Proposed Rule 2024-24582
Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
October 29, 2024
Issuing agencies
Justice Department
Abstract
The Department of Justice proposes a rule to implement Executive Order 14117 of February 28, 2024 (Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern), by prohibiting and restricting certain data transactions with certain countries or persons.
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 209 (Tuesday, October 29, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 209 (Tuesday, October 29, 2024)]
[Proposed Rules]
[Pages 86116-86227]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-24582]
[[Page 86115]]
Part II
Department of Justice
-----------------------------------------------------------------------
28 CFR Part 202
Provisions Pertaining to Preventing Access to U.S. Sensitive Personal
Data and Government-Related Data by Countries of Concern or Covered
Person; Proposed Rule
[[Page 86116]]
-----------------------------------------------------------------------
DEPARTMENT OF JUSTICE
28 CFR Part 202
[Docket No. NSD 104]
RIN 1124-AA01
Provisions Pertaining to Preventing Access to U.S. Sensitive
Personal Data and Government-Related Data by Countries of Concern or
Covered Persons
AGENCY: National Security Division, Department of Justice.
ACTION: Proposed rule; request for comments.
-----------------------------------------------------------------------
SUMMARY: The Department of Justice proposes a rule to implement
Executive Order 14117 of February 28, 2024 (Preventing Access to
Americans' Bulk Sensitive Personal Data and United States Government-
Related Data by Countries of Concern), by prohibiting and restricting
certain data transactions with certain countries or persons.
DATES: Written comments on this notice of proposed rulemaking (NPRM)
must be received by November 29, 2024.
ADDRESSES: You may send comments, identified by Docket No. NSD 104, by
either of the following methods:
- Federal eRulemaking Portal: <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
Follow the instructions for sending comments.
- Mail: U.S. Department of Justice, National Security
Division, Foreign Investment Review Section, 175 N Street NE, 12th
Floor, Washington, DC 20002.
FOR FURTHER INFORMATION CONTACT: Email (preferred):
[email protected]. Otherwise, please contact: Lee Licata,
Deputy Chief for National Security Data Risks, Foreign Investment
Review Section, National Security Division, U.S. Department of Justice,
175 N Street NE, Washington, DC 20002; Telephone: 202-514-8648.
SUPPLEMENTARY INFORMATION: In accordance with 5 U.S.C. 553(b)(4), a
plain language summary of the proposed rule is available at
<a href="http://www.regulations.gov">www.regulations.gov</a>.
Public Participation
Instructions: We encourage comments to be submitted via <a href="https://www.regulations.gov">https://www.regulations.gov</a>. Please submit comments only, include your name and
company name (if any), and cite ``Provisions Pertaining to Preventing
Access to U.S. Sensitive Personal Data and Government-Related Data by
Countries of Concern or Covered Persons'' in all correspondence. Anyone
submitting business confidential information should clearly identify
the business confidential portion at the time of submission, file a
statement justifying nondisclosure and referring to the specific legal
authority claimed, and provide a non-confidential version of the
submission. For comments submitted electronically containing business
confidential information, the file name of the business confidential
version should begin with the characters ``BC.'' Any page containing
business confidential information must be clearly marked ``BUSINESS
CONFIDENTIAL'' at the top of that page. The corresponding non-
confidential version of those comments must be clearly marked
``PUBLIC.'' The file name of the nonconfidential version should begin
with the character ``P.'' Any submissions with file names that do not
begin with a ``BC'' will be assumed to be public and will be posted
without change, including any business or personal information
provided, such as names, addresses, email addresses, or telephone
numbers.
To facilitate an efficient review of submissions, the Department of
Justice encourages but does not require commenters to: (1) submit a
short executive summary at the beginning of all comments; (2) provide
supporting material, including empirical data, findings, and analysis
in reports or studies by established organizations or research
institutions; (3) describe the relative benefits and costs of the
approach contemplated in this NPRM and any alternative approaches; and
(4) refer to the specific proposed subpart or defined term to which
each comment is addressed. The Department of Justice welcomes
interested parties' submissions of written comments discussing relevant
experiences, information, and views. Parties wishing to supplement
their written comments with a follow-up meeting may request to do so,
and the Department of Justice may accommodate such requests as
resources permit.
Table of Contents
I. Executive Summary
II. Background
III. Advance Notice of Proposed Rulemaking and Comments
IV. Discussion of the Proposed Rule
A. Subpart C--Prohibited Transactions and Related Activities
1. Section 202.210--Covered Data Transactions
2. Section 202.301--Prohibited Data-Brokerage Transactions
3. Section 202.201--Access
4. Section 202.249--Sensitive Personal Data
5. Section 202.212--Covered Personal Identifiers
6. Section 202.234--Listed Identifier
7. Section 202.242--Precise Geolocation Data
8. Section 202.204--Biometric Identifiers
9. Section 202.224--Human Genomic Data
10. Other Human `Omic Data
11. Section 202.240--Personal Financial Data
12. Section 202.241--Personal Health Data
13. Section 202.206--Bulk U.S. Sensitive Personal Data
14. Section 202.205--Bulk
15. Section 202.222--Government-Related Data
16. Section 202.302--Other Prohibited Data-Brokerage
Transactions Involving Potential Onward Transfer to Countries of
Concern or Covered Persons
17. Section 202.303--Prohibited Human Genomic Data and Human
Biospecimen Transactions
18. Section 202.304--Prohibited Evasions, Attempts, Causing
Violations, and Conspiracies
19. Section 202.305--Knowingly Directing Prohibited Transactions
20. Section 202.215--Directing
21. Section 202.230--Knowingly
B. Subpart D--Restricted Transactions
1. Section 202.401--Authorization To Conduct Restricted
Transactions; Section 202.402--Incorporation by Reference
2. Section 202.258--Vendor Agreement
3. Section 202.217--Employment Agreement
4. Section 202.228--Investment Agreement
C. Subpart E--Exempt Transactions
1. Section 202.501--Personal Communications; Section 202.502--
Information or Informational Materials; and Section 402.503--Travel
2. Section 202.504--Official Business of the United States
Government
3. Section 202.505--Financial Services
4. Section 202.506--Corporate Group Transactions
5. Section 202.507--Transactions Required or Authorized by
Federal Law or International Agreements, or Necessary for Compliance
With Federal Law
6. Section 202.508--Investment Agreements Subject to a CFIUS
Action
7. Section 202.509--Telecommunications Services
8. Section 202.510--Drug, Biological Product, and Medical Device
Authorizations
9. Section 202.511--Other Clinical Investigations and Post-
Marketing Surveillance Data
10. Other Exemptions
D. Subpart F--Determination of Countries of Concern
1. Section 202.601--Determination of Countries of Concern
a. China
b. Cuba
c. Iran
d. North Korea
e. Russia
f. Venezuela
E. Subpart G--Covered Persons
1. Section 202.211--Covered Person
2. Section 202.701--Designation of Covered Persons
F. Subpart H--Licensing
[[Page 86117]]
1. Section 202.801--General Licenses
2. Section 202.802--Specific Licenses
3. Conditions on General and Specific Licenses
G. Subpart I--Advisory Opinions
1. Section 202.901--Inquiries Concerning Application of This
Part
H. Subpart J--Due Diligence and Audit Requirements
1. Section 202.1001--Due Diligence for Restricted Transactions
2. Section 202.1002--Audits for Restricted Transactions
I. Subpart K--Reporting and Recordkeeping Requirements
1. Section 202.1101--Records and Recordkeeping Requirements
2. Section 202.1102--Reports To Be Furnished on Demand
3. Section 202.1103--Annual Reports
4. Section 202.1104--Reports on Rejected Prohibited Transactions
J. Subpart M--Penalties and Finding of Violation
1. Section 202.1301--Penalties for Violations
2. Section 202.1305--Finding of Violation
K. Coordination With Other Regulatory Regimes
L. Severability
V. Analysis for Proposed Bulk Thresholds
A. Analysis of Sensitivity of Each Category of Sensitive
Personal Data
1. Human Genomic Data
2. Biometric Identifiers
3. Precise Geolocation Data
4. Personal Health Data
5. Personal Financial Data
6. Covered Personal Identifiers
B. Grouping the Categories Into Tiers by Similar Sensitivity
C. Proposed Bulk Thresholds for Each Tier
VI. Interpretation of ``Information or Informational Materials'' in
IEEPA
A. The Berman Amendment Is Intended To Protect the Free Exchange
of Ideas
B. The Berman Amendment Does Not Reach Transactions Involving
Sensitive Personal Data Under This Proposed Rule
C. Exclusion for Materials Already Created and in Existence
VII. Regulatory Requirements
A. Executive Orders 12866 (Regulatory Planning and Review) as
Amended by Executive Orders 13563 (Improving Regulation and
Regulatory Review) and 14094 (Modernizing Regulatory Review)
1. Executive Summary
2. Introduction
3. Market Sectors Impacted by the Proposed Regulation
a. Sensitive Personal Data and Government-Related Data
i. Personal Financial Data
ii. Personal Health Data
iii. Precise Geolocation Data
iv. Human Genomic and Human `Omic Data
v. Biometric Identifiers
vi. Covered Personal Identifiers
b. The Data-Brokerage Market
i. Companies That May Meet the Definition of Data Brokers for
the Purposes of the Proposed Rule
ii. Market Size
iii. Products Sold by Data Brokers
iv. Price Information
v. Customers of Data-Brokerage Products
c. Agreements Affected by the Proposed Regulation
i. Vendor Agreements
ii. Employment Agreements
iii. Investment Agreements
iv. Security Requirements
v. Due Diligence and Recordkeeping
vi. Audits
vii. Licenses
4. Need for Regulatory Action
5. Baseline (Without the Proposed Rule)
a. Baseline National Security and Foreign-Policy Risks by
Category of Data
i. Human Genomic and Human `Omic Data
ii. Biometric Identifiers
iii. Precise Geolocation Data
iv. Personal Health Data
v. Personal Financial Data
vi. Covered Personal Identifiers
vii. Government-Related Data
b. Baseline: Total Potential U.S. Population Affected by Risks
c. Summary of Baseline (Without the Proposed Rule)
6. Alternative Approaches
7. Benefits of the Proposed Rule
8. Costs of the Proposed Rule
a. Value of Lost and Forgone Transactions
i. Global Market Value of Genomic, Biometric, and Location Data
ii. U.S. Exports to Relevant Specific Categories and to
Countries of Concern
iii. Estimates of U.S. Exports of Genomic, Biometric, and
Location Data
iv. Estimates of U.S. Exports of Genomic, Biometric, and
Location Data to the Six Countries of Concern
v. Total Estimated Value of Lost and Forgone Transactions
vi. Alternative Methodology for Estimating the Value of Lost and
Forgone Transactions
b. Security Costs
i. Similar Security Standards and Frameworks
ii. Current Industry Compliance Level
iii. Costs of Compliance
c. Costs Associated With Compliance Program: Due Diligence,
Recordkeeping, and Auditing
i. Due Diligence Costs
ii. Recordkeeping Costs
iii. Executive Order on Modernizing Regulatory Review
Recordkeeping and Related Costs
iv. Auditing Costs
v. Estimated Recordkeeping Costs From the Reviewed Literature
vi. Summary of a Compliance Program: Due Diligence,
Recordkeeping, and Auditing
9. Summary of Regulatory Analysis
B. Regulatory Flexibility Act
1. Succinct Statement of the Objectives of, and Legal Basis for,
the Proposed Rule
2. Description of and, Where Feasible, an Estimate of the Number
of Small Entities to Which The Proposed Rule Will Apply
3. Description of the Projected Reporting, Recordkeeping, and
Other Compliance Requirements of the Proposed Rule
4. Identification of all Relevant Federal Rules That May
Duplicate, Overlap, or Conflict With the Proposed Rule
C. Executive Order 13132 (Federalism)
D. Executive Order 13175 (Consultation and Coordination With
Indian Tribal Governments)
E. Executive Order 12988 (Civil Justice Reform)
F. Paperwork Reduction Act
G. Unfunded Mandates Reform Act
I. Executive Summary
Executive Order 14117 of February 28, 2024, ``Preventing Access to
Americans' Bulk Sensitive Personal Data and United States Government-
Related Data by Countries of Concern'' (``the Order''), directs the
Attorney General to issue regulations that prohibit or otherwise
restrict United States persons from engaging in any acquisition,
holding, use, transfer, transportation, or exportation of, or dealing
in, any property in which a foreign country or national thereof has any
interest (``transaction''), where the transaction: involves United
States Government-related data (``government-related data'') or bulk
U.S. sensitive personal data, as defined by final rules implementing
the Order; falls within a class of transactions that has been
determined by the Attorney General to pose an unacceptable risk to the
national security of the United States because it may enable access by
countries of concern or covered persons to government-related data or
Americans' bulk U.S. sensitive personal data; and meets other criteria
specified by the Order. On March 5, 2024, the National Security
Division of the Department of Justice (``DOJ'' or ``the Department'')
issued an Advance Notice of Proposed Rulemaking (``ANPRM'') seeking
public comment on various topics related to implementation of the
Order.\1\
---------------------------------------------------------------------------
\1\ 89 FR 15780 (Mar. 5, 2024).
---------------------------------------------------------------------------
This Notice of Proposed Rulemaking (``NPRM'') addresses the public
comments received on the ANPRM, sets forth a proposed rule to implement
the Order, and seeks public comment. The proposed rule identifies
classes of prohibited and restricted transactions; identifies countries
of concern and classes of covered persons with whom the regulations
would prohibit or restrict transactions involving government-related
data or bulk U.S. sensitive personal data; establishes a process to
issue (including to modify or rescind) licenses authorizing otherwise
prohibited or restricted transactions and to issue advisory opinions;
and addresses recordkeeping and reporting of transactions to inform
investigative, enforcement, and regulatory efforts of the Department of
Justice.
[[Page 86118]]
II. Background
On February 28, 2024, the President issued Executive Order 14117
(Preventing Access to Americans' Bulk Sensitive Personal Data and
United States Government-Related Data by Countries of Concern) (``the
Order''), pursuant to his authority under the Constitution and the laws
of the United States, including the International Emergency Economic
Powers Act (50 U.S.C. 1701 et seq.) (``IEEPA''); the National
Emergencies Act (50 U.S.C. 1601 et seq.) (``NEA''); and title 3,
section 301 of the United States Code. In the Order, the President
expanded the scope of the national emergency declared in Executive
Order 13873 of May 15, 2019 (Securing the Information and
Communications Technology and Services Supply Chain), and further
addressed with additional measures in Executive Order 14034 of June 9,
2021 (Protecting Americans' Sensitive Data From Foreign Adversaries).
The President determined that additional measures are necessary to
counter the unusual and extraordinary threat to U.S. national security
posed by the continuing efforts of certain countries of concern to
access and exploit government-related data or Americans' bulk U.S.
sensitive personal data.
The Order directs the Attorney General, pursuant to the President's
delegation of his authorities under IEEPA, to issue regulations that
prohibit or otherwise restrict United States persons from engaging in
certain transactions in which a foreign country of concern or national
thereof has an interest. Restricted and prohibited transactions include
transactions that involve government-related data or bulk U.S.
sensitive personal data, are a member of a class of transactions that
the Attorney General has determined poses an unacceptable risk to the
national security of the United States because the transactions may
enable countries of concern or covered persons to access government-
related data or bulk U.S. sensitive personal data, and are not
otherwise exempted from the Order or its implementing regulations. The
Order directs the Attorney General to issue regulations that identify
classes of prohibited and restricted transactions; identify countries
of concern and classes of covered persons whose access to government-
related data or bulk U.S. sensitive personal data poses the national
security risk described in the Order; establish a process to issue
(including to modify or rescind) licenses authorizing otherwise
prohibited or restricted transactions; further define terms used in the
Order; address recordkeeping and reporting of transactions to inform
investigative, enforcement, and regulatory efforts of the Department of
Justice; and to take whatever additional actions, including
promulgating additional regulations, as may be necessary to carry out
the purposes of the Order.
The Order and this proposed rule fill an important gap in the
United States Government's authorities to address the threat posed by
countries of concern accessing government-related data or Americans'
bulk U.S. sensitive personal data. As the President determined in the
Order, ``[a]ccess to Americans' bulk sensitive personal data or United
States Government-related data increases the ability of countries of
concern to engage in a wide range of malicious activities.'' As the
ANPRM explained, countries of concern can use their access to
government-related data or Americans' bulk U.S. sensitive personal data
to engage in malicious cyber-enabled activities and malign foreign
influence activities and to track and build profiles on U.S.
individuals, including members of the military and other Federal
employees and contractors, for illicit purposes such as blackmail and
espionage. And countries of concern can exploit their access to
government-related data or Americans' bulk U.S. sensitive personal data
to collect information on activists, academics, journalists,
dissidents, political figures, or members of nongovernmental
organizations or marginalized communities to intimidate them; curb
political opposition; limit freedoms of expression, peaceful assembly,
or association; or enable other forms of suppression of civil
liberties.
As the 2024 National Counterintelligence Strategy explains, ``as
part of a broader focus on data as a strategic resource, our
adversaries are interested in personally identifiable information (PII)
about U.S. citizens and others, such as biometric and genomic data,
health care data, geolocation information, vehicle telemetry
information, mobile device information, financial transaction data, and
data on individuals' political affiliations and leanings, hobbies, and
interests.'' \2\ These and other kinds of sensitive personal data ``can
be especially valuable, providing adversaries not only economic and
[research and development] benefits, but also useful
[counterintelligence] information, as hostile intelligence services can
use vulnerabilities gleaned from such data to target and blackmail
individuals.'' \3\
---------------------------------------------------------------------------
\2\ Nat'l Counterintel. & Sec. Ctr., National
Counterintelligence Strategy 2024 13 (Aug. 1, 2024), <a href="https://www.dni.gov/files/NCSC/documents/features/NCSC_CI_Strategy-pages-20240730.pdf">https://www.dni.gov/files/NCSC/documents/features/NCSC_CI_Strategy-pages-20240730.pdf</a> [<a href="https://perma.cc/9L2T-VXSU">https://perma.cc/9L2T-VXSU</a>].
\3\ Id.
---------------------------------------------------------------------------
Nongovernmental experts have underscored these risks. For example,
a recent study by the MITRE Corporation summarized open-source
reporting, highlighting the threat of blackmail, coercion,
identification of high-risk government personnel and sensitive
locations, and improved targeting of offensive cyber operations and
network exploitation posed by hostile actors' access to Americans' data
derived from advertising technology.\4\
---------------------------------------------------------------------------
\4\ Kirsten Hazelrig, Ser. No. 14, Intelligence After Next:
Surveillance Technologies Are Imbedded Into the Fabric of Modern
Life--The Intelligence Community Must Respond, The MITRE Corporation
2 (Jan. 5, 2023), <a href="https://www.mitre.org/sites/default/files/2023-01/PR-22-4107-INTELLIGENCE-AFTER-NEXT-14-January-2023.pdf">https://www.mitre.org/sites/default/files/2023-01/PR-22-4107-INTELLIGENCE-AFTER-NEXT-14-January-2023.pdf</a> [<a href="https://perma.cc/3WA2-PGM2">https://perma.cc/3WA2-PGM2</a>].
---------------------------------------------------------------------------
The development of artificial intelligence (``AI''), high-
performance computing, big-data analytics, and other advanced
technological capabilities by countries of concern amplifies the threat
posed by these countries' access to government-related data or
Americans' bulk U.S. sensitive personal data. For instance, the U.S.
