, the Attorney
                General determines poses a heightened risk of being exploited by a
                country of concern to harm United States national security and that (1)
                a transacting party identifies as being linked or linkable to
                categories of current or recent former employees or contractors, or
                former senior officials, of the Federal Government, including the
                military, as specified in regulations issued by the Attorney General
                pursuant to section 2 of the order; (2) is linked to categories of data
                that could be used to identify current or recent former employees or
                contractors, or former senior officials, of the Federal Government,
                including the military, as specified in regulations issued by the
                Attorney General pursuant to section 2 of the order; or (3) is linked
                or linkable to certain sensitive locations, the geographical areas of
                which will be specified publicly, that are controlled by the Federal
                Government, including the military.
                 The Department of Justice is considering further defining the term
                government-related data to include two data categories: (1) any precise
                geolocation data, regardless of volume, for any location within any
                area enumerated on a list of specific geofenced areas associated with
                military, other government, or other sensitive facilities or locations
                (the Government-Related Location Data List), or (2) any sensitive
                personal data, regardless of volume, that a transacting party markets
                as linked or linkable to current or recent former employees or
                contractors, or former senior officials, of the U.S. government,
                including the military and Intelligence Community.
                 With respect to the location subcategory, the Government-Related
                Location Data List would be created through an interagency process in
                which each agency identifies any geofenced areas relative to its
                equities for inclusion on the list, and DOJ would maintain and publish
                the list.
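                 The following Python routine, an added example that is not part of the
                notice and not an actual Government-Related Location Data List, shows
                how a transacting party might screen precise geolocation records against
                geofenced areas once such a list is published. The area names and
                polygon vertices are constructed placeholders, as are the device
                records; the check is pure geometric containment and does not account
                for the position-error radius of a record.

```python
"""Screening precise geolocation records against geofenced areas.

Added example, not part of the notice. The Government-Related Location Data
List has not been published; the areas below are constructed placeholders.
"""

# Each area is a closed polygon of (lat, lon) vertices. PLACEHOLDER entries.
GEOFENCED_AREAS = {
    "PLACEHOLDER-AREA-1": [  # a small rectangle
        (38.870, -77.060), (38.870, -77.050), (38.865, -77.050), (38.865, -77.060),
    ],
    "PLACEHOLDER-AREA-2": [  # a triangle
        (36.000, -76.000), (36.010, -76.000), (36.005, -75.990),
    ],
}


def point_in_polygon(lat, lon, polygon):
    """Ray-casting test: cast a ray from the point toward increasing longitude
    and count the polygon edges it crosses; an odd count means inside.

    Adequate for the small, non-self-intersecting areas a geofence list would
    carry; it treats coordinates as planar, which is acceptable at this scale.
    """
    inside = False
    n = len(polygon)
    for i in range(n):
        lat1, lon1 = polygon[i]
        lat2, lon2 = polygon[(i + 1) % n]
        if (lat1 > lat) != (lat2 > lat):  # edge straddles the point's latitude
            lon_at = lon1 + (lat - lat1) * (lon2 - lon1) / (lat2 - lat1)
            if lon < lon_at:  # crossing lies east of the point
                inside = not inside
    return inside


def screen_records(records, areas=GEOFENCED_AREAS):
    """Return (device_id, area) for every record that falls inside a listed area.

    Under the contemplated definition such records are government-related data
    regardless of volume, so a single hit changes the status of the set; the
    caller therefore gets every hit rather than a count against a threshold.
    """
    hits = []
    for rec in records:
        for name, polygon in areas.items():
            if point_in_polygon(rec["lat"], rec["lon"], polygon):
                hits.append((rec["device_id"], name))
                break  # one listing per record is enough
    return hits


# Constructed device records (pseudonymous ids, no real devices).
SAMPLE_RECORDS = [
    {"device_id": "dev-1", "lat": 38.867, "lon": -77.055},  # inside AREA-1
    {"device_id": "dev-2", "lat": 38.880, "lon": -77.055},  # north of AREA-1
    {"device_id": "dev-3", "lat": 36.005, "lon": -75.998},  # inside AREA-2
    {"device_id": "dev-4", "lat": 36.005, "lon": -75.985},  # east of AREA-2's apex
]

if __name__ == "__main__":
    print(screen_records(SAMPLE_RECORDS))
```

                 Because the location subcategory applies regardless of volume, the
                screen is deliberately written to surface individual records rather
                than a count; a dataset that contains even one flagged point would need
                to be handled as government-related data under the definition above.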
                 The Department of Justice currently intends the personnel
                subcategory to apply to scenarios such as the following:
                 Example 10. A U.S. company advertises the sale of a set of
                sensitive personal data as belonging to ``active duty'' personnel,
                ``military personnel who like to read,'' ``DoD'' personnel,
                ``government employees,'' or ``communities that are heavily connected
                to a nearby military base.''
                 Example 11. In discussing the sale of a set of sensitive
                personal data with a foreign counterparty, a U.S. company describes the
                data set as belonging to members of a specific organization, which
                restricts membership to current and former members of the military and
                their families.
                 The ANPRM seeks comment on this topic, including:
                 17. In what ways, if any, should the Department of Justice
                elaborate or amend the definition of government-related data,
                including with respect to ``recent former'' employees or
                contractors, and ``former senior officials''?
                 18. Are there categories of government-related data that should
                be added to the definition? Are there categories proposed that
                should be removed? Please explain.
                 19. How should the Department of Justice define data that is
                ``marketed as linked or linkable'' to current or recent former
                employees or contractors, or former senior officials, of the U.S.
                Government (including the military or Intelligence Community)? What
                are the current industry practices?
                 20. How would the contemplated definitions of bulk sensitive
                personal data and government-related data affect health and related
                research activities, such as genomic research on deceased U.S.
                persons who were former senior U.S. officials or recent former
                employees or contractors? To what extent do such activities involve
                covered data transactions with countries of concern or covered
                persons that would be prohibited or regulated under this program?
                Should the Department of Justice consider a general license for such
                activities, and if so, what should the parameters be for such a
                license?
                 21. What, if any, possible unintended consequences could result
                from the definition of government-related data under consideration?
                [[Page 15788]]
                D. Covered Data Transactions
                 The Order authorizes the Attorney General to prohibit or otherwise
                restrict United States persons from engaging in transactions meeting
                several criteria and requires the Attorney General to identify classes
                of transactions subject to those prohibitions or restrictions. With
                respect to defining what would constitute a covered data transaction,
                the Department of Justice proposes to carefully tailor the program to
                achieve the Order's intent and effect. Consequently, the Department of
                Justice is considering adopting the following definitions relevant to
                the concept of a covered data transaction. A transaction is any
                acquisition, holding, use, transfer, transportation, exportation of, or
                dealing in any property in which a foreign country or national thereof
                has an interest. A covered data transaction is any transaction that
                involves any bulk U.S. sensitive personal data or government-related
                data and that involves: (1) data brokerage; (2) a vendor agreement; (3)
                an employment agreement; or (4) an investment agreement.
                 Under this definition of covered data transactions and the
                definition of access below (which includes both actual, as well as
                ``the ability to'' exercise, physical or logical access), prohibited
                transactions would be those covered data transactions that are
                categorically determined to pose an unacceptable risk to national
                security because they may enable countries of concern or covered
                persons to access bulk U.S. sensitive personal data or government-
                related data. Likewise, under these definitions, restricted
                transactions would be those covered data transactions that are
                categorically determined to pose an unacceptable risk to national
                security because they may enable countries of concern or covered
                persons to access bulk U.S. sensitive personal data or government-
                related data unless the security requirements are implemented. The
                program would take a categorical approach to regulating covered data
                transactions; it would not rely on transacting parties or the
                government to determine whether specific covered data transactions
                within the classes of prohibited and restricted transactions
                individually pose unacceptable risks of access.
                 Basic terms. The Department of Justice is considering defining the
                term access to mean ``logical or physical access, including the ability
                to obtain, read, copy, decrypt, edit, divert, release, affect, alter
                the state of, or otherwise view or receive, in any form, including
                through information-technology systems, cloud-computing platforms,
                networks, security systems, equipment, or software.'' The Department of
                Justice is considering defining the term U.S. device to mean ``any
                device that is linked or linkable to a U.S. person.'' The Department of
                Justice is also considering defining the terms entity, foreign person,
                person, and U.S. person as follows, consistent with the definitions of
                those terms in other IEEPA-based regulations, including those contained
                in relevant sections of title 31 of the Code of Federal Regulations:
                 The term entity means a partnership, association, trust, joint
                venture, corporation, group, subgroup, or other organization.
                 The term foreign person means any person that is not a U.S.
                person. (For clarity, a foreign branch of a U.S. company would
                generally be treated the same as the U.S. company itself--as a U.S.
                person, not a foreign person.)
                 The term person means an individual or entity.
                 The term U.S. person means any United States citizen, national,
                or lawful permanent resident; or any individual admitted to the
                United States as a refugee under 8 U.S.C. 1157 or granted asylum
                under 8 U.S.C. 1158; or any entity organized solely under the laws
                of the United States or any jurisdiction within the United States
                (including foreign branches); or any person in the United States.
                 Example 12. An individual is a citizen of a country of
                concern and is in the United States. The individual is a U.S.
                person.
                 Example 13. An individual is a U.S. citizen. The
                individual is a U.S. person, regardless of location.
                 Example 14. An individual is a dual citizen of the
                United States and a country of concern. The individual is a U.S.
                person, regardless of location.
                 Example 15. An individual is a citizen of a country of
                concern, is not a permanent resident alien of the United States, and
                is outside the United States. The individual is a foreign person.
                 Data brokerage. The program would define data brokerage as the sale
                of, licensing of access to, or similar commercial transactions
                involving the transfer of data from any person (the provider) to any
                other person (the recipient), where the recipient did not collect or
                process the data directly from the individuals linked or linkable to
                the collected or processed data. The Department of Justice currently
                intends data brokerage to apply to scenarios such as the following:
                 Example 16. A U.S. company sells bulk U.S. sensitive
                personal data to an entity headquartered in a country of concern.
                 Example 17. A U.S. company enters into an agreement that
                gives a covered person a license to access government-related data held
                by the U.S. company.
                 Example 18. A U.S. organization maintains a database of
                bulk U.S. sensitive personal data and offers annual memberships for a
                fee that provide members a license to access that data. Providing an
                annual membership to a covered person would constitute a prohibited
                data brokerage.
                 Vendor agreement. The contemplated program would define a vendor
                agreement as any agreement or arrangement, other than an employment
                agreement, in which any person provides goods or services to another
                person, including cloud-computing services, in exchange for payment or
                other consideration. Cloud-computing services would be defined as
                services related to the provision or use of ``cloud computing,''
                including ``Infrastructure-as-a-Service (IaaS),'' ``Platform-as-a-
                Service (PaaS),'' and ``Software-as-a-Service (SaaS)'' (as those terms
                are defined in NIST Special Publication 800-145). The Department of
                Justice currently intends vendor agreements to apply to scenarios such
                as the following:
                 Example 19. A U.S. company collects bulk precise
                geolocation data from U.S. users through an app. The U.S. company
                enters into an agreement with a company headquartered in a country of
                concern to process and store this data.
                 Example 20. A medical facility in the United States
                contracts with a company headquartered in a country of concern to
                provide IT-related services. The medical facility has bulk personal
                health data on its U.S. patients. The IT services provided under the
                contract involve access to the medical facility's systems containing
                the bulk personal health data.
                 Example 21. A U.S. company, which is owned by an entity
                headquartered in a country of concern and has been designated a covered
                person, establishes a new data center in the United States to offer
                managed services. The U.S. company's data center serves as a vendor to
                various U.S. companies to store bulk U.S. sensitive personal data
                collected by those companies.
                 Example 22. A U.S. company develops mobile games that
                collect bulk precise geolocation data and biometric identifiers of U.S.
                person users. The U.S. company contracts part of the software
                development to a foreign person who is primarily resident in a country
                of concern and is a covered person. The software-development services
                provided by the covered person under the contract involve access to the
                bulk precise geolocation data and biometric identifiers.
                [[Page 15789]]
                 By contrast, the Department of Justice currently does not intend
                this category to apply to scenarios such as the following:
                 Example 23. A U.S. multinational company maintains bulk
                U.S. sensitive personal data of U.S. persons. This company has a
                foreign branch, located in a country of concern, that has access to
                this data. The foreign branch contracts with a local company located in
                the country of concern to provide cleaning services for the foreign
                branch's facilities. Although the foreign branch is a U.S. person, the
                local company is a covered person, and the contract is a vendor
                agreement, the services performed under this contract do not
                ``involve'' the bulk U.S. sensitive personal data and thus would not be
                a covered data transaction subject to regulation.
                 Employment agreement. The program would define an employment
                agreement as any agreement or arrangement in which an individual, other
                than as an independent contractor, performs work or performs job
                functions directly for a person in exchange for payment or other
                consideration, including employment on a board or committee, executive-
                level arrangements or services, and employment services at an
                operational level. The Department of Justice currently intends
                employment agreements to apply to scenarios such as the following:
                 Example 24. A U.S. company that conducts consumer genomic
                testing collects and maintains bulk human genomic data from U.S.
                consumers. The U.S. company has global IT operations, including
                employing a team of individuals that are citizens of and primarily
                reside in a country of concern to provide back-end services. Employment
                as part of the global IT operations team includes access to the U.S.
                company's systems containing the bulk human genomic data.
                 Example 25. A U.S. company develops its own mobile games
                and social media apps that collect the bulk U.S. sensitive personal
                data of its U.S. users. The U.S. company distributes these games and
                apps in the United States through U.S.-based digital distribution
                platforms for software applications. Although the U.S. company's
                development team does not employ any covered persons, the U.S. company
                intends to hire as CEO an individual designated by the Attorney General
                as a covered person because of evidence the CEO acts on behalf of a
                country of concern. The individual's authorities and responsibilities
                as CEO involve access to all data collected by the apps, including the
                bulk U.S. sensitive personal data.
                 Example 26. A U.S. company has amassed U.S. persons' bulk
                sensitive personal data by scraping public photos from social-media
                platforms and then enrolls those photos in a database of bulk biometric
                identifiers developed by the U.S. company, including face-data scans,
                for the purpose of training or enhancing facial-recognition software.
                The U.S. company intends to hire a foreign person, who primarily
                resides in a country of concern, as a project manager responsible for
                the database. The individual's employment as the lead project manager
                would involve access to the bulk biometric identifiers. The employment
                agreement would be a covered data transaction.
                 Example 27. A U.S. financial-services company seeks to
                hire a data scientist who is a citizen of a country of concern who
                primarily resides in that country of concern and who is developing a
                new AI-based personal assistant that could be sold as a standalone
                product to the company's customers. As part of that individual's
                employment, the data scientist would have administrator rights that
                allow that individual to access, download, and transmit bulk quantities
                of personal financial data not ``ordinarily incident to and part of''
                the company's underlying provision of financial services to its
                customers.
                 Investment agreement. The program would define an investment
                agreement as any agreement or arrangement in which any person, in
                exchange for payment or other consideration, obtains direct or indirect
                ownership interests in or rights in relation to (1) real estate located
                in the United States or (2) a U.S. legal entity. The Department of
                Justice currently intends investment agreements to apply to scenarios
                such as the following:
                 Example 28. A U.S. company intends to build a data center
                located in a U.S. territory. The data center will store bulk personal
                health data on U.S. persons. A foreign private-equity fund located in a
                country of concern agrees to provide capital for the construction of
                the data center in exchange for acquiring a majority ownership stake in
                the data center.
                 Example 29. A foreign technology company subject to the
                jurisdiction of a country of concern and that the Attorney General has
                designated as a covered person enters into a shareholders' agreement
                with a U.S. business that develops mobile games and social media apps,
                acquiring a minority equity stake in the U.S. business. These games and
                apps systematically collect bulk U.S. sensitive personal data of its
                U.S. users. The investment agreement explicitly gives the foreign
                technology company the ability to access this data.
                 Example 30. Same as Example 29, but the investment
                agreement either does not explicitly give the foreign technology
                company the right to access the data or explicitly forbids that access.
                The investment agreement would still fall into the class of restricted
                covered data transactions that have been determined to pose an
                unacceptable risk to national security because they may enable
                countries of concern or covered persons to access the bulk U.S.
                sensitive personal data; whether the specific investment agreement
                poses a risk of access does not affect whether the agreement is
                restricted.
                 By contrast, the Department of Justice does not intend to restrict
                investment agreements in scenarios such as the following:
                 Example 31. Same as Example 29, but the U.S. business does
                not maintain or have access to any bulk U.S. sensitive personal data or
                government-related data (e.g., a pre-commercial company or start-up
                company). Because the data transaction does not involve any bulk U.S.
                sensitive personal data or government-related data, this investment
                agreement does not meet the definition of covered data transaction.
                 The Department of Justice is considering categorically excluding
                certain passive investments that do not convey the ownership interest
                or rights (including those that provide meaningful influence that could
                be used to obtain such access) that ordinarily pose an unacceptable
                risk to national security because they may give countries of concern or
                covered persons access to bulk sensitive personal data or government-
                related data. Specifically, the Department of Justice is considering
                categorically excluding, from the definition of investment agreement,
                any investment that:
                 (1) Is made:
                 (a) Into a publicly traded security, with ``security'' defined
                in section 3(a)(10) of the Securities Exchange Act of 1934, Public
                Law 73-291 (as codified as amended at 15 U.S.C. 78c(a)(10)),
                denominated in any currency that trades on a securities exchange or
                through the method of trading that is commonly referred to as
                ``over-the-counter,'' in any jurisdiction;
                 (b) Into an index fund, mutual fund, exchange-traded fund, or a
                similar instrument (including associated derivatives) offered by an
                ``investment company'' (as defined in section 3(a)(1) of the
                Investment Company Act of 1940, Public Law 76-768, as codified as
                amended at 15 U.S.C. 80a-3(a)(1)) or by a private investment fund;
                or
                 (c) As a limited partner into a venture capital fund, private
                equity fund, fund of funds, or other pooled investment fund, if the
                limited partner's contribution is solely capital into a limited
                partnership structure or equivalent and the limited partner cannot
                make managerial decisions, is not responsible for any debts beyond
                its investment, and does not have the formal or informal ability to
                influence or participate in the fund's or a U.S. person's decision-
                making or operations;
                 (2) Gives the covered person less than [a de minimis threshold]
                in total voting and equity interest in a U.S. person; and
                 (3) Does not give a covered person rights beyond those
                reasonably considered to be standard minority shareholder
                protections, including (a) membership or observer rights on, or the
                right to nominate an individual to a position on, the board of
                directors or an equivalent governing body of the U.S. person, or (b)
                any other involvement, beyond the voting of shares, in substantive
                business decisions, management, or strategy of the U.S. person.
                 Finally, the Department of Justice is considering how the program
                should address investment agreements that are ``covered transactions''
                subject to the jurisdiction of the Committee on Foreign Investment in
                the United States (CFIUS) under section 721 of the Defense Production
                Act of 1950, Public Law 81-774, as codified as amended at 50 U.S.C.
                4565. This topic is discussed separately in the section on
                ``Coordination with Other Regulatory Regimes.''
                 The ANPRM seeks comment on this topic, including:
                 22. What modifications to enhance clarity, if any, should be
                made to the definitions under consideration for data brokerage,
                vendor agreements, employment agreements, and investment agreements?
                 23. With respect to the exclusion from the definition of
                investment agreements for certain low-risk investments, what de
                minimis threshold of voting or equity interest should the Department
                of Justice consider establishing?
                 24. Are there any elements of the data brokerage ecosystem that
                would not be included in the definition of data brokerage under
                consideration?
                 25. Are there any additional scenarios or types of data
                transactions that would be helpful to identify whether or not they
                would be restricted?
                E. Countries of Concern
                 The Order requires the Attorney General to identify countries of
                concern. The Order defines ``country of concern'' as any foreign
                government that, as determined by the Attorney General with the
                concurrence of the Secretaries of State and Commerce, ``(1) has engaged
                in a long-term pattern or serious instances of conduct significantly
                adverse to the national security of the United States or security and
                safety of United States persons, and (2) poses a significant risk of
                exploiting bulk U.S. sensitive personal data or United States
                Government-related data to the detriment of the national security of
                the United States or the security and safety of U.S. persons, as
                specified in regulations issued by the Attorney General pursuant to
                section 2 of th[e] order.''
                 The Department of Justice is considering adopting the Order's
                definition of the term country of concern without elaboration or
                amendment. The Department of Commerce, in implementing Executive Order
                13873--in which the President declared a national emergency stemming
                from foreign adversaries' ability to exploit information and
                communications and technology services to, among other things, engage
                in malicious cyber-enabled activities--identified the following
                countries as having engaged in a long-term pattern or serious instances
                of conduct significantly adverse to the national security of the United
                States or security and safety of the United States: the People's
                Republic of China, along with the Special Administrative Region of Hong
                Kong and the Special Administrative Region of Macau; the Russian
                Federation; the Islamic Republic of Iran; the Democratic People's
                Republic of Korea; the Republic of Cuba; and the Bolivarian Republic of
                Venezuela. See 15 CFR 7.4. This Order expands the scope of the national
                emergency declared by the President in Executive Order 13873.
                Accordingly, the Department of Justice is considering identifying the
                same countries as countries of concern under the Order, as will be
                explained further in the notice of proposed rulemaking.
                 The ANPRM seeks comment on this topic, including:
                 26. Should the Department of Justice further elaborate in any
                way on the definition of country of concern to provide greater
                clarity?
                 27. Are there other factors or considerations relating to the
                abilities of the proposed countries of concern to access and exploit
                bulk sensitive personal data or government-related data to engage in
                nefarious activities that the Department of Justice should take into
                account when determining whether to identify the same countries as
                countries of concern?
                F. Covered Persons
                 The Order requires the Attorney General to identify classes of
                covered persons, as appropriate, for the purposes of the Order.
                ``Covered person'' is defined by the Order as ``an entity owned by,
                controlled by, or subject to the jurisdiction or direction of a country
                of concern; a foreign person who is an employee or contractor of such
                an entity; a foreign person who is an employee or contractor of a
                country of concern; a foreign person who is primarily resident in the
                territorial jurisdiction of a country of concern; or any person
                designated by the Attorney General as being owned or controlled by or
                subject to the jurisdiction or direction of a country of concern, as
                acting on behalf of or purporting to act on behalf of a country of
                concern or other covered person, or as knowingly causing or directing,
                directly or indirectly, a violation'' of the Order or its implementing
                regulations. The Department of Justice is considering an approach that
                would identify a covered person as a person that meets the definition
                either by (1) falling into one of the classes without having been
                individually designated by the Department of Justice or (2) having been
                individually designated by the Department of Justice on a public list
                maintained and updated by the Department of Justice.
                 The Department of Justice is considering defining the term covered
                person as:
                 (1) An entity that is 50 percent or more owned, directly or
                indirectly, by a country of concern, or that is organized or
                chartered under the laws of, or has its principal place of business
                in, a country of concern;
                 (2) An entity that is 50 percent or more owned, directly or
                indirectly, by an entity described in category (1) or a person
                described in categories (3), (4), or (5);
                 (3) A foreign person who is an employee or contractor of a
                country of concern or of an entity described in categories (1), (2),
                or (5);
                 (4) A foreign person who is primarily resident in the
                territorial jurisdiction of a country of concern; or
                 (5) Any person designated by the Attorney General as being owned
                or controlled by or subject to the jurisdiction or direction of a
                country of concern, or as acting on behalf of or purporting to act
                on behalf of a country of concern or covered person, or knowingly
                causing or directing a violation of these regulations.
                 Under this contemplated definition, citizens of countries of
                concern located in third countries (i.e., not located in the United
                States and not primarily resident in a country of concern) would not be
                categorically treated as covered persons. Instead, only a subset of
                country-of-concern citizens in third countries would qualify
                categorically as covered persons: those working for the government of a
                country of concern or for a covered entity (as described in category 3
                above). All other country-of-concern citizens located in third
                countries would not qualify as covered
                persons except to the extent that the Attorney General designates them.
                The term covered person would thus apply as follows to country-of-
                concern citizens:
                 Example 32. Foreign persons primarily resident in Cuba,
                Iran or another country of concern would be categorically treated as
                covered persons.
                 Example 33. Chinese or Russian citizens located in the
                United States would be treated as U.S. persons and would not be covered
                persons (except to the extent individually designated). They would be
                subject to the same prohibitions and restrictions as all other U.S.
                persons with respect to engaging in covered data transactions with
                countries of concern or covered persons.
                 Example 34. Citizens of a country of concern who are
                primarily resident in a third country, such as Russian citizens
                primarily resident in the European Union or Cuban citizens primarily
                resident in South America, would not be covered persons except to the
                extent they are individually designated or to the extent that they are
                employees or contractors of a country-of-concern government or a
                covered entity.
                 Example 35. A foreign person located abroad is employed by
                a company headquartered in the People's Republic of China. Because the
                foreign person is the employee of a covered entity, the person is a
                covered person.
                 Example 36. A foreign person located abroad is employed by
                a company that has been designated as a covered person. Because the
                foreign person is the employee of a covered entity, the person is a
                covered person.
                 With respect to individually designated covered persons, the
                Department of Justice is considering maintaining a public list of
                persons determined to be covered persons, modeled on various sanctions
                designations lists maintained by OFAC. Inclusion on the Department of
                Justice's covered person list would have no effect on a person's
                inclusion on OFAC or other U.S. Government designation lists. As
                indicated by the contemplated definition of covered person, this list
                would identify ``any person designated by the Attorney General as being
                owned or controlled by or subject to the jurisdiction or direction of a
                country of concern, or as acting on behalf of or purporting to act on
                behalf of a country of concern or covered person, or knowingly causing
                or directing a violation of these regulations.'' This designations list
                would supplement the defined categories in the definition of covered
                person to provide direct and actual notice to regulated parties of
                specific designated persons, would inform the public regarding the
                specific designated persons subject to this regulation's requirements
                regarding prohibited and restricted covered data transactions, and
                would serve enforcement purposes. Importantly, however, the public list
                would not exhaustively include all covered persons, as any person that
                satisfies the criteria contained in the relevant definitions will be
                considered a covered person under the regulation, regardless of whether
                the person is identified on the public list.
                 The Department of Justice would establish a process to add to,
                remove from, or modify this list. The process would be similar to the
                internal processes used by other United States Government agencies that
                make designations based on IEEPA authorities, including interagency
                consultation to ensure that agencies with relevant equities and
                expertise may weigh in. For example, the Department of Justice would be
                free to consider, to the extent compliant with applicable law, any
                classified or unclassified information from any Federal agency or other
                source. A person would be able to seek administrative reconsideration
                of the Department of Justice's determination that they are a covered
                person, or assert that the circumstances resulting in the determination
                no longer apply, and thus seek to have the designation rescinded
                pursuant to applicable administrative procedures. This administrative
                appeals process would be based on, and substantially similar to,
                analogous programs maintained by other Federal agencies that exercise
                IEEPA authorities.
                 The ANPRM seeks comment on this topic, including:
                 28. How would the U.S. party to a data transaction ascertain
                whether a counterparty to the transaction is a covered person as
                defined above? What kind of diligence would be necessary?
                 29. What are the considerations as to whether a person is
                ``controlled by[] or subject to the jurisdiction or direction of'' a
                country of concern? What, if any, changes should be made to the
                definitions above to make their scope and application clearer? Why?
                 What, if any, changes should be made to broaden or narrow them? Why?
                 30. With respect to the part of the definition of covered person
                addressing ``a foreign person who is primarily resident in the
                territorial jurisdiction of a country of concern,'' how should the
                Department of Justice address temporary travel to or in a country of
                concern by foreign individuals who are not citizens of a country of
                concern? Should the standard be ``primarily resident in,''
                ``resident in,'' ``located in,'' or something else?
                 31. Other than certain lists maintained by OFAC and BIS, are
                there other designation lists accessible to industry that the
                Department of Justice should consider as a model for identifying
                potential covered persons?
                 32. How should the list be published? How should it be
                organized? In what format should the Department of Justice publish
                it?
                 33. How would industry monitor this list? Would it be more
                costly for industry if the list were updated continually or only at
                certain points in time? If updates were made on an individual basis
                or in batches? Please be specific.
                 34. How quickly after a covered person is added to the list (or
                an existing listing is modified) could industry take account of the
                new information in its compliance programs?
                 35. Are there specific sources that the Department of Justice
                should consult to identify potential candidates for designation? If
                so, which ones?
                 36. Should the Department of Justice maintain a public-facing
                channel for the public to report potential candidates for
                designation? Why or why not? If yes, who should be permitted to make
                such reports and what information should they be required to
                 provide? Would it be preferable that the information submitted be
                protected from public disclosure?
                 37. Are there any aspects of processes used by other Federal
                agencies for persons to request or petition for the removal or
                modification of a designation or listing that would be especially
                useful for this list? If so, which ones and why?
                 38. Are there any aspects of the IEEPA designations appeals
                processes maintained by other Federal agencies that are not
                necessary for this list? If so, which ones and why not?
                G. Prohibitions
                 The Order specifically directs the Attorney General to promulgate
                regulations to prohibit or otherwise restrict United States persons
                from engaging in any acquisition, holding, use, transfer,
                transportation, or exportation of, or dealing in, any property in which
                a foreign country or national thereof has any interest
                (``transaction''), where the transaction:
                 i. Involves bulk U.S. sensitive personal data or United States
                Government-related data, as further defined by regulations issued by
                the Attorney General;
                 ii. Is a member of a class of transactions that has been
                determined by the Attorney General, in regulations issued by the
                Attorney General, to pose an unacceptable risk to the national
                security of the United States because the transactions may enable
                countries of concern or covered persons to access bulk U.S.
                sensitive personal data or United States Government-related data in
                a manner that contributes to the national emergency described in the
                Order;
                 iii. Was initiated, is pending, or will be completed after the
                effective date of the regulations issued by the Attorney General;
                 iv. Does not qualify for an exemption provided in, or is not
                authorized by a license issued pursuant to, the regulations issued
                by the Attorney General; and
                 v. Is not, as defined in final rules implementing the Order,
                ordinarily incident to and part of the provision of financial
                services, including banking, capital markets, and financial
                insurance services, or required for compliance with any Federal
                statutory or regulatory requirements, including any regulations,
                guidance, or orders implementing those requirements.
                 The Order further requires the Attorney General to promulgate
                regulations that identify classes of transactions that meet the
                criteria specified above and are thus prohibited under the Order. The
                Order describes additional activities that are, or may be, prohibited.
                In particular, any conspiracy formed to violate the regulations and any
                action that has the purpose of evading, causes a violation of, or
                attempts to violate the Order or any regulation issued thereunder is
                prohibited. In addition, the Order provides authority to the Attorney
                General to prohibit U.S. persons from ``knowingly directing
                transactions'' that would be prohibited transactions pursuant to the
                Order if engaged in by a U.S. person. The Department of Justice may at
                a future date provide notices of proposed rulemaking to add classes of
                prohibited transactions.
                 For this ANPRM, the Department of Justice is considering the
                following five prohibitions for covered data transactions, which would
                become effective only upon the effective date of a final rule.
                 First, the program would contain a general prohibition that is
                subject to authorized exemptions. The program would be technology-
                agnostic and neutral as to the path or route that bulk U.S. sensitive
                personal data or government-related data travels:
                 ``Except as otherwise authorized pursuant to these regulations,
                no U.S. person, on or after the effective date, may knowingly engage
                in a covered data transaction with a country of concern or covered
                person.''
                 The Department of Justice currently intends for the knowingly
                language in this and the other prohibitions to apply to persons who
                knew or should have known of the circumstances of the transaction. In
                its guidance on what an individual or entity ``should have known'' in
                such context, the Department proposes to take into account the relevant
                facts and circumstances, including the relative sophistication of the
                individual or entity at issue, the scale and sensitivity of the data
                involved, and the extent to which the parties to the transaction at
                issue appear to have been aware of and sought to evade the application
                of these rules. This is not intended to operate as a strict-liability
                standard. The knowingly language is also not intended to require U.S.
                persons, in engaging in vendor agreements and other classes of data
                transactions with foreign persons, to conduct due diligence on the
                employment practices of those foreign persons to determine whether they
                qualify as covered persons. But persons will be prohibited from evading
                or avoiding these prohibitions, including by knowingly structuring
                transactions in a manner that attempts to circumvent these
                prohibitions.
                 With respect to the knowingly language, the prohibitions would
                therefore not apply in scenarios such as the following:
                 Example 37. A U.S. person engages in a vendor agreement
                involving bulk sensitive personal data with a foreign person who is not
                a covered person. The foreign person then employs an individual who is
                a covered person and grants them access to bulk U.S. sensitive personal
                data without the U.S. person's knowledge or direction. There is no
                covered data transaction between the U.S. person and the covered
                person, and there is no indication that the parties engaged in these
                transactions with the purpose of evading the regulations (such as the
                U.S. person having knowingly directed the foreign person's employment
                agreement with the covered person or the parties knowingly structuring
                a prohibited covered data transaction into these multiple transactions
                with the purpose of evading the prohibition).
                 Example 38. A U.S. company sells DNA testing kits to U.S.
                consumers and maintains bulk human genomic data collected from those
                consumers. The U.S. company enters into a contract with a foreign
                cloud-computing company (which is not a covered person) to store the
                U.S. company's database of human genomic data. The foreign company
                hires employees from other countries, including citizens of countries
                of concern who primarily reside in a country of concern, to manage
                databases for its customers, including the U.S. company's human genomic
                 database. There is no indication of evasion (such as the U.S. company
                 knowingly directing the foreign company's employment agreements or the
                 U.S. company knowingly engaging in and structuring these transactions
                 to evade the regulations). The cloud-computing services agreement
                between the U.S. company and the foreign company would not be
                prohibited or restricted because that covered data transaction is
                between a U.S. person and a foreign company that does not meet the
                definition of a covered person. The employment agreements between the
                foreign company and the covered persons would not be prohibited or
                restricted because those agreements are between foreign persons.
                 By contrast, the prohibitions would apply in scenarios such as the
                following:
                 Example 39. A U.S. subsidiary of a company headquartered
                in a country of concern collects bulk precise geolocation data from
                U.S. persons. The U.S. subsidiary is a U.S. person, and the parent
                company is a covered person. With the purpose of evading the
                regulations, the U.S. subsidiary enters into a vendor agreement with a
                foreign company that is not a covered person, which the U.S. subsidiary
                knows (or should know) is a shell company that subsequently outsources
                the vendor agreement to the U.S. subsidiary's parent company.
                 Example 40. A U.S. company collects bulk personal health
                data from U.S. persons. With the purpose of evading the regulations,
                the U.S. company enters into a vendor agreement with a foreign company
                that is not a covered person, which the U.S. company knows (or should
                know) is a shell company staffed entirely by covered persons.
                 Second, the contemplated program would include a prohibition
                specific to data brokerage to address transactions involving the onward
                transfer of bulk U.S. sensitive personal data or government-related
                data to countries of concern and covered persons. The Department of
                Justice is considering the following prohibition: Except as otherwise
                authorized pursuant to these regulations, no U.S. person, on or after
                the effective date, may knowingly engage in a covered data transaction
                involving data brokerage with any foreign person unless the U.S. person
                contractually requires that the foreign person refrain from engaging in
                a subsequent covered data transaction involving the same data with a
                country of concern or covered person.
                 This narrow circumstance would be the only instance in which the
                contemplated program would regulate third-country covered data
                transactions (i.e., U.S. persons' covered data transactions in which a
                country of concern or covered person is not a party). The Department of
                Justice currently intends this prohibition to apply to scenarios such
                as the following:
                 Example 41. A U.S. business knowingly enters into an
                agreement to sell bulk human genomic data to a European business that
                is not a covered person. The U.S. business is required to include in
                that agreement a limitation
                on the European business's right to resell that data to a country of
                concern or covered person.
                 Third, the contemplated program would include a prohibition to
                specifically address the risks posed by covered data transactions
                involving access by countries of concern to U.S. persons' bulk human
                genomic data and biospecimens from which that data can be derived--such
                as covered data transactions involving laboratories owned or operated
                by covered persons. The Department of Justice is considering the
                following prohibition: Except as otherwise authorized pursuant to these
                regulations, no U.S. person, on or after the effective date, may
                knowingly engage in any covered data transaction with a country of
                concern or covered person that provides that country of concern or
                covered person with access to bulk U.S. sensitive personal data that
                consists of human genomic data, or to human biospecimens from which
                such data could be derived, on greater than [the applicable bulk
                threshold of] U.S. persons at any point in the preceding twelve months,
                whether in a single covered data transaction or aggregated across
                covered data transactions.
                 Fourth, as in other IEEPA-based regulations, the Department of
                Justice is considering rules that will also prohibit evasions, causing
                violations, attempts, and conspiracies.
                 Fifth, the Department of Justice is considering prohibiting U.S.
                persons from knowingly directing any covered data transaction that
                would be prohibited (including restricted transactions that do not
                comply with the security requirements) if engaged in by a U.S. person.
                For purposes of this provision, the Department of Justice is
                considering defining knowingly to mean that the U.S. person had actual
                knowledge of, or should have known about, the conduct, circumstance, or
                result. And the Department of Justice is considering defining directing
                to mean that a U.S. person has the authority (individually or as part
                of a group) to make decisions on behalf of a foreign entity, and
                exercises that authority to order, decide, or approve a transaction
                that would be prohibited under these regulations if engaged in by a
                U.S. person. The program will clarify that certain conduct that is
                attenuated from the risks to U.S. national security identified in the
                Order, such as the financing or underwriting of a covered data
                transaction, the processing, clearing, or sending of payments by a
                bank, and legal services, would not be covered as directing a
                transaction as defined by the regulations. This approach is narrower
                than the authority afforded to the Department of Justice under the
                Order.
                 The Department of Justice intends to use this authority to tailor
                the regulations to target the identified national-security threat by
                prohibiting U.S.-person activity such as:
                 Example 42. A U.S. person is an officer, senior manager,
                or equivalent senior-level employee at a foreign company that is not a
                covered person, and the foreign company undertakes a covered data
                transaction at that U.S. person's direction or with that U.S. person's
                approval when the covered data transaction would be prohibited if
                performed by a U.S. person.
                 Example 43. Several U.S. persons launch, own, and operate
                a foreign company that is not a covered person, and that foreign
                company, under the U.S. persons' operation, undertakes covered data
                transactions that would be prohibited if performed by a U.S. person.
                 Example 44. A U.S. person is employed at a U.S.-
                headquartered multinational company that has a foreign affiliate that
                is not a covered person. The U.S. person changes (or approves changes
                to) the operating policies and procedures of the foreign affiliate with
                the specific purpose of allowing the foreign affiliate to undertake
                covered data transactions that would be prohibited if performed by a
                U.S. person.
                 By contrast, the prohibition in the Order on knowingly directing
                transactions would not apply to scenarios such as the following:
                 Example 45. A U.S. bank processes a payment from a U.S.
                person to a covered person, or from a covered person to a U.S. person,
                as part of that U.S. person's engagement in a prohibited data
                transaction. The U.S. bank's activity would not be prohibited (although
                the U.S. person's covered data transaction would be prohibited).
                 Example 46. A U.S. financial institution underwrites a
                loan or otherwise provides financing for a foreign company that is not
                a covered person, and the foreign company undertakes covered data
                transactions that would be prohibited if performed by a U.S. person.
                 Example 47. A U.S. person, who is employed at a foreign
                company that is not a covered person, signs paperwork approving the
                foreign company's procurement of real estate for its operations. The
                same foreign company separately conducts data transactions that use or
                are facilitated by operations at that real-estate location and that
                would be prohibited covered data transactions if performed by a U.S.
                person, but the U.S. employee has no role in approving or directing
                those separate data transactions.
                 Example 48. A U.S. company owns or operates a submarine
                telecommunications cable with one landing point in a foreign country
                that is not a country of concern and one landing point in a country of
                concern. The U.S. company leases capacity on the cable to U.S.
                customers that transmit bulk sensitive personal data to the landing
                point in the country of concern, including transmissions as part of
                prohibited covered data transactions. The U.S. company's ownership or
                operation of the cable would not be prohibited (although the U.S.
                customers' covered data transactions would be prohibited).
                 The ANPRM seeks comment on this topic, including:
                 39. How feasible is it to contract with prospective customers to
                prevent pass-through sales, re-sale, or onward transfers of bulk
                U.S. sensitive personal data or government-related data to countries
                of concern or covered persons? Do technical means exist to prevent
                such onward sales or transfers? If yes, what are such technical
                means?
                 40. What modifications, if any, should be made to the proposed
                definitions above to enhance clarity?
                 41. What, if any, unintended consequences could result from the
                proposed definitions?
                 42. What, if any, alternate approaches should the Department of
                Justice consider to prevent the conduct in the knowingly-directed
                example scenarios described above?
                H. Exempt Transactions
                 The Order recognizes that certain transactions will be exempt from
                any final rules. The Department of Justice is considering mirroring
                OFAC's approach in IEEPA-based sanctions regulations by explicitly
                identifying certain classes of data transactions that are exempt from
                the scope of its prohibitions and restrictions. As explained below, DOJ
                is considering exempting from this program: data transactions involving
                certain kinds of data; official business transactions; financial-
                services, payment-processing, and regulatory-compliance-related
                transactions; intra-entity transactions incident to business
                operations; and transactions required or authorized by Federal law or
                international agreements.
                 Data transactions involving certain kinds of data. The program
                would exempt two classes of data transactions to the extent that they
                involve data that is statutorily exempt from regulation under IEEPA:
                personal communications (any postal, telegraphic, telephonic, or other
                personal communication that does not involve the transfer of anything
                of
                [[Page 15794]]
                value, as set out under 50 U.S.C. 1702(b)(1)) or information or
                informational materials (the importation from any country, or the
                exportation to any country, whether commercial or otherwise, regardless
                of format or medium of transmission, of any information or
                informational materials, as set out under 50 U.S.C. 1702(b)(3), and as
                further interpreted and defined in the contemplated regulations).
                 Official business. The Order exempts ``transactions for the conduct
                of the official business of the United States Government by employees,
                grantees, or contractors thereof, [and] transactions conducted pursuant
                to a grant, contract, or other agreement entered into with the United
                States Government.'' To implement this provision, the Department of
                Justice is considering exempting data transactions to the extent that
                they are for (1) the conduct of the official business of the United
                States Government by its employees, grantees, or contractors; (2) any
                authorized activity of any United States Government department or
                agency (including an activity that is performed by a Federal depository
                institution or credit union supervisory agency in the capacity of
                receiver or conservator); or (3) transactions conducted pursuant to a
                grant, contract, or other agreement entered into with the United States
                Government. Most notably, this exemption would exempt grantees and
                contractors of Federal departments and agencies, including the
                Department of Health and Human Services, the Department of Veterans
                Affairs, the National Science Foundation, and the Department of
                Defense, so that those agencies can pursue grant-based and contract-
                based conditions to address risks that countries of concern can access
                sensitive personal data in transactions related to their agencies' own
                grants and contracts, as laid out in section 3(b) of the Order--without
                subjecting those grantees and contractors to dual regulation.
                 The Department of Justice proposes that this exemption would apply
                to, and thus exempt, scenarios such as the following:
                 Example 49. A U.S. hospital receives a Federal grant to
                conduct research on U.S. persons. As part of that federally funded
                human genomic research, the U.S. hospital contracts with a foreign
                laboratory that is a covered person, hires a researcher that is a
                covered person, and gives the laboratory and researcher access to the
                human biospecimens and human genomic data in bulk. The contract with
                the foreign laboratory and the employment of the researcher would be
                prohibited covered data transactions if they were not part of the
                federally funded research.
                 Financial-services, payment-processing, and regulatory-compliance-
                related transactions. Section 2(a)(v) of the Order exempts any
                transaction that is, as defined by final rules implementing the Order,
                ordinarily incident to and part of the provision of financial services,
                including banking, capital markets, and financial insurance services,
                or required for compliance with any Federal statutory or regulatory
                requirements, including any regulations, guidance, or orders
                implementing those requirements. To further define this exemption, the
                Department of Justice is contemplating exempting data transactions to
                the extent that they are ordinarily incident to and part of the
                provision of financial services, including:
                 (i) Banking, capital-markets, or financial-insurance services;
                 (ii) A financial activity authorized by 12 U.S.C. 24 (Seventh)
                and rules and regulations thereunder;
                 (iii) An activity that is ``financial in nature or incidental to
                a financial activity'' or ``complementary to a financial activity,''
                as set forth in section 4(k) of the Bank Holding Company Act of 1956
                and rules and regulations thereunder;
                 (iv) The provision or processing of payments involving the
                transfer of personal financial data or covered personal identifiers
                for the purchase and sale of goods and services (such as the
                purchase, sale, or transfer of consumer products and services
                through online shopping or e-commerce marketplaces), other than data
                transactions that involve data brokerage; and
                 (v) Compliance with any Federal laws and regulations, including
                the Bank Secrecy Act, 12 U.S.C. 1829b, 1951-1960, 31 U.S.C. 310,
                5311-5314, 5316-5336; the Securities Act of 1933, 15 U.S.C. 77a et
                seq.; the Securities Exchange Act of 1934, 15 U.S.C. 78a et seq.;
                the Investment Company Act of 1940, 15 U.S.C. 80a-1 et seq.; the
                Investment Advisers Act of 1940, 15 U.S.C. 80b-1 et seq.; the
                International Emergency Economic Powers Act, 50 U.S.C. 1701 et seq.;
                the Export Administration Regulations, 15 CFR part 730, et seq.; or
                any notes, guidance, orders, directives, or additional regulations
                related thereto.
                 The Department of Justice would consult the Department of the
                Treasury and other relevant agencies in interpreting and applying this
                exemption, including through guidance, advisory opinions, or licensing
                decisions.
                 The Department of Justice currently intends this exemption to apply
                to, and thus exempt, scenarios such as the following:
                 Example 50. A U.S. company engages in a data transaction
                to transfer personal financial data in bulk to a financial institution
                that is incorporated in, located in, or subject to the jurisdiction or
                control of a country of concern to clear and settle electronic payment
                transactions between U.S. individuals and merchants in a country of
                concern where both the U.S. individuals and the merchants use the U.S.
                company's infrastructure, such as an e-commerce platform. Both the U.S.
                company's transaction transferring bulk personal financial data and the
                payment transactions by U.S. individuals are exempt.
                 Example 51. A U.S. bank or other financial institution
                engages in a data transaction with a covered person that is ordinarily
                incident to and part of ensuring compliance with U.S. laws and
                regulations (such as OFAC sanctions and anti-money laundering programs
                required by the Bank Secrecy Act).
                 Example 52. As ordinarily incident to and part of
                securitizing and selling asset-backed obligations (such as mortgage and
                nonmortgage loans) to a covered person, a U.S. bank provides bulk U.S.
                sensitive personal data to the covered person.
                 Example 53. A U.S. bank or other financial institution, as
                ordinarily incident to and part of facilitating payments to U.S.
                persons in a country of concern, stores and processes the customers'
                bulk financial data using a data center operated by a third-party
                service provider in the country of concern.
                 Example 54. As part of operating an online marketplace for
                the purchase and sale of goods, a U.S. company, as ordinarily incident
                to and part of U.S. consumers' purchase of goods on that marketplace,
                transfers bulk contact information, payment information (e.g., credit-
                card account number, expiration date, and security code), and delivery
                address to a merchant in a country of concern.
                 Intra-entity transactions incident to business operations. The
                Department of Justice is considering exempting data transactions to the
                extent that they are (1) between a U.S. person and its subsidiary or
                affiliate located in (or otherwise subject to the ownership, direction,
                jurisdiction, or control of) a country of concern, and (2) ordinarily
                incident to and part of ancillary business operations (such as the
                sharing of employees' covered personal identifiers for human-resources
                purposes; payroll transactions like the payment of salaries and pension
                to overseas employees or contractors; paying business taxes or fees;
                purchasing business permits or licenses; sharing data with auditors and
                law firms
                [[Page 15795]]
                for regulatory compliance; and risk-management purposes).
                 The Department of Justice currently intends this exemption to apply
                to, and thus exempt, scenarios such as the following:
                 Example 55. A U.S. company has a foreign subsidiary located
                in a country of concern, and the U.S. company's U.S.-person contractors
                perform services for the foreign subsidiary. As ordinarily incident to
                and part of the foreign subsidiary's payments to the U.S.-person
                contractors for those services, the U.S. company engages in a data
                transaction that gives the subsidiary access to the U.S.-person
                contractors' bulk personal financial data and covered personal
                identifiers.
                 By contrast, the Department of Justice intends this exemption not
                to apply to scenarios such as the following:
                 Example 56. A U.S. company aggregates bulk personal
                financial data. The U.S. company has a non-wholly owned subsidiary that
                is a covered person because it is headquartered in a country of
                concern. The subsidiary is subject to the country of concern's
                national-security laws requiring it to cooperate with and assist the
                country's intelligence services. The exemption would not apply to the
                U.S. parent's grant of a license to the subsidiary to access the
                parent's databases containing the bulk personal financial data for the
                purpose of complying with a request or order by the country of concern
                under those national-security laws to provide access to that data.
                 Transactions required or authorized by Federal law or international
                agreements. The Department of Justice is considering exempting data
                transactions to the extent that they are required or authorized by
                Federal law or pursuant to an international agreement (such as the
                exchange of passenger-manifest information, INTERPOL requests, and
                public-health surveillance).
                 The ANPRM seeks comment on this topic, including:
                 43. What modifications, if any, should be made to the proposed
                definitions above to enhance clarity?
                 44. What, if any, unintended consequences could result from the
                proposed definitions?
                 45. Are there other types of data transactions that should be
                exempt? Please explain why.
                I. Security Requirements for Restricted Transactions
                 As described above, the Department of Justice is considering
                identifying three classes of restricted covered data transactions
                (vendor agreements, employment agreements, and investment agreements)
                that would be otherwise prohibited unless they meet certain conditions
                (security requirements) that mitigate the threats posed by access to
                the bulk U.S. sensitive personal data or government-related data by a
                country of concern or covered person. While the security requirements
                are still under development and will be available to the public at a
                later date, the Department of Homeland Security, in coordination with
                the Department of Justice, has developed an outline of what the
                security requirements might entail, and that outline is previewed here
                only as context for the rest of the contemplated program and other
                topics on which questions are sought in this ANPRM.
                 The primary goal of the security requirements is to address
                national-security and foreign-policy threats that arise when countries
                of concern and covered persons can access bulk U.S. sensitive personal
                data or government-related data that may be implicated by the classes
                of restricted covered data transactions. The contemplated security
                requirements would be based on, as applicable and appropriate, existing
                performance goals, guidance, practices, and controls, such as the
                Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity
                Performance Goals (CPG), National Institute of Standards & Technology
                (NIST) Cybersecurity Framework (CSF), NIST Privacy Framework (PF), and
                NIST SP 800-171 rev. 3 (``Protecting Controlled Unclassified
                Information in Nonfederal Systems and Organizations''). The Department
                of Justice proposes to decline to regulate restricted covered data
                transactions until the applicable security requirements are published,
                available to the public, and become effective by incorporation into the
                final rule. The Department of Homeland Security, in coordination with
                the Department of Justice, has outlined the following approach to the
                security requirements.
                 A restricted covered data transaction would be permissible if the
                U.S. person:
                 (1) implements Basic Organizational Cybersecurity Posture
                requirements;
                 (2) conducts the covered data transaction in compliance with the
                following four conditions: (a) data minimization and masking; (b)
                use of privacy-preserving technologies; (c) development of
                information-technology systems to prevent unauthorized disclosure;
                and (d) implementation of logical and physical access controls; and
                 (3) satisfies certain compliance-related conditions, such as
                retaining an independent auditor to perform annual testing and
                auditing of the requirements in (1) and (2) above, for so long as
                the U.S. person relies on compliance with those conditions to
                conduct the restricted covered data transaction.
                 Basic Organizational Cybersecurity Posture requirements applicable
                to all restricted covered data transactions could include practices
                such as CISA CPG 1.A, 1.B, 1.E, 1.F, 1.I, 2.P, 2.S, 2.Q, 4.A, and 5.A;
                NIST PF ID.IM-P1, ID.IM-P2, ID.BE-P1, and CT.DM-P9; and NIST CSF PR.AT-
                4 and PR.AT-5. Required controls could include NIST SP 800-171 3.1.1,
                3.1.5, 3.3.1, 3.3.2, 3.3.3, 3.9.1, 3.9.2, and 3.14.6.
                 Data minimization and masking strategies (e.g., tokenization) could
                be used to eliminate bulk U.S. sensitive personal data or government-
                related data from some organizational scope to which a country of
                concern or covered person would have access. Required practices could
                include NIST PF CT.PO-P2, CT.DM-P8, CT.DP-P1, and CT.DP-P2.
                 Privacy-preserving technologies (e.g., based on homomorphic
                encryption or traditional encryption) could be deployed to enable
                restricted covered data transactions to proceed without exposing the
                bulk U.S. sensitive personal data or government-related data itself to
                countries of concern and covered persons. Required practices could
                include CISA CPG 2.K and 2.L; NIST PF CT.DP-P1; and NIST PF/CSF PR.DS-P1
                and PR.DS-P2. Required controls could include NIST SP 800-171 3.13.8,
                3.13.10, and 3.13.11, and ones analogous to the controls described in
                15 CFR 734.18(a)(5).
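 The two preceding paragraphs (data minimization and masking such as tokenization; privacy-preserving technologies based on encryption) describe controls whose purpose is that the covered-person scope receives a dataset it can work on but cannot re-identify. The following is an added illustration of that boundary, not part of the ANPRM and not the DHS outline; the record layout, the field names, the four-digit subject-number space, and the placement of the vault and key on the U.S. person's side are assumptions. It also shows the failure mode a practitioner should check for: a "pseudonym" that is an unkeyed hash of a small identifier space is reversible by enumeration, whereas a keyed derivation whose key stays with the U.S. person is not.

```python
"""Data minimization and tokenization for a restricted covered data
transaction.  Added illustration, not from the ANPRM or DHS; the record
layout, the field names and the size of the identifier space are assumptions."""
import hashlib
import hmac
import secrets

# Constructed sample (not real data): two records for one subject, one for another.
RECORDS = [
    {"subject_no": "0042", "name": "A. Example", "age_band": "40-49", "variant_calls": "chr1:12345A>G"},
    {"subject_no": "0042", "name": "A. Example", "age_band": "40-49", "variant_calls": "chr7:5555C>T"},
    {"subject_no": "0731", "name": "B. Sample",  "age_band": "30-39", "variant_calls": "chr2:999G>A"},
]

KEY = secrets.token_bytes(32)   # assumed secret that never leaves the U.S. person's scope


class TokenVault:
    """Random-token vault held inside the U.S. person's own scope.  The
    covered scope receives only tokens; only detokenize() recovers a value."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        tok = self._to_token.get(value)
        if tok is None:
            tok = secrets.token_hex(16)   # random, so the token reveals nothing about value
            self._to_token[value] = tok
            self._to_value[tok] = value
        return tok

    def detokenize(self, tok):
        return self._to_value[tok]


def minimize(records, vault, keep=("age_band", "variant_calls")):
    """Build the dataset the covered scope is allowed to see: keep only the
    fields the work needs and replace the subject identifier with a token.
    The same subject gets the same token, so records still join."""
    out = []
    for r in records:
        row = {k: r[k] for k in keep}
        row["subject_token"] = vault.tokenize(r["subject_no"])
        out.append(row)
    return out


def unkeyed_pseudonym(subject_no):
    """Weak: a plain hash of a small identifier space is reversible by enumeration."""
    return hashlib.sha256(subject_no.encode()).hexdigest()


def keyed_pseudonym(subject_no, key):
    """Keyed alternative (HMAC-SHA256); without the key the recipient cannot enumerate."""
    return hmac.new(key, subject_no.encode(), hashlib.sha256).hexdigest()


def recover_by_enumeration(pseudonym, space=range(10_000)):
    """What a recipient holding only the pseudonym can do when the identifier
    space is small and the derivation used no secret."""
    for n in space:
        cand = f"{n:04d}"
        if unkeyed_pseudonym(cand) == pseudonym:
            return cand
    return None


def demo():
    """Run the minimization and both pseudonym checks; returns the results."""
    vault = TokenVault()
    rows = minimize(RECORDS, vault)
    return {
        "rows": rows,
        "roundtrip": vault.detokenize(rows[2]["subject_token"]),
        "unkeyed_recovered": recover_by_enumeration(unkeyed_pseudonym("0042")),
        "keyed_recovered": recover_by_enumeration(keyed_pseudonym("0042", KEY)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

 The vault, or the HMAC key, is the thing the security requirements would need to keep outside the covered person's reach; if either is shared with the vendor, employee, or investor in the restricted transaction, the tokens are just a second copy of the identifiers. An independent auditor reviewing the control would look for where the vault lives and who can call detokenize(), not only for whether tokens appear in the exported dataset.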
                 Logical and physical access controls could include role-based
                access management, such as credentialed access to both data systems and
                physical facilities containing bulk U.S. sensitive personal data or
                government-related data. Required practices could include CISA CPG 2.B,
                2.D, 2.F, 2.G, 2.H, 2.T, 2.U, and 2.V; and NIST PF/CSF PR.AC-P1, PR.AC-
                P2, PR.AC-P3, PR.AC-P4, PR.AC-P5, PR.AC-P6, and PR.AC-P7. Required
                controls could include NIST SP 800-171 3.1.2, 3.1.3, 3.1.8, 3.1.10,
                3.1.11, 3.1.12, 3.5.1, 3.5.3, 3.5.5, 3.5.7, 3.10.1, 3.10.2, and 3.10.7.
                 Under the contemplated program, a restricted covered data
                transaction would become prohibited if the parties fail to comply with
                the security requirements.
                 The Department of Homeland Security will propose and solicit public
                comment on the security requirements through a separate process.
                J. Licenses
                 The Order authorizes the Attorney General, in concurrence with the
                Departments of State, Commerce, and Homeland Security, and in
                consultation
                [[Page 15796]]
                with other relevant agencies, to issue (including to modify or rescind)
                licenses authorizing covered data transactions that would otherwise be
                prohibited or restricted. The Department of Justice is considering a
                license regime that would be modeled on the licensing regime used by
                OFAC and would incorporate both general and specific licenses. These
                licenses would approve, or impose conditions on, covered data
                transactions that are prohibited or restricted and would include an
                interagency consultation process to ensure that agencies with relevant
                equities and expertise may weigh in. The Department of Justice is
                considering this type of licensing regime because, among other reasons,
                it could give regulated parties the ability to bring specific concerns
                to the Department of Justice and seek appropriate regulatory relief.
                Licensing could also provide the Department of Justice with flexibility
                to resolve marginal, unique, or particularly sensitive cases, either
                generally or in individual matters.
                 General licenses. Under the regime that the Department of Justice
                is considering, the Attorney General could issue and publish general
                licenses authorizing, under appropriate terms and conditions, certain
                types of covered data transactions that are subject to the requirements
                contained in the rules. Persons availing themselves of certain general
                licenses may be required to file reports and statements in accordance
                with the instructions specified in those licenses. Failure to timely
                file all required information in such reports or statements may nullify
                the authorization otherwise provided by the general license and result
                in violations of the applicable prohibitions that may be subject to
                enforcement action. General licenses could also be used to ease
                industry's transition once the rules become effective by potentially,
                for example, authorizing orderly wind-down conditions for covered data
                transactions that would otherwise be prohibited by the rules.
                 Specific licenses. The Department of Justice is also considering
                whether, as part of the rulemaking, to impose certain requirements that
                would apply to all persons who receive specific licenses. Those
                requirements could include, for example: (1) an ongoing obligation to
                provide reports regarding the authorized transactions; or (2) a
                requirement that any person receiving a specific license to transact in
                bulk U.S. sensitive personal data or government-related data must, to
                the extent feasible, provide assurances that any data transferred
                pursuant to such transactions can be recovered, irretrievably deleted,
                or otherwise rendered non-functional. The Department of Justice is also
                considering requiring applicants for specific licenses to use forms and
                procedures published by the Department of Justice, and allowing
                applicants and any other party in interest to request reconsideration
                of the denial of a license based on new facts or changed circumstances.
                The ANPRM seeks comment on this topic, including:
                 46. Would general and specific licenses be useful to regulated
                parties? Why or why not?
                 47. Should any or all specific licenses be published, provided
                that such publication complies with applicable laws and regulations
                (e.g., regarding the protection of confidential business
                information)? If so, how should they be published? How could the
                publication of specific licenses assist or harm regulated parties?
                 48. How should the Department of Justice assess or evaluate the
                purported costs of complying with the conditions of a general
                license or a specific license? Are the costs of reporting on
                licensed transactions, auditing them, or ensuring that they can be
                rendered non-functional if noncompliant likely to scale with
                transaction size? With data volume? Based on other factors?
                 49. What, if any, general licenses would be useful to assist in
                the industry's transition once the rules take effect? Why? Please be
                specific.
                 50. How should the Department of Justice assess time limitations
                on general licenses or specific licenses? For example, how should
                the Department of Justice calculate reasonable wind-down periods?
                 51. What factors should the Department of Justice assess when
                considering whether to grant or deny a specific license application?
                 52. Are there classes of data transactions that may become the
                subject of specific license applications that the Department of
                Justice should presumptively grant or presumptively deny? Why?
                 53. What is the technical feasibility of recovering,
                irretrievably deleting, or otherwise rendering non-functional data
                transferred pursuant to a licensed covered data transaction? What
                technical measures, solutions, or controls could be used for this
                purpose?
                 54. What forms or procedures should the Department of Justice
                consider when establishing the requirements for an application for a
                specific license?
                 55. Are there any aspects of the OFAC and BIS licensing
                processes that would be especially useful for this program? If so,
                which ones and why?
                 56. Are there any aspects of the OFAC and BIS licensing
                processes that would not be useful for this program? If so, which
                ones and why not?
                K. Interpretive Guidance
                 The Order requires the Attorney General to ``establish, as
                appropriate, mechanisms to provide additional clarity to persons
                affected by th[e] order and any regulations implementing th[e] order.''
                \12\ The Department of Justice is currently considering creating a
                program to provide guidance in the form of written advisory opinions,
                similar to processes used by OFAC and BIS, and by the Department of
                Justice with respect to the Foreign Corrupt Practices Act (FCPA) and
                the Foreign Agents Registration Act (FARA). The Department of Justice
                is considering permitting any U.S. person engaging in covered data
                transactions regulated by the program to request an interpretation of
                any part of these regulations from the Attorney General. Examples of
                such requests could include guidance on (1) whether a particular
                transaction is a covered data transaction and whether it is prohibited
                or restricted; (2) whether the Attorney General would be likely to
                issue a license governing a particular data transaction; and (3)
                whether a person satisfies the definitions of these regulations (e.g.,
                U.S. person, foreign person, covered person). Consistent with other
                Federal advisory-opinion programs, the Department of Justice is
                considering requiring that advisory opinions may only be requested for
                actual--not hypothetical--data transactions, but need not involve only
                prospective conduct.
                ---------------------------------------------------------------------------
                 \12\ With respect to the security requirements, the Secretary of
                Homeland Security, in coordination with the Attorney General, shall
                issue any interpretive guidance.
                ---------------------------------------------------------------------------
                 The Department of Justice is considering requiring requests for
                interpretive guidance to be made using forms and procedures published
                by the Department of Justice. These rules may include, for example: (1)
                a requirement that all requests must be made in writing; (2) a
                requirement that all requests must identify all participants in the
                data transaction for which the opinion is being sought (i.e., a
                prohibition on anonymous requests); (3) a requirement that the
                requesting party cannot use the advisory opinion, or permit it to be
                used, as evidence that the United States Government determined that the
                data transactions described in the advisory opinion are compliant with
                any Federal or State law or regulation other than the rules; and (4) a
                requirement that advisory opinions may be requested only for actual,
                not hypothetical, conduct.
                 The Department of Justice is also considering whether to publish
                some or all advisory opinions once issued, provided that such
                publication complies with applicable laws and regulations (e.g.,
                regarding the protection of confidential business information).
                Finally, in addition to advisory opinions
                [[Page 15797]]
                addressing specific requests, the Department of Justice is considering
                the publication of more general interpretive guidance, such as
                Frequently Asked Questions.
                 The ANPRM seeks comment on this topic, including:
                 57. Would an advisory opinion process in general be useful? What
                effect, if any, should the issuance of an advisory opinion have for
                the party or parties who requested it? For third parties?
                 58. Should industry groups or other associations be permitted to
                request advisory opinions or interpretive guidance on behalf of one
                or more of their members (noting that such requests would still need
                to identify all relevant participants in a data transaction)?
                 59. Should some or all advisory opinions be published? How might
                the possibility of publication affect a request (noting that any
                publication would comply with applicable laws regarding confidential
                business information and similar topics)?
                 60. If the Department of Justice decides to publish some or all
                advisory opinions, how should it do so?
 61. How should the Department of Justice address circumstances
                in which an advisory opinion no longer applies (e.g., the relevant
                country of concern at the time the opinion was issued no longer
                meets the requirements for being a country of concern)?
                 62. What forms or procedures should the Department of Justice
                consider when establishing the requirements for an acceptable
                advisory opinion request?
                 63. Are there additional models or other forms of interpretive
                guidance that the Department of Justice should consider? For
                example, should the Department of Justice be free to issue guidance
                even if no party has inquired about the relevant topic? Should these
                other forms of guidance be published? If so, how?
                L. Compliance & Enforcement
                 The Order delegates to the Attorney General, in consultation with
                relevant agencies, the full extent of the authority vested in the
                President by IEEPA, and expressly states that the rules will ``address
                the need for, as appropriate, recordkeeping and reporting of
                transactions to inform investigative, enforcement, and regulatory
                efforts.'' The Department of Justice wishes to achieve widespread
                compliance, and to gather the information necessary to administer and
                enforce the program, without unduly burdening U.S. persons or
                discouraging data transactions that the program is not intended to
                address. Any enforcement guidance issued by the Department of Justice
                regarding the security requirements will be issued in coordination with
                the Department of Homeland Security.
                 Accordingly, the Department of Justice is currently considering
                creating and implementing a compliance and enforcement program modeled
                on the Department of the Treasury's IEEPA-based economic sanctions,
                which are administered by OFAC.
                 Due diligence and recordkeeping. With respect to due diligence and
                recordkeeping, the Department of Justice is considering a model in
                which U.S. persons subject to the contemplated program employ a risk-
                based approach to compliance by developing, implementing, and routinely
                updating a compliance program. The compliance program suitable for a
                particular U.S. person would be based on that U.S. person's
                individualized risk profile and would vary depending on a variety of
                factors, including the U.S. person's size and sophistication, products
                and services, customers and counterparties, and geographic locations.
                The Department of Justice is not proposing to prescribe general due-
                diligence or affirmative recordkeeping requirements on all U.S. persons
                engaged in covered data transactions with foreign persons. The
                Department of Justice is considering whether a U.S. person's failure to
                develop an adequate due-diligence program would have consequences if
                that U.S. person violates the regulations, such as treating this
                failure as an aggravating factor in any enforcement action.
                 The Department of Justice is currently considering imposing
                affirmative due-diligence and recordkeeping requirements only as a
                condition of engaging in a restricted covered data transaction or as a
                condition of a general or specific license. This limited set of
                affirmative due-diligence and recordkeeping requirements would include
                ``know your vendor'' and ``know your customer'' requirements.
                Consistent with OFAC's practice in IEEPA-based sanctions programs, the
                Department of Justice is considering requiring U.S. persons subject to
                the due-diligence requirements to keep records of their due diligence
                to assist in inspections and enforcement.
                 Reporting. Similarly, the Department of Justice is considering
                reporting requirements modeled on existing IEEPA-based reporting
                requirements. The contemplated program would not prescribe general
                reporting requirements for all U.S. persons engaged in data
                transactions with foreign persons (or even with all covered persons).
Rather, the Department of Justice is considering requiring reporting
                only as a condition for certain categories of U.S. persons engaging
                in restricted covered data transactions, as a condition of a general
                or specific license, or in certain narrow circumstances to identify
                attempts to engage in prohibited covered data transactions.
                DOJ is considering these reporting requirements to help DOJ identify
                covered data transactions that are the highest priority for ongoing
                compliance and enforcement efforts. The categories of U.S. persons
                subject to affirmative reporting requirements could include:
 - A U.S. person that (a) is engaged in restricted covered
                data transactions involving cloud computing services or licensed
                covered data transactions involving data brokerage or cloud-computing
                services, and (b) has 25 percent or more of its equity interests owned
                (directly or indirectly, through any contract, arrangement,
                understanding, relationship, or otherwise) by a country of concern or
                covered person; or
                 - Any U.S. person that has received and affirmatively
                rejected an offer from another person to engage in a prohibited covered
                data transaction involving data brokerage.
                 Likewise, the Department of Justice is considering requiring any
                person granted a license under the rules to provide annual
                certifications supported by available documentation that they have
                abided by the terms of any license granted.
                 Audits. To assist in ensuring compliance with the security
                requirements for restricted covered data transactions and with licenses
                issued pursuant to the rules, the Department of Justice is considering
                whether to require a U.S. person to comply with certain conditions in
                conducting a restricted covered data transaction (whether conducted
                pursuant to a license or not) or a prohibited covered data transaction
                pursuant to a license. These conditions may include (i) appointing an
                accredited auditor to annually assess compliance with and the
                effectiveness of the security requirements or conditions of the
                license, and (ii) delivering the results of the audit to the Department
                of Justice. The audit will need to address (i) the nature of the U.S.
                person's covered data transaction and (ii) whether it is in accordance
                with applicable security requirements, the terms of any license issued
                by the Attorney General, or any other aspect of the regulations.
                 Investigation and enforcement. To assist in the investigation of
                potential noncompliance with the rules, the Department of Justice is
                considering requiring any U.S. person ``to keep a full record of, and
                to furnish under oath, in the form of reports or otherwise,'' as may be
                required by the Attorney General, ``complete information relative to''
                any covered data transaction subject to a prohibition or restriction.
                50 U.S.C.
                [[Page 15798]]
                1702(a)(2). For the avoidance of doubt, neither the Order nor its
                implementing regulations will create any new right of access by the
                U.S. Government to U.S. persons' sensitive personal data or government-
                related data, or give the U.S. Government a new right to monitor U.S.
                persons' communications.
                 The Department of Justice is also considering establishing a
                process for imposing civil monetary penalties similar to the processes
                followed by OFAC and CFIUS, with mechanisms for pre-penalty notice, an
                opportunity to respond, and a final decision. Penalties could be based
                on noncompliance with the regulations, making material misstatements or
                omissions, making false certifications or submissions, or other actions
                or factors. The Department of Justice would, consistent with due-
                process requirements, give companies the relevant non-classified
                information that forms the basis of any enforcement action and a
                meaningful opportunity to respond.
                 The ANPRM seeks comment on this topic, including:
                 64. What additional guidance should the Department of Justice
                provide in describing what constitutes having ``received and
                affirmatively rejected'' a covered data transaction involving data
                brokerage for purposes of the reporting requirements?
                 65. Would reports about rejected covered data transactions
                involving data brokerage yield information that the Department of
                Justice could use to calibrate regulations, prioritize enforcement,
                and identify areas for further guidance in implementing the Order?
 66. What new compliance and recordkeeping controls do U.S.
                persons anticipate needing in order to comply with the program as
                described in this ANPRM? To what extent would existing controls for compliance
                with other United States Government laws and regulations be useful
                for compliance with this program? How could the Department of
                Justice reduce the paperwork burden of any new compliance
                requirements?
                 67. What additional information will U.S. persons need to
                collect for compliance purposes as a result of this program?
                 68. What types of information would be useful to include in the
                know-your-customer and know-your-vendor due diligence described
                above? Do customers and vendors generally have this information
                readily available?
                 69. Is this due diligence already being done by U.S. persons in
                connection with transactions that would be covered data
                transactions--e.g., for other regulatory purposes, prudential
                purposes, or otherwise? If so, please explain. What, if any, third-
                party services are used to perform due diligence as it relates to
                transactions involving the countries of concern more generally?
                 70. What are the practicalities of complying with this
                obligation? What, if any, changes to the way that U.S. persons
                undertake due diligence would be required because of this standard?
                What might be the cost to U.S. persons of undertaking such due
                diligence? Please be specific.
                 71. For how long should the Department of Justice consider
                requiring entities to retain records that the rules require them to
                maintain?
                 72. Are there additional examples of high-priority data
                transactions that should be included in the reporting requirement?
                Should any of the examples given above be excluded?
                 73. What should the Department of Justice's role be in
                nominating, approving, or otherwise participating in the selection
                of an accredited auditor charged with monitoring compliance with the
                security requirements or a license under the rules? What should the
                Department of Justice consider when reviewing a candidate to be an
                auditor under this provision? What types of service providers
                currently exist that could play this role?
                 74. How, if at all, should penalties and other enforcement
                mechanisms be tailored to the size, type, or sophistication of the
                U.S. person or to the nature of the violation?
                 75. What factors should the Department of Justice analyze when
                determining to impose a civil penalty, as well as the amount?
                 76. What, if any, additional procedural steps should the
                Department of Justice require as part of its process to impose
                penalties?
                 77. Other than noncompliance with the regulations, making
                material misstatements or omissions, and making false certifications
                or submissions, what other types of actions or factors should the
                Department of Justice consider as a predicate for a penalty?
                 78. What should the Department of Justice consider when deciding
                to issue a subpoena or other investigative demand pursuant to the
                rules?
                 79. Have limitations or complications arisen regarding the
                service of IEEPA-based subpoenas or investigative demands in the
                past under programs administered by other Federal agencies?
                 80. What transaction sources should the Department of Justice
                use to monitor compliance with this program?
                M. Coordination With Other Regulatory Regimes
                 The Order requires the Department of Justice to address, as
                appropriate, coordination with other United States Government entities,
                such as CFIUS, OFAC, BIS, and other entities implementing relevant
                programs, including those implementing Executive Order 13873 of May 15,
                2019 (Securing the Information and Communications Technology and
                Services Supply Chain) and Executive Order 14034 of June 9, 2021
                (Protecting Americans' Sensitive Data From Foreign Adversaries); and
                Executive Order 13913 of April 4, 2020 (Establishing the Committee for
                the Assessment of Foreign Participation in the United States
                Telecommunications Services Sector). The Department of Justice does not
                currently intend or anticipate that this program will have significant
                overlap with existing authorities. Existing authorities do not provide
                prospective, categorical rules to address the national-security risks
                posed by transactions between U.S. persons and countries of concern (or
                persons subject to their ownership, control, jurisdiction, or
                direction) that pose an unacceptable risk of providing those countries
                with access to bulk U.S. sensitive personal data or government-related
                data.
                 With respect to investment agreements between U.S. persons and
                countries of concern (or covered persons) that are also ``covered
                transactions'' subject to CFIUS review, see generally 50 U.S.C. 4565,
                the Department of Justice is considering an approach in which this
                program would independently regulate, as restricted covered data
                transactions, investment agreements that are also ``covered
                transactions'' subject to review by CFIUS, unless and until CFIUS
                enters into or imposes mitigation measures to resolve national-security
                risk arising from a particular covered transaction (a ``CFIUS
                Action''). A CFIUS Action could take the form of, for example, a CFIUS
                interim order, a CFIUS determination to conclude action with respect to
                a covered transaction based on an order or mitigation agreement of
                data-security risks, or CFIUS's entry into a mitigation agreement
                governing the voluntary abandonment of the covered transaction. Once
                such a CFIUS Action occurs, the program proposed under this ANPRM would
                cease to apply to the particular investment agreement that constitutes
                the covered transaction subject to the CFIUS Action. This exemption in
                the regulations would apply categorically for all covered transactions
                that are subject to a CFIUS Action; the Department of Justice would not
                be required to issue a specific license for each investment agreement
                addressed by a CFIUS Action.
                 This approach would preserve CFIUS's authority to develop bespoke
                protections to mitigate risks arising from investment agreements that
                also qualify as CFIUS covered transactions--or recommend the President
                prohibit such a covered transaction--where CFIUS deems such action
                necessary to address national security risk arising from the covered
                transaction and would ensure that parties do not have overlapping
                obligations under more than one regulatory regime. To the extent that
                CFIUS identifies an unresolved national-security risk regarding access
                to sensitive personal data that arises from a particular covered
                transaction, the program's security requirements
                [[Page 15799]]
                would set an important baseline for CFIUS to draw on in mitigating the
                unresolved risk, consistent with CFIUS's transaction-specific approach.
Under this approach, a CFIUS Action would not be considered to have
                occurred where CFIUS has not reviewed a particular investment agreement,
                or where CFIUS concludes action with respect to an investment agreement
                without any mitigation of data-security risks. In those instances, this program
                would continue to independently regulate the investment agreement as a
                restricted covered data transaction. This approach allows this program
                to continue to address risks that may arise outside of CFIUS's reach,
                such as (1) risks associated with investment agreements that are not
                ``covered transactions'' and thus outside of CFIUS's authority (e.g.,
                non-controlling investments involving sensitive personal data below
                CFIUS's one-million-person threshold or data that is not identifiable);
                (2) risks associated with ``covered transactions'' where the risk does
                not ``arise[ ] as a result of the covered transaction,'' 50 U.S.C.
                4565(l)(3)(A)(i); and (3) risks that may arise in the temporal gap that
                occurs after parties enter into an investment agreement but before the
                particular covered transaction is filed with CFIUS and becomes subject
                to a CFIUS Action.
                 This proposed approach contemplates that CFIUS would retain its
                existing authority to enforce CFIUS Actions, and DOJ would retain the
                authority to enforce violations of obligations under the program. Since
                the program would no longer apply to a particular covered data
                transaction once a CFIUS Action has been taken, CFIUS and the data-
                security regulations would not create dual or overlapping obligations:
                Violations of the obligations under the data-security regulations could
                occur only before the occurrence of the CFIUS Action. DOJ would retain
                authority, at any time, to enforce any violations of obligations under
                the program that were committed while the program applied to the
                covered data transaction, even if the enforcement action occurs after a
                CFIUS Action has occurred. In such instances, DOJ would coordinate with
                CFIUS.
                 Regardless of the manner in which the regulations address
                investment agreements, the program's other rules for classes of covered
                data transactions would still apply. Even if the program proposed under
                this ANPRM ceased to apply to a particular investment agreement subject
                to a CFIUS Action, U.S. persons would still have to comply with the
                program's rules for covered data transactions involving data brokerage,
                the provision of bulk human genomic data and human biospecimens, vendor
                agreements, employment agreements, and other investment agreements not
                subject to a CFIUS Action.
                 The ANPRM seeks comment on this topic, including:
                 81. How should the program address investment agreements that
                are also ``covered transactions'' subject to the jurisdiction of
                CFIUS? What are the pros and cons of the approach under
                consideration?
                 82. In terms of compliance, what are the considerations with the
                approach described above where this program would govern unless or
                until a CFIUS Action occurs?
                 83. What other potential overlaps or gaps, if any, may exist
                between the program contemplated here and existing authorities? How
                should this program address them? In particular, should the
                Department of Justice consider any adjustments to the program
                contemplated here in light of the consumer-reporting rulemaking
                under the Fair Credit Reporting Act that the Consumer Financial
                Protection Bureau is considering? See Final Report of the Small
                Business Review Panel on the CFPB's Proposals and Alternatives Under
                Consideration for the Consumer Reporting Rulemaking (Dec. 15, 2023),
                https://files.consumerfinance.gov/f/documents/cfpb_sbrefa-final-report_consumer-reporting-rulemaking_2024-01.pdf [https://perma.cc/K75B-MKR3].
                N. Economic Impact
                 The Department of Justice is committed to ensuring that the
                contemplated program is carefully scoped to the kinds of data
                transactions that present unacceptable national-security risks and
                minimizes unintended economic impacts. The Department of Justice
                currently anticipates that this program would have the following
                economic impacts.
                 For each of the two classes of prohibited covered data transactions
                (those involving data brokerage and those involving the provision of
                human genomic data or human biospecimens from which that data can be
                derived), the Department of Justice anticipates that the primary
                economic impacts will fall into two categories: (1) direct costs in the
                form of the lost economic value of the covered data transactions that
                are prohibited or forgone, and (2) indirect costs, such as the
                compliance costs to perform due diligence to ensure that transactions
                with foreign persons comply with the prohibitions. For each of the
                three classes of restricted covered data transactions (vendor
                agreements, employment agreements, and investment agreements), the
                Department of Justice anticipates that the primary economic impacts
                will fall into two categories: (1) direct costs in the form of the lost
                economic value of covered data transactions that are prohibited or
                forgone, and (2) indirect costs, such as the costs of complying with
                the security requirements to conduct restricted covered data
                transactions and with the reporting requirements.
                 Direct costs. As a preliminary matter, there does not appear to be
                a complete or reliable estimate of the markets for, or economic value
                of, each of these classes of covered data transactions--especially at
                the level of granularity required to accurately account for the details
                of the contemplated program, such as the specific classes of prohibited
                and restricted covered data transactions, the countries of concern, the
                kinds of sensitive personal data, the classes of exempt transactions
                (such as financial-services transactions), and other carve-outs and
                definitions being considered for this program.
                 For example, with respect to data brokerage, estimates for the
                total global data broker market vary widely from around $50 billion to
                over $300 billion and do not appear to have clear or reliable
                methodologies whose validity can be easily assessed.\13\ The United
                States is widely perceived as the largest market for data brokerage;
                for instance, major U.S. data brokerage firms report that a majority of
                their global revenues come from the domestic market and that Asia-
                Pacific revenues (which are not broken down further for markets for
                specific countries) account for approximately one to six percent of
                their global markets.\14\ Likewise,
                [[Page 15800]]
                although trade in services data from the U.S. Bureau of Economic
                Analysis (BEA) provides an alternative potential approach for
                identifying cross-border transactions in sensitive personal data, the
                BEA data is not measured in a way that allows any direct comparison to
                the program contemplated here. The BEA categories of ``Database and
                Other Information Services'' and ``Telecommunications, Computer, and
                Other Information Services'' appear to be the two closest. But those
                BEA categories are over-inclusive and under-inclusive relative to the
                categories of covered data transactions that would be prohibited or
                restricted under the contemplated program: These two BEA categories,
                for instance, include trade that would be outside the scope of the
                contemplated program, such as kinds of data (e.g., web-browser history)
                and activities (e.g., computer hardware, dissemination of data and
                databases like directories, mailing lists, and web-search portals,
                newspaper and periodical subscriptions, and library/archive services).
                Similarly, for instance, these two BEA categories exclude transactions
                that would be within the scope of the contemplated program, such as
                activity from advertising, trade in human genomic data, and exports by
                credit bureaus (which report their data exports separately under the
                broader heading of ``Financial Services''). Nevertheless, as a point of
                comparison, the BEA data suggests that, in 2022, the United States
                exported $317 million in ``Database and Other Information Services'' to
                China and a combined $3.4 billion in ``Telecommunications, Computer,
                and Other Information Services'' to China and Hong Kong.
                ---------------------------------------------------------------------------
                 \13\ See, e.g., Catherine Tucker & Nico Neumann, Buying Consumer
                Data? Tread Carefully, Harvard Business Review (May 1, 2020),
                https://hbr.org/2020/05/buying-consumer-data-tread-carefully
                [https://perma.cc/GDY3-AWKQ]; OnAudience, Global Data Market Size:
                2017-2021 at 4, 8 (Nov. 2020), http://pressmania.pl/wp-content/uploads/2020/12/Global-Data-Market-Size-2017-2021-OnAudience-Report.pdf [https://perma.cc/7NQS-3TXK]; Knowledge Sourcing
                Intelligence, Global Data Broker Market Size, Share, Opportunities,
                COVID-19 Impact, And Trends By Data Type (Consumer Data, Business
                Data), By End-User (BFSI, Retail, Automotive, Construction, Others),
                And By Geography--Forecasts from 2023 to 2028 (June 2023), https://www.knowledge-sourcing.com/report/global-data-broker-market [https://perma.cc/2ED8-WU9K]; Transparency Market Research, Data Brokers
                Market (July 2022), https://www.transparencymarketresearch.com/data-brokers-market.html [https://perma.cc/GL3M-MQMR]; Maximize Market
                Research, Data Broker Market: Global Industry Analysis and Forecast
                (2024-2030) (Jan. 2024), https://www.maximizemarketresearch.com/market-report/global-data-broker-market/55670/ [https://perma.cc/V2VJ-VX9A].
                 \14\ See, e.g., TransUnion, TransUnion Announces Fourth Quarter
                2022 Results (Feb. 14, 2023), https://newsroom.transunion.com/transunion-announces-fourth-quarter-2022-results/ [https://perma.cc/S8QW-D8RS]; Experian, Trading update, first quarter (July 13, 2023),
                https://www.experianplc.com/content/dam/marketing/global/plc/en/assets/documents/results-and-presentations/2023/experian-q1-fy24-trading-update.pdf [https://perma.cc/3FCZ-U4CY].
                ---------------------------------------------------------------------------
                 For restricted covered data transactions, the net direct lost
                economic value will also depend on the extent to which U.S. persons
                continue to pursue otherwise-prohibited vendor agreements, employment
                agreements, and investment agreements in compliance with the security
                requirements. Where U.S. persons determine not to pursue vendor,
                employment, or investment agreements with covered persons, the net cost
                will depend on the extent to which such agreements can be easily
                replaced with vendors, employers, and investors that will not be
                subject to such restrictions. It is plausible, for example, that--faced
                with higher costs associated with executing a vendor agreement with a
                vendor based in a country of concern--a U.S. company will opt to drop
                its data-processing contract with that vendor and instead rely on a
                vendor based outside of a country of concern. Relative to the current
                status quo, this switch could represent a financial loss to the
                original U.S. company (which could now face a higher cost for data
                processing) while providing a net gain to the alternative data
                processing vendor. The opposite could also be true: that the relevant
                costs associated with complying with this program would not justify a
                U.S. business switching from a vendor based in a country of concern but
                instead would justify continuing with that vendor by implementing the
                security requirements.
                 We request economic data to further evaluate these direct costs.
                 Indirect costs. In addition to the direct costs of prohibited and
                restricted covered data transactions, U.S. companies that handle and
                transfer bulk U.S. sensitive personal data or government-related data
                may also incur costs to ensure that they are complying with the
                contemplated program. The universe of firms that transact in bulk U.S.
                sensitive personal data is larger than the subset of such firms that
                knowingly transfer such data to countries of concern or covered
                persons; this larger universe of firms will need to undertake some due-
                diligence measures to ensure their typical data transfers are not in
                fact going to countries of concern or covered persons (for prohibited
                covered data transactions) and to comply with the security requirements
                (for restricted covered data transactions). Such compliance costs will
                vary by sector and size of firm.
                 For prohibited covered data transactions, the costs of due
                diligence would likely vary significantly across companies, as with the
                costs of compliance for economic sanctions, export controls, and other
                national-security and law-enforcement regulations. As explained above,
                the contemplated program would employ a risk-based approach, like
                sanctions and export controls, in which regulated U.S. persons
                implement compliance programs based on their individualized risk
                profiles. For example, in addition to complying with other aspects of
                the contemplated program, the upfront due-diligence compliance costs
                for companies with robust existing compliance programs (such as
                sanctions and export controls) may be lower, whereas other companies
                with less robust compliance programs or no existing compliance programs
                may incur greater costs. Any estimate of due-diligence compliance costs
                would benefit greatly from more robust information on the size of the
                industries for each of the classes of prohibited covered data
                transactions, per-company costs, and per-transaction costs.
                 Similarly, for restricted covered data transactions, the costs of
                complying with the security requirements will vary across U.S.
                companies depending on the level of cybersecurity maturity. At one end
                of the spectrum, many U.S. companies already have foundational baseline
                cybersecurity protocols and technology in place, and may face only the
                marginal cost of tailoring or re-deploying those existing protocols and
                technology against the particular security requirements contemplated
                here. At the other end of the spectrum, other U.S. companies with less
                mature cybersecurity programs may face greater costs to acquire and
                implement baseline cybersecurity protocols and technology. The overall
                costs to comply with the security requirements will depend on the
                number and distribution of U.S. companies within the markets for the
                classes of restricted covered data transactions with countries of
                concern. Economic reasoning suggests, however, that companies that
                choose to deploy security measures to conduct restricted covered data
                transactions would not incur compliance costs that are greater than the
                revenue they could realize by implementing these measures.
                 For U.S. persons that do find they need to invest in additional
                due-diligence programs to ensure compliance with the security
                requirements, such spending may also create offsetting benefits in the
                form of lower risks of data breaches and cyber attacks. For example, a
                July 2023 study noted that the global average cost of a data breach was
                $4.45 million the previous year and a 15% increase over the previous
                three years.\15\
                ---------------------------------------------------------------------------
                 \15\ Industrial Cyber, Data breach costs for critical
                infrastructure sector exceed $5 million, as time `new currency' in
                cybersecurity (July 25, 2023), https://industrialcyber.co/reports/data-breach-costs-for-critical-infrastructure-sector-exceed-5-million-as-time-new-currency-in-cybersecuritydata-breach-costs-for-critical-infrastructure-sector-exceed-5-million-as-time-new/
                [https://perma.cc/9QDT-37CN].
                ---------------------------------------------------------------------------
                 U.S. persons subject to the reporting requirements may also incur
                costs to comply with the reporting requirements--costs that may also
                vary by company depending on their individualized risk profile.
                 The net impact of these indirect costs appears difficult to measure
                accurately with available data. We request economic data to support
                measurement of these indirect costs.
                 The ANPRM seeks comment on this topic, including:
                [[Page 15801]]
                 84. To what extent do the current markets for the classes of
                covered data transactions involve the categories of sensitive
                personal data contemplated here? What is the average estimated
                commercial value of these covered data transactions? What are
                reliable sources of information on the size, extent, and growth of
                the markets for each of the classes of prohibited and restricted
                covered data transactions?
                 85. What is the value of covered data transactions with
                countries of concern that would be impacted by this regulation?
                 86. How many covered data transactions with countries of concern
                or covered persons that meet the bulk threshold requirements are
                typically conducted each year?
                 87. Which economic sectors are expected to be affected by the
                regulation? What is the average size, in both
                revenue and number of employees, of the firms impacted by the
                regulation? What is the expected impact per firm, as a percentage of
                overall revenue? What are the program's likely effects on existing
                jobs and new employment opportunities for affected firms and
                sectors?
                 88. What specific types of data are involved in covered data
                transactions that involve data brokerage? What is the general
                purpose of these transactions? How is this data stored? Is U.S.
                persons' data that is sold to customers in countries of concern
                stored on or retrieved from the same systems used to store or
                retrieve U.S. persons' data sold to customers outside the countries
                of concern? If not, what segmentation exists?
                 89. What kinds of best practices do U.S. persons engaged in data
                brokerage implement to screen potential customers in the countries
                of concern (or markets that present similar risk profiles)? How
                widely implemented are these best practices in the industry?
                 90. What is the estimated economic size of the data brokerage
                market? What are the best, most reliable sources of data for the
                size, extent, and growth rate of this market? What is the average
                value of a covered data transaction involving data brokerage?
                 91. How can service providers be grouped in the third-party data
                brokerage market? What is the difference between a large, medium,
                and small broker? How consolidated is the market? What are key
                factors, business features or other models that providers use to
                differentiate themselves? To what degree are providers
                differentiated by features other than the size and scope of
                individual data sets?
                 92. What are the estimated sizes of the global data brokerage
                market for each of the six types of data identified in this
                contemplated regulation (i.e., covered personal identifiers,
                personal financial data, precise geolocation data, personal health
                data, biometric identifiers, human genomic data)? What is the
                estimated size of each of these markets in the United States and
                each of the identified countries of concern?
                 93. What is the estimated transaction volume for the data
                brokerage market (both first-party and third-party brokerage)? What
                percentage of these transactions involve one or more of the six
                categories of regulated sensitive personal data? What percentage of
                these transactions involve a country of concern?
                 94. How are transactions conducted in the data brokerage market?
                What percentage of the economic value of this market involves
                transfer of data? What percentage involves subscription access to
                centrally managed databases? What percentage involves analyzed or
                processed data? What percentage involves access to raw, unprocessed
                data?
                 95. To what extent do U.S. persons engaged in data brokerage use
                any service providers in countries of concern connected to their
                brokerage activities--such as hiring outsourcing companies for
                cleaning and labeling datasets or signing agreements with cloud
                service providers to store datasets? What is the estimated economic
                value of these services?
                 96. How many firms will be impacted by the prohibition on the
                use of vendors from countries of concern? What will be the average
                cost per firm of switching from vendors subject to restrictions to
                vendors not subject to restrictions? Which sectors will they be in?
                What will be the average size of such a firm?
                 97. Are there any sectors, markets, or product or service
                categories where, after excluding restricted vendors, there is
                unlikely to be a sufficient number of firms available to supply the
                overall level of service required by the market?
                 98. What proportion and segments of the cloud-computing services
                market will be impacted by this regulation? What will be the
                specific impacts on the cloud infrastructure, platform, and services
                markets? What will be the impact on U.S. cloud computing companies
                seeking to do business in countries of concern?
                 99. What will be the impact on cloud-computing service companies
                based in countries of concern? Are there circumstances under which
                U.S. companies may still wish or be required to do business with
                cloud-computing service companies based in countries of concern
                after the implementation of this regulation? In these circumstances,
                will U.S. companies still be able to conduct necessary business
                after the implementation of this regulation?
                 100. What will be the economic impact of prohibiting any covered
                data transaction that provides a country of concern or covered
                person with access to bulk U.S. human genomic data and human
                biospecimens from which that sensitive personal data can be derived,
                taking into account the proposed exemptions?
                 101. What sectors are involved in access to bulk U.S. human
                genomic data and human biospecimens? Are there any sectors that
                involve access to one, but not both, of these categories? What is
                the estimated size of these markets, as well as the overall volume
                and value of the covered data transactions involving this type of
                data?
                 102. What types of commercial transactions involve human genomic
                data and human biospecimens? Do any of these transactions involve
                exchange of the data? Do any of these transactions involve access
                to--but not exchange of--this sensitive personal data?
                 103. Is there sufficient commercial demand available outside
                countries of concern to replace demand lost as a result of the
                prohibition, and if so, where is such demand located? What is the
                timeline for pivoting to meet new demand?
                 104. What percentage of the U.S. workforce would be affected by
                the restrictions on employment agreements? How many firms will be
                impacted by this prohibition? Which sectors will they be in? What
                will be the average size of such a firm?
                 105. What will be the major cost components of a regulatory
                compliance program? What will be the average cost of each of these
                components per firm? Which of these components will be flat cost,
                regardless of the size of firm? Which will have a variable, per-
                employee cost?
                 106. What is the estimated cost of implementing the security
                requirements contemplated in the regulation on a per-firm basis?
                What are the basic components of these costs? Which of these
                components are fixed, one-time costs? Which will be ongoing,
                recurring costs?
                 107. How could the Department of Justice mitigate the costs of
                compliance, particularly for small- and medium-sized enterprises?
                Are there measures that could be taken to reduce the economic impact
                of the regulatory regime without altering the fundamental scope or
                thresholds associated with the regulation?
                 108. Are there legitimate commercial reasons for a covered
                person to access data or information covered as part of the classes
                of restricted covered data transactions? To what degree will an
                inability to access this data affect that company's ability to
                provide goods or services to U.S. companies and individuals?
                 109. What would be the commercial impact on U.S. persons if
                countries of concern must conduct business in the United States
                without access to data covered by restricted covered data
                transactions? Are there other economic arrangements by which a
                company could obtain the benefits of the data without directly
                accessing the data itself?
                 110. What additional costs and benefits should the Department of
                Justice consider, and how should they be estimated? Is there
                additional data on the economic costs and benefits that the
                Department of Justice should examine?
                O. Overarching and Additional Inquiries
                 111. What additional example scenarios should the Department of
                Justice consider, evaluate, and address in a proposed rulemaking to
                provide clarity?
                 112. What time, if any, will U.S. persons that are currently
                engaged in the prohibited covered data transactions contemplated
                here need to wind down those transactions? What time, if any, will
                U.S. persons that are currently engaged in the restricted covered
                data transactions contemplated here need to comply with the security
                requirements or else wind down those transactions?
                 113. What costs would be incurred by maintaining the status quo
                (i.e., forgoing the contemplated regulations) with respect to any of
                the classes of prohibited and restricted covered data transactions
                under consideration?
                 114. Are there additional topics on which the Department of
                Justice should be seeking
                [[Page 15802]]
                comment? If so, what are they and what is their relevance?
                IV. Regulatory Certifications
                 This ANPRM has been drafted and reviewed in accordance with the
                Principles of Regulation in section 1(b) of Executive Order 12866 of
                September 30, 1993 (Regulatory Planning and Review), as amended by
                Executive Order 14094 of April 6, 2023 (Modernizing Regulatory Review),
                and in accordance with the General Principles of Regulation in section
                1(b) of Executive Order 13563 of January 18, 2011 (Improving Regulation
                and Regulatory Review). This ANPRM is a ``significant'' regulatory
                action pursuant to Executive Order 12866, as amended by Executive Order
                14094 and, accordingly, has been reviewed by the Office of Information
                and Regulatory Affairs (OIRA) at the Office of Management and Budget
                (OMB). This action does not propose or impose any requirements; rather,
                this ANPRM is being published to seek information and comments from the
                public to inform the notice of proposed rulemaking required to
                implement the Order.
                 The requirements of the Regulatory Flexibility Act do not apply to
                this action because, at this stage, it is an ANPRM and not a ``rule''
                as defined in 5 U.S.C. 601.
                 Following review of the comments received in response to this
                ANPRM, the Department of Justice will conduct all relevant analyses as
                required by statute or Executive order for the notice of proposed
                rulemaking required to implement the Order.
                 Dated: February 28, 2024.
                Matthew G. Olsen,
                Assistant Attorney General for National Security.
                [FR Doc. 2024-04594 Filed 3-4-24; 8:45 am]
                BILLING CODE 4410-PF-P
                
