White House, Congress, and Federal Agencies Move To Limit Foreign Adversaries’ Access To Sensitive Personal and Government Data

The federal government is moving rapidly to address concerns about access by foreign adversaries to certain personal and other sensitive U.S. data. In late February, President Biden issued an Executive Order titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (Order). This Order has broad implications for companies handling large amounts of personal data (personal data) and/or information derived from that personal data. In parallel, the National Security Division of the Department of Justice (DOJ) issued an Advance Notice of Proposed Rulemaking (ANPRM)¹ seeking public comment on specific regulatory provisions that it may promulgate to implement the Order. And, on March 20, 2024, the House of Representatives unanimously approved the proposed “Protecting Americans’ Data from Foreign Adversaries Act of 2024” (H.R. 7520), which would ban “data brokers” from selling or transferring certain personal information to countries statutorily designated as foreign adversaries (which currently includes China, Russia, North Korea, and Iran²) or companies controlled by them. 

All of these moves indicate that the United States is heading toward implementing policies on cross-border data transfers already imposed by a number of other countries, including in Europe. As stated in the Order, the Biden administration believes that “certain countries of concern” are seeking access to Americans’ Sensitive Personal Data and U.S. Government-Related Data “to engage in a wide range of malicious activities.” According to the Order, such countries may use certain technologies, including artificial intelligence (AI), to analyze and manipulate Bulk U.S. Sensitive Personal Data to engage in espionage, identify potential strategic advantages over the United States, and engage in other activities that pose serious national security and foreign policy threats. The Order aims to address these threats by directing DOJ, the Department of Homeland Security (DHS), other federal agencies, and the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Service Sector (Team Telecom) to take actions, including promulgating regulations and standards, that can prevent adverse collection, use, and disclosure of U.S. Sensitive Personal Data and U.S. Government-Related Data.

Below we focus primarily on the details of the DOJ ANPRM. For reference and further clarification, key terms defined within the ANPRM can be found at the end of this Advisory. Comments on the ANPRM are due on April 19, 2024.

Overview of the DOJ ANPRM

The ANPRM sets forth a potential regulatory regime under which certain transactions allowing access to Bulk U.S. Sensitive Personal Data or Government-Related Data would be either prohibited (because it poses an unacceptable risk to national security) or restricted (because it would pose an unacceptable risk without additional safeguards). Because the ANPRM is so broadly written, however, it appears that it would, as currently written, have unintended consequences for many companies working globally. In any event, this shift in the United States’ traditional disfavoring of restrictions on cross-border data flows and outstanding additional rules that other agencies have been tasked with creating will require vigilance by companies who may be impacted (including, importantly, life sciences and health care companies for whom many transactions could be affected). In addition, companies should start now thinking about how to incorporate these types of restrictions into existing privacy or compliance programs and how to build due diligence processes to address the risks.

Prohibited and Restricted Transactions

Under DOJ’s contemplated rules, any “U.S. person” would be prohibited from knowingly³ engaging in (1) a “Covered Data Transaction” with a “Country of Concern” or a “Covered Person”; (2) a Covered Data Transaction involving “data brokerage”⁴ with any Foreign Person (unless the U.S. Person implements certain contractual requirements); or (3) any Covered Data Transaction with a Country of Concern or Covered Person that provides access to a certain threshold of bulk U.S. human genomic or biospecimen data — whether in a single transaction or aggregated across Covered Data Transactions. U.S. Persons also would be prohibited from aiding or inducing any such transactions, whether through conspiracies or otherwise. Simply put, these types of transactions wouldn’t be permissible under any circumstances because they pose an unacceptable risk to national security that cannot be mitigated.

Similar to prohibited transactions, restricted transactions also pose an unacceptable risk to national security, however are distinguishable because they can be mitigated with certain security measures. Specifically, restricted transactions would include transactions relating to (1) vendor agreements,⁵ (2) employment agreements,⁶ and (3) investment agreements⁷ to the extent they involve Countries of Concern or Covered Persons and Bulk U.S. Sensitive Personal Data, unless certain security requirements are implemented.