National Intelligence Council assessed in 2020 that ``access to
personal data of other countries' citizens, along with [artificial
intelligence]-driven analytics, will enable [the People's Republic of
China] to automate the identification of individuals and groups beyond
China's borders to target with propaganda or censorship.'' \5\
---------------------------------------------------------------------------
\5\ Nat'l Intel. Council, Assessment: Cyber Operations Enabling
Expansive Digital Authoritarianism 4 (Apr. 7, 2020), <a href="https://www.dni.gov/files/ODNI/documents/assessments/NICM-Declassified-Cyber-Operations-Enabling-Expansive-Digital-Authoritarianism-20200407-2022.pdf">https://www.dni.gov/files/ODNI/documents/assessments/NICM-Declassified-Cyber-Operations-Enabling-Expansive-Digital-Authoritarianism-20200407-2022.pdf</a> [<a href="https://perma.cc/ZKJ4-TBU6">https://perma.cc/ZKJ4-TBU6</a>].
---------------------------------------------------------------------------
Countries of concern can also exploit their access to government-
related data regardless of volume to threaten U.S. national security.
One academic study explained that ``[f]oreign and malign actors could
use location datasets to stalk or track high-profile military or
political targets,'' revealing ``sensitive locations--such as visits to
a place of worship, a gambling venue, a health clinic, or a gay bar--
which again could be used for profiling, coercion, blackmail, or other
purposes.'' \6\ The MITRE report further explained that location
datasets could reveal ``U.S. military bases and undisclosed
intelligence sites'' or ``be used to
[[Page 86119]]
estimate military population or troop buildup in specific areas around
the world or even identify areas of off-base congregation to target.''
\7\ As another example of these data risks and the relative ease with
which they can be exploited, journalists were able to commercially
acquire from a data broker a continuous stream of 3.6 billion
geolocation data points that were lawfully collected on millions of
people from advertising IDs.\8\ The journalists were then able to
create ``movement profiles'' for tens of thousands of national security
and military officials, and from there, could determine where they
lived and worked as well as their names, education levels, family
situations, and hobbies.\9\
---------------------------------------------------------------------------
\6\ Justin Sherman et al., Duke Sanford Sch. of Pub. Pol'y, Data
Brokers and the Sale of Data on U.S. Military Personnel 15 (Nov.
2023), <a href="https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/11/Sherman-et-al-2023-Data-Brokers-and-the-Sale-of-Data-on-US-Military-Personnel.pdf">https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/11/Sherman-et-al-2023-Data-Brokers-and-the-Sale-of-Data-on-US-Military-Personnel.pdf</a> [<a href="https://perma.cc/BBJ9-44UH">https://perma.cc/BBJ9-44UH</a>].
\7\ Id.
\8\ Suzanne Smalley, US Company's Geolocation Data Transaction
Draws Intense Scrutiny in Germany, The Record (July 18, 2024),
<a href="https://therecord.media/germany-geolocation-us-data-broker">https://therecord.media/germany-geolocation-us-data-broker</a> [<a href="https://perma.cc/ME9F-TAQ7">https://perma.cc/ME9F-TAQ7</a>] (citing joint reporting by the German public
broadcaster Bayerischer Rundfunk and digital civil rights opinion
news site <a href="http://netzpolitik.org">netzpolitik.org</a>).
\9\ Id.
---------------------------------------------------------------------------
The Order and this proposed rule seek to mitigate these and other
national security threats that arise from countries of concern
accessing government-related data or Americans' bulk U.S. sensitive
personal data.
No current Federal legislation or rule categorically prohibits or
imposes security requirements to prevent U.S. persons from providing
countries of concern or covered persons access to sensitive personal
data or government-related data through data brokerage, vendor,
employment, or investment agreements. For example, the scope and
structure of the Protecting Americans' Data from Foreign Adversaries
Act of 2024 (see Pub. L. 118-50, div. I, 118th Cong. (2024)) do not
create a comprehensive regulatory scheme that adequately and
categorically addresses these national security risks, as explained in
part IV.K of this preamble. Likewise, the Committee on Foreign
Investment in the United States (``CFIUS'') has authority to assess the
potential national security risks of certain investments by foreign
persons in certain United States businesses that ``maintain[] or
collect[] sensitive personal data of United States citizens that may be
exploited in a manner that threatens national security.'' \10\ CFIUS
only reviews certain types of investments in U.S. businesses; it does
so on a transaction-by-transaction basis, instead of prescribing
prospective and categorical rules regulating all such transactions; and
its authorities do not extend to other activities that countries of
concern may use to gain access to government-related data or Americans'
bulk U.S. sensitive personal data, such as through purchases of such
data on the commercial market or through vendor or employment
agreements.\11\
---------------------------------------------------------------------------
\10\ 50 U.S.C. 4565(a)(4)(B)(iii)(III).
\11\ See generally Foreign Investment Risk Review Modernization
Act of 2018, Public Law 115-232, tit. XVII, secs. 1701-28, 132 Stat.
1636, 2173.
---------------------------------------------------------------------------
Similarly, Executive Order 13873 prohibits any acquisition,
importation, transfer, installation, dealing in, or use by U.S.
persons of certain information and communication
technologies and services (``ICTS'') designed, developed, manufactured,
or supplied by foreign adversaries where, among other things, the
Secretary of Commerce determines that the transaction poses an
``unacceptable risk to the national security of the United States or
the security and safety of United States persons.'' \12\ In building
upon the national emergency declared in Executive Order 13873, the
President, in Executive Order 14034, determined that connected software
applications operating on U.S. ICTS ``can access and capture vast
swaths of . . . personal information and proprietary business
information,'' a practice that ``threatens to provide foreign
adversaries with access to that information.'' \13\ However, as with
CFIUS legal authorities, the orders do not broadly empower the United
States Government to prohibit or otherwise restrict the sale of
government-related data or Americans' bulk U.S. sensitive personal
data, and the orders do not broadly restrict other commercial
transactions, such as investment, employment, or vendor agreements,
that may provide countries of concern access to government-related data
or Americans' bulk U.S. sensitive personal data.
---------------------------------------------------------------------------
\12\ E.O. 13873 of May 15, 2019, 84 FR 22689, 22690 (May 15,
2019).
\13\ E.O. 14034, 86 FR 31423, 31423 (June 9, 2021).
---------------------------------------------------------------------------
The proposed rule would complement these statutory and regulatory
authorities. It prescribes forward-looking, categorical rules that
prevent U.S. persons from providing countries of concern or covered
persons access to government-related data or Americans' bulk U.S.
sensitive personal data through commercial data-brokerage transactions.
The proposed rule also imposes security requirements on other kinds of
commercial transactions, such as investment, employment, and vendor
agreements, that involve government-related data or Americans' bulk
U.S. sensitive personal data to mitigate the risk that a country of
concern could access such data. The proposed rule would address risks
to government-related data or Americans' bulk U.S. sensitive personal
data that current authorities leave vulnerable to access and
exploitation by countries of concern and provide predictability and
regulatory certainty by prescribing categorical rules regulating
certain kinds of data transactions that could give countries of concern
or covered persons access to government-related data or Americans' bulk
U.S. sensitive personal data.
III. Advance Notice of Proposed Rulemaking and Comments
The National Security Division of the Department published an ANPRM
on March 5, 2024 (former RIN: 1105-AB72), soliciting public comment on
various topics related to the Order.\14\ The Department received and
carefully reviewed 64 timely comments in response to the ANPRM from
trade associations, public interest advocacy groups, think tanks,
private individuals, and companies, as well as comments from several
foreign governments. The Department also received two additional ex
parte comments after the comment period closed, which DOJ publicly
posted on <a href="http://regulations.gov">regulations.gov</a>.
---------------------------------------------------------------------------
\14\ 89 FR 15780 (Mar. 5, 2024).
---------------------------------------------------------------------------
During the comment period, the Department of Justice, both on its
own and with other agencies, met with businesses, trade groups, and
other stakeholders potentially interested in or impacted by the
contemplated regulations to discuss the ANPRM. For example, the
Department discussed the ANPRM with the Consumer Technology
Association, the Information Industry Technology Council,
Pharmaceutical Research and Manufacturers of America, the Biotechnology
Innovation Organization, the Bioeconomy Information Sharing Analysis
Center, the U.S. Chamber of Commerce, Tesla, Workday, Anthropic, and
the Special Competitive Studies Project, and it provided briefings to
the Secretary of Commerce and Industry Trade Advisory Committees 6, 10,
and 12 administered by the Office of the U.S. Trade Representative and
the Department of Commerce. The Department also discussed the Order and
contemplated regulations with stakeholders at events open to the
public, including ones hosted by the American Conference Institute, the
American Bar Association, the Center for Strategic and International
Studies, and the R Street Institute, and through other public
engagements such as the Lawfare Podcast, ChinaTalk Podcast, CyberLaw
Podcast, and the Center for
[[Page 86120]]
Cybersecurity Policy & Law's Distilling Cyber Policy podcast.
After the comment period closed, the Department of Justice, along
with the Department of Commerce, followed up with commenters who
provided feedback regarding the bulk thresholds to discuss that topic
in more detail, including the Council on Government Relations Industry
Association, Association of American Medical Colleges, Airlines for
America, Bank Policy Institute, the Business Roundtable, Information
Technology Industry Council, Centre for Information Policy Leadership,
Biotechnology Innovation Organization, Software and Information
Industry Association, Cellular Telephone Industries Association, the
Internet and Television Association, US Telecom, Ford Motor Company,
Bioeconomy Information Sharing and Analysis Center, Coalition of
Services Industries, Enterprise Cloud Coalition, Electronic Privacy
Information Center, Center for Democracy and Technology, Business
Software Alliance, Global Data Alliance, Interactive Advertising
Bureau, U.S.-China Business Council, IBM, Workday, and individuals
Justin Sherman, Mark Febrizio, and Charlie Lorthioir. The Department
has also discussed the Order and the ANPRM with foreign partners to
ensure that they understood the Order and contemplated program and how
they fit into broader national security, economic, and trade policies.
The Department considered each comment submitted, including the ex
parte comments that have since been publicly posted. Many of the
comments were general in nature and supported the Department's efforts
and approach with respect to the proposed rule. Overall, commenters
were generally supportive of the intent of the proposed rule. However,
several commentators representing industry questioned the effectiveness
of the proposed rule as compared to the passage of a holistic federal
privacy law, proposed revisions, and highlighted areas where the
proposed rule would benefit from further clarity. The Department
discusses comments, and any edits or revisions made in response to the
comments, in the discussion of the proposed rule in part IV of this
preamble.
IV. Discussion of the Proposed Rule
The proposed rule implements the Order through categorical rules
that regulate certain data transactions involving government-related
data or bulk U.S. sensitive personal data that could give countries of
concern or covered persons access or the ability to access such data
and present an unacceptable risk to U.S. national security. The
proposed rule (1) identifies certain classes of highly sensitive
transactions with countries of concern or covered persons that the
proposed rule would prohibit in their entirety (``prohibited
transactions'') and (2) identifies other classes of transactions that
would be prohibited except to the extent they comply with predefined
security requirements (``restricted transactions'') to mitigate the
risk of access to bulk U.S. sensitive personal data by countries of
concern. The Attorney General has determined that the prohibited and
restricted transactions set forth in the proposed rule pose an
unacceptable risk to the national security of the United States because
they may enable countries of concern or covered persons to access and
exploit government-related data or bulk U.S. sensitive personal data.
In addition to identifying classes of prohibited and restricted
transactions that pose an unacceptable risk to national security, the
proposed rule identifies certain classes of transactions that are
exempt from the proposed rule. For example, the proposed rule exempts
transactions for the conduct of the official business of the United
States Government by employees, grantees, or contractors thereof, and
transactions conducted pursuant to a grant, contract, or other
agreement entered into with the United States Government, including
those for outbreak and pandemic prevention, preparedness, and response.
The proposed rule also defines relevant terms; identifies countries of
concern; defines covered persons; and creates processes for the
Department to issue general and specific licenses, to issue advisory
opinions, and to designate entities or individuals as covered persons.
The proposed rule also establishes a compliance and enforcement regime.
The Department relied upon unclassified and classified sources to
support the proposed rule. Although the unclassified record fully and
independently supports the proposed rule without the need to rely on
the classified record, the classified record provides supplemental
information that lends additional support to the proposed rule. The
proposed rule would be the same even without the classified record.
Some commenters offered overarching comments. A few commenters made
suggestions that addressed issues unrelated to the proposed rule, such
as expressing views on U.S. positions in certain international
negotiations over digital trade. No change was made in response to
these comments. These comments addressed unrelated issues that are not
relevant to the scope of the proposed rule and that are directed to
other agencies and forums, and they generally did not suggest any
specific changes to the contemplated program. To the extent that these
comments intended to suggest that the Order's and proposed rule's
restrictions on access to sensitive personal data are inconsistent with
international commitments by the United States, the Department
disagrees.
The proposed rule's prohibitions and restrictions on access to U.S.
sensitive personal data and government-related data by countries of
concern are consistent with access restrictions on sensitive personal
data that have long been imposed in other national security contexts,
including for some transactions reviewed by CFIUS and the Committee for
the Assessment of Foreign Participation in the United States
Telecommunications Services Sector (``Team Telecom'').\15\ Those access
restrictions, in turn, are consistent with or otherwise permissible
under trade and other international agreements.\16\ For example, the
World Trade Organization's (``WTO'') General Agreement on Trade in
Services (``GATS''), like other trade agreements to which the United
States is a party, includes an essential security interests exception
that states that nothing in the agreement shall be construed to prevent
a party to such an agreement from taking any action that it considers
necessary for the protection of its essential security interests. As a
result, rather than prohibiting such access restrictions, GATS and
other relevant international agreements to which the United States is a
party explicitly authorize national security-based restrictions on data
access and data flows through the longstanding essential security
exception. The proposed rule, like conditions restricting access in
CFIUS or Team Telecom mitigation
[[Page 86121]]
agreements to address identified national security risks, is necessary
to protect the essential security interests of the United States and is
thus consistent with such international agreements to which the United
States is a party.\17\ Notably, consistent with the United States
Government's long-standing support of cross-border data flows, the
proposed rule does not require data localization or wholly restrict
data flows to any specific country. Rather, the proposed rule only
limits data transfers in narrow, specifically defined circumstances
necessary to safeguard security interests, and it is being developed
through a process that enables stakeholder consultation and input. The
proposed rule is also consistent with the United States' longstanding
support for Data Free Flow with Trust (``DFFT''). The categories of
prohibited and restricted transactions in the proposed rule identify
circumstances that present an unacceptable national security risk of
enabling countries of concern to access and exploit Americans'
sensitive personal data--circumstances that lack the trust required for
free data flows.
---------------------------------------------------------------------------
\15\ See Foreign Investment Risk Review Modernization Act of
2018, supra note 11 (CFIUS); E.O. 13913, 85 FR 19643 (Apr. 4, 2020)
(Team Telecom); see, e.g., FCC, New Pacific Light Cable Network GU
Holdings-Google National Security Agreement 20-044 Enclosure 1 (Dec.
16, 2021), <a href="https://licensing.fcc.gov/cgi-bin/ws.exe/prod/ib/forms/reports/related_filing.hts?f_key=-448225&f_number=SCLLIC2020082700038">https://licensing.fcc.gov/cgi-bin/ws.exe/prod/ib/forms/reports/related_filing.hts?f_key=-448225&f_number=SCLLIC2020082700038</a> [<a href="https://perma.cc/PD5E-BYWS">https://perma.cc/PD5E-BYWS</a>].
\16\ See, e.g., Agreement on Trade-Related Aspects of
Intellectual Property Rights art. 73, Apr. 15, 1994, amended Jan.
23, 2017, Marrakesh Agreement Establishing the World Trade
Organization, Annex 1C, 1869 U.N.T.S. 299, <a href="https://www.wto.org/english/docs_e/legal_e/31bis_trips_09_e.htm">https://www.wto.org/english/docs_e/legal_e/31bis_trips_09_e.htm</a> [<a href="https://perma.cc/FSP4-BBZQ">https://perma.cc/FSP4-BBZQ</a>]; General Agreement on Tariffs and Trade art. XXI, Oct. 30,
1947, 61 Stat. A--11, 55 U.N.T.S. 194, <a href="https://www.wto.org/english/docs_e/legal_e/31bis_trips_e.pdf">https://www.wto.org/english/docs_e/legal_e/31bis_trips_e.pdf</a> [<a href="https://perma.cc/LE7M-ZM4F">https://perma.cc/LE7M-ZM4F</a>].
\17\ See Press Release, Off. of the U.S. Trade Representative,
Statements by the United States at the Meeting of the WTO Dispute
Settlement Body (Jan. 27, 2023), <a href="https://ustr.gov/about-us/policy-offices/press-office/press-releases/2023/january/statements-united-states-meeting-wto-dispute-settlement-body">https://ustr.gov/about-us/policy-offices/press-office/press-releases/2023/january/statements-united-states-meeting-wto-dispute-settlement-body</a> [<a href="https://perma.cc/CQG5-9AZ5">https://perma.cc/CQG5-9AZ5</a>] (emphasizing the United States' commitment to protect its
essential security interests in the context of World Trade
Organization disputes); General Agreement on Tariffs and Trade art.
XXI, supra note 16.
---------------------------------------------------------------------------
Several commenters suggested various revisions to borrow or
incorporate aspects of international or State privacy laws into this
proposed rule. The Department generally declines to adopt these
suggestions, except on a discrete issue discussed in part IV.A.7 of
this preamble. The Department supports privacy measures and national
security measures as complementary protections for Americans' sensitive
personal data. Despite some overlap, privacy protections and national
security measures generally focus on different challenges associated
with sensitive personal data. General privacy protections focus on
addressing individual rights and preventing individual harm, such as
protecting the rights of individuals to control the use of their own
data and reducing the potential harm to individuals by minimizing the
collection of data on the front end and limiting the permissible uses
of that data on the back end. National security measures, by contrast,
focus on collective risks and externalities that may result from how
individuals and businesses choose to sell and use their data, including
in lawful and legitimate ways.
For example, some commenters suggested adding a new exemption for
transactions in which a U.S. individual consents to the sale or
disclosure of their data to a country of concern or covered person. The
proposed rule declines to adopt this exemption. Such a consent-based
exemption would leave unaddressed the threat to national security by
allowing U.S. individuals and companies to choose to share government-
related data or Americans' bulk U.S. sensitive personal data with
countries of concern or covered persons. It is precisely those choices
that, in aggregate, help create the national security risk of access by
countries of concern or covered persons, and the purpose of the Order
and the proposed rule is to address the negative externality that is
created by individuals' and companies' choices in the market in the
first place. It would also be inconsistent with other national security
regulations to leave it up to market choices to decide whether to give
American technology, capital, or data to a country of concern or
covered person. Export controls do not allow U.S. companies to
determine whether their sensitive technology can be sent to a foreign
adversary, and sanctions do not allow U.S. persons to determine whether
their capital and material support can be given to terrorists and other
malicious actors. Likewise, the proposed rule would not allow U.S.
individuals to determine whether to give countries of concern or
covered persons access to their sensitive personal data or government-
related data. One reason the public is not in a position to assess and
make decisions about the national security interests of the United
States is that the public typically does not have all of the
information available to make a fully informed decision about those
interests.
Each subpart of the proposed rule, including any relevant comments
received on the corresponding part of the ANPRM, is discussed below in
the remaining sections of this preamble.
