The U.S. Department of Justice published a long-awaited notice of proposed rulemaking this week. The draft regulation takes the next step in clarifying a major shift in U.S. policy around the flow of personal data across borders. Though the free flow of data remains the general U.S. approach, restrictions are emerging for the disclosure of sensitive personal data to adversarial countries.
The DOJ rules propose a singularly complex multitiered regulatory regime for covered transactions. Comments from interested stakeholders will be due 30 days after the rule is published in the Federal Register.
This is the second step in the DOJ's process for implementing President Joe Biden's Executive Order 14117 on "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern." The overarching goal of the executive order is to restrict transactions that could disclose dangerous amounts of sensitive personal data, or any amount of government data, to persons associated with six "countries of concern": China, Cuba, Iran, North Korea, Russia and Venezuela.
Shortly after the executive order's release, the DOJ published an advance notice of proposed rulemaking. The new NPRM revises this early draft substantially in response to stakeholder comments and additional internal DOJ review. At the IAPP Privacy Security Risk conference in Los Angeles, attendees were afforded a preview of the direction of the rulemaking process, which my colleague Joe Duball wrote about here.
Alongside the draft DOJ regulation, the Cybersecurity and Infrastructure Security Agency released a set of proposed security requirements that would create a cybersecurity safe harbor for otherwise restricted transactions under the DOJ rules.
Some transactions — "data brokerage" transactions involving bulk sensitive data or U.S. government data — are entirely prohibited. Data brokerage means any transfer of covered data to a recipient "where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data."
Three other categories of transactions are restricted, but allowed if the security requirements outlined in the draft CISA rule are met: vendor agreements, employment agreements and investment agreements.
In some ways, this nascent regulatory regime takes the inverse of the approach in the EU. Instead of a process for identifying whitelisted countries with adequate protections for legal data transfers, the proposed rule creates a list of countries to which the disclosure of covered data types via covered transactions is entirely prohibited. Rather than allowing for alternative methods to facilitate responsible transfers, the U.S. would create an export-like licensing program to grant exceptions from the total prohibition.
Not your father's sensitive data
At first glance, sensitive data seems narrowly defined — but looks can be deceiving. In the case of what the DOJ calls "covered personal identifiers," the data in scope of the rule is much broader than any other conception of sensitive data. Proposing a singular approach for a U.S. regulatory regime, the DOJ would treat unique identifiers as sensitive data when they are combined in a transaction with other unique identifiers, other sensitive personal data types, or "with other data that is disclosed by a transacting party pursuant to the transaction and that makes the personally identifiable data exploitable by a country of concern."
Covered personal identifiers would include eight categories: government ID numbers, financial account numbers and PINs, device IDs such as MAC addresses, advertising IDs, account-authentication data such as usernames, network-based identifiers "such as IP addresses or cookie data," call detail data such as CPNI, and "demographic or contact data (such as first and last name, birth date, birthplace, ZIP code, residential street or postal address, phone number, email address, or similar public account identifiers)."
As proposed, any two of these data types together, or any one plus another category of sensitive data, would fall into covered data restricted from being sold to countries of concern or other covered persons.
Beyond covered personal identifiers, the proposed rule would cover five other types of sensitive data, which are all more consistent with existing U.S. definitions of sensitive data: precise geolocation data, biometric identifiers, human genomic data, personal health data and personal financial data.
Four tiers of sensitivity
Though the substantive prohibitions are largely the same across covered data types, the DOJ has crafted a four-tiered structure in the NPRM for the relative sensitivity level of the various covered types of personal data. To validate the proposal, the DOJ describes how it reviewed over 50 transactions previously reviewed by the Committee on Foreign Investment in the U.S. "in which the government identified, and took action to address, a risk to national security posed by access to data by countries of concern or persons subject to their ownership, direction, jurisdiction, or control."
Some data types, such as geolocation data, have not been frequently scrutinized by CFIUS, so the DOJ also reviewed state privacy laws and enforcement by the U.S. Federal Trade Commission to validate the thresholds it set for each tier of sensitive data to qualify as bulk.