The contemplated security requirements would likely include, at a minimum, (1) basic organizational cybersecurity posture requirements; (2) data minimization and masking; (3) use of privacy-preserving technologies; (4) logical and physical access controls; and (5) conducting periodic assessments, such as annual testing and auditing by an independent auditor.

Importantly, with respect to “bulk sensitive personal data,” DOJ is considering defining this term to include data that is not necessarily identifiable to a specific individual, such that “bulk sensitive personal data” might be include (or consist entirely of) data that has been anonymized, pseudonymized, de-identified, or encrypted. The Executive Order expresses concern that advances in technology, coupled with access to large data sets, may enable Countries of Concern to re-identify the data, and it appears that DOJ, which is seeking comments on its suggested “bulk sensitive personal data” definition, is aiming for a broad definition to partially address that concern.

Licenses

The ANPRM contemplates the use of licenses authorizing Covered Data Transactions that would otherwise be prohibited or restricted. General licenses would authorize certain types of Covered Data Transactions and may require a cadence reporting. Specific licenses could also be issued and would likely come with ongoing reporting obligations, as well as requirements to provide assurances that data transferred pursuant to the licensed transactions can be recovered, irretrievably deleted, or otherwise rendered non-functional.

Exempt Transactions

DOJ is also considering exempting from the anticipated prohibitions/restrictions transactions related to (1) certain personal communications and informational materials, (2) financial services, payment processing, and regulatory compliance, (3) intra-entity transactions incident to business operations, and (4) transactions required or authorized by federal law or international agreements.

In addition, the DOJ is also considering exempting certain passive investments that do not grant the kind of ownership interest or rights ordinarily linked to risks to national security.

Compliance and Enforcement

As described in the ANPRM, enforcement of the anticipated regulations would involve a risk-based compliance program, similar to OFAC’s International Emergency Economic Powers Act economic sanctions program. Such compliance programs would require U.S. Persons to conduct due diligence, recordkeeping, and reporting as a condition of engaging in a restricted transaction or of obtaining and maintaining a general or specific license. Failure to develop an adequate compliance program might be considered an aggravating factor in any enforcement action. DOJ is also contemplating a process for imposing civil monetary penalties in cases of noncompliance with the regulations, material misstatements, false certifications, or other transgressions.

Other Agency Actions Pursuant to the Order

The Order also directs other federal agencies to adopt measures to achieve its objectives, including:

• The Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency, must propose, seek public comment on, and publish security requirements that address the risks posed by restricted transactions. Those requirements, the Order states, must be based on the Cybersecurity and Privacy Frameworks developed by the National Institute of Standards and Technology.
• The Secretary of Defense, Secretary of Health and Human Services (HHS), Secretary of Veteran Affairs, and the Director of the National Science Foundation must consider taking steps to prohibit the provision of assistance that enables access by Countries of Concern to Americans’ bulk Sensitive Personal Data, or to impose mitigation measures with respect to such assistance.
• The Director of the Consumer Financial Protection Bureau is “encouraged” to consider taking steps to address risks created by the data brokerage industry and to enhance compliance with federal consumer protection law, including by continuing to pursue the rulemaking proposals identified by the CFPB at the September 2023 Small Business Advisory Panel for Consumer Reporting Rulemaking.
• Within 120 days of the DOJ regulations taking effect, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, in consultation with other agencies, must recommend to the National Security Advisor appropriate actions to detect, assess, and mitigate national security risks arising from prior transfers of Americans’ bulk Sensitive Personal Data to Countries of Concern.
• Within one year of the DOJ regulations taking effect, the Attorney General, in consultation with other agencies, must submit a report to the president assessing the effectiveness of the measures and economic impact of the Order.
• Within 120 days of the Order, the National Security Advisor, along with other White House positions and agencies, must submit a report to the president evaluating the risks and benefits of regulating transactions involving types of human ‘omic data other than human genomic data, such as human proteomic data, human epigenomic data, and human metabolomic data.

What Does This All Mean?