A. Subpart C--Prohibited Transactions and Related Activities
The proposed rule identifies transactions that are categorically
prohibited unless the proposed rule otherwise authorizes them pursuant
to an exemption or a general or specific license or, for the categories
of restricted transactions, in compliance with security requirements
and other requirements set forth in the proposed rule.
1. Section 202.210--Covered Data Transactions
The Order authorizes the Attorney General to issue regulations that
prohibit or otherwise restrict U.S. persons from engaging in a
transaction where, among other things, the Attorney General has
determined that a transaction ``is a member of a class of transactions
. . . [that] pose an unacceptable risk to the national security of the
United States because the transactions may enable countries of concern
or covered persons to access bulk sensitive personal data or United
States Government-related data in a manner that contributes to the
national emergency declared in this [O]rder.'' \18\ Pursuant to the
Order, the proposed rule categorically prohibits or, for the categories
of restricted transactions, imposes security and other requirements on
certain covered data transactions with U.S. persons and countries of
concern or covered persons because the covered data transactions may
otherwise enable countries of concern or covered persons to access
government-related data or bulk U.S. sensitive personal data to harm
U.S. national security.
---------------------------------------------------------------------------
\18\ 89 FR 15423.
---------------------------------------------------------------------------
The proposed rule defines a ``covered data transaction'' as any
transaction that involves any access to any government-related data or
bulk U.S. sensitive personal data and that involves: (1) data
brokerage, (2) a vendor agreement, (3) an employment agreement, or (4)
an investment agreement. See Sec. 202.210. The Department has
determined that these categories of covered data transactions pose an
unacceptable risk to U.S. national security because they may enable
countries of concern or covered persons to access government-related
data or bulk U.S. sensitive personal data to engage in malicious cyber-
enabled activities, track and build profiles on United States
individuals for illicit purposes, including blackmail or espionage, and
to intimidate, curb political dissent or political opposition, or
otherwise limit civil liberties of U.S. persons opposed to countries of
concern, among other harms to U.S. national security. For instance, one
study has demonstrated that foreign malign actors can purchase bulk
quantities of sensitive personal data about U.S. military personnel
from data brokers ``for coercion, reputational damage, and blackmail.''
\19\ Countries of
[[Page 86122]]
concern or covered persons could also exploit vendor, employment, or
investment agreements to obtain access to government-related data or
bulk U.S. sensitive personal data to harm U.S. national security.\20\
---------------------------------------------------------------------------
\19\ Justin Sherman et al., supra note 6, at 14.
\20\ See, e.g., Dep't of Commerce, Final Determination: Case No.
ICTS-20121-002, Kaspersky Lab, Inc., 89 FR 52434, 52436 (June 24,
2024), <a href="https://www.govinfo.gov/content/pkg/FR-2024-06-24/pdf/2024-13532.pdf">https://www.govinfo.gov/content/pkg/FR-2024-06-24/pdf/2024-13532.pdf</a> [<a href="https://perma.cc/LAS7-S7HF">https://perma.cc/LAS7-S7HF</a>] (describing how Kaspersky
employees gained access to sensitive U.S. person data through their
provision of anti-virus and cybersecurity software); see generally
OFAC, U.S. Dep't of Treas., Guidance on the Democratic People's
Republic of Korea Information Technology Workers (May 16, 2022),
<a href="https://ofac.treasury.gov/media/923131/download?inline">https://ofac.treasury.gov/media/923131/download?inline</a> [<a href="https://perma.cc/8DTV-Q34S">https://perma.cc/8DTV-Q34S</a>]; E.O. 14083, 87 FR 57369, 57373 (Sept. 15,
2022).
---------------------------------------------------------------------------
In response to the ANPRM, commenters asked that the Department
clarify when a transaction ``involves'' government-related data or bulk
U.S. sensitive personal data. The Department has responded to those
comments by revising the definition of a ``covered data transaction''
to mean any transaction that involves any access to the data by the
counterparty to a transaction (rather than any transaction that
involves government-related data or bulk U.S. sensitive personal data).
2. Section 202.301--Prohibited Data-Brokerage Transactions
The proposed rule prohibits any U.S. person from knowingly engaging
in a covered data transaction involving data brokerage with a country
of concern or a covered person. The proposed rule defines ``data
brokerage'' as the sale of data, licensing of access to data, or
similar commercial transactions involving the transfer of data from any
person (``the provider'') to any other person (``the recipient''),
where the recipient did not collect or process the data directly from
the individuals linked or linkable to the collected or processed data.
See Sec. 202.214.
Because the data brokerage prohibition, along with the other
prohibitions and restrictions, centers on data transactions
involving access to government-related data or bulk U.S. sensitive
personal data, the Department addresses each of those key terms and
related terms in detail in the following discussion.
3. Section 202.201--Access
Adopting the approach contemplated in the ANPRM without change, the
proposed rule defines ``access'' as logical or physical access,
including the ability to obtain, read, copy, decrypt, edit, divert,
release, affect, alter the state of, or otherwise view or receive, in
any form, including through information systems, information technology
systems, cloud-computing platforms, networks, security systems,
equipment, or software.
One commenter suggested that the Department remove the term
``divert'' from the definition of ``access'' to avoid unintentionally
capturing activities that do not involve actual access to data and
that, according to the commenter, do not pose a risk to national
security. The Department declines to do so. The definition of
``access'' is intentionally broad. It includes the term ``divert'' to
ensure that the proposed rule covers data transactions that would
enable a covered person to divert government-related data or bulk U.S.
sensitive personal data from an intended recipient to a country of
concern or a covered person, either for their own use or for the use of
countries of concern or other covered persons, and to prevent countries
of concern or covered persons from amassing data (including anonymized,
encrypted, aggregated, or pseudonymized data), as discussed in part
IV.A.13 of this preamble.
4. Section 202.249--Sensitive Personal Data
As previewed in the ANPRM, the proposed rule builds on the Order by
further defining the six categories of ``sensitive personal data'' that
could be exploited by a country of concern to harm U.S. national
security if that data is linked or linkable to any identifiable U.S.
individual or to a discrete and identifiable group of U.S. persons.
These six categories are: (1) covered personal identifiers; (2) precise
geolocation data; (3) biometric identifiers; (4) human genomic data;
(5) personal health data; and (6) personal financial data. The proposed
rule also categorically excludes certain categories of data from the
definition of the term ``sensitive personal data.'' These exclusions
include public or nonpublic data that does not relate to an individual,
including trade secrets and proprietary information, and data that is,
at the time of the transaction, lawfully publicly available from
government records or widely distributed media, personal communications
as defined in Sec. 202.239, and information or informational materials
as defined in Sec. 202.226. Nothing in the proposed rule shall be
construed to affect the obligations of U.S. Government departments and
agencies under the Foundations for Evidence-Based Policymaking Act of
2018, Public Law 115-435 (2019), 44 U.S.C. 3501 et seq.
5. Section 202.212--Covered Personal Identifiers
The Order defines ``covered personal identifiers'' as
``specifically listed classes of personally identifiable data that are
reasonably linked to an individual, and that--whether in combination
with each other, with other sensitive personal data, or with other data
that is disclosed by a transacting party pursuant to the transaction
and that makes the personally identifiable data exploitable by a
country of concern--could be used to identify an individual from a data
set or link data across multiple data sets to an individual,'' subject
to certain exclusions.\21\ The ANPRM thus contemplated three
subcategories of covered personal identifiers: (1) listed identifiers
in combination with any other listed identifier; (2) listed identifiers
in combination with other sensitive personal data; and (3) listed
identifiers in combination with other data that are disclosed by a
transacting party pursuant to the transaction that makes the listed
identifier exploitable by a country of concern, if they could be used
to identify an individual from a dataset or to link data across
multiple datasets to an individual.\22\ The ANPRM also contemplated two
exceptions: (1) demographic or contact data that is linked only to
other demographic or contact data; and (2) a network-based identifier,
account-authentication data, or call-detail data that is linked only to
other network-based identifiers, account-authentication data, or call-
detail data as necessary for the provision of telecommunications,
networking, or similar services. The proposed rule expands the approach
described in the ANPRM by making the exceptions applicable to all
subcategories of covered personal identifiers, instead of being
applicable only to listed identifiers in combination with any other
listed identifiers. The listed identifiers are described in more detail
in the next section.
---------------------------------------------------------------------------
\21\ E.O. 14117, 89 FR 15421, 15428 (Feb. 28, 2024).
\22\ 89 FR 15784-85.
---------------------------------------------------------------------------
With respect to the first subcategory, listed identifiers in
combination with any other listed identifier: The ANPRM contemplated a
list-based approach that would identify a comprehensive list of eight
classes of data determined by the Attorney General to be reasonably
linked to an individual under the Order's definition of ``covered
personal identifiers.'' \23\
---------------------------------------------------------------------------
\23\ Id.
---------------------------------------------------------------------------
With respect to the second subcategory, listed identifiers in
combination with other sensitive
[[Page 86123]]
personal data: The ANPRM contemplated treating these combinations as
combined data subject to the lowest bulk threshold applicable to the
categories of data present.\24\ The proposed rule generally adopts the
approach described in the ANPRM, but instead of addressing this
category in the definition of ``listed identifiers,'' the proposed rule
incorporates this category as part of the definition of ``bulk.''
---------------------------------------------------------------------------
\24\ Id. at 15785.
---------------------------------------------------------------------------
With respect to the third subcategory, listed identifiers in
combination with other data that are disclosed by a transacting party
pursuant to the transaction that makes the listed identifier
exploitable by a country of concern: The ANPRM indicated that the
Department did not intend to impose an obligation on transacting
parties to independently determine whether particular combinations of
data would be ``exploitable by a country of concern.'' \25\ The ANPRM
provided several examples intended to be within the scope of this
subcategory and several examples intended to be outside the scope of
this subcategory and sought comment on ways in which this subcategory
could be further defined.\26\ In response, multiple commenters
suggested anchoring this subcategory to the reasonable foreseeability
that the other data could be used to link the listed identifier to a
U.S. individual. As these commenters explained, without the connection
to foreseeability, nearly any public data could become covered personal
identifiers, because it is possible that the transacting party
receiving the data could find some way of linking any public data point
to an individual using the listed identifier.
---------------------------------------------------------------------------
\25\ Id.
\26\ Id.
---------------------------------------------------------------------------
The proposed rule largely adopts this suggestion. Rather than
requiring companies to determine when linkage is reasonably foreseeable
on a case-by-case basis, the proposed rule would define a category of
data for which the Department believes it is reasonably foreseeable
that the other data could be used to link the listed identifier to a
U.S. individual: other data that makes the listed identifier linked or
linkable to other listed identifiers or to other sensitive personal
data. The proposed rule thus narrows the third subcategory to any
listed identifier in combination with other data that is disclosed by a
transacting party such that the listed identifier is linked or linkable
to other listed identifiers or to other sensitive personal data. See
Sec. 202.212(a)(2). The proposed rule also incorporates the examples
described in the ANPRM and additional examples to illustrate how this
subcategory would and would not apply.
6. Section 202.234--Listed Identifier
Adopting the approach contemplated in the ANPRM,\27\ the proposed
rule defines a ``listed identifier'' as any piece of data in any of the
following data fields: (1) full or truncated government identification
or account number (such as a Social Security Number, driver's license
or State identification number, passport number, or Alien Registration
Number); (2) full financial account numbers or personal identification
numbers associated with a financial institution or financial-services
company; (3) device-based or hardware-based identifier (such as
International Mobile Equipment Identity (``IMEI''), Media Access
Control (``MAC'') address, or Subscriber Identity Module (``SIM'') card
number); (4) demographic or contact data (such as first and last name,
birth date, birthplace, ZIP code, residential street or postal address,
phone number, email address, or similar public account identifiers);
(5) advertising identifier (such as Google Advertising ID, Apple ID for
Advertisers, or other mobile advertising ID (``MAID'')); (6) account-
authentication data (such as account username, account password, or an
answer to a security question); (7) network-based identifier (such as
Internet Protocol (``IP'') address or cookie data); or (8) call-detail
data (such as Customer Proprietary Network Information (``CPNI'')). See
Sec. 202.234.
---------------------------------------------------------------------------
\27\ Id. at 15784.
---------------------------------------------------------------------------
Under this definition, the term ``covered personal identifiers''
refers to a much narrower set of material than that covered by certain
laws and policies aimed generally at protecting personal privacy.\28\
It encompasses only the types of data and combinations thereof that are
expressly listed. For example, the proposed rule's definition of
``covered personal identifiers'' would not include an individual's
employment history, educational history, organizational memberships,
criminal history, or web-browsing history. Some commenters suggested
that the Department adopt a broader definition that aligns with the
definition of ``personally identifiable information'' used in State or
European Union (``EU'') privacy laws to ease the burden of compliance.
The Department declines to adopt this approach, and the proposed rule
retains the definition stated in the ANPRM without change. Although it
may be true that ``personally identifiable information'' is a familiar
term in laws and guidance addressing the privacy and security of data
held by the private sector and government, it is such a broad term that
adopting a definition akin to it would significantly expand the scope
of the regulations and therefore require that the Department regulate
more commercial transactions or relationships than seem necessary, at
least at this time, to mitigate the highest priority national security
risks articulated in the Order. Furthermore, the commenters supplied no
data to suggest that any cost savings realized from adopting an
existing definition would outweigh the added burdens of regulating a
larger swath of transactions.
---------------------------------------------------------------------------
\28\ Cf., e.g., California Consumer Privacy Act of 2018, Cal.
Civ. Code sec. 1798.140(v)(1) (West 2024) (defining ``personal
information'' in the context of a generalized privacy-focused
regime); Regulation (EU) 2016/679 of the European Parliament and of
the Council of Apr. 27, 2016, On the Protection of Natural Persons
with Regard to the Processing of Personal Data and on the Free
Movement of Such Data, and Repealing Directive 95/46/EC, art. 4(1)
(defining ``personal data'' in the context of a generalized data
privacy regime).
---------------------------------------------------------------------------
Similarly, another commenter suggested broadening the definition of
``covered personal identifiers'' to add categories of data from State
and EU privacy laws, such as web-browsing data and data that identifies
or could lead to inferences about membership in protected classes such
as race, religion, and national origin. The proposed rule makes no
change in response to this comment. As previewed in the ANPRM, the
proposed rule's definition of ``covered personal identifiers'' is
tailored to address the national security risks identified in the
Order, and the Department is establishing the program by issuing
proposed rulemakings in tranches based on priority. Also, the
Department intends to regularly monitor the effectiveness and impact of
the regulations once they become effective. Absent more specific
information from commenters on this topic about the cross-border use of
these additional kinds of identifiers by foreign governments in ways
that could harm Americans, the proposed rule retains the definition
stated in the ANPRM without change at this time.
One commenter suggested that the Department remove basic contact
information from the listed identifiers. The proposed rule maintains
the approach in the ANPRM without change.\29\ The Order already
contains an exception to the definition of ``covered personal
identifiers'' for demographic or contact data that is linked only to
other demographic or contact data. The proposed rule implements the
exception articulated in the Order and previewed
[[Page 86124]]
in the ANPRM, which excludes such data from the definition of ``covered
personal identifiers.'' \30\
---------------------------------------------------------------------------
\29\ 89 FR 15784.
\30\ Id.
---------------------------------------------------------------------------
By contrast, another commenter recommended that ``covered personal
identifiers'' be expanded to include demographic or contact data that
is linked only to other demographic or contact data, because most
Americans believe that information to be deserving of privacy
protections. The Department declines to adopt this addition to the
definition of ``covered personal identifiers.'' Such an expansion of
the definition would be contrary to the Order, which specifically
exempts this kind of data from its scope.\31\ Additionally, as the
commenter acknowledges, a significant amount of this information is
already publicly available to countries of concern, and therefore
country of concern access to this type of information does not carry
the same national security risk as access to the other covered personal
identifiers identified in these regulations, even if it may raise
separate privacy considerations.
---------------------------------------------------------------------------
\31\ 89 FR 15428.
---------------------------------------------------------------------------
A few commenters advocated removing truncated government
identification and account numbers from the definition of ``listed
identifiers,'' given their widescale use. One commenter supported the
inclusion of these truncated identifiers because they are regularly
used to identify individuals. The proposed rule continues to include
these truncated identifiers as contemplated in the ANPRM because, as
one commenter points out, they could be, and are, ``used to identify an
individual from a data set or link data across multiple data sets to an
individual[.]'' They therefore fall within the Order's definition of
``covered personal identifiers'' when they are combined with certain
other categories of data. Although these truncated numbers may be used
widely, the proposed rule would not regulate how they are used in most
transactions. Specifically, it would not regulate how these truncated
numbers are used domestically, a company's internal use of that data
(other than with respect to covered persons who are employees), or
transactions abroad involving third countries (other than with respect
to certain conditions for the data brokerage to address onward sale).
The proposed rule also contains a non-substantive change in
language designed to be more technically accurate and to clarify that
any piece of data in any of the listed classes of data constitutes a
listed identifier. See Sec. 202.234. This change remains consistent
with the examples previewed in the ANPRM and in the proposed rule
showing that multiple pieces of data (such as account username and
account password) in the same data field (account-authentication data)
each count as separate listed identifiers.\32\
---------------------------------------------------------------------------
\32\ 89 FR 15785.
---------------------------------------------------------------------------
7. Section 202.242--Precise Geolocation Data
The proposed rule defines ``precise geolocation data'' as data,
whether real-time or historical, that identifies the physical location
of an individual or a device with a precision of within 1,000 meters.
Examples of ``precise geolocation data'' include GPS coordinates and IP
address geolocation. To help develop this definition, the Department
examined the settings available to software developers in Android and
iOS, the two most popular mobile device operating systems, for the
precision of geolocation readings. Available options included accuracy
to within 10 meters, 100 meters, 1,000 meters, 3,000 meters, and
10,000+ meters.\33\ The Department selected 1,000 meters as the option
that most carefully balanced the risk that countries of concern or
covered persons could exploit U.S. persons' precise geolocation data
and current technology practices and standards. The Department also
considered State privacy laws, with which companies are already
familiar and which provide examples of the level of precision at which
a device's location warrants protection.\34\
---------------------------------------------------------------------------
\33\ CLLocationAccuracy, Apple Developer, <a href="https://developer.apple.com/documentation/corelocation/cllocationaccuracy">https://developer.apple.com/documentation/corelocation/cllocationaccuracy</a>
[<a href="https://perma.cc/AZ48-VSCP">https://perma.cc/AZ48-VSCP</a>]; Change Location Settings, Android
Developer, <a href="https://developer.android.com/develop/sensors-and-location/location/change-location-settings">https://developer.android.com/develop/sensors-and-location/location/change-location-settings</a> [<a href="https://perma.cc/5BY3-P7L3">https://perma.cc/5BY3-P7L3</a>].
\34\ See, e.g., Cal. Civ. Code sec. 1798.140(w) (which uses a
radius of 1,850 feet); Utah Consumer Privacy Act, Utah Code Ann.
sec. 13-61-101(33)(a) (West 2024) (which uses a radius of 1,750
feet).
---------------------------------------------------------------------------
A few commenters suggested that the Department define ``precise
geolocation data'' as that term is defined in the California Privacy
Rights Act, which includes a geographic radius of 1,850 feet
(approximately 563 meters). The Department did not accept this
suggestion because our assessment of the relevant national security
interests required a broader geographic area, in part due to the types
of United States Government personnel and locations (such as military
bases with large surrounding footprints) that are relevant to national
security. By contrast, the California standard does not take these
national security interests relating to Government personnel into
account. One commenter suggested that the Department omit the phrase
``based on electronic signals or inertial sensing units,'' which was
included in the ANPRM definition of ``precise geolocation data,'' to
make the term more technology-neutral as to the method of
collection.\35\ The Department has adopted this suggestion and deleted
that phrase from the proposed definition.
