On October 29, 2024, the Department of Justice (DOJ) published its Proposed Rule outlining prohibitions and restrictions on certain transactions involving bulk U.S. sensitive personal data and U.S. Government-related data. As you may recall from our previous article, this rule stems from recent Executive Order (EO) 14117 on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The Proposed Rule has potential implications for any business that collects, retains, or deals in data on U.S. persons or certain other data relating to the U.S. Government. Here, we discuss some of the more interesting developments in the Proposed Rule and how it could affect your business.
Overview of the Regulation Thus Far
To recap what we discussed in our last article regarding DOJ’s Advanced Notice of Proposed Rulemaking (ANPRM), there are two overarching classes of data this Proposed Rule will regulate: (1) bulk U.S. sensitive personal data and (2) U.S. Government-related data. Bulk U.S. sensitive personal data covers six data types,[1] for each of which a bulk threshold must be met before the data is covered by the regulations. For U.S. Government-related data, there is no bulk threshold; instead, the regulations apply to any data that is either (i) precise geolocation data for certain listed locations or (ii) sensitive personal data marketed as linked or linkable to certain government employees or contractors.
Transactions for the sale of this data (“data brokerage transactions”), as well as for the sale of human genomic or biospecimen data, are prohibited with covered parties[2] by the Proposed Rule. Another subset of transactions is restricted when those transactions involve access or potential access by a covered party to the covered data. Those restricted transaction types are vendor agreements, employment agreements, and investment agreements, and these transactions may only occur after certain compliance obligations are met.
What’s New in the Proposed Rule
The Proposed Rule generally aligns with the ANPRM as explained above, but it also fills in some of the important missing details. Below, we highlight key (and perhaps unexpected) developments from the Proposed Rule.
- A Lower Bulk Threshold. In the ANPRM, the DOJ indicated that a wide range was being considered for the bulk thresholds associated with sensitive personal data; the Proposed Rule settles at the lower end of the anticipated ranges. For instance, for personal health data and personal financial data, the DOJ was considering a range between 1,000 and 1,000,000 and, in the Proposed Rule, regulators decided that data on 10,000 U.S. persons for these data types would meet the threshold. For businesses with the covered personal identifier data type, likely the most broadly applicable data type, DOJ decided data on 100,000 U.S. persons will be considered bulk. This includes commonly collected customer data, such as contact data (e.g., address, phone number), device-based identifiers (e.g., IMEI, MAC addresses), or network-based identifiers (e.g., IP addresses or cookie data).
- Prohibited Transaction Requirements. As expected, data brokerage transactions with a country of concern or covered party are prohibited per the Proposed Rule. Directing or conspiring to conduct a prohibited transaction is also prohibited. The Proposed Rule introduces new requirements for data brokerage transactions, including requiring sellers of covered data to include language in contracts with non-U.S. parties prohibiting the diversion of the covered data to a covered party. Sellers must also report within 14 days any known or suspected violation of the regulations, and also flow down that reporting requirement in their contracts with non-U.S. parties.
- Restricted Transaction Requirements. We knew from the ANPRM there would be cybersecurity requirements from CISA for businesses with vendor agreements, employment agreements, or investment agreements that included access to covered data by covered parties (“restricted transactions”). For businesses with restricted transactions, the Proposed Rule also introduces requirements for due diligence, auditing, and reporting. Businesses must develop and implement data compliance programs and regularly audit for violations. They must also report annually to the DOJ on these programs if 25% or more of their equity is owned by a country of concern or covered party.
- Reports for Solicited Transactions. The Proposed Rule requires anyone who receives and rejects an offer to engage in a prohibited transaction to report to the DOJ within 14 days of rejecting the transaction.
New Obligations
Once final, this regulation will impose substantive compliance requirements on virtually any U.S. business that has covered data. In addition to determining whether your business has covered data, the following questions also should be considered to assist in understanding the impact of this rule.
- Do you have bulk data or any U.S. Government-related data? If your business collects and stores covered data, then you will need to be aware of the reporting requirements if you receive solicitations for the sale of that covered data. This will be particularly relevant for businesses that market themselves as serving government or military personnel, as any customer data is likely to be covered regardless of volume.
- Do you store data outside the United States? Do you have non-U.S. employees who can access data? Do you have non-U.S. investors who can access data? If your business operations include storing data outside the United States or access to data outside the United States, you will need to determine if any of that access is by a country of concern or covered parties. If it is, your business likely will need to implement a data compliance program and train employees on identifying reportable transactions.
- Do you sell covered data? If your business conducts “data brokerage transactions,” it is important to understand the types of transactions that will be prohibited going forward, as well as potential reporting obligations. Additionally, contractual language with customers outside the United States will need to be updated.
Companies affected by this regulation may consider submitting a comment to the DOJ – the comment period is open until November 29, 2024. In addition, companies that may be impacted should begin to analyze what covered data they may hold as well as the controls and compliance obligations that may arise. As we continue to watch this space, stay tuned for the eventual Part III.
FOOTNOTES
[1] These six data types are (1) covered personal identifiers; (2) geolocation and related sensor data; (3) biometric identifiers; (4) human genomic data; (5) personal health data; (6) personal financial data.
[2] Covered parties include any entity owned or controlled by a country of concern or organized under the laws of a country of concern, as well as any entity 50% owned or controlled by such entities. This also includes primary residents of countries of concern, or employees or contractors of one of the covered entities. The Proposed Rule identifies the countries of concern as China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. The attorney general may also designate any person as being covered by these regulations.