This Indicates a Significant Shift in the United States’ Position on Extraterritorial Data Flows

This Order and ANPRM mark a significant shift in U.S. policymaking. In international fora, the U.S. government has historically opposed efforts by other countries to limit extraterritorial data flows for private sector actors. Such restrictions have raised concerns about the economic impacts of excessive limits on the free flow of data across borders. Trade and investment agreements, such as the U.S.-Mexico-Canada Agreement (USMCA) and U.S.-Japan Digital Trade Agreement, prohibit data localization mandates and formalize data flows with Japan and among the North American trading partners. Until recently, the USMCA provisions were also reflected in U.S. negotiating positions at the World Trade Organization. While the Order prohibits DOJ from imposing generalized data localization requirements, it indicates a shift away from U.S. support for unfettered free data flows. Further, a recent decision by the United States Trade Representative (USTR) to withdraw U.S. negotiating positions supporting free flow of data likewise indicates a rethinking of past U.S. government positions. A narrowing of U.S. support for data flows could have implications resulting in more restrictive localization requirements in other countries and could add complexity to business planning and compliance.

An Exemption for Life Sciences Organizations May Be Useful and Further Conversations With HHS and Other Agencies May Be Required

With respect to health care and life sciences-related activities, it is important to note one of the exemptions proposed by DOJ for data transactions conducted pursuant to a grant, contract, or other agreement entered into with the U.S. government. Under this exemption, federal departments and agencies, such as HHS, the Department of Veterans Affairs (VA), the National Science Foundation (NSF), and the Department of Defense (DOD), could use grant- and contract-based conditions to address the risks of access by Countries of Concern to Sensitive Personal Data in transactions conducted pursuant to a federal grant or contract. DOJ anticipates that this exemption might permit a scenario such as a federal research grant awarded to a U.S. hospital to conduct research on U.S. Persons, where the U.S. hospital contracts with a foreign laboratory that is a Covered Person, hires a researcher that is a Covered Person, and provides the lab and/or researcher access to bulk human biospecimen and human genomic data. DOJ has tasked HHS, the VA, NSF, and DOD with considering steps to prohibit grants or other forms of assistance that could enable Countries of Concern to access Americans’ bulk Sensitive Personal Data. Those agencies may be soliciting input from the health care and life sciences industries on the appropriate scope and nature of such prohibitions.

Proactive Internal Assessments and Due Diligence Processes Will Be Key

The Order and ANPRM underscore the importance of conducting or re-conducting a comprehensive assessment of data flows within the organization and with the organization’s customers, suppliers, service providers, and go-to-market partners. While an organization may have already conducted a data flow mapping exercise and assessment for the purposes of data privacy law compliance, the broad definition of sensitive data (encompassing data that may have been treated as not personally identifying in prior data flow assessments) and the different regulatory purposes may call for a refreshed and refocused examination. In addition, the focus of the Order and ANPRM on potential “access” by Countries of Concern may differ from the objective of a traditional privacy mapping exercise and may be closer to the type of assessment that export control and trade sanctions specialists often conduct within an organization for compliance, licensing, and investigative purposes. Companies that may be engaging in what DOJ has proposed to be Covered Data Transactions should begin building processes (or adding to existing processes), including diligence processes, to ensure new transactions (be they employment agreements, vendor agreements, data brokerages, or investment agreements) are lawful and (if lawful) are subject to the required security and privacy controls to allow the transaction to occur.

Next Steps

The Order directs DOJ to publish a proposed rule by August 26, 2024. Once that happens, we expect DOJ to open another comment period, likely for at least 30 days. While timing for issuance of the final rule is unclear, it seems unlikely, given the complexity of the issues involved, that DOJ will be able to finalize the rule prior to the November elections. Companies and individuals will be required to comply with the regulations only as of the effective date of the final rule or such later compliance date that DOJ might prescribe in the final rule.

As mentioned above, comments on the ANPRM are due on April 19, 2024. If you have questions about the Order, the ANPRM, or the House bill, please reach out to any of the authors of this Advisory or your other contacts at Arnold & Porter.