---------------------------------------------------------------------------
\35\ 89 FR 15785.
---------------------------------------------------------------------------
8. Section 202.204--Biometric Identifiers
Adopting the approach contemplated in the ANPRM without change, the
proposed rule defines ``biometric identifiers'' as measurable physical
characteristics or behaviors used to recognize or verify the identity
of an individual, including facial images, voice prints and patterns,
retina and iris scans, palm prints and fingerprints, gait, and keyboard
usage patterns that are enrolled in a biometric system and the
templates created by the system.
9. Section 202.224--Human Genomic Data
Adopting the approach contemplated in the ANPRM without change, the
proposed rule defines ``human genomic data'' as data representing the
nucleic acid sequences that constitute the entire set or a subset of
the genetic instructions found in a human cell, including the result or
results of an individual's ``genetic test'' (as defined in 42 U.S.C.
300gg-91(d)(17)) and any related human genetic sequencing data. The
term ``human genomic data'' does not include non-human data, such as
pathogen genetic sequence data, that is derived from or integrated into
human genomic data.
10. Other Human 'Omic Data
The Department of Justice is considering regulating, as prohibited
or restricted transactions in the final rule, certain transactions in
which a U.S. person provides a country of concern (or covered person)
with access to bulk human 'omic data, other than human genomic data, as
defined in Sec. 202.224. At a high level, the 'omics sciences examine
biological processes that contribute to the form and function of cells
and tissues.\36\ The categories of 'omic data that the Department is
considering regulating could include
[[Page 86125]]
human epigenomic data, glycomic data, lipidomic data, metabolomic data,
meta-multiomic data, microbiomic data, phenomic data, proteomic data,
and transcriptomic data. The Department does not intend the definition
of meta-multiomic data to include nonhuman data separated from human
data or for the definition of microbiomics data to include data related
to individual pathogens, even when derived from human sources. The
Department is considering whether to include the following definitions
of these terms in the final rule:
---------------------------------------------------------------------------
\36\ See, e.g., Evolution of Translational Omics: Lessons
Learned and the Path Forward 23, 33 (Christine M. Micheel et al.,
eds., 2012), <a href="https://www.ncbi.nlm.nih.gov/books/NBK202168/pdf/Bookshelf_NBK202168.pdf">https://www.ncbi.nlm.nih.gov/books/NBK202168/pdf/Bookshelf_NBK202168.pdf</a> [<a href="https://perma.cc/Q5YE-7XLM">https://perma.cc/Q5YE-7XLM</a>].
---------------------------------------------------------------------------
1. Epigenomic data: data derived from the analysis of human
epigenetic modifications, which are changes in gene expression or
cellular phenotype that do not involve alterations to the DNA sequence
itself. These epigenetic modifications include modifications such as
DNA methylation, histone modifications, and non-coding RNA regulation.
2. Glycomic data: data derived from the analysis of the structure,
function, and interactions of glycans (complex carbohydrates) within
human biological systems. The field of glycomics generally aims to
understand the roles of glycans in cell-cell communication, immune
responses, and various diseases.
3. Lipidomic data: data derived from a systems-level
characterization of lipids from a human or human cell, including their
identification, quantification, and characterization in biological
systems. Routine clinical measurements of lipids for individualized
patient care purposes would not be considered lipidomic data because
such measurements would not entail a systems-level analysis of the
complete set of lipids found in such a sample.
4. Metabolomic data: data derived from the analysis of metabolites,
the small molecules produced during metabolism, that aim to understand
disease mechanisms, identify biomarkers for diagnosis, and develop
targeted treatments by revealing the dynamic biochemical activities in
a living system. This data provides a general snapshot of an organism,
tissue, or cell, offering insights into physiological and pathological
processes.
5. Meta-multiomic data: The Department is considering the following
options for defining meta-multiomic data:
(i) Datasets that include two or more categories of human 'omic
data identified in this regulation, which can include data derived from
the human genome, proteome, transcriptome, epigenome, or metabolome; or
(ii) Datasets that include two or more categories of human 'omic
data identified in this regulation and that include 'omic data from
another species.
6. Microbiomic data: data derived from analysis of all the
microorganisms of a given community within the human body (including a
particular site on the human body). Microbiomic data is implicated in
the field of metagenomics, which generally aims to investigate and
understand genetic material of entire communities of organisms,
including the composition of a microbial community.
7. Phenomic data: data derived from analysis of human phenotypes,
including physical traits, physiological parameters, and behavioral
characteristics.
8. Proteomic data: data derived from analysis of human proteomes,
which refers to the entire set of proteins expressed by a human genome,
cell, tissue, or organism. The field of proteomics generally aims to
identify and characterize proteins and study their structures,
functions, interactions, and post-translational modifications.
9. Transcriptomic data: data derived from analysis of a human
transcriptome, which is the complete set of RNA transcripts produced by
the human genome under specific conditions or in a specific cell type.
The field of transcriptomics generally aims to understand gene
expression patterns, alternative splicing, and regulation of RNA
molecules.
The Department is considering excluding from the definition of
other human 'omic data pathogen-specific data embedded in 'omic data
sets.
The Department welcomes input from commenters regarding the
potential risks and benefits that may arise from restricting or
prohibiting covered data transactions with a country of concern or
covered person involving some or all of these categories of other human
'omic data. The Department is particularly interested in comments
addressing the health, economic, or scientific impacts of regulating
such data transactions, as well as any national security implications.
Specifically:
• In what ways, if any, should the Department of Justice
elaborate or amend the definitions of these classes of other human
'omic data? If the definitions should be elaborated or amended, why?
• Should bulk data transactions involving these types of
other human 'omic data be regulated? If so, which types of human 'omic
data--including any not listed--should be regulated, why should they be
regulated, and how should they be regulated? Additionally, what bulk
thresholds should apply and why?
• To what extent would the regulation of bulk data
transactions involving these types of other human 'omic data affect
individuals' rights to share their own biological samples (e.g., blood,
urine, tissue, etc.) or health, 'omic, and other data?
• What would be the effects of prohibiting or restricting
transactions involving these data classes in the final rule,
particularly with respect to:
○ health outcomes
○ health supply chain impacts
○ research and administrative costs
○ economic costs due to (1) imposing these regulations, or (2)
allowing unregulated bulk access to human 'omic data
○ innovation costs
• What additional risks should be considered if these bulk
data transactions are not regulated, specifically as they relate to:
○ risks stemming from exploitable health information
○ manipulation of bulk data for strategic advantage over the
United States
○ use of bulk datasets for the creation and refinement of AI or
other similar advanced technologies
11. Section 202.240--Personal Financial Data
Adopting the approach contemplated in the ANPRM without change, the
proposed rule defines ``personal financial data'' as data about an
individual's credit, charge, or debit card, or bank account, including
purchases and payment history; data, including assets, liabilities,
debts, and transactions in a bank, credit, or other financial
statement; or data in a credit report or in a ``consumer report'' (as
defined in 15 U.S.C. 1681a(d)).
One commenter sought clarification that personal financial data
does not include inferences based on that data, suggesting, for
example, that hotel record transactions may be personal financial data
but an ultimate inference that the person is interested in business
travel should not be considered personal financial data. As set forth
in the Order and previewed in the ANPRM, the proposed rule would
prohibit or restrict only certain categories of transactions in
government-related data or bulk U.S. sensitive personal data, neither
of which include inferences on their own.\37\
---------------------------------------------------------------------------
\37\ 89 FR 15783; 89 FR 15428-29.
---------------------------------------------------------------------------
[[Page 86126]]
12. Section 202.241--Personal Health Data
The ANPRM contemplated defining ``personal health data'' as
``individually identifiable health information,'' as defined under the
Health Insurance Portability and Accountability Act of 1996
(``HIPAA''), ``regardless of whether such information is collected by a
`covered entity' or `business associate.' '' \38\
---------------------------------------------------------------------------
\38\ Id.; see 42 U.S.C. 1320d(6); 45 CFR 160.103.
---------------------------------------------------------------------------
Several commenters supported defining personal health data as
``individually identifiable health information.'' That definition is
similar to how those terms are defined in HIPAA and its implementing
regulations. However, one commenter expressed confusion as to how
cross-referencing that definition in this program would relate to
``covered entities'' or ``business associates'' under HIPAA. The
proposed rule adopts much of the substance of the approach in the ANPRM
while providing greater clarity to address this confusion. Instead of
defining ``personal health information'' by cross referencing and
incorporating HIPAA, the proposed rule reproduces the relevant
substance of the HIPAA definition to provide greater clarity that the
definition does not turn on the HIPAA-specific inquiry of whether data
is handled by covered entities or business associates. Further, unlike
the HIPAA definition, the proposed rule would not define health
information in terms of whether the information identifies individuals,
because the proposed rule applies regardless of whether data is de-
identified.
As a result, the proposed rule defines ``personal health data'' as
health information that relates to the past, present, or future
physical or mental health or condition of an individual; the provision
of healthcare to an individual; or the past, present, or future payment
for the provision of healthcare to an individual. The term includes
basic physical measurements and health attributes (such as bodily
functions, height and weight, vital signs, symptoms, and allergies);
social, psychological, behavioral, and medical diagnostic,
intervention, and treatment history; test results; logs of exercise
habits; immunization data; data on reproductive and sexual health; and
data on the use or purchase of prescribed medications. The proposed
rule would operate on a categorical basis and would determine that the
category of personal health data generally meets the requirements of
being ``exploitable by a country of concern to harm United States
national security'' and ``is linked or linkable to any identifiable
United States individual or to a discrete and identifiable group of
United States individuals'' under section 7(l) of the Order. To be
sure, it is possible to hypothesize a limited data set of discrete
information related to an individual's physical or mental health
condition that is not inherently linked or linkable to U.S. individuals
(such as a data set of only heights or weights with no identifying
information). But based on the information currently available, it does
not appear that such limited datasets accurately reflect how personal
health data is stored, transmitted, and used in the real world, and
thus it does not appear appropriate to adjust the proposed rule to
account for this hypothetical at this time. The Department welcomes
comments on the extent to which such datasets exist and are the subject
of covered data transactions between U.S. persons and countries of
concern or covered persons.
13. Section 202.206--Bulk U.S. Sensitive Personal Data
Adopting the approach contemplated in the ANPRM without change, the
prohibitions and restrictions apply to ``bulk U.S. sensitive personal
data,'' which the proposed rule defines as a collection or set of
sensitive personal data relating to U.S. persons, in any format,
regardless of whether the data is anonymized, pseudonymized, de-
identified, or encrypted. The bulk thresholds of data set by the
proposed rule are addressed in detail in part V of this preamble.
Several commenters requested that the Department align the
categories of sensitive personal data with State data privacy laws,
particularly to exclude encrypted, pseudonymized, de-identified, or
aggregated data from the proposed rule's coverage. In contrast, other
commenters supported the Department's treatment of pseudonymized, de-
identified, or encrypted data, including to prevent the data from being
re-identified in the future and to recognize that not all techniques
for pseudonymization, de-identification, encryption, or aggregation are
equally effective. The Department declines to adjust the proposed rule
to exclude anonymized, encrypted, pseudonymized, or de-identified data,
and the proposed rule adopts the approach described in the ANPRM
without change. As the Order emphasizes, even where types of sensitive
personal data are ``anonymized, pseudonymized, or de-identified,
advances in technology, combined with access by countries of concern to
large datasets, increasingly enable countries of concern that access
this data to re-identify or de-anonymize data,'' which could reveal
exploitable sensitive personal information on U.S. persons.\39\ As the
Department has recently explained, ``[o]pen-source reporting has
repeatedly raised concern[s] that supposedly anonymized data is rarely,
if ever, truly anonymous.'' \40\ As a recent study has explained, for
example, ``[a]ggregated insights from location data'' could be used to
damage national security.\41\ Examples abound. Researchers in 2024 used
``raw, `ping'-level data,'' a little more than a year's worth of
location data from de-identified smartphones in 26 major metropolitan
areas encompassing nearly every SEC office and most public firm
headquarters, to identify non-public investigations and enforcement
actions and glean insights about how those visits affected financial
markets.\42\ In 2018, the publication of a global heatmap of anonymized
users' location data collected by a popular fitness app enabled
researchers to quickly identify and map the locations of military and
government facilities and activities.\43\ Similarly, in 2019, New York
Times writers were able to combine a single set of bulk location data
collected from cell phones and bought and sold by location-data
companies--which was anonymized and represented ``just one slice of
data, sourced from one company, focused on one city, covering less than
one year''--with publicly available information to identify, track, and
follow ``military officials with security clearances as they drove home
at night,'' ``law enforcement officers as they took their kids to
school,'' and ``lawyers (and their guests) as they
[[Page 86127]]
traveled from private jets to vacation properties.'' \44\ A 2019
research study concluded that ``99.98% of Americans would be correctly
re-identified in any dataset using 15 demographic attributes,'' thus
``suggest[ing] that even heavily sampled anonymized datasets are
unlikely to satisfy the modern standards for anonymization set forth by
[the EU's General Data Protection Regime] and seriously challenge the
technical and legal adequacy of the de-identification release-and-
forget model.'' \45\ Other studies and reports have reported similar
results.\46\ As a result, as the Department recently explained,
``[a]dversaries can use these datasets to reverse-engineer anonymized
data and identify people, subjects, or devices that were supposedly
anonymized.'' \47\
---------------------------------------------------------------------------
\39\ 89 FR 15426; see also E.O. 14083, 87 FR 57369, 57372-73
(Sept. 15, 2022).
\40\ In Camera, Ex Parte Classified Decl. of David Newman,
Principal Deputy Assistant Att'y Gen., Nat'l Sec. Div., U.S. Dep't
of Just., Doc. No. 2066897 at Gov't App. 74-75 ¶¶ 100-01, TikTok
Inc. v. Garland, Case Nos. 24-1113, 24-1130, 24-1183 (D.C. Cir. July
26, 2024) (publicly filed redacted version) (hereinafter ``Newman
Decl.'').
\41\ Sherman et al., supra note 6, at 15.
\42\ William C. Gerken et al., Watching the Watchdogs: Tracking
SEC Inquiries using Geolocation Data 2-4 (Aug. 30, 2024)
(unpublished manuscript), <a href="https://ssrn.com/abstract=4941708">https://ssrn.com/abstract=4941708</a> [<a href="https://perma.cc/L7L9-WU3T">https://perma.cc/L7L9-WU3T</a>].
\43\ E.g., Richard Perez-Pena & Matthew Rosenberg, Strava
Fitness App Can Reveal Military Sites, Analysts Say, N.Y. Times
(Jan. 29, 2018), <a href="https://www.nytimes.com/2018/01/29/world/middleeast/strava-heat-map.html">https://www.nytimes.com/2018/01/29/world/middleeast/strava-heat-map.html</a> [<a href="https://perma.cc/FT3A-W547">https://perma.cc/FT3A-W547</a>]; Jeremy
Hsu, The Strava Heat Map and the End of Secrets, Wired (Jan. 29,
2018), <a href="https://www.wired.com/story/strava-heat-map-military-bases-fitness-trackers-privacy/">https://www.wired.com/story/strava-heat-map-military-bases-fitness-trackers-privacy/</a> [<a href="https://perma.cc/6TWD-P76B">https://perma.cc/6TWD-P76B</a>].
\44\ Stuart A. Thompson & Charlie Warzel, Twelve Million Phones,
One Dataset, Zero Privacy, N.Y. Times (Dec. 19, 2019), <a href="https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html">https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html</a> [<a href="https://perma.cc/X3VB-429P">https://perma.cc/X3VB-429P</a>].
\45\ Luc Rocher et al., Estimating the Success of Re-
Identifications in Incomplete Datasets Using Generative Models, 10
Nature Commc'ns, at 1 (2019), <a href="https://www.nature.com/articles/s41467-019-10933-3.pdf">https://www.nature.com/articles/s41467-019-10933-3.pdf</a> [<a href="https://perma.cc/SYJ7-KA95">https://perma.cc/SYJ7-KA95</a>]; see also Alex
Hern, `Anonymised' Data Can Never Be Totally Anonymous, Says Study,
The Guardian (Jul. 23, 2019), <a href="https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds">https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds</a> [<a href="https://perma.cc/5BF8-745A">https://perma.cc/5BF8-745A</a>].
\46\ See, e.g., Alex Hern, New York Taxi Details Can Be
Extracted From Anonymised Data, Researchers Say, The Guardian (June
27, 2014), <a href="https://www.theguardian.com/technology/2014/jun/27/new-york-taxi-details-anonymised-data-researchers-warn">https://www.theguardian.com/technology/2014/jun/27/new-york-taxi-details-anonymised-data-researchers-warn</a> [<a href="https://perma.cc/6SYK-6ZEG">https://perma.cc/6SYK-6ZEG</a>] (reporting that a researcher ``discovered that
the anonymous data'' of taxi records ``was easy to restore to its
original, personally identifiable format,'' taking a ``matter of
only minutes to determine which [license] numbers were associated
with which pieces of anonymised data'' and only an hour to ``de-
anonymise the entire dataset,'' making it possible to ``figure out
which person drove each trip'' and to determine taxi drivers'
supposedly anonymous home addresses); Ryan Singel, Netflix Spilled
Your Brokeback Mountain Secret, Lawsuit Claims, Wired (Dec. 17,
2009), <a href="https://www.wired.com/2009/12/netflix-privacy-lawsuit/">https://www.wired.com/2009/12/netflix-privacy-lawsuit/</a>
[<a href="https://perma.cc/B96P-AY97">https://perma.cc/B96P-AY97</a>] (reporting on researchers who de-
anonymized a Netflix dataset of movie ratings by using publicly
available information, which revealed ``political leanings and
sexual orientation'' in some cases, and reporters who ``quickly''
de-anonymized supposedly anonymous AOL search-engine logs ``to track
down real people'').
\47\ Newman Decl., supra note 40, at Gov't App. 33 ¶ 105.
---------------------------------------------------------------------------
Similar concerns exist with respect to encrypted data. Countries of
concern amass large quantities of encrypted data including by
harvesting encrypted data now in order to decrypt it in the future
should advances in quantum technologies render current standard public-
key cryptographic algorithms ineffective.\48\ Encryption keys can also
be stolen, handed over under compulsion, and otherwise obtained for use
in decrypting datasets.\49\
---------------------------------------------------------------------------
\48\ David Lague, U.S. and China Race to Shield Secrets from
Quantum Computers, Reuters (Dec. 14, 2023), <a href="https://www.reuters.com/investigates/special-report/us-china-tech-quantum/">https://www.reuters.com/investigates/special-report/us-china-tech-quantum/</a> [<a href="https://perma.cc/9HAA-46XA">https://perma.cc/9HAA-46XA</a>]; Nat'l Counterintel. & Sec. Ctr., Protecting
Critical and Emerging U.S. Technologies From Foreign Threats 5 (Oct.
2021), <a href="https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/FINAL_NCSC_Emerging%20Technologies_Factsheet_10_22_2021.pdf">https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/FINAL_NCSC_Emerging%20Technologies_Factsheet_10_22_2021.pdf</a> [<a href="https://perma.cc/L6ZU-8HU7">https://perma.cc/L6ZU-8HU7</a>]; Nat'l Cybersec. Ctr. of Excellence, NIST SP
1800-38B, Migration to Post-Quantum Cryptography, at 1 (drft. Dec.
