Rule 2024-31486
Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
January 8, 2025
Effective
April 8, 2025
Issuing agencies
Justice Department
Abstract
The Department of Justice is issuing a final rule to implement Executive Order 14117 of February 28, 2024 (Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern), by prohibiting and restricting certain data transactions with certain countries or persons.
Full Text
<html>
<head>
<title>Federal Register, Volume 90 Issue 5 (Wednesday, January 8, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 5 (Wednesday, January 8, 2025)]
[Rules and Regulations]
[Pages 1636-1752]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-31486]
[[Page 1635]]
Vol. 90
Wednesday,
No. 5
January 8, 2025
Part III
Department of Justice
-----------------------------------------------------------------------
28 CFR Part 202
Preventing Access to U.S. Sensitive Personal Data and Government-
Related Data by Countries of Concern or Covered Persons; Final Rule
Federal Register / Vol. 90, No. 5 / Wednesday, January 8, 2025 /
Rules and Regulations
[[Page 1636]]
-----------------------------------------------------------------------
DEPARTMENT OF JUSTICE
28 CFR Part 202
[Docket No. NSD 104]
RIN 1124-AA01
Preventing Access to U.S. Sensitive Personal Data and Government-
Related Data by Countries of Concern or Covered Persons
AGENCY: National Security Division, Department of Justice.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Justice is issuing a final rule to implement
Executive Order 14117 of February 28, 2024 (Preventing Access to
Americans' Bulk Sensitive Personal Data and United States Government-
Related Data by Countries of Concern), by prohibiting and restricting
certain data transactions with certain countries or persons.
DATES: This rule has been classified as meeting the criteria under 5
U.S.C. 804(2) and is effective April 8, 2025. However, at the
conclusion of the Congressional review, if the effective date has been
changed, the Department of Justice will publish a document in the
Federal Register to establish the actual date of effectiveness or to
terminate the rule. The incorporation by reference of certain material
listed in this rule is approved by the Director of the Federal Register
as of April 8, 2025.
FOR FURTHER INFORMATION CONTACT: Email (preferred):
NSD.FIRS.datasecurity@usdoj.gov. Otherwise, please contact: Lee Licata,
Deputy Chief for National Security Data Risks, Foreign Investment
Review Section, National Security Division, U.S. Department of Justice,
175 N Street NE, Washington, DC 20002; Telephone: 202-514-8648.
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Executive Summary
II. Background
III. Rulemaking Process
IV. Discussion of Comments on the Notice of Proposed Rulemaking and
Changes From the Proposed Rule
A. General Comments
1. Section 202.216--Effective Date
B. Subpart C--Prohibited Transactions and Related Activities
1. Section 202.210--Covered Data Transactions
2. Section 202.301--Prohibited Data-Brokerage Transactions;
Section 202.214--Data Brokerage
3. Section 202.201--Access
4. Section 202.249--Sensitive Personal Data
5. Section 202.212--Covered Personal Identifiers
6. Section 202.234--Listed Identifier
7. Section 202.242--Precise Geolocation Data
8. Section 202.204--Biometric Identifiers
9. Section 202.224--Human 'Omic Data
10. Section 202.240--Personal Financial Data
11. Section 202.241--Personal Health Data
12. Section 202.206--Bulk U.S. Sensitive Personal Data
13. Section 202.205--Bulk
14. Section 202.222--Government-Related Data
15. Section 202.302--Other Prohibited Data-Brokerage
Transactions Involving Potential Onward Transfer to Countries of
Concern or Covered Persons
16. Section 202.303--Prohibited Human 'Omic Data and Human
Biospecimen Transactions
17. Section 202.304--Prohibited Evasions, Attempts, Causing
Violations, and Conspiracies
18. Section 202.215--Directing
19. Section 202.230--Knowingly
C. Subpart D--Restricted Transactions
1. Section 202.401--Authorization To Conduct Restricted
Transactions
2. Section 202.258--Vendor Agreement
3. Section 202.217--Employment Agreement
4. Section 202.228--Investment Agreement
D. Subpart E--Exempt Transactions
1. Section 202.502--Information or Informational Materials
2. Section 202.504--Official Business of the United States
Government
3. Section 202.505--Financial Services
4. Section 202.506--Corporate Group Transactions
5. Section 202.507--Transactions Required or Authorized by
Federal Law or International Agreements, or Necessary for Compliance
With Federal Law
6. Section 202.509--Telecommunications Services
7. Section 202.510--Drug, Biological Product, and Medical Device
Authorizations
8. Section 202.511--Other Clinical Investigations and Post-
Marketing Surveillance Data
9. Exemptions for Non-Federally Funded Research
E. Subpart F--Determination of Countries of Concern
1. Section 202.601--Determination of Countries of Concern
F. Subpart G--Covered Persons
1. Section 202.211--Covered Person
2. Section 202.701--Designation of Covered Persons
G. Subpart H--Licensing
H. Subpart I--Advisory Opinions
1. Section 202.901--Inquiries Concerning Application of This
Part
I. Subpart J--Due Diligence and Audit Requirements
1. Section 202.1001--Due Diligence for Restricted Transactions
2. Section 202.1002--Audits for Restricted Transactions
J. Subpart K--Reporting and Recordkeeping Requirements
1. Section 202.1101--Records and Recordkeeping Requirements
2. Section 202.1102--Reports To Be Furnished on Demand
3. Section 202.1104--Reports on Rejected Prohibited Transactions
K. Subpart M--Penalties and Finding of Violation
L. Coordination With Other Regulatory Regimes
M. Severability
N. Other Comments
V. Regulatory Requirements
A. Executive Orders 12866 (Regulatory Planning and Review) as
Amended by Executive Orders 13563 (Improving Regulation and
Regulatory Review) and 14094 (Modernizing Regulatory Review)
B. Regulatory Flexibility Act
1. Succinct Statement of the Objectives of, and Legal Basis for,
the Rule
2. Description of and, Where Feasible, an Estimate of the Number
of Small Entities to Which the Rule Will Apply
3. Description of the Projected Reporting, Recordkeeping, and
Other Compliance Requirements of the Rule
4. Identification of All Relevant Federal Rules That May
Duplicate, Overlap, or Conflict With the Rule
C. Executive Order 13132 (Federalism)
D. Executive Order 13175 (Consultation and Coordination With
Indian Tribal Governments)
E. Executive Order 12988 (Civil Justice Reform)
F. Paperwork Reduction Act
G. Unfunded Mandates Reform Act
H. Congressional Review Act
I. Administrative Pay-As-You-Go Act of 2023
I. Executive Summary
Executive Order 14117 of February 28, 2024, ``Preventing Access to
Americans' Bulk Sensitive Personal Data and United States Government-
Related Data by Countries of Concern'' (``the Order''), directs the
Attorney General to issue regulations that prohibit or otherwise
restrict United States persons from engaging in any acquisition,
holding, use, transfer, transportation, or exportation of, or dealing
in, any property in which a foreign country or national thereof has any
interest (``transaction''), where the transaction: involves United
States Government-related data (``government-related data'') or bulk
U.S. sensitive personal data, as defined by final rules implementing
the Order; falls within a class of transactions that has been
determined by the Attorney General to pose an unacceptable risk to the
national security of the United States because it may enable access by
countries of concern or covered persons to government-related data or
Americans' bulk U.S. sensitive personal data; and meets other criteria
specified by the Order.\1\
---------------------------------------------------------------------------
\1\ E.O. 14117, 89 FR 15421 (Feb. 28, 2024).
---------------------------------------------------------------------------
[[Page 1637]]
On March 5, 2024, the National Security Division of the Department
of Justice (``DOJ'' or ``the Department'') issued an Advance Notice of
Proposed Rulemaking (``ANPRM'') seeking public comment on various
topics related to implementation of the Order.\2\ On October 29, 2024,
the Department issued a Notice of Proposed Rulemaking (``NPRM'') to
address the public comments received on the ANPRM, set forth a proposed
rule to implement the Order, and seek further public comment.\3\ The
Department is now issuing a final rule that addresses the public
comments received on the NPRM and that implements the Order. The rule
identifies classes of prohibited and restricted transactions;
identifies countries of concern and classes of covered persons with
whom the regulations prohibit or restrict transactions involving
government-related data or bulk U.S. sensitive personal data;
establishes a process to issue (including to modify or rescind)
licenses authorizing otherwise prohibited or restricted transactions
and to issue advisory opinions; and addresses recordkeeping and
reporting of transactions to inform investigative, enforcement, and
regulatory efforts of the Department.
---------------------------------------------------------------------------
\2\ 89 FR 15780 (Mar. 5, 2024).
\3\ 89 FR 86116 (Oct. 29, 2024).
---------------------------------------------------------------------------
II. Background
On February 28, 2024, the President issued Executive Order 14117
(Preventing Access to Americans' Bulk Sensitive Personal Data and
United States Government-Related Data by Countries of Concern) (``the
Order''), pursuant to his authority under the Constitution and the laws
of the United States, including the International Emergency Economic
Powers Act, 50 U.S.C. 1701 et seq. (``IEEPA''); the National
Emergencies Act, 50 U.S.C. 1601 et seq. (``NEA''); and title 3, section
301 of the United States Code.\4\ In the Order, the President expanded
the scope of the national emergency declared in Executive Order 13873
of May 15, 2019 (Securing the Information and Communications Technology
and Services Supply Chain), and further addressed with additional
measures in Executive Order 14034 of June 9, 2021 (Protecting
Americans' Sensitive Data From Foreign Adversaries). The President
determined that additional measures are necessary to counter the
unusual and extraordinary threat to U.S. national security posed by the
continuing efforts of certain countries of concern to access and
exploit government-related data or bulk U.S. sensitive personal data.
---------------------------------------------------------------------------
\4\ 89 FR 15421.
---------------------------------------------------------------------------
The Order directs the Attorney General, pursuant to the President's
delegation of his authorities under IEEPA, to issue regulations that
prohibit or otherwise restrict United States persons from engaging in
certain transactions in which a foreign country of concern or national
thereof has an interest. Restricted and prohibited transactions include
transactions that involve government-related data or bulk U.S.
sensitive personal data, are a member of a class of transactions that
the Attorney General has determined poses an unacceptable risk to the
national security of the United States because the transactions may
enable countries of concern or covered persons to access government-
related data or bulk U.S. sensitive personal data, and are not
otherwise exempted from the Order or its implementing regulations. The
Order directs the Attorney General to issue regulations that identify
classes of prohibited and restricted transactions; identify countries
of concern and classes of covered persons whose access to government-
related data or bulk U.S. sensitive personal data poses the national
security risk described in the Order; establish a process to issue
(including to modify or rescind) licenses authorizing otherwise
prohibited or restricted transactions; further define terms used in the
Order; address recordkeeping and reporting of transactions to inform
investigative, enforcement, and regulatory efforts of the Department;
and to take whatever additional actions, including promulgating
additional regulations, as may be necessary to carry out the purposes
of the Order.
The rule implements the Order through categorical rules that
regulate certain data transactions involving government-related data or
bulk U.S. sensitive personal data that could give countries of concern
or covered persons access to such data and present an unacceptable risk
to U.S. national security. The rule (1) identifies certain classes of
highly sensitive transactions with countries of concern or covered
persons that the rule prohibits in their entirety (``prohibited
transactions'') and (2) identifies other classes of transactions that
would be prohibited except to the extent they comply with predefined
security requirements (``restricted transactions'') to mitigate the
risk of access to bulk U.S. sensitive personal data by countries of
concern or covered persons. As the Department discussed in the NPRM,
the Attorney General has determined that the prohibited and restricted
transactions set forth in the rule pose an unacceptable risk to the
national security of the United States because they may enable
countries of concern or covered persons to access and exploit
government-related data or bulk U.S. sensitive personal data.
In addition to identifying classes of prohibited and restricted
transactions that pose an unacceptable risk to national security, the
rule identifies certain classes of transactions that are exempt from
the rule. For example, the rule exempts transactions for the conduct of
the official business of the United States Government by employees,
grantees, or contractors thereof, and transactions conducted pursuant
to a grant, contract, or other agreement entered into with the United
States Government, including those for outbreak and pandemic
prevention, preparedness, and response. The rule also defines relevant
terms; identifies countries of concern; defines covered persons; and
creates processes for the Department to issue general and specific
licenses, to issue advisory opinions, and to designate entities or
individuals as covered persons. The rule also establishes a compliance
and enforcement regime.
The Department relied upon unclassified and classified sources to
support the rule. Although the unclassified record fully and
independently supports the rule without the need to rely on the
classified record, the classified record provides supplemental
information that lends additional support to the rule. The rule would
be the same even without the classified record.
The Order and this rule fill an important gap in the United States
Government's authorities to address the threat posed by countries of
concern accessing government-related data or Americans' bulk U.S.
sensitive personal data. As the President determined in the Order,
``[a]ccess to Americans' bulk sensitive personal data or United States
Government-related data increases the ability of countries of concern
to engage in a wide range of malicious activities.'' \5\ As the NPRM
explained, countries of concern can use their access to government-
related data or Americans' bulk U.S. sensitive personal data to engage
in malicious cyber-enabled activities and malign foreign influence
activities and to track and build profiles on U.S. individuals,
including members of the military and other Federal employees and
contractors, for illicit purposes such as blackmail and espionage. And
countries of concern can exploit their access to government-related data or
Americans' bulk U.S. sensitive personal data to collect information on
activists, academics, journalists, dissidents, political figures, or
members of nongovernmental organizations or marginalized communities to
intimidate them; curb political opposition; limit freedoms of
expression, peaceful assembly, or association; or enable other forms of
suppression of civil liberties.
---------------------------------------------------------------------------
\5\ Id.
---------------------------------------------------------------------------
As the 2024 National Counterintelligence Strategy explains, ``as
part of a broader focus on data as a strategic resource, our
adversaries are interested in personally identifiable information (PII)
about U.S. citizens and others, such as biometric and genomic data,
health care data, geolocation information, vehicle telemetry
information, mobile device information, financial transaction data, and
data on individuals' political affiliations and leanings, hobbies, and
interests.'' \6\ These and other kinds of sensitive personal data ``can
be especially valuable, providing adversaries not only economic and
[research and development] benefits, but also useful
[counterintelligence] information, as hostile intelligence services can
use vulnerabilities gleaned from such data to target and blackmail
individuals.'' \7\
---------------------------------------------------------------------------
\6\ Nat'l Counterintel. & Sec. Ctr., National
Counterintelligence Strategy 2024, at 13 (Aug. 1, 2024), <a href="https://www.dni.gov/files/NCSC/documents/features/NCSC_CI_Strategy-pages-20240730.pdf">https://www.dni.gov/files/NCSC/documents/features/NCSC_CI_Strategy-pages-20240730.pdf</a> [<a href="https://perma.cc/9L2T-VXSU">https://perma.cc/9L2T-VXSU</a>].
\7\ Id.
---------------------------------------------------------------------------
Nongovernmental experts have underscored these risks. For example,
a recent study by the MITRE Corporation summarized open-source
reporting, highlighting the threat of blackmail, coercion,
identification of high-risk government personnel and sensitive
locations, and improved targeting of offensive cyber operations and
network exploitation posed by hostile actors' access to Americans' data
derived from advertising technology.\8\
---------------------------------------------------------------------------
\8\ Kirsten Hazelrig, Ser. No. 14, Intelligence After Next:
Surveillance Technologies Are Imbedded Into the Fabric of Modern
Life--The Intelligence Community Must Respond, The MITRE Corporation
2 (Jan. 5, 2023), <a href="https://www.mitre.org/sites/default/files/2023-01/PR-22-4107-INTELLIGENCE-AFTER-NEXT-14-January-2023.pdf">https://www.mitre.org/sites/default/files/2023-01/PR-22-4107-INTELLIGENCE-AFTER-NEXT-14-January-2023.pdf</a> [<a href="https://perma.cc/3WA2-PGM2">https://perma.cc/3WA2-PGM2</a>].
---------------------------------------------------------------------------
The development of artificial intelligence (``AI''), high-
performance computing, big-data analytics, and other advanced
technological capabilities by countries of concern amplifies the threat
posed by these countries' access to government-related data or
Americans' bulk U.S. sensitive personal data. For instance, the U.S.
National Intelligence Council assessed in 2020 that ``access to
personal data of other countries' citizens, along with AI-driven
analytics, will enable [the People's Republic of China (``China'' or
``PRC'')] to automate the identification of individuals and groups
beyond China's borders to target with propaganda or censorship.'' \9\
---------------------------------------------------------------------------
\9\ Nat'l Intel. Council, Assessment: Cyber Operations Enabling
Expansive Digital Authoritarianism 4 (Apr. 7, 2020), <a href="https://www.dni.gov/files/ODNI/documents/assessments/NICM-Declassified-Cyber-Operations-Enabling-Expansive-Digital-Authoritarianism-20200407_2022.pdf">https://www.dni.gov/files/ODNI/documents/assessments/NICM-Declassified-Cyber-Operations-Enabling-Expansive-Digital-Authoritarianism-20200407_2022.pdf</a> [<a href="https://perma.cc/ZKJ4-TBU6">https://perma.cc/ZKJ4-TBU6</a>].
---------------------------------------------------------------------------
Countries of concern can also exploit their access to government-
related data regardless of volume to threaten U.S. national security.
One academic study explained that ``[f]oreign and malign actors could
use location datasets to stalk or track high-profile military or
political targets,'' revealing ``sensitive locations--such as visits to
a place of worship, a gambling venue, a health clinic, or a gay bar--
which again could be used for profiling, coercion, blackmail, or other
purposes.'' \10\ The study further explained that location datasets
could reveal ``U.S. military bases and undisclosed intelligence sites''
or ``be used to estimate military population or troop buildup in
specific areas around the world or even identify areas of off-base
congregation to target.'' \11\ As another example of these data risks
and the relative ease with which they can be exploited, journalists
were able to commercially acquire from a data broker a continuous
stream of 3.6 billion geolocation data points that were lawfully
collected on millions of people from advertising IDs.\12\ The
journalists were then able to create ``movement profiles'' for tens of
thousands of national security and military officials, and from there,
could determine where they lived and worked as well as their names,
education levels, family situations, and hobbies.\13\ The Order and
this rule seek to mitigate these and other national security threats
that arise from countries of concern accessing government-related data
or Americans' bulk U.S. sensitive personal data.
---------------------------------------------------------------------------
\10\ Justin Sherman et al., Duke Sanford Sch. of Pub. Pol'y,
Data Brokers and the Sale of Data on U.S. Military Personnel 15
(Nov. 2023), <a href="https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/11/Sherman-et-al-2023-Data-Brokers-and-the-Sale-of-Data-on-US-Military-Personnel.pdf">https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/11/Sherman-et-al-2023-Data-Brokers-and-the-Sale-of-Data-on-US-Military-Personnel.pdf</a> [<a href="https://perma.cc/BBJ9-44UH">https://perma.cc/BBJ9-44UH</a>].
\11\ Id.
\12\ Suzanne Smalley, US Company's Geolocation Data Transaction
Draws Intense Scrutiny in Germany, The Record (July 18, 2024),
<a href="https://therecord.media/germany-geolocation-us-data-broker">https://therecord.media/germany-geolocation-us-data-broker</a> [<a href="https://perma.cc/ME9F-TAQ7">https://perma.cc/ME9F-TAQ7</a>] (citing joint reporting by the German public
broadcaster Bayerische Rundfunk and digital civil rights opinion
news site <a href="http://netzpolitik.org">netzpolitik.org</a>).
\13\ Id.
---------------------------------------------------------------------------
Additional open-source reporting released since issuance of the
NPRM underscores the increasingly urgent risks posed by countries of
concern obtaining access to government-related data or bulk U.S.
sensitive personal data. For example, on November 22, 2024,
cybersecurity researchers presented their findings after monitoring a
collection of black-market services that recruit and pay insiders from
a wide range of Chinese information technology (``IT''), technology,
telecom, and other companies, to sell their access to individuals' data
to online buyers. As a result, according to the researchers, these
black-market services create an ecosystem for the public to pay to
query individuals' data, including call records, bank accounts, hotel
bookings, flight records, passport images, and location data.\14\
---------------------------------------------------------------------------
\14\ Andy Greenberg, China's Surveillance State Is Selling
Citizen Data as a Side Hustle, WIRED (Nov. 21, 2024), <a href="https://www.wired.com/story/chineses-surveillance-state-is-selling-citizens-data-as-a-side-hustle/">https://www.wired.com/story/chineses-surveillance-state-is-selling-citizens-data-as-a-side-hustle/</a> [<a href="https://perma.cc/9B9P-3ZR6">https://perma.cc/9B9P-3ZR6</a>].
---------------------------------------------------------------------------
On November 19, 2024, WIRED released the results of an
investigation in which they bought the digital advertising data and
location information on phones in Germany from a U.S. data broker and
used it to track the movements of United States Government contractors,
intelligence personnel, and soldiers.\15\ The investigation uncovered
and tracked ``38,474 location signals from up to 189 devices inside
Büchel Air Base, a high-security German installation where as many
as 15 U.S. nuclear weapons are reportedly stored in underground
bunkers''; 191,415 signals from up to 1,257 devices at Grafenwöhr
Training Area, ``where thousands of U.S. troops are stationed and have
trained Ukrainian soldiers on Abrams tanks''; and 164,223 signals from
nearly 2,000 devices at Ramstein Air Base, ``which supports some U.S.
drone operations.'' \16\ The researchers observed patterns that went
``far beyond just understanding the working hours of people on base,''
including ``map[ping] key entry and exit points, pinpointing frequently
visited areas, and even tracing personnel to their off-base routines.''
\17\ As WIRED explained, ``foreign governments could use this data to
identify individuals with access to sensitive areas; terrorists or
criminals could decipher when U.S. nuclear weapons are least guarded; or spies
and other nefarious actors could leverage embarrassing information for
blackmail.'' \18\
---------------------------------------------------------------------------
\15\ Dhruv Mehrotra & Dell Cameron, Anyone Can Buy Data Tracking
US Soldiers and Spies to Nuclear Vaults and Brothels in Germany,
WIRED (Nov. 19, 2024), <a href="https://www.wired.com/story/phone-data-us-soldiers-spies-nuclear-germany/">https://www.wired.com/story/phone-data-us-soldiers-spies-nuclear-germany/</a> [<a href="https://perma.cc/P5H6-3DFB">https://perma.cc/P5H6-3DFB</a>].
\16\ Id.
\17\ Id.
\18\ Id.
---------------------------------------------------------------------------
Similarly, on October 28, 2024, journalists found that ``the highly
confidential movements of U.S. President Joe Biden, presidential rivals
Donald Trump and Kamala Harris, and other world leaders can be easily
tracked online through a fitness app that their bodyguards use,'' which
tracked their precise location data even when they used the app while
off-duty.\19\ This rule will prevent such foreign adversaries from
legally obtaining such data through commercial transactions with U.S.
persons, thereby stemming data flows and directly addressing the
national security risks identified in the Order.
---------------------------------------------------------------------------
\19\ Sylvie Corbet, Fitness App Strava Gives Away Location of
Biden, Trump and Other Leaders, French Newspaper Says, Associated
Press (Oct. 28, 2024), <a href="https://apnews.com/article/biden-trump-macron-bodyguards-security-strava-0a48afca09c7aa74d703e72833dcaf72">https://apnews.com/article/biden-trump-macron-bodyguards-security-strava-0a48afca09c7aa74d703e72833dcaf72</a>
[<a href="https://perma.cc/W59P-Y6TY">https://perma.cc/W59P-Y6TY</a>].
---------------------------------------------------------------------------
No current Federal legislation or rule categorically prohibits or
imposes security requirements to prevent U.S. persons from providing
countries of concern or covered persons access to sensitive personal
data or government-related data through data brokerage, vendor,
employment, or investment agreements. For example, the scope and
structure of the Protecting Americans' Data from Foreign Adversaries
Act of 2024 (``PADFAA'') do not create a comprehensive regulatory
scheme that adequately and categorically addresses these national
security risks,\20\ as explained in part IV.L of this preamble.
Likewise, the Committee on Foreign Investment in the United States
(``CFIUS'') has authority to assess the potential national security
risks of certain investments by foreign persons in certain United
States businesses that ``maintain[ ] or collect[ ] sensitive personal
data of United States citizens that may be exploited in a manner that
threatens national security.'' \21\ However, CFIUS only reviews certain
types of investments in U.S. businesses; it does so on a transaction-
by-transaction basis, instead of prescribing prospective and
categorical rules regulating all such transactions; and its authorities
do not extend to other activities that countries of concern may use to
gain access to government-related data or Americans' bulk U.S.
sensitive personal data, such as through purchases of such data on the
commercial market or through vendor or employment agreements.\22\
---------------------------------------------------------------------------
\20\ See Public Law 118-50, div. I, 118th Cong. (2024).
\21\ 50 U.S.C. 4565(a)(4)(B)(iii)(III).
\22\ See generally Foreign Investment Risk Review Modernization
Act of 2018, Public Law 115-232, tit. XVII, secs. 1701-28, 132 Stat.
1636, 2173.
---------------------------------------------------------------------------
Similarly, Executive Order 13873 prohibits any acquisition,
importation, transfer, installation, dealing in, or use by U.S. persons
of certain information and communication technologies and services
(``ICTS'') designed, developed, manufactured, or supplied by foreign
adversaries where, among other things, the Secretary of Commerce
determines that the transaction poses an ``unacceptable risk to the
national security of the United States or the security and safety of
United States persons.'' \23\ In building upon the national emergency
declared in Executive Order 13873, the President, in Executive Order
14034, determined that connected software applications operating on
U.S. ICTS ``can access and capture vast swaths of . . . personal
information and proprietary business information,'' a practice that
``threatens to provide foreign adversaries with access to that
information.'' \24\ However, as with CFIUS legal authorities, the
orders do not broadly empower the United States Government to prohibit
or otherwise restrict the sale of government-related data or Americans'
bulk U.S. sensitive personal data, and the orders do not broadly
restrict other commercial transactions, such as investment, employment,
or vendor agreements, that may provide countries of concern access to
government-related data or Americans' bulk U.S. sensitive personal
data.
---------------------------------------------------------------------------
\23\ E.O. 13873, 84 FR 22689, 22690 (May 15, 2019).
\24\ E.O. 14034, 86 FR 31423, 31423 (June 9, 2021).
---------------------------------------------------------------------------
The rule complements these statutory and regulatory authorities. It
prescribes forward-looking, categorical rules that prevent U.S. persons
from providing countries of concern or covered persons access to
government-related data or Americans' bulk U.S. sensitive personal data
through commercial data-brokerage transactions. The rule also imposes
security requirements on other kinds of commercial transactions, such
as investment, employment, and vendor agreements, that involve
government-related data or Americans' bulk U.S. sensitive personal data
to mitigate the risk that a country of concern could access such data.
The rule addresses risks to government-related data or Americans' bulk
U.S. sensitive personal data that current authorities leave vulnerable
to access and exploitation by countries of concern and provides
predictability and regulatory certainty by prescribing categorical
rules regulating certain kinds of data transactions that could give
countries of concern or covered persons access to government-related
data or Americans' bulk U.S. sensitive personal data.
III. Rulemaking Process
The Department has issued this rule via notice-and-comment
rulemaking consistent with the President's direction in the Order, and
it has provided the public with multiple and meaningful opportunities
to share feedback on the rule at various stages of the rulemaking
process.\25\ On March 5, 2024, the Department issued a comprehensive ANPRM
setting forth the contemplated contours of the rule, posed 114 specific
questions for public input, and allotted 45 days for public
comment.\26\
---------------------------------------------------------------------------
\25\ This rulemaking pertains to a foreign affairs function of
the United States and therefore is not subject to the notice-and-
comment rulemaking requirements of the Administrative Procedure Act
(``APA''), which exempts a rulemaking from such requirements ``to
the extent there is involved . . . a military or foreign affairs
function of the United States.'' 5 U.S.C. 553(a)(1). The rule is
being issued to assist in addressing the national emergency declared
by the President with respect to the threat posed to U.S. national
security and foreign policy by the continuing effort of countries of
concern to access and exploit government-related data or Americans'
bulk U.S. sensitive personal data. As described in the Order, this
threat to the national security and foreign policy of the United
States has its source in whole or substantial part outside the
United States. Accordingly, the rule has a direct impact on foreign
affairs concerns, which include the protection of national security
against external threats (for example, prohibiting or restricting
transactions that pose an unacceptable risk of giving countries of
concern or covered persons access to bulk U.S. sensitive personal
data). Although the rule is not subject to the APA's notice and
comment requirements, the Department is engaging in notice-and-
comment rulemaking for this rule, consistent with sections 2(a) and
2(c) of the Order.
\26\ 89 FR 15780.
---------------------------------------------------------------------------
As described in the NPRM, the Department also solicited input on
the ANPRM through dozens of large-group listening sessions, industry
engagements, and one-on-one engagements with hundreds of
participants.\27\ The Department of Justice, both on its own and with
other agencies, met with businesses, trade groups, and other
stakeholders potentially interested in or impacted by the contemplated
regulations to discuss the ANPRM. For example, the Department discussed
the ANPRM with the Consumer Technology Association, the Information
Technology Industry Council, Pharmaceutical Research and Manufacturers
of America, the Biotechnology Innovation Organization, the Bioeconomy
Information Sharing and Analysis Center, the U.S. Chamber of
[[Page 1640]]
Commerce, Tesla, Workday, Anthropic, and the Special Competitive
Studies Project. It also provided briefings to the Secretary of
Commerce and Industry Trade Advisory Committees 6, 10, and 12
administered by the Office of the U.S. Trade Representative and the
Department of Commerce. The Department of Justice also discussed the
Order and contemplated regulations with stakeholders at events open to
the public, including ones hosted by the American Conference Institute,
the American Bar Association, the Center for Strategic and
International Studies, and the R Street Institute, as well as through
other public engagements such as the Lawfare Podcast, ChinaTalk
Podcast, CyberLaw Podcast, and the Center for Cybersecurity Policy &
Law's Distilling Cyber Policy podcast.
---------------------------------------------------------------------------
\27\ 89 FR 86119-56.
---------------------------------------------------------------------------
During the ANPRM comment period, the Department received 64 timely
comments, including 15 comments from trade associations; 13 from non-
profits; three from advocacy associations; three from technology
companies; two from think tanks; and one each from an automobile
manufacturer, advertising company, biotechnology company, and academic
medical center. The Department also received two comments after the
close of the ANPRM comment period. In turn, the NPRM included a lengthy
and substantive consideration of these timely and untimely public
comments received on the ANPRM.\28\
---------------------------------------------------------------------------
\28\ Id.
---------------------------------------------------------------------------
After the comment period closed, the Department of Justice, along
with the Department of Commerce, followed up with commenters who
provided feedback regarding the bulk thresholds to discuss that topic
in more detail. These commenters included the Council on Government
Relations Industry Association; the Association of American Medical
Colleges; Airlines for America; the Bank Policy Institute; the Business
Roundtable; the Information Technology Industry Council; the Centre for
Information Policy Leadership; the Biotechnology Innovation
Organization; the Software and Information Industry Association; the
Cellular Telephone Industries Association; the Internet and Television
Association; USTelecom; Ford Motor Company; the Bioeconomy Information
Sharing and Analysis Center; the Coalition of Services Industries; the
Enterprise Cloud Coalition; the Electronic Privacy Information Center;
the Center for Democracy and Technology; the Business Software
Alliance; the Global Data Alliance; the Interactive Advertising Bureau;
the U.S.-China Business Council; IBM; Workday; and individuals Justin
Sherman, Mark Febrizio, and Charlie Lorthioir. The Department also
discussed the Order and the ANPRM with foreign partners to ensure that
they understood the Order and contemplated program and how they fit
into broader national security, economic, and trade policies.
The Department published an NPRM on October 29, 2024, that
addressed the public comments received on the ANPRM, set forth draft
regulations and a lengthy explanatory discussion, and sought public
comment.\29\ During the NPRM comment period, the Department, both on
its own and with other agencies, met with businesses, trade groups, and
other stakeholders potentially interested in or impacted by the
contemplated regulations to discuss the NPRM. Also during the NPRM
comment period, the Department, in coordination with the Department of
Commerce, conducted individual consultations with the Pharmaceutical
Research and Manufacturers of America, the Centre for Information
Policy Leadership, the Electronic Privacy Information Center, the
Information Technology Industry Council, the World Privacy Forum, the
U.S. Chamber of Commerce, the Council on Government Relations, BSA The
Software Alliance, and the Telecommunications Industry Association to
discuss their members' views. In accordance with 28 CFR 50.17, the
Department has documented all ex parte engagements during the NPRM's
comment period and publicly posted summaries of them on the docket for
this rulemaking on <a href="http://regulations.gov">regulations.gov</a>. The Department encouraged those
groups to submit detailed, timely comments to follow up on those
discussions. The Department also discussed the NPRM with stakeholders
at events open to the public, including ones hosted by the American
Conference Institute, and through other public engagements such as the
Lawfare Podcast, ChinaTalk Podcast, and the Center for Cybersecurity
Policy & Law's Distilling Cyber Policy podcast. The Department also
discussed the NPRM with foreign partners to ensure that they understood
the contemplated program and how it fits into broader national
security, economic, and trade policies.
---------------------------------------------------------------------------
\29\ 89 FR 86116.
---------------------------------------------------------------------------
Although the NPRM evolved from the ANPRM based on the Department's
consideration of public comments, such as by adding new potential
exemptions to the proposed rule's prohibitions and restrictions, the
NPRM included most of the substantive provisions that the Department
either previewed or described in detail in the ANPRM. For example, in
many instances, the NPRM adopted without change definitions the
Department also set forth in the ANPRM.\30\
---------------------------------------------------------------------------
\30\ See, e.g., 89 FR 86123.
---------------------------------------------------------------------------
The Department received and carefully reviewed 75 timely comments
in response to the NPRM from trade associations, public interest
advocacy groups, think tanks, private individuals, and companies, as
well as comments from several foreign governments. The Department also
reviewed three comments that were relevant to the NPRM and that were
timely filed on the docket in response to the Cybersecurity and
Infrastructure Security Agency (``CISA'') Federal Register notice
requesting comment on proposed security requirements applicable to
restricted transactions.\31\ The Department considered each comment
that was timely submitted.
---------------------------------------------------------------------------
\31\ 89 FR 85976 (Oct. 29, 2024).
---------------------------------------------------------------------------
During the 31-day comment period, the Department received a request
to extend the time allotted for public comment.\32\ As described in the
NPRM, the Department solicited input on the ANPRM through engagements
with dozens of stakeholders, including many of the commenters who
sought the extension to the NPRM comment period.\33\ As described in
detail in part III of this preamble, during the NPRM comment period,
the Department also conducted numerous engagements with the public to
facilitate meaningful public participation during the comment period by
providing stakeholders with an opportunity to ask questions about the
proposed rule and to provide relevant feedback. These engagements
included the organizations that requested that the Department extend
the comment period.
---------------------------------------------------------------------------
\32\ Consumer Tech. Ass'n, et al., Comment Letter on Provisions
Pertaining to Preventing Access to U.S. Sensitive Personal Data and
Gov't-Related Data by Countries of Concern or Covered Persons (Nov.
8, 2024), <a href="https://www.regulations.gov/comment/DOJ-NSD-2024-0004-0008">https://www.regulations.gov/comment/DOJ-NSD-2024-0004-0008</a>
[<a href="https://perma.cc/3URP-9H7B">https://perma.cc/3URP-9H7B</a>]. Although the official comment period
was 30 days from the NPRM's publication in the Federal Register on
October 29, 2024, the Department shared the NPRM on its website on
October 21, 2024, providing the public with a total of 41 days to
review and provide comment. See Press Release, U.S. Dep't of Just.,
Justice Department Issues Comprehensive Proposed Rule Addressing
National Security Risks Posed to U.S. Sensitive Data (Oct. 21,
2024), <a href="https://www.justice.gov/opa/pr/justice-department-issues-comprehensive-proposed-rule-addressing-national-security-risks">https://www.justice.gov/opa/pr/justice-department-issues-comprehensive-proposed-rule-addressing-national-security-risks</a>
[<a href="https://perma.cc/ZS7G-9QZH">https://perma.cc/ZS7G-9QZH</a>].
\33\ 89 FR 86119-56.
---------------------------------------------------------------------------
The Department considered this request but declined to extend the
comment period for several reasons.\34\
[[Page 1641]]
As the Order, ANPRM, NPRM, and part IV of this preamble describe, the
Department is issuing this rule to address the national emergency posed
by an unusual and extraordinary threat from the continued effort of
countries of concern to access government-related data and bulk U.S.
sensitive personal data. This is an increasingly urgent threat, and the
Department must move expeditiously to address it. Foreign adversaries
are actively trying to exploit commercial access to Americans'
sensitive personal data to threaten U.S. national security. This rule
thus fills what Members of Congress and Administrations of both parties
have consistently recognized is a significant gap in U.S. national
security.
---------------------------------------------------------------------------
\34\ U.S. Dep't of Just., Comment Letter on Provisions
Pertaining to Preventing Access to U.S. Sensitive Personal Data and
Gov't-Related Data by Countries of Concern or Covered Persons (Nov.
18, 2024), <a href="https://www.regulations.gov/document/DOJ-NSD-2024-0004-0028">https://www.regulations.gov/document/DOJ-NSD-2024-0004-0028</a> [<a href="https://perma.cc/M86F-5NUG">https://perma.cc/M86F-5NUG</a>].
---------------------------------------------------------------------------
For example, the 2017 National Security Strategy noted that China
and other adversaries ``weaponize information'' against the United
States and predicted that ``[r]isks to U.S. national security will grow
as competitors integrate information derived from personal and
commercial sources with intelligence collection and data analytic
capabilities based on Artificial Intelligence (AI) and machine
learning.'' \35\ That strategy criticized ``U.S. efforts to counter the
exploitation of information'' by adversaries as ``tepid and
fragmented,'' having ``lacked a sustained focus.'' \36\ A partially
declassified April 2020 assessment by the Office of the Director of
National Intelligence (``ODNI'') explained that foreign adversaries are
``increasing their ability to analyze and manipulate large quantities
of personal information in ways that will allow them to more
effectively target and influence, or coerce, individuals and groups in
the United States and allied countries.'' \37\ The 2022 National
Security Strategy underscored the need to develop a way to ``counter
the exploitation of Americans' sensitive data.'' \38\ A bipartisan 2023
report by the House Select Committee on the Strategic Competition
Between the United States and the Chinese Communist Party (``CCP'')
explained that the ``CCP is committed to using the presence of
technology products and services it controls to conduct cyberattacks on
the United States,'' ``collect data on Americans to advance its AI
goals,'' and ``surveil Americans as part of its campaign of
transnational repression.'' \39\ The Committee's bipartisan
recommendations included taking ``steps to prevent foreign adversaries
from collecting or acquiring U.S. genomic and other sensitive health
data.'' \40\ The 2024 National Counterintelligence Strategy made
protecting Americans against foreign intelligence targeting and
collection a key goal given foreign adversaries' ``broader focus on
data as a strategic resource'' and the counterintelligence value it
provides.\41\ The November 2024 Report to Congress of the U.S.-China
Economic & Security Review Commission explained that ``China
understands the value of data to AI and has taken active measures to
increase the availability of quality data within its AI ecosystem.''
\42\ The report also explains that the ``major research and market
presence of Chinese genomic and biotech services companies in the
United States gives these companies access to key technologies and
data,'' leading to a ``heightened risk of the transfer of sensitive
health data of U.S. citizens'' to China.\43\ And so on.
---------------------------------------------------------------------------
\35\ Exec. Off. of the President, National Security Strategy of
the United States of America 34 (Dec. 2017), <a href="https://trumpwhitehouse.archives.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf">https://trumpwhitehouse.archives.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf</a> [<a href="https://perma.cc/R4F5-QXJH">https://perma.cc/R4F5-QXJH</a>].
\36\ Id. at 35.
\37\ Nat'l Intel. Council, supra note 9, at 3.
\38\ Exec. Off. of the President, National Security Strategy 33
(Oct. 12, 2022), <a href="https://www.whitehouse.gov/wp-content/uploads/2022/10/Biden-Harris-Administrations-National-Security-Strategy-10.2022.pdf">https://www.whitehouse.gov/wp-content/uploads/2022/10/Biden-Harris-Administrations-National-Security-Strategy-10.2022.pdf</a> [<a href="https://perma.cc/G54X-L7ER">https://perma.cc/G54X-L7ER</a>].
\39\ H. Select Comm. on the Strategic Competition Between the
U.S. and the Chinese Communist Party, Reset, Prevent, Build: A
Strategy to Win America's Economic Competition with the Chinese
Communist Party 22 (2023), <a href="https://selectcommitteeontheccp.house.gov/sites/evo-subsites/selectcommitteeontheccp.house.gov/files/evo-media-document/reset-prevent-build-scc-report.pdf">https://selectcommitteeontheccp.house.gov/sites/evo-subsites/selectcommitteeontheccp.house.gov/files/evo-media-document/reset-prevent-build-scc-report.pdf</a> [<a href="https://perma.cc/5A7Q-YL9U">https://perma.cc/5A7Q-YL9U</a>].
\40\ Id. at 23.
\41\ Nat'l Counterintel. & Sec. Ctr., supra note 6, at 13.
\42\ U.S.-China Econ. & Sec. Review Comm'n, 118th Cong., 2024
Rep. to Cong. 11 (Comm. Print 2024), <a href="https://www.uscc.gov/sites/default/files/2024-11/2024_Annual_Report_to_Congress.pdf">https://www.uscc.gov/sites/default/files/2024-11/2024_Annual_Report_to_Congress.pdf</a> [<a href="https://perma.cc/ZWC5-G5SV">https://perma.cc/ZWC5-G5SV</a>].
\43\ Id. at 12, 220.
---------------------------------------------------------------------------
Extending the comment period would allow this increasingly urgent,
unaddressed threat to continue unabated, giving countries of concern
more time and opportunities to collect and exploit government-related
data and bulk U.S. sensitive personal data.\44\ Delay only increases
this unusual and extraordinary threat, which gives countries of concern
``a cheap and reliable way to [among other threatening activities]
track the movements of American military and intelligence personnel
overseas, from their homes and their children's schools to hardened
aircraft shelters within an airbase where . . . nuclear weapons are
believed to be stored.'' \45\ Not only does a country of concern like
China ``draw on . . . commercially collected data sources . . . [and]
insiders from the country's tech and telecom firms [and] banks'' to
perpetuate its surveillance apparatus, but access to such data is also
sold for other nefarious purposes that can put Americans at
risk.\46\
---------------------------------------------------------------------------
\44\ See, e.g., Mehrotra & Cameron, supra note 15 (describing an
``analysis of billions of location coordinates obtained from a US-
based data broker [that] provides extraordinary insight into the
daily routines of US service members'' and ``[provides]'' ``a vivid
example of the significant risks the unregulated sale of mobile
location data poses to the integrity of the US military and the
safety of its service members and their families overseas'').
\45\ Id.
\46\ See Greenberg, supra note 14 (describing how a surveillance
data black market has developed in China due in part to there being
``virtually no legal checks on the government's ability to
physically and digitally monitor its citizens'' and in which ``phone
numbers, hotel and flights records, and . . . location data [are
sold]'' in criminal markets).
---------------------------------------------------------------------------
The Department also believes that extending the comment period
would not provide meaningful additional input that would improve the
rule. The Department has gone to great lengths to provide the public
with meaningful opportunities to provide input at every stage of
development of this rule. The Department took the optional step of
releasing an ANPRM to provide the public with an additional formal
opportunity to comment, in addition to the public's formal opportunity
to comment on the NPRM. The rule closely tracks the NPRM, which had all
its core components extensively previewed in the ANPRM. The public has
had at least 87 days to formally provide comments throughout this
rulemaking: The comment period on the NPRM was 31 days, the public had
an additional 11 days to review the NPRM while it was on public
inspection in the Federal Register before it was formally published,
and the public had 45 days to comment on the ANPRM.
In addition to these formal opportunities to comment, and as
documented in the ANPRM, NPRM, part III of this preamble, and the
docket on <a href="http://regulations.gov">regulations.gov</a>, the Department also provided extensive
informal opportunities for feedback. Those opportunities began with
multiple informal engagements with hundreds of stakeholders before the
release of the Order and ANPRM. After the release of the ANPRM and
NPRM, the Department undertook extensive large-group, small-group, and
one-on-one engagements with over 800 stakeholder invitees or
participants across over 50 informal engagements to explain the rule
and receive feedback.
[[Page 1642]]
As described in part IV of this preamble, many of the comments
received on the NPRM merely state preferences or renew comments made on
the ANPRM without providing specific information or new analysis, or do
not engage with the analysis in the NPRM. The constructive refinements
suggested by commenters have become increasingly discrete. In addition,
many commenters have not specifically identified what additional
changes, analysis, or data they would provide if given additional time
to comment. The Department thus believes that the opportunities for
public comment and input during this rulemaking process have
appropriately balanced the need for feedback to ensure that the rule
effectively addresses the national security risks and the need to move
expeditiously given the increasingly urgent national security risks.
IV. Discussion of Comments on the Notice of Proposed Rulemaking and
Changes From the Proposed Rule
The discussion in part IV of this preamble summarizes comments
submitted in response to the NPRM and responds to those comments. The
Department does not discuss provisions of the rule that commenters did
not address substantively and has implemented those provisions in the
final rule without change from the NPRM. Unless the Department
otherwise addresses parts of the rule in this preamble, the Department
incorporates the NPRM's discussion of the rule into the preamble,\47\
including, for example, the Department's determination that the
categories of covered data transactions pose an unacceptable risk to
national security,\48\ the Department's interpretation of ``information
or informational materials'' under IEEPA,\49\ and the Department's
analysis for proposed bulk thresholds.\50\
---------------------------------------------------------------------------
\47\ 89 FR 86117-70.
\48\ 89 FR 86121.
\49\ 89 FR 86165-70.
\50\ 89 FR 86156-65.
---------------------------------------------------------------------------
Many comments were constructive. They expressed strong support for
the goals of the Order and the rule, the use of exemptions as a careful
and targeted approach to addressing the national security and foreign
policy risks, and the Department's changes in the NPRM in response to
comments on the ANPRM. These comments suggested and justified
additional specific refinements that help clarify and reinforce the
targeted nature of the Order and the rule, which are addressed with
respect to the relevant subparts of the rule.
Some commenters suggested clarifications or changes that were
premised on a misunderstanding or narrow view of the Order and this
rule. For example, some comments were premised on the view that the
national security and foreign policy risks addressed by the Order and
this rule are solely or primarily about the identifiability of a set of
sensitive personal data. As the NPRM explained, anonymized data is
rarely, if ever, truly anonymous, especially when anonymized data in
one dataset can become identifiable when cross-referenced and layered
on top of another anonymized dataset.\51\ In addition, as the
Department discussed in detail in the NPRM, identifiability is only one
in a range of concerns. Anonymized data itself can present a national
security risk, as can pattern-of-life data and other insights that harm
national security from anonymized data itself (such as in the case of
precise geolocation data).\52\ Sets of bulk U.S. sensitive personal
data may also be used to identify vulnerabilities within a population
or, in the case of bulk human genomic data, to enhance military
capabilities that include facilitating the development of bioweapons.
Additionally, even smaller sets of bulk U.S. sensitive personal data
can be used to make statistical inferences or conclusions about much
larger population sets. Usually, a sample size should not and need not
exceed 10 percent of a population to make inferences about the entire
population. However, even extremely small sample sizes may allow the
extrapolation of inferences about much larger populations. For example,
Meta requires only a source audience of 1,000 customers, which need
only include 100 people from a single country, in order to extrapolate
a ``lookalike'' audience of millions of individuals for targeted
advertising. In other words, countries of concern may be able to glean
valuable information about the health and financial well-being of a
large number of Americans through smaller datasets of bulk U.S.
sensitive personal data. As a result, the Department has not adopted
these suggestions, as they do not account for the broader range of
national security risks that the Order and this rule address.
---------------------------------------------------------------------------
\51\ 89 FR 86126-27.
\52\ Id.
---------------------------------------------------------------------------
Similarly, some comments were premised on a narrow view that the
sole or primary focus of the rule is the sale of data. As discussed at
length in the Order, ANPRM, and NPRM and as further described in part
IV.C of this preamble, the sale of data is only one means by which
countries of concern are seeking access to government-related data and
bulk U.S. sensitive personal data. Countries of concern also leverage
vendor, employment, and investment agreements as additional vectors to
try to obtain that access. As a result, the Department has not adopted
suggestions to the extent that they do not account for the full range
of risk vectors that the Order and this rule address.
Many comments failed to provide specifics the Department would need
to justify changes to the rule. These comments merely stated policy
preferences or made conclusory assertions without providing meaningful
support or analysis, or without addressing the analysis in the ANPRM
and NPRM. For example, some comments claimed that the rule would have
particular impacts on certain sectors or activities, but they did not
identify specific non-exempt covered data transactions with countries
of concern or covered persons that currently occur that the rule would
prohibit or restrict, explain the significance of these transactions to
the sector or industry, show why the sensitive personal data in those
transactions was integral to share with a country of concern or covered
person, or explain why it would not be feasible to shift those
transactions to other countries or persons over time.
Other comments reflected misunderstandings about the Order and the
proposed rule. For example, several comments stated that, with respect
to different provisions of the proposed rule that apply to a category
of activity ``including'' a list of specifics, it is unclear whether
those lists are exhaustive or exemplary. There is no ambiguity,
however, because Sec. 202.102(b) already defines ``including'' to mean
``including but not limited to.'' The final rule addresses other
mistaken assertions and misunderstandings with respect to each subpart
in part IV of this preamble and clarifies what the rule does or does
not do.
One commenter reiterated comments originally provided on the ANPRM
to suggest that the Order's and the proposed rule's restrictions on
access to sensitive personal data are inconsistent with international
commitments by the United States. Specifically, the commenter called on
the Department to make a greater effort to explain how the rule is
consistent with the U.S. commitment towards the promotion of trusted
cross-border data flows. As the NPRM explained, the rule permits cross-
border data flows except with respect to
[[Page 1643]]
commercial transactions that pose unacceptable national security risks
(and thus lack the trust required for the free flow of data), which the
rule prohibits or restricts.\53\ Because the commenter merely renews
its prior comment on the ANPRM without any attempt to address the
explanation in the NPRM, no further explanation appears necessary.
---------------------------------------------------------------------------
\53\ 89 FR 86121.
---------------------------------------------------------------------------
The Department will continue to assess the risk posed by countries
of concern and covered persons accessing government-related data or
bulk U.S. sensitive personal data, including examining whether the
Department needs to expand the final rule to tackle connected data
security concerns, such as data scraping or illegitimate data access
via the provision of services from entities linked to state threat
actors. The Department retains the right to promulgate additional rules
within the scope of the Order to address that risk.
Two commenters reiterated suggestions that the Department make
various revisions to borrow or incorporate aspects of international or
State privacy laws into this rule. As previously stated in the NPRM,
the Department supports privacy measures and national security measures
as complementary protections for Americans' sensitive personal
data.\54\ Despite some overlap, privacy protections and national
security measures generally focus on different challenges associated
with sensitive personal data. General privacy protections focus on
addressing individual rights and preventing individual harm, such as
protecting the rights of individuals to control the use of their own
data and reducing the potential harm to individuals by minimizing the
collection of data on the front end and limiting the permissible uses
of that data on the back end. National security measures, by contrast,
focus on collective risks and externalities that may result from how
individuals and businesses choose to sell and use their data, including
in lawful and legitimate ways. Commenters' suggestions raise no new
justifications that the Department did not already consider at the NPRM
stage, nor do these suggestions address how or why privacy protections
would adequately address national security concerns such that the
Department should align its definitions with existing privacy laws.
---------------------------------------------------------------------------
\54\ Id.
---------------------------------------------------------------------------
In response to the NPRM, some commenters suggested adding a new
exemption for transactions in which a U.S. individual consents to the
sale or disclosure of their data to a country of concern or covered
person. One commenter requested that the Department exempt disclosures
of nonclinical research data where research subjects consented to the
disclosure of their data. Another commenter expressed concern about
their data being sold within the United States for commercial purposes
without consent or equitable benefit.
The rule declines to adopt a consent exemption for the same reasons
provided in the NPRM. As explained in the NPRM, such a consent-based
exemption would leave unaddressed the threat to national security by
allowing U.S. individuals and companies to choose to share government-
related data or bulk U.S. sensitive personal data with countries of
concern or covered persons.\55\ It is precisely those choices that, in
aggregate, have helped create the national security risk of access by
countries of concern or covered persons, and the purpose of the Order
and the rule is to address the negative externality that has been
created by individuals' and companies' choices in the market in the
first place. It would also be inconsistent with other national security
regulations to leave it up to market choices to decide whether to give
American technology, capital, or data to a country of concern or
covered person. Export controls do not allow U.S. companies to
determine whether their sensitive technology can be sent to a foreign
adversary, and sanctions do not allow U.S. persons to determine whether
their capital and material support can be given to terrorists and other
malicious actors. Likewise, the rule does not allow U.S. individuals to
determine whether to give countries of concern or covered persons
access to their sensitive personal data or government-related data. One
of the reasons that the public is not in a position to assess and make
decisions about the national security interests of the United States is
that the public typically does not have all of the information
available to make a fully informed decision about the national security
interests of the United States.
---------------------------------------------------------------------------
\55\ Id.
---------------------------------------------------------------------------
The Department also declines to adopt a residual compensation
requirement for domestic sales of data. The Order and this rule do not
address purely domestic transactions between U.S. persons--such as the
collection, maintenance, processing, or use of data by U.S. persons
within the United States--except to the extent that such U.S. persons
are affirmatively and publicly designated as covered persons.
Each subpart of the rule, including any relevant comments received
on the corresponding part of the NPRM, is discussed below in the
remaining sections of this preamble.
A. General Comments
1. Section 202.216--Effective Date
The NPRM did not propose a specific effective date of the
applicable prohibitions and directives contained in the proposed rule.
One commenter requested consultation with the Department on a timeframe
for the implementation of the final rule. Some commenters requested
that the Department delay the effective date of the rule--with requests
ranging from 12 months to 18 months, or an indefinite deadline--to
allow companies, individuals, and universities time to assess their
data transactions, update internal policies, make necessary data
security changes, and come into compliance without disrupting
commercial activity. Two commenters suggested that the Department
``pause'' rulemaking, postpone publication of the final rule, or,
alternatively, publish the regulations for prohibited transactions
first and postpone the publication of restricted transactions to a
later, indeterminate date to provide more time for consultation and
revisions to those provisions.
The Department carefully considered these requests and declines, at
least at this time, to categorically extend the effective date beyond
April 8, 2025. The Department will, however, delay the date for when
U.S. persons must comply with subpart J, related to due diligence and
audit requirements for restricted transactions, and for Sec. Sec.
202.1103 and 202.1104, related to certain reporting requirements for
restricted transactions, until October 6, 2025.
For reasons similar to the reasons why the Department declined to
extend the comment period, the Department declines these commenters'
request to significantly delay the effective date across the board. As
the Order, ANPRM, NPRM, and parts III and IV of this preamble explain,
this rule addresses a national emergency and an unusual and
extraordinary threat to national security and foreign policy. Foreign
adversaries are actively trying to exploit commercial access to
Americans' sensitive personal data to threaten U.S. national security.
This threat is increasingly urgent, justifying the expedited process
for this rulemaking to address that threat. Significantly delaying the
effective date of the final rule across the board would
[[Page 1644]]
give countries of concern additional time to collect government-related
data and bulk U.S. sensitive personal data.\56\ The pressing risks
posed by these countries' ongoing attempts to collect and exploit
government-related data and bulk U.S. sensitive personal data to the
detriment of U.S. national security weigh against extending the
effective date of the rule, notwithstanding the compliance burdens some
commenters raised. Commenters' request for a significantly delayed
effective date cannot be reconciled with the need to expeditiously
address these increasingly urgent and serious risks. United States
persons have been on notice regarding the risks of sharing sensitive
personal data with countries of concern for years and the United States
Government's recommended steps to address those risks. For example,
since at least 2020, the Department of Homeland Security (``DHS'') has
publicly warned U.S. businesses using data services from the PRC or
sharing data with the PRC about the same risk vectors addressed by this
rule.\57\ DHS has urged U.S. entities to ``scrutinize any
business relationship that provides access to data'' by ``identifying
the sensitive personal and proprietary information in their
possession,'' ``minimiz[ing] the amount of at-risk data being stored
and used in the PRC or in places accessible by PRC authorities,'' and
conducting ``[r]obust due diligence and transaction monitoring'' that
includes ``acquir[ing] a thorough understanding of the ownership of
data service providers, location of data infrastructure, and any
tangential foreign business relationships and significant foreign
investors.'' \58\
---------------------------------------------------------------------------
\56\ See, e.g., Mehrotra & Cameron, supra note 15 (describing an
``analysis of billions of location coordinates obtained from a US-
based data broker [that] provides extraordinary insight into the
daily routines of US service members'' and provides ``a vivid
example of the significant risks the unregulated sale of mobile
location data poses to the integrity of the US military and the
safety of its service members and their families overseas'').
\57\ U.S. Dep't of Homeland Sec., Data Security Business
Advisory: Risks and Considerations for Businesses Using Data
Services and Equipment from Firms Linked to China, <a href="https://www.dhs.gov/sites/default/files/publications/20_1222_data-security-business-advisory.pdf">https://www.dhs.gov/sites/default/files/publications/20_1222_data-security-business-advisory.pdf</a> [<a href="https://perma.cc/2C5B-CEWC">https://perma.cc/2C5B-CEWC</a>].
\58\ Id. at 13.
---------------------------------------------------------------------------
United States persons have been aware of this contemplated
rulemaking since the issuance of the Order and ANPRM in February 2024.
During engagements with companies and industry, some participants
suggested that their efforts to understand and map their covered data
transactions are already underway, and some other multinational
companies explained that they already operate separate systems that
``firewall'' U.S.-person data from access in China and other countries
of concern and impose access controls to prevent unauthorized foreign
access. Similarly, in the comments on the NPRM, a different large
global technology business stated that multinational companies already
have robust data privacy and export control programs that may be
leveraged to comply with the rule, and that companies should not be
required to set up entirely new compliance programs; another commenter
echoed the view that companies should be able to leverage existing
privacy and data security programs. But given the serious national
security concerns, if the rule becomes effective, for example, before a
U.S. person engaging in restricted transactions is able to comply with
the security and other requirements, the U.S. person should not engage
in those transactions.
The comments seeking to significantly delay or pause the effective
date did not offer adequate substantive analysis or support necessary
to justify the change. These comments expressed a general preference
for delay, but they did not attempt to, for example, identify what and
how many specific non-exempt transactions they engage in that would be
prohibited or restricted; identify what specific controls,
recordkeeping, or systems they currently have in place and why those
are not sufficient to comply; identify what controls, recordkeeping, or
systems they do not have in place now that they would be required to
adopt to comply with the rule; or explain why those transactions could
not be paused, terminated, or shifted to non-countries of concern or
non-covered persons before the effective date or the specific impact of
doing so. The Department thus does not believe that these comments
provide an adequate basis on which to justify a significantly delayed
effective date for the sectors and industries represented by the commenters,
in light of the pressing national security risks described in the
Order, ANPRM, NPRM, and this preamble.
In addition, the commenters requesting a significantly delayed
effective date represent specific sectors and industries. The specific
industries represented by these commenters appear to have different
views about the time and resources needed for implementation and do not
appear to be sufficiently representative of the entire category of U.S.
persons engaging in data transactions that may be prohibited or
restricted under the rule. The Department thus does not believe that
these comments justify an across-the-board delay of the effective date.
As a result, in light of the need to expeditiously address the
increasingly urgent national security threat and the lack of
significant and specific countervailing evidence, the Department
believes that it is appropriate for the final rule to establish an
effective date of 90 days as a starting point, consistent with 5 U.S.C.
801(a)(3) and 5 U.S.C. 553(d).\59\ At one end of the spectrum, an
earlier effective date may mean that more U.S. persons are not prepared
to comply with the rule and must delay (or forgo, in some cases)
transactions that may implicate the rule or forgo a broader suite of
business opportunities that would not be prohibited or restricted under
the rule, resulting in temporary but additional costs while they
prepare to comply. At the other end of the spectrum, a later effective
date would mean a greater risk to national security and foreign policy
while countries of concern and covered persons have additional time to
access, obtain, and exploit government-related data or bulk U.S.
sensitive personal data. The Department believes it is appropriate to
err on the side of the former given the serious and pressing risks.
---------------------------------------------------------------------------
\59\ These provisions--in particular 5 U.S.C. 801(a)(3)--
generally require the effective date be at least 60 days after
publication of the rule in the Federal Register. The Department has
not invoked any exception to these statutory requirements,
notwithstanding the national emergency and threat to national
security and foreign policy addressed by this rule. Although the
risks addressed by this rule are urgent and ongoing, the Department
recognizes the breadth of potential disruption to current business
activities and the associated economic interest in a more orderly
process for coming into compliance with this rule. The Department is
exercising its discretion in balancing the ongoing threats to
national security with the potential disruption to current business
activities and has therefore determined that while a blanket
extension beyond 90 days is unwarranted, it also would not be
appropriate to establish an effective date earlier than that.
---------------------------------------------------------------------------
The Department recognizes that U.S. persons may need time to amend
internal policies and procedures to ensure compliance with the final
rule's due diligence provisions and to comply with reporting
requirements by, for example, evaluating and assessing ongoing
transactions or transaction types. Some aspects of the rule can be
delayed without unduly compromising the national security interests
advanced by the principal prohibitions and restrictions in subparts C
and D. The rule's due-diligence requirements for engaging in restricted
transactions and the recordkeeping requirements that apply to both
prohibited and restricted transactions are based on existing compliance
expectations set by other
[[Page 1645]]
regulators, such as the Department of the Treasury's Office of Foreign
Assets Control (``OFAC'') and the Department of Commerce's Bureau of
Industry and Security (``BIS''), for screening vendors and transaction
counterparties. The Department recognizes, however, the specific burden
in applying these provisions to this new context, and has determined it
is appropriate to allow additional time--an additional six months--
before those provisions become operative. Thus, the provisions in
Sec. Sec. 202.1001, 202.1002, 202.1103, and 202.1104 will only apply
to those who engage in the relevant transactions (or, for Sec.
202.1104, reject a proposed transaction) on or after October 6, 2025.
The Department believes that this will allow sufficient time for the
vast majority of entities to come into compliance with these provisions
and appropriately balances the value of these provisions to combatting
the national security threat they are intended to address. This delay
will have the effect of phasing in these additional compliance
requirements, allowing U.S. persons to focus their efforts at the start
on identifying and understanding the data transactions they engage in
and complying with the prohibitions and restrictions.
During the 90-day period before the rule's effective date and the
additional period before the remaining provisions become operative, the
Department will continue to robustly engage with stakeholders to
determine whether additional time for implementation is necessary and
appropriate. Through those engagements and with more specific
information, the Department may determine, for example, that it is
appropriate (1) for the 90-day effective date to remain in effect, but
to issue a general license authorizing companies to take additional
time to wind-down activities regulated by the rule if they cannot come
into compliance before that date; (2) for the 90-day effective date to
remain in effect, but to issue a general license establishing delayed
effective dates for specific sectors or activities; (3) for the 90-day
effective date to remain in effect, but to issue a general license
further delaying the effective date as to certain compliance
requirements or adjusting those requirements; (4) for the 90-day
effective date to remain in effect, but to issue a non-enforcement
policy for a certain period; (5) to delay the effective date, either
through regulatory modification or a general license; or (6) to make no
changes. The Department will also consider other courses of action as
circumstances warrant.
Several commenters requested that the Department incorporate a
mechanism for continued engagement with the public to discuss and
assess the rule's effectiveness in light of, and its application to,
evolving technologies and threats and to provide compliance guidance.
After the Department issues the final rule, the Department plans to
continue its robust stakeholder engagement, as it has done throughout
the rulemaking process, and issue guidance on compliance and other
topics. In addition, through the advisory opinion process, the rule
provides a formal avenue for the public to request and receive
clarifications about the rule's applicability to particular
transactions. Finally, section 5 of the Order already establishes a
formal mechanism for the Department to assess the effectiveness and
economic impact of the rule by requiring a report within one year after
the rule goes into effect, which will include the solicitation and
consideration of public comments.\60\
---------------------------------------------------------------------------
\60\ 89 FR 15427.
---------------------------------------------------------------------------
A few commenters requested clarification from the Department on
whether the provisions of the rule will apply retroactively and to
existing contracts, or if the provisions will only apply prospectively
on new contracts or contracts up for renewal. One commenter requested
that if the Department determines that retroactive application is
required for the provision in Sec. 202.302 requiring certain
contractual provisions for data brokerage transactions with foreign
persons, then the Department allow sufficient time to amend existing
agreements to ensure compliance.
The rule applies to covered data transactions engaged in on or after
the effective date. Covered data transactions completed prior to the
effective date are not regulated by the rule. However, unless exempt or
otherwise authorized, U.S. persons knowingly engaging in a prohibited
or restricted covered data transaction on or after the effective date
are expected to comply with the rule, notwithstanding any contract
entered into or any license or permit granted before the effective
date. In the case of Sec. 202.302, for instance, this means that any
relevant covered data transactions engaged in on or after the effective
date must comply with the contractual requirements in Sec.
202.302(a)(1), even where the U.S. persons had an existing agreement
with the foreign person prior to the effective date. Restricted and
prohibited transactions will not be grandfathered in as compliant
simply because any resulting covered data transactions are subject to a
preexisting contract or agreement. The significant national security
concerns outlined in the Order, NPRM, and parts II-IV of this preamble
require these regulations to be implemented as quickly as possible.
Entities that believe they need more time to come into compliance with
these regulations may request a specific license.
B. Subpart C--Prohibited Transactions and Related Activities
The proposed rule identified transactions that are categorically
prohibited unless the proposed rule otherwise authorizes them pursuant
to an exemption or a general or specific license or, for the categories
of restricted transactions, in compliance with security requirements
and other requirements set forth in the proposed rule.
1. Section 202.210--Covered Data Transactions
The Order authorizes the Attorney General to issue regulations that
prohibit or otherwise restrict U.S. persons from engaging in a
transaction where, among other things, the Attorney General has
determined that a transaction ``is a member of a class of transactions
. . . [that] pose an unacceptable risk to the national security of the
United States because the transactions may enable countries of concern
or covered persons to access bulk sensitive personal data or United
States Government-related data in a manner that contributes to the
national emergency declared in this [O]rder.'' \61\ Pursuant to the
Order, the proposed rule categorically prohibited or, for the
categories of restricted transactions, imposed security and other
requirements on certain covered data transactions with U.S. persons and
countries of concern or covered persons because the covered data
transactions may otherwise enable countries of concern or covered
persons to access government-related data or bulk U.S. sensitive
personal data to harm U.S. national security.
---------------------------------------------------------------------------
\61\ 89 FR 15423.
---------------------------------------------------------------------------
The proposed rule defined a ``covered data transaction'' as any
transaction that involves any access to any government-related data or
bulk U.S. sensitive personal data and that involves: (1) data
brokerage, (2) a vendor agreement, (3) an employment agreement, or (4)
an investment agreement. As stated in the NPRM, the Department has
determined that these categories of covered data transactions pose an
unacceptable risk to U.S. national security because they may enable
countries of concern or
[[Page 1646]]
covered persons to access government-related data or bulk U.S.
sensitive personal data to engage in malicious cyber-enabled
activities, track and build profiles on United States individuals for
illicit purposes, including blackmail or espionage, and to intimidate,
curb political dissent or political opposition, or otherwise limit
civil liberties of U.S. persons opposed to countries of concern, among
other harms to U.S. national security. For instance, one study has
demonstrated that foreign malign actors can purchase bulk quantities of
sensitive personal data about U.S. military personnel from data brokers
``for coercion, reputational damage, and blackmail.'' \62\
---------------------------------------------------------------------------
\62\ Sherman et al., supra note 10, at 14.
---------------------------------------------------------------------------
Some commenters suggested that the final rule be limited to
situations where government-related data or bulk U.S. sensitive
personal data is made accessible by the U.S. person to the covered
person or country of concern, and that it not apply in instances where
(for example) a covered person sends bulk U.S. sensitive personal data
to a U.S. person. The Department agrees that a U.S. person accessing
data from a covered person ordinarily does not present the national
security concerns that the rule seeks to address, and the Department
does not intend the rule to cover that generic circumstance. Although
commenters identified multiple ways to clarify this in the regulatory
text, the Department clarifies this limitation by changing the
definition of ``covered data transaction'' to cover only transactions
that involve ``access by a country of concern or covered person.'' The
rule includes a new example clarifying this limitation in Sec.
202.210. This change also necessitates conforming changes to Sec.
202.302 related to onward transfer provisions as explained in part
IV.B.15 of this preamble.
Other commenters requested clarity about whether the rule would
apply to other transactions that are related to a covered data
transaction but that do not themselves provide a country of concern or
a covered person access to bulk U.S. sensitive personal data or
government-related data. The revised definition of ``covered data
transaction'' captures only those transactions that involve access by a
country of concern or covered person to bulk U.S. sensitive personal
data or government-related data, as the term ``access'' is defined in
the rule. The rule does not impose any restrictions or prohibitions on
transactions that do not involve access by a country of concern or
covered person to government-related data or bulk U.S. sensitive
personal data. For instance, a U.S. research institution that entered
into a vendor agreement with a covered person cloud-services provider
in a country of concern to store bulk U.S. personal health data or bulk
human genomic data in a country of concern would have to comply with
the security requirements mandated by subpart D. But the rule would not
impose any restrictions or prohibitions on the ability of U.S. or
foreign persons who are not covered persons to access or analyze the
bulk U.S. sensitive personal data stored by a country of concern cloud-
services provider.
2. Section 202.301--Prohibited Data-Brokerage Transactions; Section
202.214--Data Brokerage
The NPRM proposed prohibiting any U.S. person from knowingly
engaging in a covered data transaction involving data brokerage with a
country of concern or a covered person. The proposed rule defined
``data brokerage'' as the sale of data, licensing of access to data, or
similar commercial transactions involving the transfer of data from any
person (``the provider'') to any other person (``the recipient''),
where the recipient did not collect or process the data directly from
the individuals linked or linkable to the collected or processed data.
Some comments expressed concern with the perceived breadth of the
term ``data brokerage.'' These comments did not appropriately consider
data brokerage in the context of the rest of the regulations (such as
their exemptions, the other elements of the prohibitions and
restrictions, and other related definitions that limit the scope and
impact of data brokerage) and, as such, made exaggerated claims about
its impacts without support or analysis. These comments were premised
largely on imprecise hypotheticals or generalizations, or they
misstated the regulations. In addition, none of these comments
discussing data brokerage addressed the national security risk posed by
countries of concern or covered persons accessing the digital footprint
of sensitive personal data Americans leave behind when interacting with
the modern world.
Nevertheless, the Department considered each such comment and
responds to the themes presented in them in the continuing discussion.
To the extent that such commenters reiterated points or suggestions
that were already addressed in the NPRM, the Department directs those
commenters to the relevant discussions in the NPRM.\63\ Ultimately, the
Department declines to make any changes to the prohibition in Sec.
202.301, makes a limited change to the definition of ``data brokerage''
in Sec. 202.214, adds three new examples to the definition, and amends
one existing example.
---------------------------------------------------------------------------
\63\ See, e.g., 89 FR 86130-31.
---------------------------------------------------------------------------
Some commenters recommended that the Department adjust the
definition of data brokerage to expressly exclude activities that are
already subject to one of the proposed rule's exemptions to ensure the
proposed regulations do not inadvertently capture transactions that are
well-regulated by financial services regulators. No change was made in
response to this comment. The exemptions in subpart E already
explicitly make clear that the prohibitions and restrictions in
``subparts C and D do not apply to'' the categories of exempt
transactions. And Sec. 202.301 (the provision prohibiting certain
data-brokerage transactions) already explicitly applies ``[e]xcept as
otherwise authorized pursuant to subparts E or H of this part or any
other provision of this part,'' which includes the exemptions in
subpart E. Adding another reference to this issue would be redundant
and unnecessary.
Some commenters expressed confusion about the supposed relationship
or tension between data brokerage and vendor agreements, and suggested
changes that would undermine the prohibitions and restrictions
associated with those defined terms. For example, these commenters
believed intra-company data transactions could be considered prohibited
data brokerage but claimed that same transaction would only be
restricted if engaged in pursuant to a vendor agreement. Some of these
commenters and others also requested changes to the exemption for
corporate group transactions in Sec. 202.506 to address their
confusion.
Data brokerage and vendor agreements are specifically tailored to
address the risk to national security posed by a country of concern or
covered person's access to government-related data or bulk U.S.
sensitive personal data. While the commenters' hypothetical questions
or concerns lack factual specificity, for additional clarity, the
Department has amended the definition of ``data brokerage'' to
explicitly exclude an employment, investment, or vendor agreement. This
change helps ensure that the categories of prohibited transactions and
restricted transactions remain mutually exclusive. Applying these
definitions still involves a fact-specific analysis, as illustrated by
[[Page 1647]]
the accompanying examples. The Department also added two new examples
at Sec. Sec. 202.214(b)(7) and (8) to further illustrate how companies
primarily engaged in non-data brokerage activities might otherwise
trigger the prohibition.
In addition, to the extent that intra-company or internal data
transactions satisfy the exemption under Sec. 202.506 because they are
ordinarily incident to and part of administrative or ancillary business
operations, those transactions would be exempt regardless of whether
they are characterized as prohibited data brokerage or a restricted
vendor agreement. Furthermore, after the effective date of the rule,
the commenters and the broader public will have the opportunity to
submit detailed requests for formal advisory opinions from the
Department regarding any questions they have as to how these terms
affect specific factual situations as opposed to hypothetical ones.
At least one commenter suggested that the Department amend the
definition of ``data brokerage'' by omitting the ``licensing of access
to data'' and ``similar commercial transactions'' prongs, and by
limiting the scope to those transactions where sensitive data is
exchanged for consideration. In the alternative, the commenter
suggested that the Department narrow the scope to apply to the specific
types of transactions the Department intends to cover. The commenter
argued that the current definition of ``data brokerage'' is overbroad
and extends beyond ``bulk sensitive personal data'' to all data, and
that a broad interpretation of ``similar commercial transactions''
could expand the scope of compliance and impact actors in several
sectors such as e-commerce and analytics firms. Other commenters
suggested striking ``similar commercial transactions'' from the
definition or amending it, including by adopting standards found in
certain State privacy laws. And others asked the Department to
reiterate concepts like ``sensitive personal data'' in the definition
of data brokerage.
The Department declines to adopt these suggested approaches, parts
of which were already discussed in the NPRM. The Department intends for
the rule to cover a broad range of data brokerage transactions
involving government-related data or bulk U.S. sensitive personal data.
Persons selling or reselling data to others are engaging in data
brokerage, even if such activity is not that person's primary business
activity. As noted in the NPRM, the proposed rule intentionally covered
both first- and third-party data brokerage because countries of concern
do not discriminate in how they seek to access government-related data
or bulk U.S. sensitive personal data. As such, the rule's broad
definition is critical to ensuring there are no significant loopholes
for countries of concern to continue to leverage the data brokerage
market as a means of acquiring and exploiting government-related data
or bulk U.S. sensitive personal data.
The Department also notes these comments appear to misapply data
brokerage and its relationship to other provisions of the regulations.
For example, the prohibition on data brokerage does not apply to all
data. It only applies to covered data transactions, which are limited
to government-related data or bulk U.S. sensitive personal data. Adding
sensitive personal data to the definition of the term would therefore
be redundant. The phrase ``similar commercial transactions'' is
intended to cover other commercial arrangements (beyond just sales and
licensing) involving the transfer of government-related data or bulk
U.S. sensitive personal data to countries of concern or covered
persons. Commercial arrangements, by their nature, are engaged in for
consideration. No further clarification of the phrase is warranted or
necessary. Additionally, the exemption in Sec. 202.505 regarding
financial services already ensures that the term ``similar commercial
transactions'' would not inadvertently capture e-commerce activities.
Moreover, these comments' suggestions do not realistically describe how
or whether their recommended approaches would mitigate the national
security risk associated with the rule's examples of data-brokerage
activities other than sale or licensing.
Another commenter suggested that to comply with the regulations,
companies must first identify any data-brokerage activities they
undertake, which the commenter claims is a daunting task. The commenter
also warned that the definition would include activities beyond those
engaged in by data brokerage firms. Many of the commenter's concerns
were addressed in the preamble of the NPRM. The Department intends for
data brokerage to encompass both first- and third-party data brokerage
to address the national security risk the Order was intended to
mitigate. That is a key national security feature of the program and is
addressed earlier in part IV.B.2 of this preamble.
With respect to how to comply with the regulations, the Department
does not endorse any specific practice. The Department believes it is
more effective to have U.S. persons develop compliance programs
suitable to their own individualized risk profile, as explained in the
NPRM.\64\ Such programs can vary based on a range of factors, including
the U.S. person's size and sophistication, products and services,
customers and counterparties, and geographic locations. The Department
may issue guidance on this topic to assist U.S. persons to develop and
implement compliance programs. Without fully knowing the commenter's
situation, the Department can only note that alternative approaches to
compliance may be appropriate,
such as first evaluating the company's exposure to countries of concern
or covered persons, or their possession of or access to government-
related data or bulk U.S. sensitive personal data, to direct their
compliance efforts.
---------------------------------------------------------------------------
\64\ 89 FR 86128.
---------------------------------------------------------------------------
At least two commenters proposed exempting data-sharing platforms
from the definition of ``data brokerage'' because such platforms do not
determine what data is shared or reviewed before data is shared. These
commenters generally claimed that without the requested exemption, such
platforms would be required to review all data exchanges and underlying
datasets, potentially creating new privacy and data security risks as
well as possible contractual violations. The Department declines to
adopt this proposal because it is unnecessary, redundant, and risks
creating an exemption that could inadvertently undermine the purpose of
the rule, thereby exacerbating the national security risk the Order is
intended to mitigate. The prohibition in Sec. 202.301 requires
``knowingly'' engaging in a covered data transaction involving data
brokerage with a country of concern or covered person. As the examples
in Sec. Sec. 202.230(b) and 202.305(b) illustrate, if a U.S. person
merely provides infrastructure or a platform to a U.S. customer that
uses the infrastructure or platform to engage in a prohibited or
restricted transaction, the third-party infrastructure or platform
provider would not generally have knowingly engaged in a prohibited or
restricted transaction. However, it would be inappropriate for the rule
to exempt third-party infrastructure or platform providers, as they
could engage in their own transactions that would be prohibited or
restricted, as also illustrated by the examples in Sec. 202.230(b) and
Sec. 202.305(b).
At least two commenters were concerned that without changes to the
definition of ``data brokerage'' or the prohibition in Sec. 202.301,
the regulations would adversely affect e-commerce or
[[Page 1648]]
the ability of U.S. persons to purchase goods and services. These
concerns are unfounded because the prohibition does not reach exempted
activities, including data transactions that are ordinarily incident to
and part of the provision of financial services. Financial services
include ``the transfer of personal financial data or covered personal
identifiers incidental to the purchase and sale of goods and services''
and ``the provision or processing of payments or funds transfers.'' See
Sec. 202.505(a)(4) and (5). Example 1 in Sec. 202.505(b)(1) also
specifically addresses the issue of e-commerce.
One comment expressed concern that U.S. persons engaged in data
brokerage are unfairly targeted and encouraged the creation of a safe
harbor for U.S. persons that conduct due diligence on data-brokerage
transactions but are later deceived about a foreign adversary's
ownership or control of a customer company. The Department declines to
adopt the described safe harbor because it is unnecessary and
redundant. The prohibition on data brokerage in Sec. 202.301 requires
a U.S. person to act ``knowingly,'' which ``means that a person has
actual knowledge, or reasonably should have known, of the conduct, the
circumstance, or the result.'' See Sec. 202.230. Generally, U.S.
persons engaged in data brokerage who are in fact deceived by countries
of concern or covered persons, despite taking reasonable measures to
comply with Sec. 202.301, would not be liable because they would not
have had actual knowledge of, nor would they have reasonably known of,
the circumstances. In addition, the Department intends to issue
compliance and enforcement guidance following the publication of the
final rule.
Another commenter provided several open-ended hypotheticals about
the applicability of the definition of ``data brokerage'' in Sec.
202.214 to unfunded or nonprofit research. They asked whether a U.S.
person's transfer of bulk sensitive personal data to a researcher in a
country of concern could be considered data brokerage; whether such
data transfers would be prohibited if they occurred because of mutual
interest in the research; and whether the possibility of collaboration
or co-authoring on a paper constitutes sufficient consideration to
trigger the definition.
The public will have the opportunity to submit detailed requests
for formal advisory opinions after the effective date of the
regulations. In that process, filers would provide non-hypothetical and
specific facts on which the Department will render an opinion on the
applicability of the regulations. Without more specific information or
details, the Department can only provide general answers to these
hypotheticals.
As explained with respect to the comments on Sec. 202.511, while
the rule is not limited to covered data transactions that occur for
solely commercial purposes, the rule does limit data brokerage and the
other categories of covered data transactions (and thus the
prohibitions and restrictions) to transactions that are commercial in
nature, meaning that they involve some payment or other valuable
consideration. Generally, without more, a mutual interest in conducting
research together, or the possibility of research collaboration or co-
authoring a paper, would not constitute the kind of valuable
consideration needed to qualify as a covered data transaction. The
Department added Examples 9 and 10 to Sec. 202.214 to clarify the
circumstances to which the Department intends the rule to apply in the
context of such research activities.
Other commenters similarly sought clarification on whether and how
the rule applies to nonprofit or non-commercial entities. The rule
applies to data brokerage and investment, vendor, or employment
transactions, as defined in the rule, without regard to the for-profit
or not-for-profit nature of the U.S. person engaged in the transaction.
Where a nonprofit engages in a covered data transaction--by, for
example, entering a vendor agreement with a covered person to host bulk
U.S. sensitive personal data--the rule applies. As the NPRM explained,
the rule takes an activity-based approach because it is certain
activities (transactions) that pose the unacceptable risks to national
security and foreign policy, regardless of the kind of entity that
engages in them.
However, other provisions of the regulations might exempt otherwise
prohibited or restricted data transactions engaged in by researchers.
The Department has exempted data transactions arising from the official
business of the United States Government, Federal law or international
agreements, drug, biological, and medical device authorizations, and
other clinical trials in Sec. Sec. 202.504, 202.507, 202.510, and
202.511, respectively. Section 202.504 also covers data transactions
conducted pursuant to a contract, grant, or other agreement with
Federal departments and agencies, even when there is concurrent funding
from non-Federal sources.
At least one commenter suggested that prohibited data brokerage
should be limited to circumstances in which the recipient of the data
receives a right, remedy, power, privilege, or interest with respect to
the data. The Department declines to make the suggested change because
it fails to adequately address the national security risk posed by
countries of concern or covered persons' access to government-related
data and bulk U.S. sensitive personal data. The commenter's suggestion
would undermine the data-brokerage prohibition and effectively give
adversarial nations unfettered access to bulk U.S. sensitive personal
data or government-related data. Subpart E of the regulations offers
carefully tailored exemptions that balance the national security
imperatives of the Order with legitimate economic and humanitarian
activities, among others. Data transactions that qualify for such
exemptions would not be prohibited under this program.
One commenter sought clarification or changes regarding Example 4
in Sec. 202.214 as to whether, assuming all other requirements of the
prohibition in Sec. 202.301 were satisfied, Internet Protocol (``IP'')
addresses and advertising identifiers alone, without bulk precise
geolocation information, would constitute prohibited data brokerage.
The Department revised the example to clarify that a data transaction
involving bulk quantities of U.S. users' IP addresses and advertising
IDs would qualify as a prohibited data-brokerage transaction involving
bulk covered personal identifiers because IP addresses and advertising
IDs are listed identifiers. However, a data transaction involving only
one of the listed identifiers--for example, only IP addresses--would
not qualify as a covered data transaction because IP addresses in
isolation do not qualify as sensitive personal data. Countries of
concern may use IP addresses in some instances to aid in identifying
the location of a particular device or user. However, the Department
recognizes that IP addresses alone may not provide enough detailed
information about a specific user or device to qualify as ``precise
geolocation data.'' The Department understands that, in most commercial
instances, IP addresses are collected in datasets that often contain
well into the tens or hundreds of millions of such addresses and often
involve other listed identifiers, as well. Given this reality, the
Department will only treat IP addresses as a listed identifier, rather
than also as precise geolocation data.
[[Page 1649]]
Another commenter recommended narrowing the definition of ``data
brokerage'' primarily by striking the phrase ``similar commercial
transactions'' from the definition, which the Department discussed in
part IV.B.2 of this preamble. The commenter also provided some high-
level examples of activities that they believe should not be considered
data brokerage: (a) Marketplace sales, in which a third-party seller
that is located in a country of concern or that is a covered person
provides items for sale to U.S. persons on platforms owned by U.S.
persons; (b) retail advertising networks that are owned by U.S.
companies and that feature advertisers who are covered persons or that
are based in a country of concern; (c) personal health data and human
genomic data for scientific research and regulatory purposes; and (d)
provisions of services to U.S. individuals abroad.
As this preamble and the NPRM explained, the Department declines to
revise the definition of ``data brokerage'' because it ``is
intentionally designed and scoped to address the activity of data
brokerage that gives rise to the national risk, regardless of the
entity that engages in it'' and ``intentionally regulates data
transactions'' that give rise to the risks the Order was intended to
mitigate.\65\ The commenter did not address how or whether their
recommended approach to data brokerage would mitigate such risk. In
addition, the rule already accounts for the examples provided by the
commenter. Transactions ordinarily incident to the provision of covered
personal identifiers and personal financial data as part of e-commerce
(such as marketplace sales) are generally exempt under the financial
services exemption. With respect to scientific research and regulatory
purposes, the rule does not prohibit research in a country of concern
or research partnerships with a covered person that do not otherwise
involve a covered data transaction. And the exemptions in Sec. Sec.
202.510 and 202.511 already exempt certain data transactions arising
from clinical trials and regulatory approvals in the context of drug,
biological, and medical device authorizations. The commenter failed to
provide sufficient specificity for the Department to address the other
examples they provided. The recommended change, therefore, appears
unnecessary at this time.
---------------------------------------------------------------------------
\65\ 89 FR 86131.
---------------------------------------------------------------------------
Because the data-brokerage prohibition, along with the other
prohibitions and restrictions, centers on data transactions
involving access to government-related data or bulk U.S. sensitive
personal data, the Department addresses the comments received on those
key terms and related terms in detail in the following discussion.
3. Section 202.201--Access
The proposed rule defined ``access'' as logical or physical access,
including the ability to obtain, read, copy, decrypt, edit, divert,
release, affect, alter the state of, or otherwise view or receive, in
any form, including through information systems, information technology
systems, cloud-computing platforms, networks, security systems,
equipment, or software.
One commenter requested that, to ensure that compliance mechanisms
do not impede legitimate research activities, the Department
distinguish data access and data export. The commenter interpreted
``access'' to data as physically obtaining data, or as being able to
analyze the data in a remote analysis environment where the data
remains protected and cannot be exported. To this end, the commenter
recommended addressing security concerns, while maintaining legitimate
users' access to research data, by requiring data accessor attestation
or by leveraging trusted research environments that adopt modern data
protection methods and multi-layer security protocols.
The Department declines to distinguish access from export. In the
national security context, the Department views access to
government-related data and bulk U.S. sensitive personal data by a
country of concern or covered person as synonymous with the export of
such data to the same. Further, it is unclear to the Department whether
something like a ``data accessor attestation'' would be sufficient to
dissuade or prevent a country of concern's intelligence or security
service from seeking to access sensitive data that may be contained in
a secure research environment. The Department does not believe that
these types of measures on their own mitigate the counterintelligence
and other national security risks identified by the Order and parts II-
IV of this preamble. However, these types of measures could be one part
of a broader risk-based compliance program implemented pursuant to the
rule's requirements. Finally, it does not appear that such a change is
necessary to minimize any impact on scientific and research activities,
as the rule does not preclude research in a country of concern, or
research collaborations or partnerships with covered persons, that do
not involve any payment or other consideration as part of a covered
data transaction.
Another commenter suggested a technical correction in the final
rule to avoid inadvertently causing restricted transactions that comply
with the security requirements to no longer be considered covered data
transactions. The Department appreciates this clarification, which it
has adopted in the definition of ``access.''
The final rule otherwise adopts the definition proposed in the NPRM
without change.
4. Section 202.249--Sensitive Personal Data
The NPRM defined six categories of ``sensitive personal data'' that
could be exploited by a country of concern to harm U.S. national
security if that data is linked or linkable to any identifiable U.S.
individual or to a discrete and identifiable group of U.S. persons.
These six categories are: (1) covered personal identifiers; (2) precise
geolocation data; (3) biometric identifiers; (4) human genomic data;
(5) personal health data; and (6) personal financial data. As explained
in part IV.B.16 of this preamble, the Department has changed the
reference to human genomic data to human 'omic data in the final rule.
One commenter requested that the Department confirm that physical
and digital dental health data records are included within the scope of
sensitive personal data. The commenter pointed out that unauthorized
access to dental health data poses significant security risks, as they
contain not only personal health information but also can serve as a
unique forensic identifier. The Department agrees and confirms that
physical and digital dental health records would generally fall within
the existing definition of ``personal health data'' within the scope of
sensitive personal data. Section 202.241 of the rule provides an
inclusive definition for personal health data that encompasses
information related to ``the past, present, or future physical or
mental health or condition of an individual, the provision of
healthcare to an individual, or the past, present, or future payment
for the provision of healthcare to an individual.'' This term includes,
for example, basic physical measurements and health attributes; social,
psychological, behavioral, and medical diagnostic, intervention, and
treatment history; test results; logs of exercise habits; immunization
data; data on reproductive and sexual health; and data on the use of
prescribed medications. The data contained in
[[Page 1650]]
dental records would generally relate to the past, present, or future
physical health or condition of an individual and to the provision of
healthcare to an individual, which the Department intentionally scoped
broadly to avoid the risk of inadvertently omitting relevant health
data types. This flexibility allows for new health-related fields or
data types to be included in the future without needing to update the
rule. Further, to the extent that any such dental health records
constituted ``measurable physical characteristics or behaviors used to
recognize or verify the identity of an individual,'' the definition of
``biometric identifier'' included in ``sensitive personal data'' would
capture those records. In light of the Department's confirmation and
the existing definition, the Department does not believe it is
necessary to adjust the inclusive definition of ``personal health
data'' to refer to one specific type of personal health data.
One commenter questioned the inclusion of human genomic data as a
category of sensitive personal data, arguing against the ability to
identify individuals solely through genetic testing and arguing that
the NPRM overstates the predictability of human genomic data. The
commenter agreed that knowledge of a person's genome may offer insights
into potential risks and tendencies, but the commenter concluded,
without citing any reference materials, that such data cannot
accurately predict health, emotional stability, or mental capacity for
most individuals. The commenter also suggested that it would be
``impractical'' to design genetically targeted bioweapons against a
specific individual or group. As noted in the NPRM, human genomic data
is not only useful for identifying traits such as health, emotional
stability, mental capacity, appearance, and physical abilities that
might be useful in intelligence recruitment; countries of concern may
also use this data to develop military capabilities such as
bioweapons.\66\ Human genomic data, even when de-identified, can still
be re-identified, particularly when combined with other datasets such
as medical records, health information, public databases, or social
media information. This potential for re-identification highlights the
necessity of the national security protections set forth in the NPRM
and this preamble. The commenter's contention that a foreign
adversary's government would not leverage human genomic data due to
such efforts being ``impractical'' is contrary to the publicly
available assessments of the United States Government, including the
U.S. Intelligence Community.\67\ For this and other reasons already
discussed in the NPRM,\68\ the Department declines to adopt any change
in response to this comment.
---------------------------------------------------------------------------
\66\ Ken Dilanian, Congress Wants to Ban China's Largest
Genomics Firm from Doing Business in the U.S. Here's Why, NBC News
(Jan. 25, 2024), <a href="https://www.nbcnews.com/politics/nationalsecurity/congress-wants-ban-china-genomics-firm-bgi-from-us-rcna135698">https://www.nbcnews.com/politics/nationalsecurity/congress-wants-ban-china-genomics-firm-bgi-from-us-rcna135698</a>
[<a href="https://perma.cc/T2Y2-R7RZ">https://perma.cc/T2Y2-R7RZ</a>]; Ron Pulivarti et al., Nat'l Inst. of
Standards & Tech., NIST IR 8432, Cybersecurity of Genomic Data 9
(2023), <a href="https://nvlpubs.nist.gov/nistpubs/ir/2023/NIST.IR.8432.pdf">https://nvlpubs.nist.gov/nistpubs/ir/2023/NIST.IR.8432.pdf</a>
[<a href="https://perma.cc/5D3G-BEEZ">https://perma.cc/5D3G-BEEZ</a>].
\67\ Nat'l Counterintel. & Sec. Ctr., China's Collection of
Genomic and Other Healthcare Data from America: Risks to Privacy and
U.S. Economic and National Security (Feb. 2021), <a href="https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/NCSC_China_Genomics_Fact_Sheet_2021revision20210203.pdf">https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/NCSC_China_Genomics_Fact_Sheet_2021revision20210203.pdf</a> [<a href="https://perma.cc/BL4H-WJSW">https://perma.cc/BL4H-WJSW</a>].
\68\ 89 FR 86156-65.
---------------------------------------------------------------------------
The proposed rule categorically excluded certain categories of data
from the definition of the term ``sensitive personal data.'' These
exclusions include public or nonpublic data that does not relate to an
individual, including trade secrets and proprietary information, and
data that is, at the time of the transaction, lawfully publicly
available from government records or widely distributed media, personal
communications as defined in Sec. 202.239, and information or
informational materials as defined in Sec. 202.226. As discussed in
further detail in part IV.B.15 of this preamble, the Department has
refined the definition of ``sensitive personal data'' to ensure that
the exclusion for publicly available data applies to each subcategory
of sensitive personal data, and thus also applies to the term
government-related data. In addition, as discussed in part IV.D.1 of
this preamble, the Department has extended the exclusions to include
certain metadata related to expressive information and informational
materials.
As noted in the NPRM, nothing in the final rule shall be construed
to affect the obligations of United States Government departments and
agencies under the Foundations for Evidence-Based Policymaking Act of
2018, Public Law 115-435 (2019), 44 U.S.C. 3501 et seq.
5. Section 202.212--Covered Personal Identifiers
The Order defines ``covered personal identifiers'' as
``specifically listed classes of personally identifiable data that are
reasonably linked to an individual, and that--whether in combination
with each other, with other sensitive personal data, or with other data
that is disclosed by a transacting party pursuant to the transaction
and that makes the personally identifiable data exploitable by a
country of concern--could be used to identify an individual from a data
set or link data across multiple data sets to an individual,'' subject
to certain exclusions.\69\ The NPRM defined two subcategories of
covered personal identifiers: (1) listed identifiers in combination
with any other listed identifier; and (2) listed identifiers in
combination with other data that is disclosed by a transacting party
pursuant to the transaction, such that the listed identifier is linked
or linkable to other listed identifiers or to other sensitive personal
data. The definition included two exceptions: (1) demographic or
contact data that is linked only to other demographic or contact data;
and (2) a network-based identifier, account-authentication data, or
call-detail data that is linked only to other network-based
identifiers, account-authentication data, or call-detail data as
necessary for the provision of telecommunications, networking, or
similar services.
---------------------------------------------------------------------------
\69\ 89 FR 15428-29.
---------------------------------------------------------------------------
Multiple commenters requested that the Department clarify the
applicability of the demographic data exclusion with respect to data
brokerage. The Department directs the commenters to the definition of
``covered personal identifier'' in Sec. 202.212(b), which excludes
``[d]emographic or contact data that is linked only to other
demographic or contact data.'' That definition, in combination with the
examples provided, demonstrates how demographic data and data brokerage
interact with one another. Example 3 in Sec. 202.212(c)(3) states that
a ``first and last name linked to a residential street address, an
email address linked to a first and last name, or a customer loyalty
membership record linking a first and last name to a phone number--
would not constitute covered personal identifiers.''
The data in this example does not satisfy the definition of
``covered personal identifiers.'' Therefore, such data would not be
considered sensitive personal data under Sec. 202.249, and a
transaction involving such data would not be a covered data transaction
under Sec. 202.210. In relevant part, Sec. 202.301 only prohibits
U.S. persons from knowingly engaging in a covered data transaction
involving data brokerage with a country of concern or covered person.
Because there is no covered data transaction, a U.S. person would not
be
[[Page 1651]]
prohibited from engaging in a data-brokerage transaction with a country
of concern or covered person involving the data from this example.
The same commenters also recommended that the Department amend the
definition of ``covered personal identifier'' to exclude combinations
of what the commenters claim to be low-risk identifiers, such as when
advertising or device identifiers are combined with low-risk
identifiers like IP addresses or contact data but not combined with any
other information. The Department addressed this in the NPRM and
declines to make the recommended change here. Specifically, the
Department stated in the NPRM that ``covered personal identifiers and
unique IDs can be used to link other datasets containing more
exploitable information.'' \70\ For example, countries of concern and
covered persons can use such identifiers to ``help link databases of
habitual visitors to gambling sites with debt collection records or a
database of government records. They could link advertising IDs, IP
addresses, and [Subscriber Identity Module (``SIM'')] card numbers to
personal mobile devices, home addresses, and government mobile
devices.'' \71\ Additionally, the definition of ``covered personal
identifier'' in Sec. 202.212 already excludes demographic or contact
data that is linked only to other demographic or contact data.
---------------------------------------------------------------------------
\70\ 89 FR 86162.
\71\ Id.
---------------------------------------------------------------------------
Several commenters took issue with the Department using a
definition of ``covered personal identifier'' that is different than
what is considered sensitive data under other laws. Because of this,
the commenters recommended a broad exemption for any data that is
processed by a covered person on behalf of a U.S. person where: (1) the
purpose of the processing is product research, development, or
improvement; (2) the U.S. person directs and controls the manner of
processing the data; and (3) the covered person is contractually bound
by the U.S. person to maintain the privacy and security of the data. At
least one commenter objected to the inclusion of truncated government
identification or account numbers in the definition of ``listed
identifier.'' The commenters further requested an exemption for data
provided or transferred by internet ecosystem providers in the ordinary
course of providing internet exchange, traffic management, routing, and
related services designed to optimize and secure access to services by
internet end-users (except when involving data brokerage) in addition
to an exemption for any combination of the following: (1) a device- or
hardware-based identifier; (2) an advertising identifier; and (3) a
network-based identifier.
At least one of the commenters also made these recommendations in
response to the ANPRM, and the Department considered them in the NPRM.
However, the commenter provided no new information for the Department
to act on or consider in this instance. The rule's use of the term
``covered personal identifiers'' is much narrower than what is covered
by various privacy-oriented laws and regulations. The Department has
already adopted similar suggestions received from other commenters to
arrive at a narrower category as described in Sec. 202.212(a)(2) and
included several examples. See Sec. 202.212(c). Section 202.212(b)(2)
excludes identifiers critical to the operation of services and devices
``as necessary for the provision of telecommunications, networking, or
similar service.'' \72\ The proposed exemption mirrors generally
prevalent commercial contractual obligations between data controllers
and data processors (as those terms are defined by various privacy
laws). The Department declines to adopt these recommendations because
these conditions are targeted at fulfilling privacy-law requirements
and will not address the national security risks identified in the
Order. In the absence of any new evidence or support, the Department
declines to remove truncated government identification and account
numbers from the definition of ``listed identifiers'' for the reasons
detailed in the NPRM.\73\ The Department declines to add other internet
service-related exemptions, as Sec. 202.212(b)(2) already contains the
requested exclusion.
---------------------------------------------------------------------------
\72\ 89 FR 86206.
\73\ 89 FR 86124.
---------------------------------------------------------------------------
A commenter in the public research field applauded the proposed
rule but suggested that Social Security numbers be classified as a
covered personal identifier. Social Security numbers are included in
the definition of ``listed identifier'' in Sec. 202.234, which in turn
is incorporated into the definition of ``covered personal identifiers''
in Sec. 202.212.
Another commenter requested that the definition of ``covered
personal identifiers'' exclude data that has been anonymized, de-
identified, pseudonymized, aggregated, or is otherwise considered
publicly available in accordance with privacy laws. The Department
declines to amend this definition. As the Department has explained in
response to comments to the definitions of bulk U.S. sensitive personal
data and sensitive personal data, even anonymized data, when
aggregated, can be used by countries of concern and covered persons to
identify individuals and to conduct malicious activities that implicate
the risk to national security the Order was intended to address.
One commenter recommended ``remov[ing] network identifiers from
[the] set of listed identifiers,'' or that the Department eliminate
Sec. 202.234(g) on network identifiers altogether. As the commenter
noted, the Department has already carved out exceptions for network-
based identifier data that is only linked to other network-based
identifier data. However, when these identifiers are linked to other
types of sensitive personal data, the national security risks
identified in the NPRM are more likely to be present. Therefore, the
Department declines to implement the commenter's recommendations.
6. Section 202.234--Listed Identifier
The proposed rule defined a ``listed identifier'' as any piece of
data in any of the following data fields: (1) full or truncated
government identification or account number (such as a Social Security
number, driver's license or State identification number, passport
number, or Alien Registration Number); (2) full financial account
numbers or personal identification numbers associated with a financial
institution or financial-services company; (3) device-based or
hardware-based identifier (such as International Mobile Equipment
Identity (``IMEI''), Media Access Control (``MAC'') address, or
Subscriber Identity Module (``SIM'') card number); (4) demographic or
contact data (such as first and last name, birth date, birthplace, ZIP
code, residential street or postal address, phone number, email
address, or similar public account identifiers); (5) advertising
identifier (such as Google Advertising ID, Apple ID for Advertisers, or
other mobile advertising ID (``MAID'')); (6) account-authentication
data (such as account username, account password, or an answer to a
security question); (7) network-based identifier (such as Internet
Protocol (``IP'') address or cookie data); or (8) call-detail data
(such as Customer Proprietary Network Information (``CPNI'')). See
Sec. 202.234.
One commenter suggested that the Department remove the fifth
category (advertising identifiers) from the definition of ``listed
identifiers,'' arguing that advertising identifiers are not
[[Page 1652]]
personal information and that prohibiting the free flow of advertising
identifiers will seriously affect the development of the internet
advertising industry. The Department disagrees. As articulated in the
NPRM, advertising identifiers combined with other types of covered
personal identifiers are indeed linked or linkable to an individual and
therefore are included in the scope of bulk U.S. sensitive personal
data.
One commenter recommended that the Department remove any reference
to IP addresses from the rule due to the potential for businesses to
refrain from or be hindered in providing communications and
cybersecurity services. The commenter asserted that the NPRM referenced
IP addresses in multiple ways that deviate from their normal use.
Specifically, the commenter highlighted that IP addresses are sometimes
associated with more than one individual, and that one individual may
use multiple IP addresses depending on their location (at home, on
their mobile device, at work, etc.).
Further, the commenter identified alternative identifiers such as
call detail data and contact data that are frequently used with IP
addresses, suggesting that including IP addresses is redundant.
Finally, the commenter noted the challenges that entities have had in
complying with foreign laws that regulate IP addresses as personal data
and suggested that regulating IP addresses in this rule will further
strain those entities.
The Department notes that the definition of ``covered personal
identifiers'' in Sec. 202.212(b)(2) excludes network-based identifier,
account-authentication data, or call-detail data that is linked only to
other network-based identifier, account-authentication data, or call-
detail data as necessary for the provision of telecommunications,
networking, or similar service. The Department disagrees that the
inclusion of IP addresses is unnecessary and should be removed from the
rule. IP addresses are capable of being linked or linkable to a U.S.
person and can provide location data (including, in some circumstances,
precise geolocation data). The fact that IP addresses are sometimes
shared or could be attributed to more than one person in some
circumstances does not preclude them from also being capable of
identifying U.S. persons. To the contrary, even when they can be
attributed to more than one person in some circumstances, IP addresses
can be useful in narrowing down, and thus increasing the
identifiability of, other data that is linked or linkable to a U.S.
person. As the NPRM explained, location data that can be derived from
an IP address can provide important information related to patterns of
life, such as when a person goes from home to work and other locations.
Finally, the rule already separately exempts (1) from the
definition of covered personal identifiers, network-based identifiers,
call-detail data, or account-authentication data that is linked only to
other network-based identifiers, call-detail data, or account-
authentication data; (2) from the prohibitions and restrictions, any
transaction that is ordinarily incident to the provision of
telecommunications services; and (3) from the prohibitions and
restrictions, personal communications. The comment did not identify
what specific non-exempt transactions with countries of concern or
covered persons remain that would be prohibited or restricted, nor did
it explain how those transactions are integral to the delivery of
communications or cybersecurity services. No change to the rule appears
necessary.
7. Section 202.242--Precise Geolocation Data
The proposed rule defined ``precise geolocation data'' as data,
whether real-time or historical, that identifies the physical location
of an individual or a device with a precision of within 1,000 meters.
Two commenters suggested that the Department narrow the geographic
radius of precise geolocation data to align with U.S. State privacy
laws. No change was made in response to these comments. As a threshold
matter, the rule is already consistent with privacy laws when
accounting for available options on most devices. Specifically, the
California Privacy Rights Act, which a few commenters cited as the
standard the Department should follow, includes a geographic radius of
1,850 feet (approximately 563 meters).\74\ As indicated in the NPRM,
the Department considered State privacy laws with which companies are
already familiar, and which provide examples of the level of precision
at which a device's location warrants protection. Furthermore, as the
NPRM explained, the Department also examined Android and iOS software
developers' available settings for the precision of geolocation
readings, which included accuracy to within 10 meters, 100 meters,
1,000 meters, 3,000 meters, and 10,000+ meters.\75\ As discussed in the
NPRM, the Department concluded that location data at a distance greater
than 100 meters was still considered precise and presented an
unacceptable risk to national security, so the Department selected
1,000 meters as the option that most carefully balanced the risk that
countries of concern or covered persons could exploit U.S. persons'
precise geolocation data and current technology practices and
standards.
---------------------------------------------------------------------------
\74\ See, e.g., Cal. Civ. Code sec. 1798.140(w) (which uses a
radius of 1,850 feet); Utah Consumer Privacy Act, Utah Code Ann.
sec. 13-61-101(33)(a) (West 2024) (which uses a radius of 1,750
feet).
\75\ CLLocationAccuracy, Apple Developer, <a href="https://developer.apple.com/documentation/corelocation/cllocationaccuracy">https://developer.apple.com/documentation/corelocation/cllocationaccuracy</a>
[<a href="https://perma.cc/AZ48-VSCP">https://perma.cc/AZ48-VSCP</a>]; Change Location Settings, Android
Developer, <a href="https://developer.android.com/develop/sensors-and-location/location/change-location-settings">https://developer.android.com/develop/sensors-and-location/location/change-location-settings</a> [<a href="https://perma.cc/5BY3-P7L3">https://perma.cc/5BY3-P7L3</a>].
---------------------------------------------------------------------------
One commenter suggested lowering the geographical location range
from 1,000 meters to 100 meters, arguing that the proposed range was
too wide and may include many civil facilities, such as enterprises,
factories, and houses. The Department believes geolocation data within
a distance of 1,000 meters to be precise. For example, in guidance to
its members, the Network Advertising Initiative,\76\ a non-profit trade
group that crafts policies that protect users' privacy in the
advertising technology and digital advertising space, stated, ``If a
member receives information locating a user or device to an area with a
size of 1,000 [square] meters, that member can render the data
imprecise by only storing information that the user or device was in an
area with a size of 800,000 meters.'' \77\ Further to the point, this
comment seems to confuse the government-related geolocation data list
in Sec. 202.1401, with the distance of precise geolocation data for
the other regulated covered data transactions in Sec. 202.242. The
Department declines to adopt the recommendation.
---------------------------------------------------------------------------
\76\ Network Advert. Initiative, About the NAI, <a href="https://thenai.org/about-the-nai2/">https://thenai.org/about-the-nai2/</a> [<a href="https://perma.cc/GFN4-DVZ3">https://perma.cc/GFN4-DVZ3</a>] (showing
that the Network Advertising Initiative (NAI) is a non-profit, self-
regulatory association dedicated to responsible data collection and
its use for digital advertising).
\77\ Network Advert. Initiative, Guidance for NAI Members:
Determining Whether Location is Imprecise 3 (Feb. 2020), <a href="https://thenai.org/wp-content/uploads/2021/07/nai_impreciselocation2.pdf">https://thenai.org/wp-content/uploads/2021/07/nai_impreciselocation2.pdf</a>
[<a href="https://perma.cc/U7CS-YHR5">https://perma.cc/U7CS-YHR5</a>].
---------------------------------------------------------------------------
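As an added illustration (not text of the rule and not the Department's or the NAI's code) of the 1,000-meter line in Sec. 202.242 and of the "render the data imprecise" step the NAI guidance quoted above describes, the following screens location records by their reported accuracy radius and snaps precise ones to a grid whose cells are wide enough that the stored record no longer places the device within 1,000 meters. The record shape, the meters-per-degree constant, the default cell size, and the sample coordinates are assumptions; the threshold is the rule's, and the sample accuracy radii are the platform tiers the preamble lists.

```python
"""Precision screen and grid coarsening for location records.
Added illustration of the Sec. 202.242 threshold; record shape, constants
and samples are assumptions."""
import math
from dataclasses import dataclass

PRECISE_WITHIN_M = 1000.0        # Sec. 202.242: precise if within 1,000 meters
METERS_PER_DEG_LAT = 111_320.0   # assumed mean meters per degree of latitude


@dataclass(frozen=True)
class LocationRecord:
    lat: float
    lon: float
    accuracy_m: float  # radius within which the device is placed (as platforms report it)


def is_precise(rec: LocationRecord, threshold_m: float = PRECISE_WITHIN_M) -> bool:
    """True when the record places the device within the threshold radius."""
    return rec.accuracy_m <= threshold_m


def _meters_per_deg_lon(lat: float) -> float:
    # Longitude degrees shrink toward the poles; clamp to avoid division blow-up.
    return METERS_PER_DEG_LAT * max(math.cos(math.radians(lat)), 0.01)


def coarsen(rec: LocationRecord, cell_m: float = 2500.0) -> LocationRecord:
    """Snap the point to the centre of a cell_m x cell_m grid cell.

    After snapping, the record only says "somewhere in this cell", so the device
    is placed no tighter than half the cell side on each axis. The cell must be
    wider than twice the threshold or the result is still precise.
    """
    if cell_m <= 2 * PRECISE_WITHIN_M:
        raise ValueError("cell too small to leave the precise-geolocation range")
    lat_step = cell_m / METERS_PER_DEG_LAT
    lon_step = cell_m / _meters_per_deg_lon(rec.lat)
    lat_c = (math.floor(rec.lat / lat_step) + 0.5) * lat_step
    lon_c = (math.floor(rec.lon / lon_step) + 0.5) * lon_step
    half_side = cell_m / 2
    return LocationRecord(round(lat_c, 6), round(lon_c, 6), max(rec.accuracy_m, half_side))


def axis_offsets_m(a: LocationRecord, b: LocationRecord) -> tuple[float, float]:
    """North-south and east-west separation in meters (small-angle approximation)."""
    dlat = abs(a.lat - b.lat) * METERS_PER_DEG_LAT
    dlon = abs(a.lon - b.lon) * _meters_per_deg_lon((a.lat + b.lat) / 2)
    return dlat, dlon


# Constructed samples at the accuracy tiers the preamble cites for mobile platforms.
SAMPLES = [LocationRecord(38.8977, -77.0365, acc) for acc in (10.0, 100.0, 1000.0, 3000.0)]


def screen(records):
    """Return (original, was_precise, record_to_store) for each input."""
    out = []
    for r in records:
        precise = is_precise(r)
        out.append((r, precise, coarsen(r) if precise else r))
    return out


if __name__ == "__main__":
    for r, precise, kept in screen(SAMPLES):
        print(f"{r.accuracy_m:>7.0f} m  precise={precise!s:5}  stored={kept}")
```

The 10 m, 100 m and 1,000 m tiers all fall on the precise side of the definition and are coarsened; the 3,000 m tier is stored unchanged. The default cell of 2,500 m is chosen so that even the tighter per-axis bound (half the side, 1,250 m) exceeds the threshold; a 2,000 m cell would not, which is why the function rejects it.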
The definition of ``sensitive personal data'' excludes public or
nonpublic data that does not relate to an individual. Two commenters
requested clarity on the meaning of the exclusion ``does not relate to
an individual'' from sensitive personal data in the context of precise
geolocation data. In particular, the commenters sought a definition of
what ``relate to an individual'' means or a clarifying example to
explain what relates to an individual means when precise geolocation
data is defined
[[Page 1653]]
regarding an individual or a device. They noted that precise geolocation
data is defined in terms of U.S. devices, and therefore precise
geolocation data that is de-identified should be excluded from the
scope of the rule.
The Department does not believe it is necessary to create a new
definition regarding ``relate to an individual.'' This phrase in the
exclusionary language of Sec. 202.249(b)(1) is intended to avoid
regulation of proprietary data, trade secrets, and other data that does
not have to do with individuals. Similarly, the term ``U.S. device'' is
already limited to devices that ``store or transmit data that is linked
or linkable to a U.S. person.'' See Sec. 202.257. This definition does
not capture all geolocation data that derives from a U.S. device. For
example, a company may use U.S. devices to track the geolocation data
of corporate assets or packages for delivery without tying that data to
the individual using the device. That data would not constitute precise
geolocation data because the location of corporate assets or packages
does not ``relate to an individual'' and because the data is not
``linked or linkable to a U.S. person.'' If, however, the company ties
the geolocation data of those assets or packages to the individual
handling the U.S. device, the geolocation data would ``relate to an
individual'' and would be ``linked or linkable to a U.S. person.'' Of
course, how the U.S. company collects and handles that data in the
United States would not be regulated by the rule; only non-exempt
transactions that are prohibited or restricted involving that precise
geolocation data would be regulated under the rule.
8. Section 202.204--Biometric Identifiers
The proposed rule defined ``biometric identifiers'' as measurable
physical characteristics or behaviors used to recognize or verify the
identity of an individual, including facial images, voice prints and
patterns, retina and iris scans, palm prints and fingerprints, gait,
and keyboard usage patterns that are enrolled in a biometric system and
the templates created by the system.
One commenter raised concerns that the proposed definition is
broader than the current understanding of the term and claimed it could
include photos or pictures. The commenter suggested that the Department
narrow the definition of ``biometric identifiers'' to only include data
that relates to personal characteristics, has been processed using
specific technologies, and can uniquely identify a person. The
commenter asserted, without support, that this definition is closer to
the traditional understanding of the term and would therefore align
with existing compliance activities.
The Department declines to adopt this recommendation. The
definition of ``biometric identifiers'' already includes similar
limitations; biometric identifiers are defined as ``measurable physical
characteristics or behaviors used to recognize or verify the identity
of an individual.'' See Sec. 202.204. Further, adding a technological
processing component to the definition prevents any kind of raw data
from meeting the definition of a biometric identifier, allowing
countries of concern to acquire biometric identifiers and then conduct
the technological processing themselves. Limiting the definition to
data processed using specific technologies would also risk allowing new
technological developments to undermine the definition. The Department
believes this definition is effectively scoped to the national security
risk, and declines to narrow the definition, particularly based on
unsubstantiated compliance benefits. Finally, the rule already
separately excludes expressive information or informational materials
from all of the categories of sensitive personal data (including
biometric identifiers), so it appears unnecessary and redundant to
adjust this specific definition to address the commenter's concern.
Therefore, the Department makes no change to the definition of
``biometric identifiers'' in the final rule.
9. Section 202.224--Human `Omic Data
The proposed rule sought comment on the effect of regulating human
genomic data and whether to regulate other categories of human `omic
data. Several commenters expressed concerns about regulating covered
data transactions involving human genomic data. For example, some
commenters opposed setting the same bulk threshold for human genomic
data that involves the ``entire set . . . of the genetic instructions
found in a human cell'' and data that involves a ``subset'' of such
instructions, as the rule defines ``human genomic data.'' See Sec.
202.224(a)(1). Commenters explained that there is a low risk of
identifying a single individual from a subset of genetic instructions,
incomplete human genomes, or data about single genes that do not reveal
information that is consequential to the health of a U.S. person or
particular U.S. populations. The Department declines to change the
threshold for human genomic data. As described in the NPRM, countries
of concern, including the PRC, ``view . . . genomic data as a strategic
commodity to be collected and used for its economic and national
security priorities.'' \78\ As the NPRM explains, this data poses risks
not only for ``identifying traits such as health, emotional stability,
mental capacity, appearance, and physical abilities that might be
useful in intelligence recruitment,'' but also because ``countries of
concern may also use this data to develop military capabilities such as
bioweapons.'' \79\ The Department declines to raise the bulk threshold
applied to bulk human genomic data because the national security risks
posed by country of concern access to such data include risks unrelated
to a country of concern's ability to identify particular individuals or
U.S. populations from such data.
---------------------------------------------------------------------------
\78\ 89 FR 86142.
\79\ 89 FR 86157.
---------------------------------------------------------------------------
Other commenters questioned the necessity of the rule, arguing that
current research practices already handle genetic data securely with
strong privacy considerations, such as de-identification and
pseudonymization. As the NPRM explains, however, ``advances in
technology, combined with access by countries of concern to large
datasets, increasingly enable countries of concern that access this
data to re-identify or de-anonymize data,'' allowing them to ``reveal
exploitable sensitive personal information on U.S. persons.'' \80\
Accordingly, the Department declines to exempt from its prohibitions
and restrictions human genomic data that has been de-identified or
pseudonymized, outside the exemptions permitted by Sec. Sec. 202.510
and 202.511, which are subject to additional oversight by the Federal
Government or support data sharing necessary for regulated parties to
obtain or maintain regulatory approval or authorization to market or
research drugs or other products. In addition, some commenters
expressed concerns that the rule could impose unwanted administrative
burdens on U.S. researchers by creating roadblocks to data sharing,
thereby potentially decreasing the global competitiveness of U.S.
genetics research. The Department has calibrated the rule to balance
the interests in maintaining U.S. competitiveness in science and
research with the pressing national security risks identified by the
Order and in this rulemaking. The Department has adopted, clarified,
and revised exemptions in part IV.E of this preamble to help alleviate
the burden on
[[Page 1654]]
individuals conducting human genomic-related research.
---------------------------------------------------------------------------
\80\ 89 FR 86126.
---------------------------------------------------------------------------
One commenter noted the risk that policy makers and the media could
portray human genetic data as exceptional and dangerous, which could
erode public trust in scientists and negatively impact recruitment for
research studies. The Department appreciates the commenter's concern
but notes that the U.S. intelligence community has identified specific
national security risks posed by country of concern access to bulk U.S.
human genomic data that the rule seeks to mitigate and that outweigh
the speculative and indirect risks to public trust in scientists
asserted by the commenter.\81\ Finally, the commenter contended that it
is difficult to identify individuals solely through genetic testing,
arguing that the predictability of human genomic data is overstated in
the NPRM. As described elsewhere in part IV.B.9 of this preamble,
country of concern access to bulk human genomic data poses national
security risks beyond identifying discrete individuals or populations
that the rule's restrictions and prohibitions are intended to mitigate.
---------------------------------------------------------------------------
\81\ See, e.g., 89 FR 86142, 86178.
---------------------------------------------------------------------------
In the NPRM, the Department sought comments about whether and how
it should regulate transactions involving access to bulk human `omic
data other than human genomic data. The Department received several
comments on this topic, including one that supported robust regulation
and others that either opposed including other human `omic data in the
rule or proposed delaying its inclusion to a separate rulemaking. After
further consideration, the Department has determined in the final rule
to treat three categories of other human `omic data--epigenomic data,
proteomic data, and transcriptomic data--similarly to its treatment of
human genomic data. The bulk threshold for these additional categories
of human `omic data will be higher than for human genomic data. The
Department is not including any other categories of human `omic data in
the rule at this time. The Department incorporates this change by
defining a new term, ``human `omic data,'' that includes human genomic
data and each of the three listed other human `omic categories.
At a high level, the `omics sciences examine biological processes
that contribute to the form and function of cells and tissues.\82\ Many
commenters urged the Department to move cautiously in regulating other
human `omic data to avoid disrupting the development of new and
promising fields of research. Although none of these comments spoke
with any specificity about the risks of regulating covered data
transactions as contemplated by the NPRM, the Department agrees that a
cautious approach is needed.
---------------------------------------------------------------------------
\82\ See, e.g., Evolution of Translational Omics: Lessons
Learned and the Path Forward 23, 33 (Christine M. Micheel et al.,
eds., 2012), <a href="https://www.ncbi.nlm.nih.gov/books/NBK202168/pdf/Bookshelf_NBK202168.pdf">https://www.ncbi.nlm.nih.gov/books/NBK202168/pdf/Bookshelf_NBK202168.pdf</a> [<a href="https://perma.cc/Q5YE-7XLM">https://perma.cc/Q5YE-7XLM</a>].
---------------------------------------------------------------------------
The Department recognizes that not all categories of human `omics
data present the same degree of risk if accessed by a country of
concern or covered person. Data from some human `omic categories, for
example, do not present the same identifiability concerns that exist
for human genomic data. But the Department remains deeply concerned by
the national security risk associated with transactions involving human
epigenomic, proteomic, or transcriptomic data. The fields of
epigenomics, proteomics, and transcriptomics are--after genomics--the
most advanced `omic fields.\83\ Generally speaking, epigenomics is the
study of changes in gene expression that do not involve alterations to
the DNA sequence itself. The field of proteomics generally aims to
identify and characterize proteins and study their structures,
functions, interactions, and post-translational modifications. The
field of transcriptomics generally aims to understand gene expression
patterns, alternative splicing, and regulation of RNA molecules. These
three human `omic categories have the greatest clinical and predictive
capacity, especially when used in combination with genomics and other
`omic categories, because they are most closely related to genomics.
---------------------------------------------------------------------------
\83\ Carly S. Cox et al., Information Gathered on the Potential
Impact of Including Omic Data in a Rule on Access to Sensitive U.S.
Data, Appendix A (Science and Technology Policy Institute, Nov.
2024) [hereinafter STPI Report] (citing Dai and Shen 2022). The full
STPI Report is available on <a href="http://regulations.gov">regulations.gov</a> (Docket No. NSD-104).
---------------------------------------------------------------------------
Data in these categories may be used by countries of concern in
numerous ways. This includes risk related to identifiability,
particularly for human transcriptomic data, but also, as one commenter
indicated, for human epigenomic data, human proteomic data, and human
meta-multiomic data.\84\ But the risks are not limited to
identifiability, and countries of concern might leverage access to bulk
U.S. human `omic data in other ways that are adverse to U.S. national
interests. The same attributes that make this data useful for general
research make it potentially useful for nefarious purposes--for
example, to train AI systems enabling the military capabilities of
adversaries and undermining the U.S. bioeconomy. Additionally,
classified reporting reviewed by the Department further underscores the
risks of allowing countries of concern to access U.S. person data in
these categories.
---------------------------------------------------------------------------
\84\ See, e.g., Patrycja Daca-Roszak & Ewa Zietkiewicz,
Transcriptome Variation in Human Populations and Its Potential
Application in Forensics, 60 J. Appl. Genet. 319 (Nov. 2019),
<a href="https://doi.org/10.1007/s13353-019-00510-1">https://doi.org/10.1007/s13353-019-00510-1</a>.
---------------------------------------------------------------------------
In addition to the comments, the Department has also reviewed a
November 2024 limited study performed by the Science and Technology
Policy Institute (``STPI'') that sought to preliminarily evaluate the
effect on ongoing or planned research if the Department regulated human
genomic and other human `omic data in this rulemaking.\85\ That study,
which used various methods to estimate the effect of the contemplated
regulations on research efforts (including surveying and interviewing
potentially impacted stakeholders), concluded that there was unlikely
to be substantial disruption to research. The report, though limited by
its scope and methodology, concluded that only ``a small proportion of
the U.S. research community is participating in research that involves
collaboration with a country of concern'' and that even ``among groups
that do have existing research collaborations with a country of
concern, none of those collaborations involved data sharing that would
constitute a transaction of bulk human `omic data.'' \86\ STPI's review
of clinical trials identified only a single clinical trial that is
currently active in the United States, involves more than 100
participants, gathers `omic (in this case, transcriptomic and genomic)
data, and has a site in China.\87\
---------------------------------------------------------------------------
\85\ See STPI Report, supra note 83.
\86\ Id. at 38.
\87\ Id. at 40. The report found generally low levels of
clinical trials of any sort that also involved a site in a country
of concern.
---------------------------------------------------------------------------
Most of the concerns identified in the STPI report arose from
general compliance concerns, such as that Federal funding entities
would impose different requirements or that researchers would have to
adjust computer security protocols. For example, one interviewee noted
that it took substantially longer to build infrastructure to facilitate
data sharing when cybersecurity requirements had to be met.\87\ Another
thought that research would be slowed because of confusion
[[Page 1655]]
about the scope of the rule during implementation.\88\ One interviewee
observed that the institutional burden of complying with new rules
would limit collaboration with researchers in countries of concern.\89\
It is hard to disentangle these concerns from the other provisions of
the rule, and it is likely that also regulating these three categories
of other human `omic data will pose only limited marginal costs to
research and industry compared to the costs attributable to other
aspects of the rule, including the provisions pertaining to human
genomic data. Indeed, one interviewee expressly predicted that
including other human `omic data in the scope of the regulation would
have no change on the regulatory burden because `omic research almost
always also involves genomic data.\90\
Given the significant national security risks posed by country of
concern or covered person access to these data, the limited available
evidence to characterize the marginal disruptive effect of regulating
these human `omics categories, and the immaturity of research and
commercialization of these human `omics and related applications at
present, the Department has determined to regulate these three
categories of human `omic data.
One commenter expressed support for the inclusion of provisions
regulating other human `omic data, noting that these restrictions will
significantly bolster U.S. biodefense and biosecurity. The commenter
noted that bulk human `omics data should be viewed as providing insight
into how the body is affected by changes in the environment and diet,
by infectious and non-communicable diseases, or by other circumstances.
The commenter encouraged the Department to implement regulations
restricting the transfer of human `omic data, noting that if the United
States is concerned about an outside entity using human genomic data to
maliciously attack the American public via biological threats, then the
information gathered via other human `omic data--especially proteomics
and metabolomics--should be considered equally and perhaps more
sensitive. The Department appreciates this comment. For the current
rulemaking, however, the Department has chosen to focus on the most
acute threats related to human `omic data. The Department may revisit
regulating transactions involving additional human `omic data in future
rulemaking.
One comment offered specific and helpful suggestions for revising
the Department's proposed definitions. The Department greatly
appreciates this comment and has incorporated the commenter's
suggestions as applicable to the three additional categories of human
`omic data in the final rule. For example, the definition of ``human
proteomic data'' now expressly excludes routine clinical measurements.
The Department made similar changes to the definitions of ``human
epigenomic data'' and ``human transcriptomic data.'' The final rule
also clarifies that human proteomic, human epigenomic, and human
transcriptomic data include only data derived from a systems-level
analysis.
In the NPRM, the Department indicated it was considering carving
out pathogen data in `omic datasets. One commenter strongly supported
this exclusion, explaining that pathogen-related data serves important
and unique public health functions. In the preamble to the NPRM, the
Department explained that it would take a similar approach to that
which the commenter suggested with respect to human genomic data; in
the final rule the Department expressly excludes from the definition of
``human `omic data'' pathogen-specific data embedded in `omic data
sets.
Another commenter stressed that, if the Department includes other
human `omic data, it must also include them in the exemptions in
subpart E, including for regulatory approval data and clinical
investigations in Sec. Sec. 202.510 and 202.511. The Department
agrees. Those provisions already exempt transactions within their scope
from the provisions in subparts B and C, which are the operative
provisions prohibiting or restricting transactions. Application of
those exemptions does not turn on the type of data involved, and the
exemptions apply equally to transactions involving human `omic data as
to other categories of sensitive personal data.
Numerous commenters stressed that bulk thresholds for the other
human `omic categories identified in the NPRM should vary with risk and
should be higher than the threshold for human genomic data. Commenters
did not provide specific input on what those thresholds should be or
which `omics categories should have relatively higher or lower
thresholds (except that phenomics probably presented a lower risk). The
three additional `omic categories the Department is regulating are
those with the greatest national security risks at this time, but the
Department agrees that, given the nascency of these fields and the
relatively greater difficulty of using these `omic data for
identification, the bulk thresholds for these categories should be
higher than for human genomic data. Some stakeholders requested simpler
rules to minimize compliance costs, and the Department recognizes that,
independent of individual risk analysis, there is a benefit to setting
the thresholds for all human `omics categories at the same level. But,
in many use cases, this type of data is used together with genomic
data, and so there may be limited practical effects to setting
different thresholds for these human `omics categories.\88\ For these
reasons, the Department uses a threshold of 1,000 U.S. persons for all
these three additional categories of human `omic data (epigenomic,
proteomic, and transcriptomic data), while maintaining the 100 U.S.
person threshold for human genomic data set out in the NPRM.
---------------------------------------------------------------------------
\88\ See, e.g., STPI Report, supra note 83, at 17.
---------------------------------------------------------------------------
10. Section 202.240--Personal Financial Data
The proposed rule defined ``personal financial data'' as data about
an individual's credit, charge, or debit card, or bank account,
including purchases and payment history; data, including assets,
liabilities, debts, and transactions in a bank, credit, or other
financial statement; or data in a credit report or in a ``consumer
report'' (as defined in 15 U.S.C. 1681a(d)).
One commenter sought clarification on whether ``personal financial
history'' pertains solely to transactions with financial institutions
or includes all purchase and payment history. The Department interprets
this question as asking about the scope of the term personal financial
data. The Department confirms that personal financial data in Sec.
202.240, including payment history, applies across the board. It is not
limited to purchases and payment history collected only by financial
institutions.
Another commenter suggested that the Department clarify that
personal financial data only includes information from sources like
banks or credit statements, and not from vendors, merchants, search
engines, or e-commerce records. The Department declines to adopt the
recommendation. While such records are not automatically considered
personal financial data, any record that contains ``data about an
individual's credit, charge, or debit card, bank account, including
purchases and payment history, and data in a bank, credit, or other
financial statement, or in a credit report or consumer report'' meets
the definition. See Sec. 202.240. The same commenter suggested that
personal
[[Page 1656]]
financial data should only be restricted when it comes directly from an
individual's bank accounts. However, the focus of the definition in the
final rule is on the content of the records, documents, or information
containing personal financial data, not necessarily the source. As the
proposed rule explained, countries of concern and covered persons seek
such personal financial data from any source and can combine it with
other data to create vulnerabilities that malicious actors might
exploit, posing national security risks.\89\ Therefore, the Department
declines to limit the definition based on the data source.
---------------------------------------------------------------------------
\89\ See, e.g., 89 FR 86161.
---------------------------------------------------------------------------
11. Section 202.241--Personal Health Data
The proposed rule defined ``personal health data'' as health
information that relates to the past, present, or future physical or
mental health or condition of an individual; the provision of
healthcare to an individual; or the past, present, or future payment
for the provision of healthcare to an individual. The term includes
basic physical measurements and health attributes (such as bodily
functions, height and weight, vital signs, symptoms, and allergies);
social, psychological, behavioral, and medical diagnostic,
intervention, and treatment history; test results; logs of exercise
habits; immunization data; data on reproductive and sexual health; and
data on the use or purchase of prescribed medications.
One commenter suggested that the Department remove ``or the past,
present, or future payment for the provision of healthcare to an
individual,'' ``social, psychological, behavioral,'' and ``logs of
exercise habits'' from the definition of ``personal health
information.'' This commenter argued that medical expenditures are
helpful to the construction and communication of medical treatment
systems but cannot directly reflect someone's disease diagnosis and
treatment, and thus should not be restricted. The same commenter also
asserted, without explanation, that social, psychological, behavioral
and sports habits are too broad to pose any threat to national
security. The Department declines to adopt the recommendation. Medical
expenditures can be revealing about the nature of a diagnosis or
medical issue. For example, medical billing statements often come with
diagnostic codes to show the services provided by a medical
practitioner or facility. An expenditure in a specific location (e.g.,
an oncology office, obstetrics office, or dialysis center) can
similarly reveal information about health conditions. Likewise, data
such as social, psychological, or behavioral habits on a specific
individual can be exploited by a country of concern as a means of
recruitment by an intelligence service (particularly via blackmail or
coercion). This data in the hands of a country of concern could
certainly pose a risk to U.S. national security, as shown by numerous
open-source examples in this preamble and the NPRM's preamble in which
reporters and researchers used precisely this kind of data (such as
exercise logs) to track, surveil, and glean insights on U.S. military
activities and personnel overseas. The rule thus adopts the approach
described in the NPRM without change.
As the NPRM described, this proposed definition operates on a
categorical basis and determines that the category of personal health
data generally meets the requirements of being ``exploitable by a
country of concern to harm United States national security'' and
``linked or linkable to any identifiable United States individual or to
a discrete and identifiable group of United States individuals'' under
section 7(l) of the Order. The Department welcomed comment on the
extent to which there is discrete data related to an individual's
physical or mental health condition that is not inherently linked or
linkable to U.S. individuals (such as a dataset of only heights or
weights with no identifying information).
Commenters did not address the Department's question. Instead,
several commenters raised issues with the Department's use of the term
``relates'' in the proposed rule's definition of ``personal health
data.'' The commenters urged the Department to define the term, or to
narrow the definition of ``personal health data'' to replace the term
``relates'' with other terms, such as ``identifies'' or ``reveals.''
They contended that data that ``relates'' to an individual, but does
not identify an individual, has a low potential to cause harm but is
essential to commerce, access to goods and services, and to ensuring
that innovation is not stifled. One commenter mentioned that the term
``relates'' is so broad that it could apply to the sale not only of a
prescription, but also to innocuous retail purchases that relate to a
condition but do not identify it, such as the purchase of tissues at a
supermarket.
The Department has revised the definition of ``personal health
data'' to provide greater clarity, particularly for regulated parties
not typically governed by the Health Insurance Portability and
Accountability Act of 1996 (``HIPAA'') or familiar with its
terminology. Personal health data within the rule's scope must
indicate, reveal, or describe the past, present, or future physical or
mental health condition of an individual; the provision of healthcare
to an individual; or the past, present, or future payment for the
provision of healthcare to an individual.
However, the Department declines to replace the term ``relates''
with the term ``identifies.'' The commenters do not support their
assertion that data that does not identify individuals on its face has
a low potential to cause harm. The rule intentionally does not define
personal health information in terms of whether the information
identifies individuals, because the rule applies across the board,
regardless of whether data is de-identified. This approach responds to
the national security risks posed by countries of concern that may have
the ability to re-identify the data. The Department discussed these
risks in detail in the NPRM, and in part IV.B.4 of this preamble. The
Department also notes that the definition of ``personal health data''
includes an illustrative list of the types of data that the term
includes, including the use or purchase of prescribed medications.
Although this list is not exhaustive, it demonstrates the kinds of
personal health information that the Department intends the definition
to cover.
One commenter contended that the HIPAA de-identification standards
are out of date, and do not protect individuals in today's data-rich
and computational-rich environment. The commenter commended the NPRM
for addressing the ever-increasing ability to re-identify supposedly
de-identified data, requested that traditional de-identified HIPAA data
be subject to the final rule, and further proposed that de-identified
personal health data such as medical records, pharmacy records, and
reproductive health records or purchases be covered by the final rule.
The Department agrees with this recommendation.
One commenter agreed with the need to regulate personal health data
and suggested that the Department discuss the regulations with
electronic medical record organizations and hospital associations. The
Department, both on its own and with other agencies, discussed the NPRM
with 44 medical organizations, associations, and other stakeholders
that will be impacted by the regulations, comprised of healthcare trade
associations, biotechnology
[[Page 1657]]
organizations, research laboratories, and universities.
12. Section 202.206--Bulk U.S. Sensitive Personal Data
The prohibitions and restrictions apply to ``bulk U.S. sensitive
personal data,'' which the proposed rule described as a collection or
set of sensitive personal data relating to U.S. persons, in any format,
regardless of whether the data is anonymized, pseudonymized, de-
identified, or encrypted.
Three commenters mistakenly noted that the definition of ``bulk
U.S. sensitive personal data'' did not include a definition for
``sensitive personal data'' or ``sensitivity'' and could, as a result,
be interpreted too broadly to cover all data, not just sensitive data.
As shown in the ANPRM and NPRM, the proposed rule already incorporated
a separate definition of the term ``sensitive personal data'' in Sec.
202.249, which is limited to the six categories of bulk U.S. sensitive
personal data. Furthermore, the definition of ``bulk,'' as provided in
Sec. 202.205, incorporates this definition of ``sensitive personal
data.'' Therefore, the term ``bulk U.S. sensitive personal data'' is
appropriately scoped. However, another commenter recommended that the
Department amend the definition of ``bulk U.S. sensitive personal
data,'' which says, ``a collection or set of bulk data,'' to align with
the characterization of the term in the part IV.A.13 of the NPRM, which
says ``a collection or set of sensitive personal data.'' The Department
agrees and has updated the definition of ``bulk U.S. sensitive personal
data'' accordingly to ensure consistency, which should help further
clarify the scope of bulk U.S. sensitive personal data. The Department
has amended the definition of ``bulk U.S. sensitive personal data'' to
read as follows: ``The term bulk U.S. sensitive personal data means a
collection or set of sensitive personal data relating to U.S. persons,
in any format, regardless of whether the data is anonymized,
pseudonymized, de-identified, or encrypted, where such data meets or
exceeds the applicable threshold set forth in Sec. 202.205.''
One commenter asked for clarification on whether precise
geolocation data and personal health data include de-identified data.
The Department encourages this commenter to review Sec. 202.206. Three
commenters suggested that the Department include definitions for the
terms ``anonymized,'' ``pseudonymized,'' and/or ``de-identified.'' One
such commenter recommended, in the context of the exemptions listed in
Sec. Sec. 202.510 and 202.511, that the Department adopt a definition
of ``de-identified'' that is consistent with the privacy protection
standards required by the U.S. Food and Drug Administration (``FDA'')
as part of post-marketing adverse event reporting; namely, that the
data be coded and not include individual names or addresses. The
Department declines to adopt this suggestion. Such techniques evolve
over time, and the final rule is intended to capture these developments
and remain technology neutral. As one of the above commenters admitted,
these are terms that are not universally understood to mean the same
things. More broadly, these terms in the definition are meant to
capture any claimed method for or attempt at anonymizing,
pseudonymizing, or de-identifying sensitive personal data. As explained
below in this part of the preamble, by including any attempt at
anonymizing, pseudonymizing, or de-identifying sensitive personal data
within the scope of ``sensitive personal data'' but then authorizing
restricted transactions that comply with the methods of anonymization,
pseudonymization, and de-identification laid out in CISA's security
requirements to the extent such methods are sufficient to fully and
effectively prevent access to covered data that is linked or
identifiable (or unencrypted or decryptable), the rule promotes
effective methods while prohibiting ineffective methods. No change to
this rule thus appears necessary.
Several commenters suggested that the Department modify the
definition of ``bulk U.S. sensitive personal data'' to exclude data
that is anonymized, pseudonymized, or de-identified ``in compliance
with internationally recognized industry standards.'' These commenters
suggested that such an approach would be appropriate where the link
between the identifying dataset and the individual has been removed,
where the data has been de-identified pursuant to HIPAA ``expert
determination'' de-identification methods, or where the data has been
``reasonably deidentified where a data controller has taken a clearly
defined risk-based approach.'' Many of these commenters argued that it
is difficult to tie anonymous or de-identified personal information to
an individual or an individual's device and that such information is
therefore not sensitive personal data. One commenter noted that
effective de-identification, consistent with clear standards, has
proven protective of individual privacy interests and is critical for
research that leads to medical advancements. Another commenter argued
that the Department's cited studies did not offer definitive evidence
that re-identification of truly anonymized data is a real risk, but the
commenter provided no evidence to contradict the cited studies or to
support their conclusion. Another commenter said that control measures
for anonymized, pseudonymized, and de-identified data should be
different than control measures for unprocessed original data. Finally,
one commenter noted that the Department should instead direct DHS to
identify standards for de-identifying and anonymizing data that meet
certain requirements.
Other commenters suggested that the definitions of government-
related data also exclude data that is subject to robust encryption
measures, including, but not limited to, data protected via post-
quantum cryptography algorithms approved by the National Institute of
Standards and Technology (``NIST'') to withstand quantum computer
attacks. A few commenters opposed the inclusion of encrypted data based
on the proposed CISA security requirements relating to data
minimization and data masking strategies for restricted transactions.
One commenter noted that the inclusion of encrypted data does not
represent a carefully calibrated action and would curtail the
usefulness of privacy-enhancing technologies (even though some of these
were explicitly included in the proposed CISA security requirements).
This same commenter stated, without providing any support, that
quantum-computing capabilities that could be used to decipher encrypted
data are too far from being operational to decrypt bulk data. Another
commenter noted that adopting an exemption for these algorithms would
incentivize better encryption and promote post-quantum cryptography
adoption.
The Department declines to alter the approach in the NPRM. These
comments inaccurately suggest that this rule would treat anonymized,
pseudonymized, de-identified, and encrypted data the same as
unprocessed data. The rule does not prohibit all covered data
transactions with countries of concern or covered persons whenever the
sensitive personal data is anonymized, pseudonymized, de-identified, or
encrypted. Instead, the rule includes such data within the scope of
sensitive personal data and then authorizes the three categories of
restricted transactions as long as they meet CISA's security
requirements, which include data-level requirements that allow
transactions to proceed with sufficiently effective techniques to
accomplish data minimization and
[[Page 1658]]
masking, encryption, and/or privacy-enhancing technologies, and
otherwise comply with the rule's other applicable requirements. For
example, depending on the other circumstances of the restricted
transaction, including the findings of the relevant internal risk
assessment conducted in accordance with CISA's security requirements,
the use of NIST-approved post-quantum cryptography algorithms would
appear to satisfy the data-level requirement of applying comprehensive
encryption techniques during transit and storage, as described in the
CISA security requirements.
The rule's effect is therefore to strike a balance by allowing
employment, vendor, and investment agreements with countries of concern
or covered persons that use the robust anonymization, encryption, and/
or other data-level requirements specified by CISA's security
requirements along with organizational and system-level requirements,
which are derived from the existing and commonly used security
standards for securing data. At the same time, the rule does not allow
transactions if they involve access by a covered person or country of
concern to unprocessed sensitive personal data or insufficient
anonymization, encryption, or other data-level requirements that do not
meet CISA's security requirements.
This approach allows for restricted transactions to move forward,
while setting a floor for the security applied to the underlying
government-related data and bulk U.S. sensitive personal data in these
transactions. As CISA explains, the final security requirements permit
organizations to conduct restricted transactions by applying a
sufficient combination of data-level techniques (such as
pseudonymization, de-identification, aggregation, and/or encryption, as
outlined in the security requirements) that either allow access to an
appropriately mitigated version of the data or directly deny countries
of concern and covered persons access to the data itself, in
conjunction with implementing the organizational and system level
requirements.
This approach is consistent with the NPRM's explanation that access
to weakly anonymized, pseudonymized, encrypted, or de-identified data
presents similar national security risks as access to the unprocessed
or identifiable sensitive personal data. As the NPRM explained,
countries of concern are attempting to access and exploit anonymized,
pseudonymized, de-identified, and encrypted data (including to identify
individuals). The NPRM also explained at length, using representative
studies and open-source examples, how not all forms of anonymization,
pseudonymization, de-identification, and encryption provide sufficient
protection from re-identification. These comments do not address the
NPRM's explanation, do not provide any contrary evidence, and merely
state a desired conclusion. The NPRM's approach allows the Department
to strike an appropriate balance between ensuring that restricted
transactions can continue given their greater economic value and
ensuring that there are robust safeguards in place to protect this
data.
As a result, the rule's approach, coupled with CISA's security
requirements, is designed to encourage the adoption of sufficiently
effective methods of encryption, aggregation, and/or other privacy-
preserving technologies. One of the data-level requirements available
in the security requirements is to encrypt the data ``during transit
and storage'' using comprehensive encryption, with secure management of
the cryptographic key. As the security requirements explain, United
States Government-approved encryption algorithms, ciphers, and
protocols--including any United States Government-approved standards
for quantum-resistant public-key cryptographic algorithms--are
considered comprehensive encryption.
While post-quantum cryptography could be part of a sufficient
combination of data-level requirements under the security requirements
to allow a restricted transaction to go forward (so long as such
encryption qualifies as comprehensive encryption), the Department
declines to entirely exempt restricted transactions that implement a
particular level of encryption. As the NPRM explained, the use of a
strong cryptographic method is one tool to mitigate the risk of access
to data. But as the security requirements make clear, encryption by
itself is not a panacea. Encryption is not sufficient on its own to
adequately mitigate the risk of access by a country of concern or
covered person. Instead, even robust encryption must be accompanied by
other measures to be effective in mitigating the risk of access. For
example, comprehensive encryption must be accompanied by secure
cryptographic key management (such as ensuring that the key is not co-
located with the data and that covered persons and countries of concern
do not have access to the key). Similarly, encryption must be
implemented with the organizational- and system-level requirements to
ensure that encryption is implemented effectively, for example, by
treating the systems responsible for the storage of and access to
encryption keys as being subject to organizational- and system-level
controls that mitigate the risk that a covered person is able to access
the keys to decrypt the data. And the use of even post-quantum
cryptography does not eliminate the need to perform due diligence,
audit compliance with the security requirements, and keep records. As a
result, the Department declines to exempt restricted transactions
merely because they use industry-standard encryption.
Finally, the rule offers a host of exemptions related to health
research, including exemptions for federally funded research, certain
clinical trials, and sharing of this data pursuant to international
agreements such as certain pandemic surveillance agreements. The rule
also authorizes the Department to issue general and specific licenses
as necessary and appropriate.
13. Section 202.205--Bulk
The NPRM proposed applying the proposed rule's prohibitions and
restrictions to bulk amounts of U.S. sensitive personal data (in
addition to the separate category of government-related data). The
proposed rule defined ``bulk'' as any amount of such data that meets or
exceeds thresholds during a given 12-month period, whether through one
covered data transaction or multiple covered data transactions
involving the same U.S. person and the same foreign person or covered
person.
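To show how the thresholds stated above for human `omic data (100 U.S. persons for human genomic data, 1,000 for the three additional categories) combine with the 12-month aggregation in the definition of ``bulk,'' the following is an added Python example, not the Department's or CISA's own tooling. It unions the U.S. persons covered across a U.S. person's covered data transactions with the same counterparty over a trailing 365-day window (an assumption for the ``12-month period'') and compares the result with the applicable threshold; the party names, dates and record identifiers are constructed, and thresholds for the other categories in Sec. 202.205 are deliberately not included.

```python
"""Trailing-12-month bulk-threshold check (added example, not the Department's tool)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds stated in this part of the preamble, in U.S. persons. Thresholds for the
# other categories of sensitive personal data (and for combined datasets) are set in
# Sec. 202.205 and are deliberately not reproduced here.
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "human_epigenomic": 1_000,
    "human_proteomic": 1_000,
    "human_transcriptomic": 1_000,
}

# Assumption: the "given 12-month period" is evaluated as a trailing 365-day window
# ending on the evaluation date (inclusive).
WINDOW_DAYS = 365


@dataclass(frozen=True)
class CoveredDataTransaction:
    when: date
    us_person: str        # the U.S. person engaging in the transaction
    counterparty: str     # the foreign person or covered person on the other side
    category: str         # key into BULK_THRESHOLDS
    record_ids: frozenset # one pseudonymous identifier per U.S. person whose data is included


def in_window(when: date, end: date, window_days: int = WINDOW_DAYS) -> bool:
    """True if `when` falls inside the trailing window ending on `end` (inclusive)."""
    return end - timedelta(days=window_days - 1) <= when <= end


def aggregate_persons(transactions, end: date, window_days: int = WINDOW_DAYS):
    """Count distinct U.S. persons per (U.S. person, counterparty, category) over the
    window. A union rather than a sum, so a person whose data appears in two
    transactions with the same counterparty is counted once."""
    seen = defaultdict(set)
    for t in transactions:
        if in_window(t.when, end, window_days):
            seen[(t.us_person, t.counterparty, t.category)].update(t.record_ids)
    return {key: len(ids) for key, ids in seen.items()}


def bulk_determinations(transactions, end: date, window_days: int = WINDOW_DAYS):
    """For each (U.S. person, counterparty, category) with a threshold quoted on this
    page, report (persons_in_window, threshold, is_bulk). "Meets or exceeds" is >=."""
    result = {}
    for key, n in aggregate_persons(transactions, end, window_days).items():
        threshold = BULK_THRESHOLDS.get(key[2])
        if threshold is None:
            continue  # category whose threshold is not quoted in this section
        result[key] = (n, threshold, n >= threshold)
    return result


def _ids(prefix: str, start: int, stop: int) -> frozenset:
    """Constructed pseudonymous record identifiers prefix+start .. prefix+(stop-1)."""
    return frozenset(f"{prefix}{i}" for i in range(start, stop))


def sample_determinations():
    """Constructed scenario: two genomic transfers to VendorX, each under 100 persons,
    overlap by 10 persons and together reach exactly 100 (bulk); a 900-person
    proteomic transfer stays under 1,000; a 2024 genomic transfer falls outside
    the window; a 40-person transfer to VendorY is aggregated separately."""
    txns = [
        CoveredDataTransaction(date(2025, 5, 1), "AcmeBio", "VendorX", "human_genomic", _ids("g", 0, 60)),
        CoveredDataTransaction(date(2025, 9, 15), "AcmeBio", "VendorX", "human_genomic", _ids("g", 50, 100)),
        CoveredDataTransaction(date(2025, 6, 1), "AcmeBio", "VendorX", "human_proteomic", _ids("p", 0, 900)),
        CoveredDataTransaction(date(2024, 1, 10), "AcmeBio", "VendorX", "human_genomic", _ids("g", 100, 300)),
        CoveredDataTransaction(date(2025, 8, 1), "AcmeBio", "VendorY", "human_genomic", _ids("g", 0, 40)),
    ]
    return bulk_determinations(txns, end=date(2025, 12, 31))


if __name__ == "__main__":
    for key, (n, threshold, is_bulk) in sorted(sample_determinations().items()):
        print(key, n, "/", threshold, "bulk" if is_bulk else "below threshold")
```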
The Department proposed volume-based thresholds for each category
of sensitive personal data and for combined datasets. See Sec.
202.205. The bulk thresholds are based on a risk-based assessment that
accounts for the characteristics of datasets that affect the data's
vulnerability to exploitation by countries of concern and that affect
the consequences of exploitation.
In the ANPRM, the Department previewed ranges within which each of
the bulk thresholds would be selected, relying on orders-of-magnitude
differences to develop preliminary judgments.\90\ The Department sought
input on the thresholds from the public in response to the ANPRM. While
commenters expressed varying views (including that the potential
thresholds were too high or too low, should be zero, or should be
eliminated entirely), these comments merely stated their preferred
numbers.\91\ None of the comments provided actionable data points, use
cases, or evidence that would support an alternative analytical
framework or support adopting one
[[Page 1659]]
particular threshold over another. Given this lack of specificity, the
Department (along with the Department of Commerce) followed up
individually with each commenter on this topic to seek any additional
information available, but those engagements did not yield any
materially new qualitative or quantitative information to reliably
inform the selection of the bulk thresholds.\92\
---------------------------------------------------------------------------
\90\ 89 FR 15786.
\91\ 89 FR 86164.
\92\ Id.
---------------------------------------------------------------------------
In the NPRM, the Department proposed thresholds within the ranges
previewed in the ANPRM and set forth the relevant analysis, including
the methodology and risk-based assessment for each category of
sensitive personal data.\93\ As part of that analysis, the NPRM
examined whether potential unintended economic impacts from the choice
of specific thresholds should justify deviating from the risk-based
analysis and determined, based on available information, that they
should not. As the NPRM explained, neither the Department nor
commenters identified actionable data or analysis suggesting that the
specific choice of thresholds above zero is reasonably likely to result
in unintended and unanticipated downstream impacts, and thus it did not
appear to make a difference whether a threshold is, for example, 100
versus 1,000. The NPRM also explained that it seems unlikely that any
such data or analysis exists that would be detailed and representative
enough to reasonably affect the choice of any specific thresholds above
zero, and there is no known, reliable, sufficiently representative
qualitative or quantitative data sufficient to conclude that a choice
between potential thresholds would meaningfully affect the number of
transactions subject to the regulations or the cost of compliance. As
at the ANPRM stage, while commenters once again expressed varying views
and stated their preferred thresholds in response to the NPRM, none of
the comments provided actionable data points, use cases, or evidence
that would support an alternative analytical framework or support
adopting one particular threshold over another. The Department of
Justice (along with the Department of Commerce) once again followed up
individually with commenters on this topic to seek any additional
information, but those engagements did not yield any materially new
qualitative or quantitative information to reliably inform the
selection of the bulk thresholds.
---------------------------------------------------------------------------
\93\ 89 FR 86164-65.
---------------------------------------------------------------------------
No commenter opposed the risk-based framework and analysis that the
NPRM laid out to determine the bulk thresholds, such as by suggesting
an alternative methodology. Other than bare assertions of policy
preferences about the thresholds, the comments addressed only discrete
issues with respect to the thresholds.
The rule therefore adopts the bulk thresholds as proposed in the
NPRM. The bulk thresholds analysis in the NPRM necessarily focused on
orders of magnitude and set ratios based on the relative sensitivity of
the six types of sensitive personal data. On the risk side, order of
magnitude is the most granular level of reliable analysis given current
experience and available information. Research makes clear, for
example, that a relatively small amount of sensitive personal data can
be used to extrapolate insights about a population that is orders of
magnitude larger. By using basic statistical inference techniques, a
sample size need not exceed 10 percent in order to draw conclusions
about an entire population. As discussed above in this part of the
preamble, fairly small sample sizes of Americans may allow for
inferences on much larger segments of the U.S. population.\94\ And
although the Department considered whether this risk-based setting of
ratios should be altered to account for potential unintended economic
impacts, there is no sufficiently granular information or analysis
about the types and volumes of data involved in the categories of
regulated transactions to reliably inform a choice between any
particular thresholds even at the level of generality of orders of
magnitude. Based on the limits of currently available information,
analyzing and setting the bulk thresholds at a level more granular than
orders of magnitude is too speculative to form the basis for a policy
decision.
---------------------------------------------------------------------------
\94\ Sandip Sinharay, An Overview of Statistics in Education, in
International Encyclopedia of Education (Penelope Peterson et al.
eds., 3d ed. 2010).
---------------------------------------------------------------------------
Some commenters asserted that the thresholds for human genomic data
are too low and will hinder normal academic, scientific, and
technological exchanges. The Department declines to change these
thresholds. As articulated in the NPRM, the thresholds for human
genomic data are correlated to the sensitivity of that data and the
national security risk when such data is exploited by a country of
concern, such as the commenter. The 2024 National Counterintelligence
Strategy explains that, ``as part of a broader focus on data as a
strategic resource, our adversaries are interested in personally
identifiable information (PII) about U.S. citizens and others, such as
biometric and genomic data'' and ``health care data.'' \95\ ODNI has
explained, for example, that China has gone to great lengths to obtain
Americans' human genomic data, such as trying ``to leverage access
through its relationships with Chinese companies, strategic investments
in foreign companies, and by purchasing large data sets.'' \96\ China
and Chinese companies ``have sought to acquire sensitive health and
genomic data on U.S. persons through, for example, investment in U.S.
firms that handle such data or by partnering with healthcare or
research organizations in the United States to provide genomic
sequencing services.'' \97\
---------------------------------------------------------------------------
\95\ Nat'l Counterintel. & Sec. Ctr., supra note 6, at 13.
\96\ In Camera, Ex Parte Classified Decl. of Casey Blackburn,
Assistant Dir. of Nat'l Intel., Doc. No. 2066897 at Gov't App. 11 ¶
31, TikTok Inc. v. Garland, Case Nos. 24-1113, 24-1130, 24-1183
(D.C. Cir. July 26, 2024) (publicly filed redacted version)
(hereinafter ``Blackburn Decl.'').
\97\ Id. at Gov't App. 11 ¶ 33(a).
---------------------------------------------------------------------------
Additionally, no evidence has been provided that the rule would
hinder beneficial academic, scientific, and technological research in
light of the examples and exemptions in the rule. As explained in parts
IV.B.2 and IV.D.9 of this preamble, the rule does not prohibit or
restrict U.S. research in countries of concern, or research
partnerships or collaborations with countries of concern or covered
persons, that do not involve a prohibited or restricted commercial
transaction. The rule contains exemptions meant to preserve critical
health research, including the exemptions for federally funded
research, for sharing data pursuant to international agreements
(including certain pandemic-related and global-health-surveillance
agreements), for submissions of regulatory approval data for medical
drugs, devices, and biological products, and for certain clinical-
investigation data and post-marketing surveillance data. Finally, as
articulated in the NPRM, the rule contemplates a process through which
the Department can issue general or specific licenses as necessary and
appropriate to authorize regulated activities in certain circumstances.
One commenter requested that the Department delete Sec.
202.205(c), which sets the bulk threshold for precise geolocation data
at more than 1,000 U.S. devices. As justification, the commenter argued
that Sec. 202.222's Government-Related Location Data List identifies
precise geographic areas, but that Sec. 202.205(c)'s bulk threshold on
precise
[[Page 1660]]
geolocation data is somehow a double limit. This comment, which is
unclear, seems to confuse several different elements of the rule: the
Government-Related Location Data List in Sec. 202.1401, the 1,000-
meter precision required in the definition of ``precise geolocation
data'' in Sec. 202.242, and the bulk threshold of 1,000 U.S. devices
in Sec. 202.205(c). Geographic or location data must first be precise
enough (within 1,000 meters) to meet the definition of ``precise
geolocation data'' in Sec. 202.242. If it is, then the question is
whether that precise geolocation data provides a location within one of
the areas on the Government-Related Location Data List in Sec.
202.1401. If so, then the data is government-related data, and the bulk
threshold of 1,000 U.S. devices in Sec. 202.205(c) does not apply. If
not, then the data qualifies as bulk U.S. sensitive personal data only
if it exceeds the bulk threshold of 1,000 U.S. devices in Sec.
202.205(c). As such, the Department declines to make any change in
response to this comment.
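The three-step determination just described (precision first, then the Government-Related Location Data List, then the device-count threshold) can be encoded as a classifier over location records. The following is an added worked example, not text of the rule and not code from the Department; the thresholds follow the preamble (within 1,000 meters; more than 1,000 U.S. devices), while the listed area named HYPOTHETICAL_AREA_A, its circular shape, the record layout, and the sample data are constructed assumptions for illustration only. The actual areas must be taken from Sec. 202.1401.

```python
"""Classifier for the three-step precise-geolocation determination.

Added example, not text of the rule. Thresholds follow the preamble
(1,000-meter precision, more than 1,000 U.S. devices); the listed area,
the device records, and the circle representation of listed areas are
constructed assumptions for illustration only.
"""
import math
from dataclasses import dataclass

PRECISE_RADIUS_M = 1000.0     # Sec. 202.242: location within 1,000 meters
BULK_DEVICE_THRESHOLD = 1000  # Sec. 202.205(c): more than 1,000 U.S. devices


@dataclass(frozen=True)
class LocationRecord:
    device_id: str
    lat: float
    lon: float
    accuracy_m: float  # positional accuracy radius reported with the fix
    us_device: bool    # whether the record is attributed to a U.S. device


@dataclass(frozen=True)
class ListedArea:
    """Hypothetical circular stand-in for an entry on the Sec. 202.1401 list."""
    name: str
    lat: float
    lon: float
    radius_m: float


# Constructed placeholder; the real list must be read from Sec. 202.1401.
HYPOTHETICAL_AREAS = [ListedArea("HYPOTHETICAL_AREA_A", 40.0, -100.0, 1500.0)]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters on a spherical Earth."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def classify(records, areas=HYPOTHETICAL_AREAS):
    # Step 1: only fixes precise to within 1,000 meters count as
    # "precise geolocation data"; coarser fixes drop out entirely.
    precise = [r for r in records if r.accuracy_m <= PRECISE_RADIUS_M]
    # Step 2: any precise fix inside a listed area makes the data
    # government-related data, with no bulk threshold to meet.
    listed_hits = sorted({(r.device_id, a.name) for r in precise for a in areas
                          if haversine_m(r.lat, r.lon, a.lat, a.lon) <= a.radius_m})
    # Step 3: otherwise the data is bulk U.S. sensitive personal data only
    # if it covers more than 1,000 distinct U.S. devices (not fixes).
    us_devices = {r.device_id for r in precise if r.us_device}
    return {
        "precise_records": len(precise),
        "government_related": bool(listed_hits),
        "listed_hits": listed_hits,
        "us_devices": len(us_devices),
        "bulk_sensitive": len(us_devices) > BULK_DEVICE_THRESHOLD,
    }


def make_records(n_devices, accuracy_m, fixes_per_device=2):
    """Constructed sample: n U.S. devices clustered far from any listed area."""
    out = []
    for i in range(n_devices):
        lat = 35.0 + (i % 100) * 0.001
        lon = -90.0 + (i // 100) * 0.001
        for _ in range(fixes_per_device):
            out.append(LocationRecord(f"dev-{i:05d}", lat, lon, accuracy_m, True))
    return out


if __name__ == "__main__":
    print(classify(make_records(1001, 500.0)))
    print(classify([LocationRecord("dev-x", 40.002, -100.0, 50.0, True)]))
```

Two points the code makes explicit that the prose leaves implicit: the bulk threshold counts distinct U.S. devices, so a dataset with two fixes per device for exactly 1,000 devices stays below the threshold while 1,001 devices exceed it; and a single precise fix inside a listed area is government-related data regardless of how few devices the dataset contains.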
Several commenters encouraged the Department to review and adjust
the bulk thresholds over time to reflect changes to technology and
asked how the Department might change the thresholds in the future. One
commenter sought clarification regarding the benefits of setting static
thresholds for technological uses that may vary widely and change
rapidly. The commenter was concerned that new discoveries, particularly
from AI models, could change the United States Government's risk
tolerance and justify changing the thresholds. The Department intends
to monitor evolving technological developments and national security
threats to ensure that the thresholds remain responsive to the risks.
Changes to the bulk thresholds could be accomp
[…truncated; see source link]
Indexed from Federal Register on January 8, 2025.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.