Here are the modified tiers, most of which fall around the middle of the range originally proposed in the ANPR:
• Human genomic data: More than 100 U.S. persons.
• Biometric identifiers and precise geolocation data: More than 1,000 U.S. persons.
• Personal health data and personal financial data: More than 10,000 U.S. persons.
• Covered personal identifiers: More than 100,000 U.S. persons.
Even at non-bulk levels, the separate category of "government-related data" restricts the sale of sensitive personal data of government employees, contractors, military personnel, or senior officials in situations where the company markets the data as linked or linkable to such individuals.
Deidentified doesn’t matter
As the DOJ bluntly puts it, "The Department declines to adjust the proposed rule to exclude anonymized, encrypted, pseudonymized, or de-identified data" despite requests from many commenters to do so.
The justification for this expansive scope has to do with the national security-related nature of the executive order. The DOJ claims that "examples abound" about the ease with which supposedly de-identified datasets can be re-identified or otherwise used to reveal information about individuals.
Contracts and reporting obligations
To limit the onward transfer of covered data to countries of concern, the proposed rule requires that any data brokerage transaction to any foreign person must include contractual safeguards prohibiting the onward transfer of the data to countries of concern or designated "covered persons."
Not only must data processing agreements include this term, but any entity that engages in such a transaction also has an ongoing obligation to monitor and report any suspicious onward transfers.
Almost like a breach report, companies must notify the U.S. government about known or suspected disclosures to countries of concern by foreign entities to which they transferred the data.
But wait, there are more restrictions on foreign adversaries
It is important to remember that this new regulatory framework will not be the only restriction on the foreign sale of sensitive data.
Since the executive order was signed, Congress passed a law banning similar transactions, enforceable by the FTC, known as the Protecting Americans' Data from Foreign Adversaries Act of 2024. The DOJ takes pains to specify that the new law does not require any changes to the NPRM.
The DOJ generally paints PADFAA as far narrower than the NPRM. For starters, the regulation applies to "data brokerage" transactions, which the DOJ says is a broader category than the definition of "data broker" in PADFAA. The scope of PADFAA includes an initial step of determining whether the selling entity is a data broker. But in the NPRM the type of entity doesn't matter; even an individual engaging in a covered data transaction is covered.
Additionally, PADFAA does not "expressly address the re-export or resale of data by third parties and indirect sales through intermediaries." It also includes an exception for consent.
Not mentioned by the DOJ is the fact that PADFAA only covers four designated foreign adversaries. Transactions to Cuba and Venezuela are not restricted under the law.
However, the scope of covered data and prohibited recipients cannot be said to be narrower under PADFAA.
For recipients, the two regimes are just different. The updated NPRM presents criteria for ownership and control as well as a designation process by which the U.S. government can determine that specific entities are prohibited from receiving covered data. PADFAA lacks such a regulatory process, but it also includes an arguably stronger standard for ownership: any entity that is owned 20% or more by an entity in a covered country is treated as restricted under PADFAA.
Covered data under PADFAA does not require bulk thresholds, and the list of data types is far more expansive, except that it lacks some of the categories, such as unique device IDs, included in the NPRM.
The new norm for transactions to foreign entities
All told, the draft DOJ rules and PADFAA have ushered in an era of expanded scrutiny for companies that transfer personal data outside of the U.S. Ongoing review and documentation will be required to ensure that transfers of data outside of the U.S. do not trigger the exemptions of either regulatory regime.
For what it’s worth, the DOJ also takes time to reassure stakeholders that it will work closely with the FTC in overseeing the two separate regimes. The Department and the FTC intend to coordinate, as appropriate, on licensing decisions and on any potential enforcement actions under the PADFAA with respect to activities that may be authorized, exempt, or licensed under the proposed rule.
It is safe to say this is the beginning of the end of the free flow of personal data from the U.S. It is a welcome step for many advocates, academics and national security wonks. But it leaves open many questions about the future of global data flows.
Please send feedback, updates and deletion requests to cobun@iapp.org.
Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director in Washington, D.C., for the IAPP.