2023), <a href="https://www.nccoe.nist.gov/sites/default/files/2023-12/pqc-migration-nist-sp-1800-38b-preliminary-draft.pdf">https://www.nccoe.nist.gov/sites/default/files/2023-12/pqc-migration-nist-sp-1800-38b-preliminary-draft.pdf</a> [<a href="https://perma.cc/FXF2-BJ62">https://perma.cc/FXF2-BJ62</a>].
\49\ Can Encrypted Data be Hacked?, IT Foundations (Apr. 19,
2021), <a href="https://itfoundations.com/can-encrypted-data-be-hacked/">https://itfoundations.com/can-encrypted-data-be-hacked/</a>
[<a href="https://perma.cc/E3TN-YAVV">https://perma.cc/E3TN-YAVV</a>].
---------------------------------------------------------------------------
A few commenters suggested that the approach contemplated in the
ANPRM would weaken national security by failing to differentiate
between data that is encrypted or otherwise protected and data that is
not. In their view, encryption is an important tool to secure data from
unauthorized access, and treating encrypted and non-encrypted data
alike could discourage the use of encryption, weakening the overall
security of data. Other commenters, however, supported treating
pseudonymized, encrypted, de-identified, and aggregated data as
sensitive personal data because of the ability to re-identify such data
and the rapid advancements in re-identification techniques. The
Department declines to modify the proposed rule in response to these
comments. As contemplated in the ANPRM, the proposed rule explicitly
recognizes and relies upon the privacy and national security-preserving
value of high quality, effective methods of encryption, de-
identification, pseudonymization, and aggregation by specifically
authorizing certain otherwise prohibited transactions so long as they
meet the security requirements described in part IV.B.1 of this
preamble, including by using data-level control(s) such as these
techniques in combination with other security requirements. At the same
time, as contemplated in the ANPRM, the proposed rule also recognizes
that ineffective methods of encryption, de-identification,
pseudonymization, and aggregation present the same unacceptable
national security risk of access by countries of concern and covered
persons as the risks posed by such access to identifiable data that is
not secured through any of these techniques. The proposed rule thus
allows otherwise prohibited employment agreements, vendor agreements,
and investment agreements only if they use any combination of the data-
level requirements necessary to prevent access to covered data by
covered persons or countries of concern, as requirements laid out in
the security requirements to be published by the Department of Homeland
Security (``DHS''), in addition to organizational- and system-level
requirements.
Commenters also requested that the Department use existing State
privacy law definitions to define the categories of sensitive personal
data, such as personal financial data. Commenters stated that many
companies already know how to comply with State privacy laws. The
Department has considered these comments. However, as discussed in part
IV.A.6 of this preamble, the cited definitions do not necessarily align
with the specific national security goals of these regulations.
Therefore, the proposed rule adopts the approach described in the ANPRM
without change and does not adopt the State privacy law definitions of
the terms in the proposed rule.
14. Section 202.205--Bulk
As previewed in the ANPRM, the proposed rule's prohibitions apply
to bulk amounts of U.S. sensitive personal data (in addition to the
separate category of government-related data). The proposed rule
defines ``bulk'' as any amount of such data that meets or exceeds
thresholds during a given 12-month period, whether through one covered
data transaction or multiple covered data transactions involving the
same U.S. person and the same foreign person or covered person. The
proposed rule sets specific thresholds for each category of sensitive
personal data. See Sec. 202.205. Certain specified data transactions
that exceed those thresholds are ``covered data transactions'' and thus
subject to the proposed rule's prohibitions unless they are otherwise
authorized by the proposed rule. See Sec. 202.210. The Department has
determined the proposed bulk thresholds based on the analysis previewed
in the ANPRM and described in more detail in part V of this preamble.
A few commenters expressed concerns that it would be necessary to
decrypt data to determine whether it meets a relevant bulk threshold
and suggested discarding the bulk thresholds as a result. They noted
that decrypting data is generally less secure and could lead to
unauthorized access. The proposed rule makes no change in response to
these comments, for several reasons. First, many businesses engaging in
the categories of prohibited and restricted transactions generally use
[[Page 86128]]
the data in the course of operating their business, rather than merely
serving as a pass-through for encrypted data as the comments suggest.
While encrypting data in transit and data at rest is and should be a
standard security technique, and encrypting data in use is increasingly
common, data is routinely decrypted while it is being actively
accessed, processed, filtered, sorted, searched, analyzed, displayed,
and otherwise used by a business (for example, when an authorized
employee or user opens and searches an encrypted file or database).
However, nothing in the proposed rule imposes a legal requirement to
decrypt data to comply. Instead, the proposed rule requires only that
U.S. persons implement a risk-based compliance program tailored to
their individual risk profiles. And data may also be encrypted using
cryptographic methods that permit some computation and analysis to be
performed on cyphertext that ascertains the kinds and volume of data
without decrypting the data.\50\ Businesses can map the kinds and
volumes of their data to evaluate it against the bulk thresholds in the
data life cycle in which it is either decrypted for access or encrypted
in use.
---------------------------------------------------------------------------
\50\ Abbas Acar et al., A Survey on Homomorphic Encryption
Schemes: Theory and Implementation, 51 [No. 4] ACM Computing Survs.
79:1, 79:2 (2018), <a href="https://dl.acm.org/doi/pdf/10.1145/3214303">https://dl.acm.org/doi/pdf/10.1145/3214303</a>
[<a href="https://perma.cc/AM69-7ZWV">https://perma.cc/AM69-7ZWV</a>]. In addition, to the extent that
businesses use emerging techniques (such as homomorphic encryption)
that permit computations to be performed on encrypted data without
first decrypting it, these techniques may enable businesses to map
their data even if it remains encrypted.
---------------------------------------------------------------------------
Second, even beyond mapping data in use, companies choosing to
engage in these categories of data transactions can and should have
some awareness of the volume of data they possess and in which they are
transacting. For example, typically data-using entities maintain
metrics, such as user statistics, that can help estimate the number of
impacted individuals for the purposes of identifying whether a
particular transaction meets the bulk threshold.\51\ Given that the
bulk thresholds are built around order-of-magnitude evaluations of the
quantity of user data, it is reasonable for entities to conduct similar
order-of-magnitude-based assessments of their data stores and
transactions for the purposes of regulatory compliance. Companies
already must understand, categorize, and map the volumes of data they
have for other regulatory requirements, such as State laws requiring
notification of data breaches of specific kinds of data above certain
thresholds.\52\
---------------------------------------------------------------------------
\51\ Justin Ellingwood, User Data Collection: Balancing Business
Needs and User Privacy, DigitalOcean (Sept. 26, 2017), <a href="https://www.digitalocean.com/community/tutorials/user-data-collection-balancing-business-needs-and-user-privacy">https://www.digitalocean.com/community/tutorials/user-data-collection-balancing-business-needs-and-user-privacy</a> [<a href="https://perma.cc/GCX5-RGSK">https://perma.cc/GCX5-RGSK</a>]; Jodie Siganto, Data Tagging: Best Practices, Security &
Implementation Tips, Privacy108 (Nov. 14, 2023), <a href="https://privacy108.com.au/insights/data-tagging-for-security/">https://privacy108.com.au/insights/data-tagging-for-security/</a> [<a href="https://perma.cc/8PQA-89DA">https://perma.cc/8PQA-89DA</a>]; National Institutes of Health, Metrics for Data
Repositories and Knowledgebases: Working Group Report 7, (Sept. 15,
2021), <a href="https://datascience.nih.gov/sites/default/files/Metrics-Report-2021-Sep15-508.pdf">https://datascience.nih.gov/sites/default/files/Metrics-Report-2021-Sep15-508.pdf</a> [<a href="https://perma.cc/8KBQ-HWRK">https://perma.cc/8KBQ-HWRK</a>].
\52\ See, e.g., Del. Code. Ann. tit. 6, sec. 12B--100 to--104
(West 2024); N.M. Stat. Ann. sec. 57-12C-10 (LexisNexis 2024).
---------------------------------------------------------------------------
Third, this concern appears premised on a scenario in which a U.S.
business handles only encrypted data on which no computational
functions can be performed to determine the kinds and volume of data,
never accesses the decrypted data in its business, does not have other
proxies or metrics to determine the kinds and volumes of data in which
it is transacting, and must comply with the prohibitions and
restrictions in the proposed rule. This scenario appears to be an edge
case at best, and the comments do not provide a real-world example of
this scenario or its frequency. Indeed, as discussed in some of the
examples contained in the proposed rule, if a U.S. entity merely
provides a platform for, or transports data between, a U.S. customer
and a covered person or country of concern, and thus does not know or
reasonably should not know of the kind or volume of data involved, then
it generally would not ``knowingly'' engage in a prohibited transaction
if the U.S. customer uses that platform or infrastructure to engage in
a prohibited transaction with a covered person. Instead, the U.S.
customer would generally be responsible for having ``knowingly''
engaged in the prohibited transaction, as illustrated in the
clarification of the ``knowingly'' standard and the new examples
incorporated into the proposed rule. See Sec. 202.230. Similarly, if a
U.S. entity merely stores encrypted data on behalf of a U.S. customer
and does not possess the encryption key, and if the U.S. entity does
not know or reasonably should not know the kind or volume of data
involved, the U.S. entity generally would not meet the ``knowingly''
standard of the proposed rule.
Fourth, to the extent that there is a U.S. business that handles
only encrypted data on which no computational functions can be
performed to determine the kinds and volume of data, never accesses the
decrypted data in its business, does not have other proxies or metrics
to determine the kinds and volumes of data it is transacting, and is
subject to the prohibitions and restrictions in the proposed rule, that
U.S. business would have choices under the proposed rule. It would be
able to engage with the Department and seek an advisory opinion or a
specific license tailored to its business. Similarly, it would have
choices about how best to comply as part of its individualized, risk-
based compliance program. For example, it can choose not to engage in
prohibited or restricted transactions with countries of concern or
covered persons as part of its individualized risk-based compliance
program. If the U.S. business chooses to engage in categories of
transactions potentially subject to the proposed rule, it can conduct
reasonable due diligence on the source of its encrypted data (such as
engaging with and obtaining contractual commitments from its customers)
to determine the volume and kinds of data in which it is transacting.
Or, if it chooses to engage in restricted transactions with countries
of concern or covered persons, it can assume that its transactions
involve bulk volumes of sensitive personal data and comply with the
security requirements and other applicable conditions out of an
abundance of caution.
Even if this hypothetical U.S. business were to choose to engage in
categories of transactions potentially subject to the proposed rule,
and it voluntarily decided to briefly decrypt the data to determine the
kinds and volume of its data as part of its risk-based compliance
program, commenters have not provided evidence that such a brief
decryption would meaningfully increase the risks of unauthorized access
relative to the risks involved in routine decryption for business use.
Encryption is one security tool designed to mitigate the risk of
unauthorized access to data.\53\ Entities should use encryption as a
tool whenever possible, including when data is at rest, in transit, and
in use. However, using encryption does not eliminate risk or the
requirement to perform appropriate due diligence. If an entity is using
data at any point or has access to both encrypted data and the
encryption key, that entity has full insight into and control over the data
on its systems for the
[[Page 86129]]
purposes of this regulation.\54\ Entities are responsible for balancing
risks within their systems, with encryption serving as one available
tool for achieving risk management goals alongside other tools like
data governance and data minimization plans, role-based and least-
privilege access controls, and identity management through multifactor
authentication.\55\
---------------------------------------------------------------------------
\53\ What Is Encryption?, Cloudflare, <a href="https://www.cloudflare.com/learning/ssl/what-is-encryption/">https://www.cloudflare.com/learning/ssl/what-is-encryption/</a> [<a href="https://perma.cc/T3KT-BURX">https://perma.cc/T3KT-BURX</a>]; Cybersec. & Infrastructure Sec. Agency, Zero
Trust Maturity Model 5, 27 (v. 2.0 Apr. 2023), <a href="https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf">https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf</a>
[<a href="https://perma.cc/F9LB-JVL9">https://perma.cc/F9LB-JVL9</a>].
\54\ Clare Stouffer, What Is Encryption? How It Works + Types of
Encryption, Norton: Blog (July 18, 2023), <a href="https://us.norton.com/blog/privacy/what-is-encryption">https://us.norton.com/blog/privacy/what-is-encryption</a> [<a href="https://perma.cc/RC3D-NS95">https://perma.cc/RC3D-NS95</a>].
\55\ Nat'l Sec. Agency & Cybersec. & Infrastructure Sec. Agency,
Recommended Best Practices for Administrators: Identity and Access
Management (n.d.), <a href="https://media.defense.gov/2023/Mar/21/2003183448/-1/-1/0/ESF%20identity%20and%20access%20management%20recommended%20best%20practices%20for%20administrators%20pp-23-0248_508c.pdf">https://media.defense.gov/2023/Mar/21/2003183448/-1/-1/0/ESF%20identity%20and%20access%20management%20recommended%20best%20practices%20for%20administrators%20pp-23-0248_508c.pdf</a> [<a href="https://perma.cc/B7VP-4RWF">https://perma.cc/B7VP-4RWF</a>]; Mohammed Khan, Data Minimization--A Practical
Approach, ISACA (Mar. 29, 2021), <a href="https://www.isaca.org/resources/news-and-trends/industry-news/2021/data-minimization-a-practical-approach">https://www.isaca.org/resources/news-and-trends/industry-news/2021/data-minimization-a-practical-approach</a> [<a href="https://perma.cc/8APH-5E5A">https://perma.cc/8APH-5E5A</a>]; Cybersec. & Infrastructure
Sec. Agency, Protecting Sensitive and Personal Information From
Ransomware-Caused Data Breaches (n.d.), <a href="https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf">https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf</a> [<a href="https://perma.cc/Q7TN-NLR4">https://perma.cc/Q7TN-NLR4</a>].
---------------------------------------------------------------------------
It is the responsibility of the regulated entity to manage risk
that already exists, which includes making choices about the best way
to manage its own particular risk and tradeoffs between various data
risk management strategies, including technical measures like
encryption, organizational policies, and access management. Other
options include altering commercial activities to minimize the size and
scope of covered data transactions and utilizing a strong data
governance regime to minimize the type and quantity of data collected.
If data cannot remain encrypted while in use, the risk of temporarily
decrypting data to comply with regulations can be offset by measures
such as well-designed data collection, data management, and data
security programs. Given these factors, any risk associated with a
hypothetical U.S. business' decision to temporarily decrypt data that
would otherwise remain encrypted at all times in the business' life
cycle would appear to be much more remote and attenuated than the risk
that accrues by allowing the U.S. business to engage in a transaction
that grants a country of concern or covered person access to encrypted
government-related data or bulk U.S. sensitive personal data.
15. Section 202.222--Government-Related Data
As set forth in Sec. 202.222, the proposed rule would not impose
any bulk threshold requirements on transactions involving government-
related data. The proposed rule defines subcategories of government-
related data for locations and personnel, as contemplated in the ANPRM.
For the location subcategory, the proposed rule defines ``government-
related data'' as any precise geolocation data, regardless of volume,
for any location within any area enumerated on the Government-Related
Location Data List in Sec. 202.1401 that the Attorney General has
determined poses a heightened risk of being exploited by a country of
concern to reveal insights to the detriment of national security about
locations controlled by the Federal Government, including insights
about facilities, activities, or populations in those locations,
because of the nature of those locations or the personnel who work
there. The purpose of this list is to prevent countries of concern from
exploiting the geolocation data in these locations, such as by using
aggregated geolocation data to draw inferences about facilities,
activities, or populations located there that could undermine U.S.
national security or foreign policy or to conduct intelligence or
counterintelligence operations against government employees or
contractors, or against government facilities, as discussed in parts
II, IV(D) and V(A) of this preamble. As set forth in the proposed rule,
the locations that the Department might add to this list may include
the worksites or duty stations of Federal Government employees or
contractors who occupy national security positions, as that term is
defined in 5 CFR 1400.102(a), wherever they are located. The locations
may also include military installations, embassies or consulates, or
other facilities worldwide that support the Federal Government in
achieving its national security, defense, intelligence, law
enforcement, or foreign policy missions. The proposed rule thus
modifies the definition contemplated in the ANPRM by setting forth more
details about the types of locations that will be listed on the
Government-Related Location Data List.\56\
---------------------------------------------------------------------------
\56\ 89 FR 15787.
---------------------------------------------------------------------------
The proposed rule also proposes a format for the Government-Related
Location Data List and proposes some areas for inclusion on that List.
See Sec. 202.1401. This is not yet a comprehensive list of locations.
The Department anticipates that the final rule will include additional
locations associated with military, other Government, or other
sensitive facilities or locations that meet the criteria in the
definition. These locations may include, for example, military bases,
embassies, or law enforcement facilities.
For the personnel subcategory, the proposed rule adopts the ANPRM's
contemplated definition without change by defining ``government-related
data'' as any sensitive personal data, regardless of volume, that a
transacting party markets as linked or linkable to current or recent
former employees or contractors, or former senior officials, of the
United States Government, including the military and intelligence
community.\57\
---------------------------------------------------------------------------
\57\ Id.
---------------------------------------------------------------------------
Commenters were generally supportive of the proposed rule's
protections for government-related data. A few commenters requested
that the proposed rule provide clarity as to what constitutes a
``former senior official'' and a ``recent former employee.'' The
proposed rule defines ``recent former employees or contractors'' as
employees or contractors who have worked for or provided services to
the United States Government, in a paid or unpaid status, within the 2
years preceding a proposed covered data transaction. See Sec. 202.245.
The proposed rule defines a ``former senior official'' as either a
``former senior employee'' or ``former very senior employee,'' as those
terms are defined in the ethics regulations pertaining to post-
employment conflicts of interest for former Executive Branch or
independent agency employees. 5 CFR 2641.104. See Sec. 202.220.
One commenter expressed concern that, with respect to the personnel
subcategory, companies will have to ask individuals whether they are
former government employees when collecting their data and retain that
information to ensure they can comply with the regulations. The
commenter argued that this could have the unintended consequence of
inadvertently creating a database of sensitive information that bad
actors could target. While the Department appreciates that concern and
agrees that this unintended consequence should be avoided, the
Department has designed the proposed rule to specifically avoid this
problem by defining the personnel subcategory based on how the U.S.
person markets the data, not on whether a particular dataset contains
data on former government employees or contractors. In other words, the
personnel subcategory applies only to transactions in which the U.S.
person has already identified and described sensitive personal data as
being about certain government personnel. This subcategory does not
apply on the basis of the presence or absence of data linked to
[[Page 86130]]
certain government personnel in the underlying sensitive personal data.
One commenter suggested removing the qualifier that data had to be
``marketed'' as data about members of the military or intelligence
community because certain data can still be ``linked or linkable'' to
members of the military through geolocation without being explicitly
marketed as such. As the Order's second category of government-related
data confirms, sensitive personal data that is linked to categories of
data that could be used to identify current or certain former
government personnel can present a national security risk, even if a
transacting party does not market it as linked or linkable to those
personnel.\58\ The Department is still considering how to address this
issue, specifically whether to include, and how to define, this
category of information in the proposed rule while minimizing the
unintended consequence described above in this section. The Department
appreciates any views from the public.
---------------------------------------------------------------------------
\58\ 89 FR 15429.