Key Terms

For purposes of the ANPRM:

U.S. Person means any United States citizen, national, or lawful permanent resident; or any individual admitted to the United States as a refugee, granted asylum, or any entity⁸ organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person⁹ in the United States.

Foreign Person means any person that is not a U.S. Person.

Countries of Concern include China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.

Covered Person includes an entity owned by, controlled by, or subject to the jurisdiction or direction of a Country of Concern; a Foreign Person who is an employee or contractor of such an entity; a Foreign Person who is an employee or contractor of a Country of Concern; a Foreign Person who is primarily resident in the territorial jurisdiction of a Country of Concern; or any person designated by the Attorney General as being owned or controlled by or subject to the jurisdiction or direction of a country of concern, as acting on behalf of or purporting to act on behalf of a Country of Concern or other Covered Person, or as knowingly causing or directing, directly or indirectly, a violation of the Order or the forthcoming regulations.

Covered Data Transactions are transactions¹⁰ that involve Bulk U.S. Sensitive Personal Data or Government-Related Data and that involve (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement.

Sensitive Personal Data includes:

1. Covered personal identifiers, which will include any of the below listed identifiers, linked with any other listed identifier, or with other Sensitive Personal Data:

a. Full or truncated government identification or account number (such as a Social Security Number, driver’s license or state identification number, passport number, or Alien Registration Number)

b. Full financial account numbers or personal identification numbers associated with a financial institution or financial-services company

c. Device-based or hardware-based identifier (such as International Mobile Equipment Identity (IMEI), Media Access Control (MAC) address, or Subscriber Identity Module (SIM) card number)

d. Demographic or contact data ( such as first and last name, birth date, birthplace, zip code, residential street or postal address, phone number, and email address and similar public account identifiers)

e. Advertising identifier (such as Google Advertising ID, Apple ID for Advertisers, or other Mobile Advertising ID (MAID))

f. Account-authentication data (such as account username, account password, or an answer to security questions)

g. Network-based identifier (such as Internet Protocol (IP) address or cookie data)

h. Call-detail data (such as Customer Proprietary Network Information (CPNI))

2. Precise geolocation data

3. Biometric identifiers

4. Human genomic data

5. Personal health data

6. Personal financial data

Bulk U.S. Sensitive Personal Data means a threshold amount of certain types of Sensitive Personal Data, regardless of the format of the data and regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, if such dataset is accessed through one or more Covered Data Transactions by the same Foreign Person or Covered Person. DOJ is considering what threshold “bulk” amounts would be most appropriate for different types of U.S. Sensitive Personal Data, and seeks comments on the costs and benefits of choosing specific thresholds. Specifically, DOJ is considering, for each of the six types of Sensitive Personal Data identified in the chart below, a “bulk” threshold somewhere within the range of “Low” and “High” amounts listed in the chart below.

In addition, any collection or set of data containing more than one of the six categories of data in the chart above, or that contains any listed identifier linked to any such category, would be “bulk U.S. sensitive personal data” if it met the threshold number of U.S. Persons or U.S. devices in any of the categories of data present.

U.S. Government-Related Data includes Sensitive Personal Data that, regardless of volume, the Attorney General determines poses a heightened risk of being exploited by a Country of Concern to harm United States national security and that:

1. A transacting party identifies as being linked or linkable to categories of current or recent former employees or contractors, or former senior officials, of the federal government, including the military, as specified in regulations issued by the Attorney General pursuant to section two of the Order

2. Is linked to categories of data that could be used to identify current or recent former employees or contractors, or former senior officials, of the federal government, including the military, as specified in regulations issued by the Attorney General pursuant to section two of the Order

3. Is linked or linkable to certain sensitive locations, the geographical areas of which will be specified publicly, that are controlled by the federal government, including the military

DOJ is considering adding as well:

1. Any precise geolocation data, regardless of volume, for any specifically identified geofenced areas associated with military, other government, or other sensitive facilities or locations

2. Any Sensitive Personal Data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government, including the military and Intelligence Community

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.