On February 28, 2024, President Biden issued Executive Order 14117 (the EO) directing the US Attorney General and other agencies to promulgate regulations that restrict and, in some cases, prohibit transactions that might involve the sharing of sensitive personal data and government-related data with “countries of concern” (currently China, including Hong Kong and Macau, Russia, Iran, North Korea, Cuba, and Venezuela). In tandem, the Department of Justice (DoJ) issued an Advance Notice of Proposed Rulemaking (ANPRM) describing the forthcoming DoJ regulations and requesting public comment. Following comments on the ANPRM, DoJ will issue a notice of proposed rulemaking, seek further comments, and subsequently publish a final rule. Although there is no immediate prohibition or restriction on data transfers, the EO and the various agency regulatory actions could have a substantial impact on US and global businesses depending on their final terms.

The EO and the ANPRM appear to represent an extension of national security risk mitigation measures that have been imposed in recent years by the Department of the Treasury’s Committee on Foreign Investment in the United States (CFIUS). From a global perspective, the EO and ANPRM appear to be similar in some respects to interpretations of cross-border data transfer restrictions implemented under the EU General Data Protection Regulation (EU GDPR) and the China Personal Information Protection Law and related laws (China PIPL). This Baker McKenzie Client Alert provides a brief summary of the EO and the DoJ ANPRM, and outlines initial impressions of the commercial implications of the regulations for US and global businesses.

EO Overview

The EO explains that it aims to protect Americans’ sensitive personal data from exploitation by countries of concern. Companies are collecting more of Americans’ data than ever before, and this data is often legally sold and resold through data brokers and other companies. Such data can also be sold legally to countries of concern, or entities controlled by those countries, and it can land in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments. The EO specifies that it aims to address the national security risks arising from US adversaries’ access to such personal data, including the use of the data by such adversaries for blackmail, espionage, suppression of civil liberties, and other activities counter to US interests.

The EO is based on the International Emergency Economic Powers Act (IEEPA) like many US sanctions regimes, and the proposed data restrictions broadly follow a similar framework involving categorical prohibitions and licensing for particular transactions. The EO directs various government agencies to effectuate its objectives. DoJ carries the primary responsibility to implement the core directives of the EO. Other relevant agencies and offices include the Department of Homeland Security (DHS), Department of the Treasury, the Department of Defense, the Department of Commerce, the Department of Health and Human Services, the Office of the Director of National Intelligence, the Office of the National Cyber Director, the Office of Management and Budget, the Federal Trade Commission, the Federal Communications Commission, and any other agency or office that DoJ determines appropriate. Several of the EO’s key mandates are as follows:

  • DoJ and DHS in consultation with relevant agencies must issue regulations that prohibit US persons from engaging in transactions in which a foreign country or national has an interest where the transaction: (i) involves “bulk” sensitive personal data (i.e., sets of sensitive personal data that go beyond certain prescribed quantitative thresholds) or US Government-related data; (ii) poses an unacceptable national security risk; and (iii) does not fall within an exception. The DoJ ANPRM is discussed in the section below.
  • The Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (Team Telecom) must consider threats to sensitive personal data in its reviews of submarine cable licenses.
  • The Departments of Health and Human Services, Defense, and Veterans Affairs, and the National Science Foundation must take steps to ensure that federal grants, contracts, and awards are not used to facilitate access to sensitive health data by countries of concern, and to help US research entities ensure protection of their bulk sensitive personal data.
  • The Consumer Financial Protection Bureau is encouraged to take steps to address risks of data brokers and others in the data brokerage industry making available sensitive personal data to countries of concern.
  • DoJ, DHS, and the Director of National Intelligence must evaluate how to mitigate the risks of prior transfers of bulk sensitive personal data to countries of concern, and work with relevant agencies to implement such mitigating measures.
  • A number of other agencies and offices, including the Office of Science and Technology Policy, the Office of Pandemic Preparedness and Response Policy, the Departments of Health and Human Services, Defense, and Veterans Affairs, the Federal Bureau of Investigation, and the National Science Foundation, must assess the risks and benefits of regulating transactions involving “human ‘omic data” other than human genomic data, and make related recommendations on how to mitigate such risks.

The EO specifies it does not aim to restrict the free flow of personal data for commercial purposes. Specifically, the EO does not authorize the imposition of generalized data localization requirements to store sensitive personal data in the United States or to locate computing facilities used to process the data in the United States. Even as DoJ describes the EO as “groundbreaking,” the EO further asserts it does not seek to block categorically US persons from conducting commercial transactions with persons subject to the control or jurisdiction of countries of concern, or impose measures aimed at decoupling the substantial economic relationships that the United States has with other countries.

DoJ ANPRM

The ANPRM creates two levels of restriction. Highly sensitive data transactions will be fully prohibited, while other types of data transactions will be “restricted” and allowed only if the transactions comply with certain data security requirements.

Prohibited Transactions: US persons (i.e., US companies and other entities organized under the laws of the United States and their foreign branches, US nationals and green card holders, and any person physically located in the United States) will be prohibited from knowingly engaging in the following transactions with entities or individuals subject to the jurisdiction of countries of concern or other restricted parties, if the transactions involve bulk US personal data or US government-related data:

  1. data-brokerage transactions, i.e. the sale or licensing of access to personal data where the recipient did not collect or process the data directly from the underlying individuals; and
  2. transfers of bulk human genomic data or biospecimens via a vendor agreement, employment agreement, or investment agreement.

Transactions Subject to Security Requirements: US persons will be prohibited from knowingly engaging in the following data transactions with entities or individuals subject to the jurisdiction of countries of concern or restricted parties, unless the transactions comply with certain data security requirements. Those requirements will be detailed in further regulations, but will likely include, for example, organizational cybersecurity requirements, physical and logical access controls, data masking and minimization (e.g., tokenization), and privacy-preserving technologies including encryption:

  1. vendor agreements involving the provision of goods and services, including cloud-service agreements;
  2. employment agreements; and
  3. investment agreements.

The applicable security requirements are still under development and will be proposed by DHS with an opportunity for public comment. In addition to assuring substantive information security controls as described above, we anticipate that the security measures will be aimed at preventing actual access to underlying data by the relevant countries of concern.

Covered Data

The data that trigger the prohibitions and restrictions listed above fall into the following categories. The ANPRM contemplates a volume threshold for each category of bulk sensitive personal data and gives the threshold as a range, shown below, rather than a fixed number:

Bulk Sensitive Personal Data

  1. Personal identifiers of more than 10,000 – 1,000,000 US persons: two or more personal identifiers when linked together, including identifiers in the following categories:
    a. Full or truncated government ID or account number, e.g. social security number, driver’s license number, passport number;
    b. Full financial account number;
    c. Device or hardware-based identifier, e.g. a SIM card number;
    d. Demographic or contact data;
    e. Advertising identifier, e.g. Google Advertising ID, Apple ID for Advertisers, or other Mobile Advertising ID;
    f. Account username or password;
    g. Network-based identifier, e.g. IP address;
    h. Call-detail data.
  2. Precise geolocation data of more than 100 – 10,000 US persons, whether real-time or historical;
  3. Biometric identifiers of more than 100 – 10,000 US persons, e.g. facial images, retina and iris scans, palm prints or fingerprints, voice prints and patterns;
  4. Human genomic data of more than 100 – 1,000 US persons, including the results of an individual’s genetic test;
  5. Personal health data of more than 1,000 – 1,000,000 US persons; and
  6. Personal financial data of more than 1,000 – 1,000,000 US persons, e.g. information about an individual’s credit card or bank account; data in a financial statement; or data in a credit report.

Government-Related Data

  1. Precise geolocation data for any location within a specific geofenced area associated with military, government, or other sensitive facilities or locations (no volume threshold); and
  2. Any “sensitive personal data” in the six categories above that a transaction party markets as linked or linkable to current or recent former officials, employees, or contractors of the US government (no volume threshold).

The restrictions would apply regardless of whether the data is anonymized, pseudonymized, de-identified or encrypted; none of these techniques, on its own, takes a dataset outside the scope of the contemplated rules.
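Because the ANPRM gives only ranges, a data-inventory screen built today has to pick a working number. The following is an added example, not part of this alert and not DoJ tooling: it screens an inventory entry against the categories above using the lower bound of each contemplated range as the threshold, so that anything that could be covered under the final rule is flagged for review. The `DataAsset` fields, the category and identifier-kind names, and the sample entries are all assumptions constructed for the example; the two-or-more-linked-identifiers rule, the strict “more than N” comparison, the absence of any volume threshold for government-related data, and the irrelevance of encryption or de-identification to the outcome follow the text above.

```python
"""Conservative screen of a data-inventory entry against the EO 14117 / DoJ
ANPRM covered-data categories. Added example, not part of the alert."""
from dataclasses import dataclass

# Assumption: lower bound of each contemplated range, used as the screening
# threshold until the final rule fixes the numbers.
BULK_THRESHOLDS = {
    "personal_identifiers": 10_000,
    "precise_geolocation": 100,
    "biometric_identifiers": 100,
    "human_genomic": 100,
    "personal_health": 1_000,
    "personal_financial": 1_000,
}

# Identifier kinds listed in the ANPRM (names are this example's labels).
# Two or more of them, linked to the same individuals, are needed before a
# record counts as "personal identifiers" sensitive personal data.
IDENTIFIER_KINDS = frozenset({
    "government_id", "financial_account_number", "device_id",
    "demographic_contact", "advertising_id", "account_credential",
    "network_id", "call_detail",
})


@dataclass
class DataAsset:
    """One inventory entry (field names are assumptions for this example)."""
    name: str
    us_persons: int                              # distinct US persons represented
    categories: frozenset = frozenset()          # keys of BULK_THRESHOLDS present
    identifier_kinds: frozenset = frozenset()    # subset of IDENTIFIER_KINDS
    identifiers_linked: bool = True              # identifiers tied to the same person
    government_geofence: bool = False            # geolocation inside a sensitive geofence
    marketed_as_government_linked: bool = False  # sold as linkable to US gov personnel
    deidentified_or_encrypted: bool = False      # deliberately has no effect on the result


def screen(asset: DataAsset) -> dict:
    """Return the ANPRM triggers an asset hits; an empty list means not flagged."""
    triggers = []
    for cat in sorted(asset.categories):
        if cat not in BULK_THRESHOLDS:
            raise ValueError(f"unknown category {cat!r}")
        if cat == "personal_identifiers":
            kinds = asset.identifier_kinds & IDENTIFIER_KINDS
            # A single identifier, or identifiers that are not linked together,
            # does not meet the ANPRM description of this category.
            if len(kinds) < 2 or not asset.identifiers_linked:
                continue
        # Thresholds are phrased as "more than N", hence the strict comparison.
        if asset.us_persons > BULK_THRESHOLDS[cat]:
            triggers.append(f"bulk:{cat}")
    # Government-related data carries no volume threshold at all.
    if asset.government_geofence:
        triggers.append("government_related:geofenced_geolocation")
    if asset.marketed_as_government_linked and asset.categories:
        triggers.append("government_related:linked_to_us_personnel")
    return {
        "asset": asset.name,
        "flagged": bool(triggers),
        "triggers": triggers,
        # Reported for the reviewer only; it never removes an asset from scope.
        "deidentified_or_encrypted": asset.deidentified_or_encrypted,
    }


# Constructed sample inventory entries (not real datasets).
SAMPLE_ASSETS = [
    DataAsset("crm_export", us_persons=250_000,
              categories=frozenset({"personal_identifiers"}),
              identifier_kinds=frozenset({"demographic_contact", "advertising_id"}),
              deidentified_or_encrypted=True),
    DataAsset("ip_logs", us_persons=5_000_000,
              categories=frozenset({"personal_identifiers"}),
              identifier_kinds=frozenset({"network_id"})),
    DataAsset("base_visitor_pings", us_persons=40,
              categories=frozenset({"precise_geolocation"}),
              government_geofence=True),
    DataAsset("wearables_hr", us_persons=1_000,
              categories=frozenset({"personal_health"})),
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(screen(asset))
```

The sample entries exercise the edge cases a reviewer will actually meet: a pseudonymized CRM export is still flagged, a large IP-address log with no second linked identifier is not, forty location pings inside a sensitive geofence are flagged despite being far below the bulk threshold, and a health dataset sitting exactly on the lower bound is not flagged because the rule is “more than”. Raising the thresholds to the upper end of each range is a one-line change once the final rule is published.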

Covered Persons

US persons will be prohibited/restricted from engaging in data transactions with the following entities and individuals associated with a “country of concern” (i.e., China, Russia, Iran, North Korea, Cuba, and Venezuela):

  • An entity organized under the laws of a country of concern;
  • An entity with principal place of business in a country of concern;
  • A non-US person who is an employee or contractor of a country of concern or an entity organized/owned/with principal place of business in a country of concern;
  • A non-US person who is primarily resident in a country of concern;
  • Any person designated by the Attorney General as being owned, controlled by, or subject to the jurisdiction or direction of, or as acting on behalf of a country of concern, or as knowingly causing or directing a violation of the data restriction rules;
  • An entity 50% or more owned by a country of concern;
  • An entity 50% or more owned by an entity organized/owned/with principal place of business in a country of concern; or
  • An entity 50% or more owned by a non-US person who is an employee or contractor of an entity described above, or who is primarily resident in a country of concern, or who has been designated by the Attorney General as described above.

Licensing

DoJ is considering establishing a general and specific licensing regime similar to the Department of the Treasury’s Office of Foreign Assets Control (OFAC) licensing in the sanctions context. General licenses would be issued publicly and would authorize certain types of data transactions that would otherwise be prohibited, potentially subject to certain reporting or other requirements. Specific licenses would be issued to particular parties, for a particular transaction. DoJ is considering whether or not to publish specific licenses. Licenses may come with auditing or other compliance requirements.

EO and ANPRM Commercial Implications

Commercial implications of the EO and ANPRM may be substantial, depending on the final regulations and enforcement. At a high level, every US company that collects and maintains the relevant volumes of personal data, and that shares such data, directly or indirectly, with business partners, vendors, employees, affiliates or other persons in China or other covered jurisdictions will need to evaluate the application of the requirements to its operations.

Among other key points:

  • Data mapping and business agreements: From a data privacy and governance perspective, US companies with the relevant personal data would need to enhance their due diligence activities to determine whether counterparties have a nexus with the relevant countries of concern. Such companies may also wish to revisit cross-border transfer restrictions in their agreements with vendors, business partners, and affiliates, and consider any necessary steps to address cybersecurity requirements associated with covered sharing activities. US companies would also need to address cybersecurity requirements prior to hiring employees who reside in countries of concern and who would otherwise have access to the relevant personal data.
  • Foreign investment: From an investment perspective, the rules will impact investors affiliated with countries of concern and US investee companies that handle relevant data. According to the ANPRM, even if transaction documents expressly prohibit access by an investor from a country of concern to relevant data, the investment would nevertheless be prohibited unless required data security measures, e.g. physical and logical access controls, are in place. That said, DoJ might carve out from restriction certain “passive” investments in US companies that handle relevant data, e.g. over-the-counter investments in publicly traded companies, investments made as a limited partner in a fund, or investments below a certain threshold where the investor acquires only minority shareholder rights. DoJ is considering how the data rules will interact with CFIUS jurisdiction, including the possibility of the data rules regulating an investment agreement that is also a “covered transaction” for CFIUS purposes unless and until CFIUS enters into a mitigation agreement with the parties.

In terms of next steps, we anticipate continued US regulatory developments and implementation efforts at a relatively fast pace. This US regulatory activity will fit within the broader context of an increasingly complex global regulatory environment impacting cross-border investment, commercial activity, and data transfers. We will continue to update on the key developments as they occur.

Author

Rod Hunter, a partner based in the Washington, DC office of Baker McKenzie, practices trade and investment law. He previously served as Special Assistant to the President for National Security Affairs and senior director for international economics at the National Security Council (NSC), the White House office that coordinates trade policy and supervises CFIUS. In that role, he managed CFIUS cases, including negotiating resolution of the most sensitive cases. A recognized expert in the field, he has testified before Congress during the legislative process leading to recent amendments to CFIUS’ authorizing legislation.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Jonathan Tam is a partner in the San Francisco office focused on global privacy, advertising, intellectual property, content moderation and consumer protection laws. He is a qualified attorney in Canada and the U.S. passionate about helping clients achieve their commercial objectives while managing legal risks. He is well versed in the legal considerations that apply to many of the world’s cutting-edge technologies, including AI-driven solutions, wearables, connected cars, Web3, DAOs, NFTs, VR/AR, crypto, metaverses and the internet of everything.