---------------------------------------------------------------------------
16. Section 202.302--Other Prohibited Data-Brokerage Transactions
Involving Potential Onward Transfer to Countries of Concern or Covered
Persons
As previewed in the ANPRM, the proposed rule also includes a
prohibition specific to data brokerage to address transactions
involving the onward transfer or resale of government-related data or
bulk U.S. sensitive personal data to countries of concern and covered
persons.\59\ See Sec. 202.302. The proposed rule defines ``data
brokerage'' as the sale of data, licensing of access to data, or
similar commercial transactions involving the transfer of data from any
person (``the provider'') to any other person (``the recipient''),
where the recipient did not collect or process the data directly from
the individuals linked or linkable to the collected or processed data.
See Sec. 202.214. The proposed rule prohibits any U.S. person from
knowingly engaging in a covered data transaction involving data
brokerage with any foreign person that is not a covered person unless
the U.S. person contractually requires that the foreign person refrain
from engaging in a subsequent covered data transaction involving that
data with a country of concern or covered person. This narrow
circumstance is the only instance in which the proposed rule's
regulation of covered data transactions could impact transactions
involving third countries (i.e., U.S. persons' covered data
transactions in which a country of concern or covered person is not a
party).
---------------------------------------------------------------------------
\59\ 89 FR 15792.
---------------------------------------------------------------------------
Commenters generally supported the feasibility of using contractual
requirements to address the resale of data as contemplated in the
ANPRM. They noted, however, that it may be difficult for U.S. persons
to enforce those requirements or to ensure that the data is not
subsequently resold in violation of those provisions. Several aspects
of the proposed rule are designed to address these concerns. First, in
addition to requiring a contractual commitment from the foreign person
not to engage in a subsequent covered data transaction with a country
of concern or covered person, as contemplated in the ANPRM, the
proposed rule adds a requirement for U.S. persons engaged in such
transactions to report any known or suspected violations of the
required contractual provision. This requirement creates a mechanism to
provide the necessary information for the Department to investigate and
take appropriate action to address any violations of the proposed rule.
Second, relying on both its own investigations and its investigations
of any known or suspected violations reported by private parties, the
Department intends to exercise the designation authority under the
proposed rule to designate as covered persons, as appropriate, foreign
third parties that violate the contractual provisions required by this
prohibition. See Sec. 202.701. Third, consistent with the overall
approach to compliance and enforcement under the proposed rule, the
Department expects U.S. persons engaged in these kinds of data
brokerage transactions to take reasonable steps to evaluate whether
their foreign counterparties are complying with the contractual
provision as part of implementing risk-based compliance programs under
the proposed rule. Absent indications of evasion, conspiracy, or
knowingly directing prohibited transactions, U.S. persons that conduct
adequate due diligence as part of a risk-based compliance program would
not have engaged in a prohibited transaction if the foreign
counterparty later violates the required contractual provision or if
the U.S. person fails to detect such violations. Depending on the
circumstances, a U.S. person's failure to conduct adequate due
diligence may subject the U.S. person to enforcement actions if that
failure would constitute an evasion of the regulations, such as
repeatedly knowing of violations by a foreign person and continuing to
engage in data-brokerage transactions with that foreign person. The
Department welcomes public input on any additional measures that should
be considered as part of the final rule. In addition, after the final
rule goes into effect, the Department intends to monitor the
effectiveness of the measures to address the risk of onward sale and
make any appropriate adjustments.
Although not specifically raised by commenters, the Department is
considering the specific language used to describe the contractual
requirement. As previewed in the ANPRM,\60\ the proposed rule frames
the contractual requirement as an obligation to provide that the
foreign party ``refrain from engaging in a subsequent covered data
transaction involving the same data with a country of concern or
covered person.'' See Sec. 202.302(a)(1). The Department invites
public comment on this language, including whether any alternative
language (such as inserting ``knowingly'' before ``refrain'' or
``contractually requires that the foreign person use best efforts not
to engage'') would be more appropriate.
---------------------------------------------------------------------------
\60\ Id.
---------------------------------------------------------------------------
Commenters expressed varying views about the contemplated
definition of ``data brokerage.'' Several commenters expressed concerns
about the breadth of the definition of ``data brokerage'' in the
ANPRM.\61\ Some commenters suggested that the proposed term, and in
particular the phrase ``or similar commercial transactions,'' creates
uncertainty as to its scope and fails to distinguish between selling
data for monetary purposes and transferring data pursuant to normal
business operations. Some commenters urged the Department to limit the
scope of the proposed rule to ``data brokers'' by adopting the
definition used in existing State privacy laws, such as
California's.\62\ Others proposed ways that the Department should
narrow the definition, including by requiring that the data be sold in
exchange for monetary or other valuable consideration; that the data
must be the object of the transaction and not shared incident to the
development, testing, or sale of a product or service; or that the data
must be knowingly transferred or sold. Other commenters suggested that
the Department amend the definition of ``sale'' to exclude the
disclosure of sensitive personal data to service providers processing
data on behalf of a U.S. company, to third parties for providing
products or services requested by a U.S. company, or for
[[Page 86131]]
disclosures or transfers to subsidiaries or affiliates of U.S.
companies. Still other commenters supported the approach contemplated
by the ANPRM for defining data brokerage by reference to transactions,
not the identities of the parties, noting that the ANPRM's approach is
stronger than existing State privacy laws, and encouraged the adoption
of a broad definition.
---------------------------------------------------------------------------
\61\ See 89 FR 15788.
\62\ See Cal. Civ. Code 1798.99.80 (West 2024).
---------------------------------------------------------------------------
The Department declines to revise the definition of ``data
brokerage'' in response to these comments. The definition of ``data
brokerage'' in the proposed rule is intentionally designed to address
the activity of data brokerage that gives rise to the national security
risk, regardless of the kind of entity that engages in it. Both first-
party data brokerage (i.e., by the person that directly collected the
U.S. person's data) and third-party data brokerage (i.e., by a person
that did not directly collect the U.S. person's data, such as a
subsequent reseller) present similar national security risks: the
outright sale and transfer of sensitive personal data to a country of
concern or covered person. For this reason, the proposed definition
intentionally regulates data transactions, including transactions that
transfer data to entities in countries of concern for product
development, an issue raised by numerous commenters, because those
transactions give rise to the risks discussed in the Order. In
addition, commenters did not provide any specific evidence that the
proposed definition of data brokerage would have any measurable
economic impact related to product development or testing.\63\
Consequently, the proposed rule maintains the approach described in the
ANPRM without change.
---------------------------------------------------------------------------
\63\ See infra note 418 and accompanying text.
---------------------------------------------------------------------------
A few commenters expressed concern about how this provision might
affect the ability of biomedical and pharmaceutical manufacturers to
share clinical trial data with drug and device regulators in countries
of concern. Relatedly, a few commenters expressed concerns that the
proposed rule's inclusion of aggregated and anonymized data would
prohibit companies from using clinical trial data to launch clinical
trials in countries of concern or sharing safety and efficacy data
obtained from clinical trials in the United States with countries of
concern. The proposed rule includes two exemptions responsive to these
comments, in sections 202.510 and 202.511. These exemptions allow
certain transactions relevant to medical research, marketing, and
safety, as explained in more detail below.
17. Section 202.303--Prohibited Human Genomic Data and Human
Biospecimen Transactions
As previewed in the ANPRM, the proposed rule includes a prohibition
to specifically address the risks posed by covered data transactions
involving access by countries of concern to U.S. persons' bulk human
genomic data and human biospecimens from which that bulk data can be
derived, such as covered data transactions that give access to bulk
human genomic data to laboratories owned or operated by covered persons
or provide them with human biospecimens from which such data can be
derived. The proposed rule prohibits any U.S. person from knowingly
engaging in any covered data transaction involving human genomic data
that provides a country of concern or covered person with access to
bulk U.S. sensitive personal data that consists of human genomic data
or human biospecimens from which such data could be derived, where the
number of U.S. persons in the dataset is greater than the applicable
bulk threshold at any point in the preceding 12 months, whether in a
single covered data transaction or aggregated across covered data
transactions. This prohibition applies to any of the categories of
covered data transactions that involve access to bulk human genomic
data or human biospecimens from which bulk human genomic data can be
derived, even when the transactions involve an employment, investment,
or vendor agreement. In other words, transactions falling within the
scope of proposed Sec. 202.303 are never treated as restricted
transactions under the proposed rule. Relatedly, and as discussed in
more detail with respect to the categories of exempt transactions, the
proposed rule exempts (1) transactions for the conduct of the official
business of the United States Government by employees, grantees, or
contractors thereof, or transactions conducted pursuant to a grant,
contract, or other agreement entered into with the United States
Government, including those for outbreak and pandemic prevention,
preparedness, and response; and (2) data transactions, including the
sharing of human biospecimens from which human genomic data may be
derived, that are required or authorized by certain specified
international arrangements addressing global and pandemic preparedness.
One commenter sought clarification that vendor, employment, and
investment agreements involving access to bulk human genomic data, or
human biospecimens from which such data could be derived, are
prohibited transactions under subpart C of the proposed rule rather
than restricted transactions under subpart D of the proposed rule. The
commenter suggested that the proposed rule should clarify that such
vendor, employment, and investment agreements are prohibited because
they present the same policy concerns as other categories of
transactions involving access to this kind of data. The Department
agrees. As shown by Example 49 in the ANPRM, vendor, employment, and
investment agreements involving access to this kind of sensitive
personal data are prohibited rather than restricted.\64\ For the
avoidance of doubt, Sec. 202.303 of the proposed rule clarifies that
the authorization for restricted transactions, see Sec. Sec. 202.401-
202.402, does not apply to any transactions involving access to bulk
human genomic data or bulk human biospecimens.
---------------------------------------------------------------------------
\64\ 89 FR 15794.
---------------------------------------------------------------------------
18. Section 202.304--Prohibited Evasions, Attempts, Causing Violations,
and Conspiracies
Adopting the approach contemplated in the ANPRM without change, the
proposed rule prohibits any transactions that have the purpose of
evading or avoiding the proposed rule's prohibitions, or that cause a
violation of or attempt to violate the proposed rule's prohibitions.
The proposed rule also prohibits conspiracies formed to violate the
proposed rule's prohibitions.
One commenter suggested expanding the scope of the regulations to
prohibit transactions involving algorithms or artificial intelligence
models that are trained and developed using bulk U.S. sensitive
personal data in certain circumstances. The commenter described a
scenario in which the transfer of such an algorithm or model provides a
means to evade the prohibitions--for example, where a transaction gives
a country of concern or covered person access to the model, and the
model makes the underlying bulk U.S. sensitive personal data on which
it was trained available to that country of concern or covered person.
According to the commenter, this access could occur by querying the
model in such a way that results in it sharing all of or a highly
relevant component of the underlying data on which it was trained, such
as a query that resulted in identification of people with a particular
medical condition.\65\ Apart
[[Page 86132]]
from concerns over access to the underlying data, a model could also
provide insights into counter-intelligence targeting that would not
otherwise be observable from the underlying sensitive personal data.
The Department shares these concerns. In response to the comment, the
proposed rule includes Examples 5 and 6 in Sec. 202.304(b)
highlighting how these regulations would apply in certain scenarios
where bulk U.S. sensitive personal data would be licensed or sold to
support algorithmic development, including cases of evasion, or where
sensitive personal data could be extracted from artificial intelligence
models. The Department will continue to evaluate the national-security
risks in this emerging area as it considers the effectiveness of this
regulation. To the extent that there are broader concerns about
national-security risks from the export of artificial intelligence
models or algorithms regardless of the access they provide to sensitive
personal data (such as their ability to provide insights that would not
otherwise be observable from the data on which they are trained), the
Department believes that other authorities, such as export controls and
Executive Order 13859 of February 11, 2019 (Maintaining American
Leadership in Artificial Intelligence),\66\ are more appropriate in the
first instance to address those concerns.
---------------------------------------------------------------------------
\65\ Tim Johansson & Balder Janryd, Preventing Health Data from
Leaking in a Machine Learning System 4-6 (2024) (First Cycle 15
credits, KTH Royal Institute of Technology), <a href="https://kth.diva-portal.org/smash/get/diva2:1865596/FULLTEXT01.pdf">https://kth.diva-portal.org/smash/get/diva2:1865596/FULLTEXT01.pdf</a> [<a href="https://perma.cc/S5S8-M3DJ">https://perma.cc/S5S8-M3DJ</a>]; see, e.g., Anuj Mudaliar, ChatGPT Leaks Sensitive User
Data, OpenAI Suspects Hack, Spiceworks (Feb. 1, 2024), <a href="https://www.spiceworks.com/tech/artificial-intelligence/news/chatgpt-leaks-sensitive-user-data-openai-suspects-hack/">https://www.spiceworks.com/tech/artificial-intelligence/news/chatgpt-leaks-sensitive-user-data-openai-suspects-hack/</a> [<a href="https://perma.cc/AS5E-FATZ">https://perma.cc/AS5E-FATZ</a>].
\66\ E.O. 13859, 84 FR 3967 (Feb. 11, 2019).
---------------------------------------------------------------------------
19. Section 202.305--Knowingly Directing Prohibited Transactions
Adopting the approach contemplated in the ANPRM without change, the
proposed rule prohibits U.S. persons from knowingly directing any
covered data transaction that would be a prohibited transaction
(including restricted transactions that do not comply with the security
requirements) if engaged in by a U.S. person.
20. Section 202.215--Directing
Adopting the approach contemplated in the ANPRM without change, the
proposed rule defines ``directing'' to mean that the U.S. person has
any authority (individually or as part of a group) to make decisions on
behalf of a foreign entity and exercises that authority. For example, a
U.S. person would direct a transaction by exercising their authority to
order, decide to engage, or approve a transaction that would be
prohibited under these regulations if engaged in by a U.S. person.
21. Section 202.230--Knowingly
Adopting the approach contemplated in the ANPRM without change, the
proposed rule defines ``knowingly'' to mean, with respect to conduct, a
circumstance, or a result, that the U.S. person had actual knowledge
of, or reasonably should have known about, the conduct, circumstance,
or result. To determine what an individual or entity reasonably should
have known in the context of prohibited transactions, the Department
will take into account the relevant facts and circumstances, including
the relative sophistication of the individual or entity at issue, the
scale and sensitivity of the data involved, and the extent to which the
parties to the transaction at issue appear to have been aware of and
sought to evade the application of these proposed rules. As a result of
the knowledge standard, the regulations incorporating the word
``knowingly'' do not adopt a strict liability standard.
The ``knowingly'' language is also not intended to require U.S.
persons, in engaging in vendor agreements and other classes of data
transactions with foreign persons, to conduct due diligence on the
employment practices of those foreign persons to determine whether the
foreign persons' employees qualify as covered persons. For instance, as
illustrated by Examples 37 and 38 in the ANPRM, which are incorporated
into the proposed rule, it would not be a prohibited transaction for a
U.S. person to enter into a vendor agreement to have bulk U.S.
sensitive personal data processed or stored by a foreign person that is
not a covered person, even if that foreign person then employs covered
persons and grants them access to the data (absent any indication of
evasion or knowing direction).\67\ In those circumstances, the U.S.
person would not be expected to conduct due diligence on the foreign
person's employment practices as part of its risk-based compliance
program.
---------------------------------------------------------------------------
\67\ 89 FR 15792.
---------------------------------------------------------------------------
Several commenters sought clarity about liability where service
providers have little or no knowledge of the data that customers keep
or transact on their infrastructure. They also requested that the
Department distinguish between data controllers and data processors. In
response to these comments, the proposed rule has provided additional
examples to clarify the function of the ``knowingly'' standard. See
Sec. 202.230(b)(2)-(6). As the examples demonstrate, if a U.S. entity
merely provides a software platform or owns or operates infrastructure
for a U.S. customer, and thus does not know or reasonably should not
know of the kind or volume of data involved, then the U.S. entity
generally would not ``knowingly'' engage in a prohibited transaction if
the U.S. customer uses their platform or infrastructure to engage in a
prohibited transaction. Instead, the U.S. customer would generally be
responsible for having ``knowingly'' engaged in the prohibited
transaction. Likewise, if a U.S. entity merely stores encrypted data on
behalf of a U.S. customer and does not have access to the encryption
key (or has access only to an emergency backup encryption key usable
only at the customer's explicit request), and if the U.S. entity is
reasonably unaware of the kind or volume of data involved, the U.S.
entity generally would not meet the ``knowingly'' standard of the
proposed rule.
The Department declines, however, to draw a categorical distinction
between processors and controllers in the proposed rule. Inserting a
categorical distinction based on the kind of entity would be
inconsistent with the structure and overall approach of the proposed
rule, which addresses activities that present an unacceptable national
security risk. In addition, as the new examples illustrate, the same
kinds of entities can engage in different kinds of activities, some of
which (such as merely providing a software platform) raise different
risks than others (such as providing a software platform and services
to handle and process the data). The ``knowingly'' standard provides
the requisite flexibility to address the national security risks while
providing a basis to distinguish responsibility based on the activities
and roles that particular entities may have. The proposed rule thus
adopts the approach described in the ANPRM with the additional examples
described above in this section to illustrate the ``knowingly''
standard.
Similarly, one comment sought clarification that the proposed rule
would apply only to U.S. persons that have or maintain control over the
bulk U.S. sensitive personal data involved in a prohibited or
restricted transaction. As the commenter explained, an automobile
manufacturer should not have compliance obligations with respect to
bulk U.S. sensitive personal data that is transferred via an
aftermarket device that was installed in a vehicle fleet by the owner.
As
[[Page 86133]]
previewed in the ANPRM, the proposed rule imposes prohibitions and
restrictions only on U.S. persons that are engaged in covered data
transactions that meet certain criteria. In the commenter's example,
the U.S. automobile manufacturer has not engaged in a covered data
transaction with respect to the aftermarket device. As a result, no
change was made to the proposed rule in response to this comment.
B. Subpart D--Restricted Transactions
1. Section 202.401--Authorization To Conduct Restricted Transactions;
Section 202.402--Incorporation by Reference
The proposed rule sets forth three classes of transactions (vendor
agreements, employment agreements, and investment agreements) that are
prohibited unless the U.S. person entering into the transactions
complies with the ``security requirements'' referenced in section
202.248. The goal of the proposed security requirements is to address
national security and foreign-policy threats that arise when countries
of concern and covered persons access government-related data or bulk
U.S. sensitive personal data that may be implicated by the categories
of restricted transactions. The security requirements have been
developed and proposed by the Cybersecurity and Infrastructure Security
Agency (``CISA'') in coordination with the Department. CISA has
published the proposed requirements--the CISA Proposed Security
Requirements for Restricted Transactions--on its website, as announced
via a Federal Register notice requesting comment on those proposed
security requirements issued concurrently with this proposed rule. The
proposed security requirements require U.S. persons engaging in
restricted transactions to comply with organizational and system-level
requirements, such as ensuring that basic organizational cybersecurity
policies, practices, and requirements are in place, as well as data-
level requirements, such as data minimization and masking, encryption,
or privacy-enhancing techniques. After CISA receives and considers
public input, it will revise as appropriate and publish the final
security requirements. The Department of Justice will then incorporate
by reference the published final security requirements in the final
rule that the Department issues. Interested parties can view CISA's
proposed security requirements on CISA's website at <a href="https://www.cisa.gov/">https://www.cisa.gov/</a> and can review CISA's notice requesting comments on the
proposed security requirements in the notice docketed as CISA-2024-0029
(October 29, 2024).
The proposed rule also clarifies that restricted transactions are
not prohibited only if they comply with the security requirements and
other applicable requirements for conducting restricted transactions.
The proposed rule includes a new example that makes it clear that U.S.
persons engaging in restricted transactions may not, absent a license,
use measures other than the security requirements and other applicable
conditions to mitigate the risk posed by country-of-concern or covered-
person access.
