Justice Department issues comprehensive proposed rule addressing national security risks posed to U.S. sensitive data
Note: Read the Department’s fact sheet on this matter here.
The Justice Department today issued a Notice of Proposed Rulemaking (NPRM) to implement President Biden’s Executive Order 14117 (the E.O.) of Feb. 28, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The E.O. addresses the national security threat posed by the continued effort of certain countries of concern to access and exploit certain kinds of Americans’ sensitive personal data. The President charged the Justice Department with the responsibility of establishing and implementing this new national security regulatory program to address these risks. On March 5, the Department’s Advance Notice of Proposed Rulemaking (ANPRM) was published in the Federal Register. Informed by extensive stakeholder outreach and careful consideration of comments the NPRM addresses public comments received on the ANPRM and proposes a rule to establish this new program and implement the E.O.
This comprehensive proposed rule would implement the E.O. by establishing categorical rules for certain data transactions that pose an unacceptable risk of giving countries of concern or covered persons access to government-related data or bulk U.S. sensitive personal data. Among other things, the proposed rule identifies classes of prohibited and restricted transactions, identifies countries of concern and classes of covered persons to whom the proposed rule applies, identifies classes of exempt transactions, explains the Department’s methodology for establishing bulk thresholds, provides the Department’s initial assessment of economic and other regulatory impacts, establishes processes to issue licenses authorizing certain prohibited or restricted transactions, issue advisory opinions, and designate covered persons, and addresses recordkeeping, reporting, and other due-diligence obligations for covered transactions.
The Justice Department’s National Security Division requests public comment on the proposed rule within 30 days of its publication in the Federal Register. The Department seeks comments on the proposed rule from industry, trade association groups, civil society, subject-matter experts, organizations and entities potentially affected by the proposed rule, and others with interest in the rule or expertise on data security and cybersecurity. The public may submit written comments on the NPRM at www.regulations.gov.
The proposed rule is tailored to address the specific national security risks stemming from access by countries of concern and covered persons to Americans’ bulk sensitive personal data and certain sensitive U.S. government-related data. These measures complement the United States’ commitment to promoting an open, global, interoperable, reliable, and secure internet; protecting human rights online and offline; supporting a vibrant, global economy by promoting cross-border data flows that are required to enable international commerce and trade; and facilitating open investment.
As previewed in the ANPRM, the proposed rule does not authorize the imposition of generalized data localization requirements to store Americans’ bulk sensitive personal data or U.S. Government-related data or to locate computing facilities used to process such data in the United States. As also previewed in the ANPRM, the proposed rule also does not broadly prohibit U.S. persons from engaging in commercial transactions, including exchanging financial and other data as part of the sale of commercial goods and services with countries of concern or covered persons, or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries. To reflect this, the NPRM proposes a new exemption for telecommunications services, provides further clarity on exemptions regarding financial services and intra-corporate-group transfers that were previewed in the ANPRM, and seeks public comment on a new proposed exemption for clinical-trial data.
The proposed rule’s prohibitions and restrictions are consistent with other access restrictions on sensitive personal data that have been imposed in other contexts, including for transactions reviewed by the Committee on Foreign Investment in the United States (CFIUS) and the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector (Team Telecom). As the ANPRM previewed, the proposed rule exempts several classes of data transactions from the scope of its prohibitions and restrictions, including certain personal communications, financial services, corporate group transactions, transactions authorized by Federal law and international agreements, investment agreements subject to a CFIUS action, telecommunication services, biological product and medical device authorizations, clinical investigations, and others.
As explained in the NPRM, countries of concern can use their access to these types of data to engage in malicious cyber-enabled activities and malign foreign influence activities, bolster their military capabilities, and track and build profiles on U.S. individuals (including members of the military and other Federal employees and contractors) for illicit purposes such as blackmail and espionage. Countries of concern can also exploit this data to collect information on activists, academics, journalists, dissidents, political opponents, or members of nongovernmental organizations or marginalized communities to intimidate them, curb political opposition, limit freedoms of expression, peaceful assembly, or association, or enable other forms of suppression of civil liberties.
The proposed rule would require vendor agreements, employment agreements, and investment agreements that qualify as restricted transactions to comply with the separately proposed security requirements that have been developed by the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) in coordination with the Justice Department. These proposed security requirements require U.S. persons engaging in a restricted transaction to comply with organizational and system-level requirements, such as ensuring that basic organizational cybersecurity policies, practices, and controls are in place, and data-level requirements, such as data minimization and masking, encryption, and privacy-enhancing techniques. CISA is concurrently making these proposed security requirements available for public comment at www.regulations.gov.