Some commenters provided feedback on the security requirements that
would govern restricted transactions. As explained in the ANPRM, CISA
will be soliciting comments on the proposed security requirements as
part of a separate notice-and-comment process in parallel with this
NPRM, and the Department urges commenters to provide any comments on
the security requirements through that process.
2. Section 202.258--Vendor Agreement
The proposed rule defines a ``vendor agreement'' as any agreement
or arrangement, other than an employment agreement, in which any person
provides goods or services to another person, including cloud-computing
services, in exchange for payment or other consideration. The ANPRM
contemplated defining the term ``cloud-computing services'' as that
term is defined in NIST Special Publication (``SP'') 800-145.\68\ NIST
SP 800-145 describes cloud computing in a way that includes different
essential characteristics, deployment models, and service models, such
as ``Infrastructure as a Service (IaaS),'' ``Platform as a Service
(PaaS),'' and ``Software as a Service (SaaS).'' \69\ Because cloud
computing is just one example of several types of services that may be
involved in a vendor agreement, it does not appear useful to separately
or specially define that term in the proposed rule at this time. The
Department may consider issuing guidance in the future that describes
cloud computing in reference to the NIST definition.
---------------------------------------------------------------------------
\68\ 89 FR 15788.
\69\ See Peter Mell & Timothy Grance, The NIST Definition of
Cloud Computing (NIST, SP 800-145, Sept. 2011), <a href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf">https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf</a> [<a href="https://perma.cc/HUJ5-B2JS">https://perma.cc/HUJ5-B2JS</a>].
---------------------------------------------------------------------------
3. Section 202.217--Employment Agreement
The proposed rule defines an ``employment agreement'' as any
agreement or arrangement in which an individual, other than as an
independent contractor, performs work or performs job functions
directly for a person in exchange for payment or other consideration,
including employment on a board or committee, executive-level
arrangements or services, and employment services at an operational
level.
4. Section 202.228--Investment Agreement
The proposed rule defines an ``investment agreement'' as any
agreement or arrangement in which any person, in exchange for payment
or other consideration, obtains direct or indirect ownership interests
in or rights in relation to (1) real estate located in the United
States or (2) a U.S. legal entity. The proposed rule categorically
excludes certain passive investments that do not pose an unacceptable
risk to national security because they do not give countries of concern
or covered persons a controlling ownership interest, rights in
substantive decision-making, or influence through a non-controlling
interest that could be exploited to access government-related data or
bulk U.S. sensitive personal data. Specifically, the proposed rule
excludes from ``investment agreement'' investments (1) in any publicly
traded security, in any security offered by any investment company that
is registered with the United States Securities and Exchange
Commission, such as index funds, mutual funds, exchange-traded funds,
or made as limited partners (or equivalent) into a venture capital
fund, private equity fund, fund of funds, or other pooled investment
fund, if the limited partner's contributions and influence are
circumscribed as set forth in the proposed rule; (2) that give the
covered person less than 10 percent of total voting and equity interest
in a U.S. person; and (3) that do not give a covered person rights
beyond those reasonably considered to be standard minority shareholder
protections.
With respect to the requirement of a de minimis percentage of total
voting and equity interest, the Department is considering a range of
different proposals. The proposed rule's definition of ``investment
agreement'' would apply to investments that give a covered person a
certain percentage or more of total voting and equity interest in a
U.S. person, even where that investment is not accompanied by other
[[Page 86134]]
formal rights beyond standard minority shareholder protections. The
proposed rule would include this de minimis threshold to account for
the unacceptable national security risk posed by otherwise passive
investments that may provide investors with meaningful economic
leverage or informal influence over access to a company's assets (like
sensitive personal data) even when the investors do not obtain formal
rights, control, or access beyond standard minority shareholder
protections. The proposed rule would tentatively set this threshold
number at 10 percent to exclude truly passive investments while also
capturing investments that informally may provide covered persons with
influence that presents unacceptable national security risks. The
Department is also considering de minimis thresholds that are
significantly lower and higher than this percentage, such as the 5
percent threshold above which investors must publicly report their
direct or indirect beneficial ownership of certain covered securities
under the Securities Exchange Act of 1934, 15 U.S.C. 78m(d). As a
result, the final figure in the proposed rule could potentially cover
passive investments that provide less (or more) than 10-percent voting
and equity interests in a U.S. person. The Department invites public
comment on the specific de minimis threshold that should be used in
this exception for passive investments.
C. Subpart E--Exempt Transactions
As previewed in the ANPRM, the proposed rule exempts several
classes of data transactions from the scope of the proposed rule's
prohibitions.
1. Section 202.501--Personal Communications; Section 202.502--
Information or Informational Materials; and Section 402.503--Travel
The proposed rule exempts three classes of data transactions to the
extent that they involve data that is statutorily exempt from
regulation under IEEPA: personal communications, information or
informational materials, and data that is ordinarily incident to travel
to or from another country.
One comment suggested clarifying that the exemption for personal
communications that do ``not involve a transfer of anything of value''
under 50 U.S.C. 1702(b)(1) is ``inclusive of business and commercial
transactions.'' The proposed rule makes no change in response to this
comment, as the clarification does not seem necessary at this time,
given the scope of the statutory exemption and the proposed rule.
Section 1702(b)(1) applies to any ``personal communication,'' so it
would be inappropriate to rely on that statutory language to exempt, as
this comment suggests, ``business and commercial transactions.''
Further, the categories of sensitive personal data encompassed by the
proposed rule do not include any personal communications. For example,
fingerprints and other biometric identifiers, human genetic testing
results, and data about financial assets and liabilities are not
``communications'' from one person to another. Any clarification of the
phrase ``a transfer of anything of value,'' therefore, does not appear
necessary. To the extent the commenters, a group of trade associations
representing telecommunications providers, are concerned that personal
communications between individuals that do not involve a transfer of
anything of value are business transactions from their perspective, as
purveyors of telecommunications services, the Department refers the
commenters to the qualified exemption for telecommunications services
in proposed Sec. 202.509.
The Department discusses the exemption for information or
informational materials in part VI of this preamble.
Although not raised by commenters, the proposed rule also adds a
separate exemption for data transactions that are ordinarily incident
to travel to or from another country, such as arranging travel or
importing baggage for personal use. This exemption implements and
tracks the statutory exemption in 50 U.S.C. 1702(b)(4).
2. Section 202.504--Official Business of the United States Government
Adopting the approach contemplated in the ANPRM without change, the
proposed rule exempts data transactions to the extent that they are for
(1) the conduct of the official business of the United States
Government by its employees, grantees, or contractors; (2) any
authorized activity of any United States Government department or
agency (including an activity that is performed by a Federal depository
institution or credit union supervisory agency in the capacity of
receiver or conservator); or (3) transactions conducted pursuant to a
grant, contract, or other agreement entered into with the United States
Government. Most notably, this exemption would exempt grantees and
contractors of Federal departments and agencies, including the
Department of Health and Human Services, the Department of Veterans
Affairs, the National Science Foundation, and the Department of
Defense, so that those agencies can pursue grant-based and contract-
based conditions to address risks that countries of concern can access
sensitive personal data in transactions related to their agencies' own
grants and contracts, as laid out in section 3(b) of the Order--without
subjecting those grantees and contractors to dual regulation.
3. Section 202.505--Financial Services
Section 2(a)(v) of the Order exempts any transaction that is
``ordinarily incident to and part of the provision of financial
services, including banking, capital markets, and financial insurance
services, or required for compliance with any Federal statutory or
regulatory requirements, including any regulations, guidance, or orders
implementing those requirements.'' \70\ The proposed rule defines these
exempt transactions in further detail. Notably, the proposed rule
exempts the transfer of personal financial data or covered personal
identifiers incidental to the purchase and sale of goods and services
(such as the purchase, sale, or transfer of consumer products and
services through online shopping or e-commerce marketplaces, while
still prohibiting these marketplaces from conducting data transactions
that involve data brokerage), as well as exempting the transfer of
personal financial data or covered personal identifiers for the
provision or processing of payments or funds transfers.
---------------------------------------------------------------------------
\70\ 89 FR 15423.
---------------------------------------------------------------------------
Numerous commenters expressed support for the financial-services
exemption. Commenters expressed appreciation for the exemption's
careful scoping to enable business and commercial transactions.
Commenters sought specific edits to the payment-processing part of the
exemption to ensure that it covers operations involving payment dispute
resolution, payor authentication, tokenization, payment gateway,
payment fraud detection, payment resiliency, mitigation and prevention,
and payment-related loyalty point program administration. The
Department appreciates these suggested clarifications, and the proposed
rule incorporates these proposed edits by explicitly adding the
provision of services ancillary to processing payments and funds
transfers, with the suggested examples, to the list of exempt financial
services transactions.\71\ The financial-services exemption aims to
identify the low-risk business and
[[Page 86135]]
commercial transactions that should continue unimpeded while also
ensuring that the Order and its implementing regulations do not serve
as a broader economic decoupling from countries of concern. These edits
are consistent with that purpose.
---------------------------------------------------------------------------
\71\ 89 FR 15794.
---------------------------------------------------------------------------
Another commenter also suggested that investment-management
services be included in the financial-services exemption. The
Department does not intend to impede activities that are ordinarily
incident to and part of the provision of investment-management services
that manage or provide advice on investment portfolios or individual
assets for compensation (such as devising strategies and handling
financial assets and other investments for clients) or provide services
ancillary to investment-management services (such as broker-dealers
executing trades within a securities portfolio based upon instructions
from an investment advisor). For further clarity, the proposed rule
explicitly adds investment-management services to the financial-
services exemption set out in Sec. Sec. 202.505(a)(1) and
202.505(a)(6).
One commenter requested an exemption for cargo-related information
containing listed identifiers. The Department believes this comment is
focused on scenarios in which bulk personal identifiers are transferred
as part of shipping purchased goods internationally. The Department
declines to adopt a separate exemption, or an expansion of the scope of
the exemption for transfers of data required by or authorized by
Federal law or international agreement, for cargo-related information
because the proposed rule already exempts the transfer of personal
financial data or covered personal identifiers incidental to the
purchase and sale of goods and services. This existing exemption
appears to adequately address the scenario raised by the commenter.
Thus, the proposed rule adopts the approach described in the ANPRM.
Although not raised by any commenters, the Department is also
considering whether and how the financial-services exemption should
apply to employment and vendor agreements between U.S. financial-
services firms and covered persons where the underlying financial
services provided do not involve a country of concern. Under this
exemption, U.S. persons would be required to evaluate whether a
particular data transaction (such as a transaction involving data
brokerage or a vendor, employment, or investment agreement) is
``ordinarily incident to and part of'' the provision of financial
services such that it is treated as an exempt transaction.\72\ At one
end of the spectrum, and as previewed by Example 53 in the ANPRM, if a
U.S. financial institution or financial-services company uses a data
center operated by a covered person in a country of concern to
facilitate payments to U.S. persons in that country of concern, the
proposed rule would treat that vendor agreement as ``ordinarily
incident to and part of'' the facilitation of those payments--and thus
exempt.\73\ See Sec. 202.505(b)(3). On the other end of the spectrum,
and as previewed by Example 27 in the ANPRM, if a U.S. financial
institution or financial-services company hires a covered person as a
data scientist with access to its U.S. customers' bulk personal
financial data to develop a new app that could be sold as a standalone
product to the company's customers, the proposed rule would treat this
employment agreement as not ``ordinarily incident to and part of'' the
financial services provided by the U.S. company--and thus not
exempt.\74\ See Sec. 202.217(b)(4).
---------------------------------------------------------------------------
\72\ Cf., e.g., 31 CFR 560.405(c) (discussing OFAC exemption for
transactions ``ordinarily incident to a licensed transaction'' as
applied to scenarios involving the provision of transportation
services to or from Iran), 515.533 n.1 (discussing OFAC exemption
for transactions ``ordinarily incident to'' a licensed transaction
as applied to scenarios involving the licensed export of items to
any person in Cuba); Letter from R. Richard Newcomb, Director, U.S.
Dep't of Treas., Off. of Foreign Assets Control, Re: Iran: Travel
Exemption (Nov. 25, 2003), <a href="https://ofac.treasury.gov/media/7926/download?inline">https://ofac.treasury.gov/media/7926/download?inline</a> [<a href="https://perma.cc/3VRL-X886">https://perma.cc/3VRL-X886</a>] (discussing the OFAC
exemption for transactions ``ordinarily incident to'' travel as
applied to scenarios involving the use of airline-service providers
from a sanctioned jurisdiction).
\73\ 89 FR 15794.
\74\ 89 FR 15789.
---------------------------------------------------------------------------
Between those two ends of the spectrum, the Department is
considering whether the transactions in the following new examples
should be treated as exempt transactions or as restricted transactions:
• New example in Sec. 202.505(b)(4). Same as Example 3 (see
Sec. 202.505(b)(3)), but the underlying payments are between U.S.
persons in the United States and do not involve a country of concern: A
U.S. bank or other financial institution, to facilitate payments that
do not involve a covered person or country of concern (e.g., between
U.S. persons in the United States), stores and processes the customers'
bulk financial data using a data center operated by a third-party
service provider in a country of concern, which is a covered person.
Should the vendor agreement with the covered person, which is otherwise
a restricted transaction, be treated as ``ordinarily incident to and
part of'' the U.S. financial institution's facilitation of payments
that do not involve a covered person or country of concern?
• New example in Sec. 202.505(b)(12). A U.S. company
provides wealth-management services and collects bulk personal
financial data on its U.S. clients. The U.S. company appoints a citizen
of a country of concern, who is located in a country of concern, to its
board of directors. In connection with the board's data security and
cybersecurity responsibilities, the director could access the bulk
personal financial data. Should the employment agreement with the
covered person as a board director, which is otherwise a restricted
transaction, be treated as ``ordinarily incident to and part of'' the
U.S. company's provision of wealth-management services to its U.S.
clients?
The Department is tentatively considering treating the transactions
in both examples as restricted transactions because it does not believe
that an employment agreement (including the hiring of board members) or
a vendor agreement that gives a covered person access to U.S. persons'
bulk sensitive personal data is a reasonable and typical practice in
providing the underlying financial services that do not otherwise
involve covered persons or a country of concern. These transactions
therefore appear to pose the same unacceptable national security risk
regardless of the kinds of underlying services provided by the U.S.
person. The Department welcomes public comment to inform its resolution
of this issue, including the extent to which it is reasonable,
necessary, and typical practice for U.S. financial-services firms to
hire covered persons as employees or vendors with access to U.S.
persons' bulk sensitive personal data as part of providing financial
services that do not involve a country of concern; why U.S. financial-
services firms hire covered persons instead of non-covered persons in
those circumstances; and any additional compliance costs that would be
incurred if the transactions in these examples were treated as
restricted transactions. In addition, after issuance of the final rule,
the Department intends to consult the Department of the Treasury and
Federal financial regulatory agencies as part of issuing any guidance
or advisory opinions regarding the application of the financial-
services exemption.
4. Section 202.506--Corporate Group Transactions
As previewed in the ANPRM, the proposed rule exempts covered data
transactions to the extent that they are (1) between a U.S. person and
its
[[Page 86136]]
subsidiary or affiliate located in (or otherwise subject to the
ownership, direction, jurisdiction, or control of) a country of
concern; and (2) ordinarily incident to and part of administrative or
ancillary business operations (such as sharing employees' covered
personal identifiers for human-resources purposes; payroll transactions
like the payment of salaries and pensions to overseas employees or
contractors; paying business taxes or fees; purchasing business permits
or licenses; sharing data with auditors and law firms for regulatory
compliance; and risk management). The ANPRM called this exemption
``intra-entity transactions.'' \75\ For greater clarity and accuracy,
the proposed rule revises the name of this exemption to ``corporate
group transactions.''
---------------------------------------------------------------------------
\75\ 89 FR 15794.
---------------------------------------------------------------------------
Some commenters requested that the Department broaden the corporate
group transactions exemption to include routine business activities
performed by third-party service providers. Similarly, commenters
proposed augmenting the same exemption to include suppliers and other
third-party vendors who are contractually bound to maintain privacy
requirements and who engage in product and services development,
research, and improvement activities for U.S. companies. The Department
declines to incorporate these suggestions because they would not
adequately mitigate the threats posed by access to government-related
data or bulk U.S. sensitive personal data by a country of concern or
covered person. Thus, the proposed rule adopts the approach described
in the ANPRM without change, permitting restricted transactions
involving vendor agreements to proceed as long as they comply with the
proposed rule's security requirements designed to mitigate access to
the sensitive personal data by countries of concern and covered
persons.
One commenter requested clarification that it would not be a
prohibited transaction for a U.S. company to provide access to a global
company staff directory to its business office and employees located in
a country of concern. Consistent with the approach contemplated in the
ANPRM, this scenario would not be a prohibited or restricted
transaction under the proposed rule for two independent reasons. First,
a company directory containing only contact or demographic data linked
to other contact or demographic data would not fall within the
definition of ``covered personal identifiers'' and thus would not
constitute government-related data or bulk U.S. sensitive personal
data. As a result, there would be no covered data transaction in
providing such a directory. Second, the U.S. company's sharing of the
directory would not be a prohibited or restricted transaction,
regardless of whether the business office is a foreign branch or a
subsidiary or affiliate: if the business office in the country of
concern is a branch of the U.S. company, the branch is part of the same
``U.S. person'' as the U.S. company, and the U.S. company has not
engaged in any transaction with a foreign person in the first place.
If, by contrast, the business office is a subsidiary or affiliate of
the U.S. company, the sharing is an exempt corporate group transaction
because a transaction within a corporate group granting its employees
access to a company directory is ordinarily incident to ancillary or
administrative business operations. (In different circumstances where
that exemption is not applicable, a transaction within a corporate
group that gives an employee who is a covered person access to
government-related data or bulk U.S. sensitive personal data would
generally be a restricted employment agreement.)
5. Section 202.507--Transactions Required or Authorized by Federal Law
or International Agreements, or Necessary for Compliance With Federal
Law
As previewed in the ANPRM, the proposed rule exempts covered data
transactions to the extent that they are required or authorized by
Federal law, international agreements or specified global health and
pandemic preparedness measures, or necessary for compliance with
Federal law.
Some commenters requested clarity about whether the exemption for
regulatory compliance (which the ANPRM contemplated as part of the
financial-services exemption) applies to compliance with all Federal
law, not just financial laws.\76\ The Department acknowledges that this
is a correct understanding of this exemption. To improve clarity and
reflect this understanding, the proposed rule moves the exemption for
compliance with Federal law from the financial-services exemption to a
standalone subpart of the exemption for transactions required or
authorized by Federal law or international agreements.
---------------------------------------------------------------------------
\76\ 89 FR 15794-95.
---------------------------------------------------------------------------
The proposed rule clarifies that, with respect to international
agreements authorizing or requiring data transactions, the exemption
applies only to international agreements to which the United States is
a party. Some commenters requested a non-exhaustive list of
international agreements to which this exemption applies. The proposed
rule adds an illustrative list of specific international agreements to
which this exemption applies.
One commenter sought clarification on whether transactions required
or authorized by international agreements include transactions in
accordance with arrangements that facilitate international commercial
data flows, such as the Global Cross-Border Privacy Rules (``G-CBPR'')
and Global Privacy Recognition for Processors (``G-PRP'') Systems of
the Global Cross-Border Privacy Rules Forum (``Global CBPR Forum'') and
the Asia-Pacific Economic Cooperation (``APEC'') Cross-Border Privacy
Rules (``APEC CBPR'') and APEC Privacy Recognition for Processors
Systems. These arrangements are outside the scope of the exemption for
international agreements. These arrangements consist of frameworks for
coordinating national regulatory measures, and they do not facilitate
the sharing of data between the U.S. and a country of concern. Thus,
data transactions covered by this proposed rule would not be ``pursuant
to'' these arrangements as necessary to meet the definitional
requirements of the exemption. The Department further declines to
expand the scope of the exemption to incorporate these arrangements,
which are designed to address general privacy concerns and other issues
rather than the national security risks detailed in the Order. The same
commenter also sought clarity as to whether the EU-U.S. Data Privacy
Framework (``DPF'') would be such an international agreement. The EU-
U.S. DPF is similarly an arrangement that falls outside the scope of
the exemption. The EU-U.S. DPF fulfills different objectives than the
proposed rule and does not facilitate the sharing of information
between a U.S. person and a country of concern or covered person. For
example, under the EU-U.S. DPF and pursuant to Executive Order 14086 of
October 7, 2022 (Enhancing Safeguards for United States Signals
Intelligence Activities), the Attorney General determined that the laws
of EU/European Economic Area countries require appropriate safeguards
for signals intelligence activities affecting U.S. persons' personal
data.\77\
[[Page 86137]]
Furthermore, while DPF- and APEC CBPR-certified companies are subject
to domestic law, including the Order, no DPF or APEC CBPR countries or
jurisdictions are currently designated as countries of concern under
this Executive Order. As such, the provisions of the Order would not
apply to transfers conducted in reliance on the DPF or APEC CBPR, and
any data transactions that the proposed rule does cover would not be
``pursuant to'' such arrangements as required for this exemption.
Therefore, the proposed rule adopts the approach contemplated by the
ANPRM without change.
---------------------------------------------------------------------------
\77\ E.O. 14086, 87 FR 62283 (Oct. 7, 2022); Dep't of Just.,
Attorney General Designations of the European Union, Iceland,
Liechtenstein, and Norway as ``Qualifying States'', 88 FR 44844
(July 13, 2023).
---------------------------------------------------------------------------
6. Section 202.508--Investment Agreements Subject to a CFIUS Action
Adopting the approach contemplated by the ANPRM, the proposed rule
exempts investment agreements to the extent that they are the subject
of a ``CFIUS action'' as defined in section 202.207 (i.e., CFIUS has
suspended a proposed or pending transaction, or entered into or imposed
mitigation measures to address a national security risk involving
access to sensitive personal data by countries of concern or covered
persons). The rationale for this approach is discussed separately in
part IV.K of this preamble.
7. Section 202.509--Telecommunications Services
The proposed rule exempts transactions that are ordinarily incident
to and part of telecommunications services.
Multiple commenters requested that the proposed rule include an
additional exemption for data that is incidental to the provision and
delivery of communications services. They asked that this kind of data
be carved out from the scope of any restrictions on sensitive personal
data for consumers, enterprises, and governments, including but not
limited to international calling, mobile voice, and data roaming.
Commenters also requested that communications service providers be able
to use, disclose, or permit access to covered data obtained from their
customers, either directly or indirectly through agents, to initiate,
render, bill, and collect for communications services. These commenters
assert that global commerce relies on effective and efficient global
communications, that restrictions on such bulk U.S. sensitive personal
data could hinder the ability of Americans to communicate globally, and
that the United States Government has long held a policy of ensuring
that communications are enabled even with countries subject to U.S.
sanctions.
The Department appreciates the need to ensure Americans' ability to
communicate globally, including with and in countries of concern, and
does not intend for these regulations to impede the ability of U.S.
telecommunications service providers to operate. Accordingly, the
Department has included in the proposed rule an exemption that seeks to
address this concern. The proposed exemption is intended to be narrowly
tailored to ensure that U.S. telecommunications service providers
retain the ability to operate unimpeded while also continuing to
mitigate the national security risk associated with data brokerage
(i.e., the sale of or leasing of access to customer data) to countries
of concern and covered persons.
8. Section 202.510--Drug, Biological Product, and Medical Device
Authorizations
Under the proposed rule, certain data transactions necessary to
obtain and maintain regulatory approval to market a drug, biological
product, medical device, or combination product in a country of concern
would be exempt from the prohibitions in the proposed rule. This
exemption balances the need to mitigate the risks to U.S. national
security from the unrestricted transfer of bulk U.S. sensitive personal
data to countries of concern against the scientific, humanitarian, and
economic interests in enabling the sale of medicines in those
countries. The proposed rule includes reporting requirements that will
allow the Department to maintain visibility on the type and amount of
data that is being transmitted to countries of concern under this
exemption.
This exemption is limited to data that is de-identified; required
by a regulatory entity to obtain or maintain authorization or approval
to research or market a drug, biological product, device, or
combination product (i.e., covered product); and reasonably necessary
to evaluate the safety and effectiveness of the covered product. For
example, de-identified data that is gathered in the course of a
clinical investigation and would typically be required for Food and
Drug Administration (``FDA'') approval of a covered product would
generally fall within the exemption. Conversely, clinical participants'
precise geolocation data, even if required by a country of concern's
regulations, would fall outside the scope of the exemption because such
data is not reasonably necessary to evaluate safety or effectiveness.
The Department recognizes that data collection and submission
continue beyond the initial regulatory approval process, and it intends
the term ``regulatory approval data'' to include data from post-market
clinical investigations (conducted under applicable FDA regulations,
including 21 CFR parts 50 and 56), clinical care data, and post-
marketing surveillance, including data on adverse events.\78\ For
example, where continued approval to market a drug in a country of
concern is contingent on submission of data from ongoing product
vigilance or other post-market requirements, the exemption applies.
---------------------------------------------------------------------------
\78\ See U.S. Food & Drug Admin., What Is a Serious Adverse
Event? (May 18, 2023), https://www.fda.gov/safety/reporting-serious-problems-fda/what-serious-adverse-event#:~:text=An%20adverse%20event%20is%20any,medical%20product%20in%20a%20patient [<a href="https://perma.cc/9Q23-HRWY">https://perma.cc/9Q23-HRWY</a>] (``An adverse event is
any undesirable experience associated with the use of a medical
product in a patient'').
---------------------------------------------------------------------------
The exemption applies even where FDA authorization for a product
has not been sought or obtained. The Department does not, in these
regulations, intend to require U.S. companies to first seek
authorization to market a product in the United States before seeking
regulatory approval from a country of concern.
The exemption is limited to transactions that are necessary to
obtain or maintain regulatory approval in the country of concern. The
Department specifically invites comments on the types of transactions
that are necessary to that end. By way of illustration, Example 3 of
Sec. 202.510, as proposed, would not exempt a vendor or employment
agreement with a covered person to prepare data for submission to a
country of concern's regulatory entity because the Department does not
currently believe that such transactions are necessary to obtain
regulatory approval. The Department seeks comments on whether, and why,
such a vendor or employment agreement with a covered person to prepare
data for submission is necessary and should be exempt.
As Example 3 reflects, the Department does not currently believe
that it is reasonably necessary to use a covered person--as opposed to
services provided by the U.S. company itself or by a non-covered
person--to prepare data for regulatory submission. Although the
marginal risk to national security from granting additional covered
persons access to the submission data may be low, given that the
submission data is ultimately being transferred directly to the
government of
[[Page 86138]]
a country of concern, the Department believes that a third-party vendor
in this scenario may require access to a broader set of data than the
regulatory body itself. At the same time, the Department recognizes
that regulatory and legal expertise relevant to a country of concern is
likely to be concentrated in the country of concern. Employment and
vendor transactions in this context would be restricted, not
prohibited, transactions, and generally could proceed if the
requirements applicable to restricted transactions were followed. The
Department welcomes comments that address this scenario and other
similar transactions, including the potential impacts to clinical
research, medical product development and authorizations, and
companies' business practices and operations, as well as the
feasibility of obtaining regulatory approval without engaging covered
persons to access bulk U.S. sensitive personal data or if such
engagements are subject to the security, recordkeeping, and reporting
requirements applicable to restricted transactions.
The exemption requires that parties engaged in transactions
involving regulatory approval data with countries of concern
nonetheless comply with the recordkeeping and reporting requirements
otherwise applicable to U.S. persons engaged in restricted
transactions, because of the heightened national security risk that
arises from transmitting U.S. sensitive personal data or government-
related data directly to a government entity in a country of concern.
The Department seeks comment on the proposed scope of this
exemption, including on the definition of regulatory approval data and
the extent to which data submissions to regulatory entities in
countries of concern may involve personally identifiable data.
9. Section 202.511--Other Clinical Investigations and Post-Marketing
Surveillance Data
A few commenters expressed concerns that the proposed rule's
inclusion of aggregated and anonymized data would prohibit companies
from launching clinical investigations in countries of concern.
Commenters also noted the possibility that overly restrictive
prohibitions might harm biopharmaceutical innovation. The Department
has considered these comments and agrees that some exemption or
accommodation for clinical research may be appropriate. The Department
proposed the exemption in Sec. 202.511 for that purpose. To help
inform the appropriate contours of the proposed provision, the
Department invites additional comments that illustrate the scope of
transactions that might be subject to the proposed rule's restrictions
and prohibitions and the consequences for clinical research if the
proposed prohibitions and restrictions were applied to that context.
The United States has a national security interest in the
development, authorization, and availability of medical products,
including medical countermeasures to diagnose, treat, or prevent
serious or life-threatening diseases or conditions that may be
attributable to biological, chemical, radiological, or nuclear agents.
The Department seeks to mitigate the national security risk described
in the Order without unduly burdening the biomedical innovation that
benefits U.S. persons. The Department is considering how to effectively
strike that balance and how to scope an exemption for transactions
related to or supporting FDA-regulated research to meet that goal.
The Department is considering the scope of a possible exemption
along three axes. First, in terms of the types of data that would be
within the exemption; second, in terms of the types of transactions
involving that data that would be exempted; and third, in terms of the
duration of any exemption.
On the first axis, the Department anticipates that any exemption
would concern data obtained in the course of clinical investigations
related to drugs, biological products, devices, and combination
products, as those terms are defined in the Federal Food, Drug, and
Cosmetic Act (``FD&C Act'') and FDA regulations. The Department
believes that these products raise the most significant countervailing
economic, health, and scientific concerns that might outweigh the
national security interests otherwise at stake. The Department seeks
comment on whether the exemption should exempt clinical investigations
data related to other products, such as foods (including dietary
supplements) that bear a nutrient content claim or a health claim, food
and color additives, and electronic products, as those terms are
defined in the FD&C Act.
The Department also recognizes the existing regulatory framework in
these contexts and is evaluating whether these provisions adequately
reduce the national security risk associated with the transfer of bulk
U.S. sensitive personal data to a country of concern or covered person.
The FD&C Act and FDA regulations provide a robust framework to protect
the confidentiality and privacy of data collected from subjects in
clinical investigations. This current framework of statutory and
regulatory requirements protects the rights and safety of human
subjects, ensuring that their private information is handled securely.
For example, section 505(i) (21 U.S.C. 355(i)) and section 520(g) (21
U.S.C. 360j(g)) of the FD&C Act address the use of investigational new
drugs and investigational devices, respectively, in clinical
investigations and require that informed consent be obtained from
subjects, with certain exceptions.
The implementing regulations established by the FDA in 21 CFR parts
50, 56, 312, and 812 include various requirements, including related to
informed consent of human subjects and Institutional Review Boards
(``IRBs''). For example, 21 CFR part 56 details requirements for IRB
review, approval, and ethical oversight of FDA-regulated clinical
investigations. Information about the confidentiality of records must
be given to prospective subjects as part of informed consent (21 CFR
50.25(a)(5)), and to approve research, an IRB must determine that,
where appropriate, there are adequate provisions to protect the privacy
of subjects and to maintain the confidentiality of data (21 CFR
56.111(a)(7)). In addition, FDA regulations in 21 CFR part 11 establish
requirements to ensure the authenticity, integrity, and, when
appropriate, confidentiality of certain electronic records (21 CFR
11.10, 11.30). The FDA further issued a proposed rule in September 2022
proposing to require that certain information about future secondary
use of subjects' information or biospecimens be provided to prospective
subjects.\79\
---------------------------------------------------------------------------
\79\ Protection of Human Subjects and Institutional Review
Boards, 87 FR 58733 (proposed Sept. 28, 2022).
---------------------------------------------------------------------------
These regulations are principally focused on patient privacy,
however, and do not directly address the national security concerns
that animate the Order. As the Department has explained elsewhere in
this preamble, privacy protections, in general, focus on addressing
individual rights and preventing individual harm by protecting
individuals' right to control the use of their own data and reducing
the potential harm to individuals by minimizing the collection of data
on the front end and limiting the permissible uses of that data on the
back end. National security measures, by contrast, focus on collective
risks and externalities that may result from how individuals and
businesses choose to sell and use their data, including in lawful and
legitimate ways. But the
[[Page 86139]]
Department is evaluating whether these existing regulations--for
example, the requirements for informed consent under 21 CFR part 50--
could offer sufficiently robust protection to also mitigate national
security concerns.
The exemption would also apply to clinical care data indicating
real-world performance or safety of products, or post-marketing
surveillance data (including pharmacovigilance and post-marketing
safety monitoring), where necessary to support or maintain
authorization by the FDA. These submissions to FDA involve deidentified
data and the exemption arising under proposed Sec. 202.511(a)(2) would
apply only to deidentified data.
On the second axis, the Department is considering what kinds of
transactions to exempt when they involve data that implicates the
exemption--such as, hypothetically, bulk U.S. sensitive personal data
collected in the course of an FDA-regulated clinical investigation to
develop a drug. One possibility would be to exempt all transactions
that are part of the conduct of the investigation. Another possibility
would be to limit an exemption to only certain types of transactions
that are especially important to the conduct of a clinical
investigation and that cannot feasibly be avoided without jeopardizing
the clinical investigation.
The Department does not intend to categorically preclude clinical
investigations from being conducted in a country of concern and does
not believe that the proposed rule, even without a clinical
investigation-focused exemption, does so. The proposed rule generally
does not prohibit or restrict the flow of data from a country of
concern to the United States and does not apply to data unrelated to
U.S. persons. The Department seeks additional comments on whether, why,
and to what extent it would be necessary for U.S. persons to transmit
bulk U.S. sensitive personal data to a covered person in order to
support a clinical investigation taking place in a country of concern.
For example, the Department has considered the following
hypothetical:
• A U.S. sponsor conducts a clinical investigation to
determine the safety and effectiveness of an investigational drug
product. The clinical investigation involves a multinational trial with
both U.S. citizens and non-U.S. citizens enrolled in the trial at
different sites across the world, including in a country of concern, to
support authorization of the product in the intended use populations.
As part of the investigation, and pursuant to an employment or vendor
agreement, the sponsor transmits bulk U.S. sensitive personal data to
covered persons in the country of concern to conduct a data analysis of
the product's safety and effectiveness across different population
groups. This clinical investigation supports an application for a
marketing permit for a product regulated by the FDA (i.e., a drug for
human use). The trial in this example is subject to the FDA's
regulatory framework for clinical investigations.
The Department believes that, absent an exemption, the employment
or vendor agreement described in this hypothetical would be a
restricted transaction (or a prohibited transaction, if it involves the
transfer of bulk human genomic data or biospecimens from which such
data could be derived). The Department seeks comments on whether such a
vendor agreement should be considered to be ``ordinarily incident to
and part of'' a clinical investigation; how prevalent and important the
practice of sending bulk U.S. sensitive personal data to a covered
person in a country of concern is; and the potential impacts to
clinical research, medical product development and authorization, and
industry if such transactions were restricted or prohibited.
The Department also seeks comments on how these concerns apply in
post-marketing scenarios, such as pharmacovigilance and post-marketing
safety monitoring necessary to support or maintain authorization. For
example, the Department has considered the following hypothetical:
• A U.S. pharmaceutical company is required to submit
reports to the FDA of adverse events related to its FDA-approved drug
for human use, consistent with the requirements under 21 CFR
314.80.\80\ The firm markets many other drug products; has a wide
global distribution, including in a country of concern; and receives
thousands of reports per year for its various marketed products. Under
a vendor agreement, the firm may outsource processing of these reports
to entities outside of the United States, including in a country of
concern. The firm may also need to exchange adverse event information
about its FDA-approved drug product with its distributors in a country
of concern to pool the data and identify any adverse event trends
across different population groups or conditions of use and submit
those data to the FDA.
---------------------------------------------------------------------------
\80\ An adverse event report describes the experience of an
individual who has experienced an adverse event associated with the
use of a drug.
---------------------------------------------------------------------------
As in the context of the clinical investigation, the Department
believes that, absent an exemption, the vendor agreements described in
this hypothetical would be restricted or prohibited. The Department
seeks comments on how pervasive and important the practice of
outsourcing the processing of adverse event reports to a covered person
is, as well as on how pervasive and important it is to share adverse
event information concerning U.S. persons with drug distributors in a
country of concern. The Department seeks comments on the potential
impacts to patient safety, industry, and the feasibility of obtaining
or maintaining regulatory authorizations if such transactions were to
be prohibited.
The Department is also aware that, as appropriate and required,
certain data related to post-marketing surveillance are made available
to global public health authorities, such as the World Health
Organization Vigibase. Submissions by the United States Government
itself, such as FDA submissions to Vigibase, would be exempt under
proposed Sec. 202.504. The Department expects that similar data
transactions by U.S. persons, even if such data transactions were
considered to be with a country of concern or a covered person so as to
fall within the scope of the restrictions and prohibitions, would
nonetheless be exempt under proposed Sec. 202.507. The Department
seeks specific comments on the nature and type of such submissions and
a list of such global health authorities. The Department also notes
that, if it is lawfully available to the public from a Federal, State,
or local government record or in widely distributed media, such data
would not meet the definition of sensitive personal data under Sec.
202.249(b)(2).
FDA regulations include recordkeeping provisions such that FDA
investigators can gather information about any data transactions,
including to countries of concern. See 21 CFR part 312.62. However, in
general, FDA's regulations related to clinical investigations do not
require sponsors to report data transactions to the FDA in the manner
proposed in the recordkeeping and reporting requirements set forth in
Sec. Sec. 202.1101(a) and 202.1102. The Department is considering
requiring reporting even for transactions within any exemption to
better evaluate the national security risks going forward and seeks
comments on the cost and feasibility for industry of also complying
with the recordkeeping and reporting requirements set forth in
Sec. Sec. 202.1101(a) and 202.1102 with respect to
[[Page 86140]]
transactions related to clinical investigations.
The Department recognizes that U.S. companies employing covered
persons--such as foreign persons primarily resident in a country of
concern to support a clinical investigation there--may have to adjust
data access policies or protocols to limit covered persons' access to
bulk U.S. sensitive personal data. The Department seeks comment on this
issue, including the costs and feasibility of adopting such policies or
protocols and the likely effect of such policies on medical product
research and development, as well as obtaining or maintaining
regulatory authorization.
The Department also notes that, under Sec. 202.504, covered data
transactions that occur as part of federally funded research would be
exempt from the proposed rule's prohibitions (although possibly subject
to separate restrictions applicable to a Federal grantee, to include
requirements established pursuant to section 3(b)(i) of the Order). The
Department invites comment on the proportion of pharmaceutical research
that would not be exempt under that exemption, the cost and feasibility
of complying with different regulatory requirements depending on the
source of funding, and the impact on medical product research and
development.
If the Department were to implement an exemption for clinical
investigations, clinic
[…truncated; see source link]
Indexed from Federal Register on October 29, 2024.