On February 28, 2024, the Department of Justice released the following report: Advance Notice of Proposed Rulemaking (ANPRM) To seek public comment on establishing a new regulatory regime to restrict the transfer of large amounts of sensitive personal data and some U.S. government data by U.S. persons to covered foreign nationals.
ANPRM was issued in response to the new White House presidential order This law, issued under the International Emergency Economic Powers Act (IEEPA), requires the Department of Justice within six months to respond to potential national security threats arising from cross-border personal and government data transfers. requires them to propose administrative regulations.
Target data transaction
Under the ANPRM, the Department of Justice may restrict U.S. persons from engaging in “covered data transactions” that refer to:
- (a) “Transaction”: The acquisition, possession, use, transfer, transportation, export, or trade of property in which a foreign country or its nationals have an interest.
- (b) It includes (1) large amounts of sensitive personal data in the United States; or (2) government-related data.and
- (c) Includes (1) data intermediation, (2) vendor agreements, (3) employment agreements, or (4) investment agreements.
large amounts of sensitive personal data. According to the ANPRM, the term “sensitive personal data” includes:
(1) specifically listed categories and combinations of covered personal identifiers (not all personally identifiable information); (2) precise geolocation data; (3) biometric identifiers; (4) human genome data, (5) personal health data, and (6) ) personal financial data.
Only transactions that exceed certain “bulk” or thresholds are subject to relevant limits based on the number of U.S. persons or U.S. devices involved.
Government related data. According to the ANPRM, the term refers to (1) precise geolocation data (regardless of amount) of geofenced locations within an enumerated list, and (2) related to current or former U.S. government means Sensitive Personal Data (regardless of quantity). , military or intelligence community employees, contractors, or senior officials.
Prohibited, Restricted and Exempted Transactions
The EO and ANPRM propose a three-step approach to distinguishing between the types of restrictions that would be subject to a proposed rule.
Prohibited Transactions. The ANPRM generally prohibits U.S. persons from knowingly engaging in “covered data transactions” with related countries or subjects.
Restricted transactions. The ANPRM provides that for U.S. persons involved in “covered data transactions” related to vendor, employment, or investment contracts, appropriate security measures are in place in accordance with relevant regulations promulgated by the Cybersecurity and Infrastructure Security Agency. provides that such transactions may be permitted. Department of Homeland Security.
Transactions that are exempt. The ANPRM applies to certain data transactions, such as (1) data transactions involving private communications, information, or information material excised by IEEPA; (2) transactions for official government business; and (3) financial services, payment processing, or regulatory compliance. We are proposing to exempt these types of transactions. related transactions, (4) intracompany transactions incidental to business operations, and (5) transactions required or permitted by federal law or international treaty.
License system. The EO authorizes the Department of Justice to grant specific (entity- or individual-specific transactions) and general (covering a wide range of types of transactions) licenses for U.S. persons to engage in prohibited and restricted transactions. . The Justice Department is considering establishing a permit system modeled on the economic sanctions permit system administered by the Treasury Department's Office of Foreign Assets Control.
Countries of concern and targets
Concerned country. The ANPRM proposes to identify China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela as countries of concern.
Target audience. The ANPRM defines a “covered person” as (1) an entity owned, controlled by, or subject to the jurisdiction or direction of a covered country; (2) a foreign person who is an employee or contractor of that country; We propose to define it as (3) Foreign nationals who are employees or contractors of a Covered State; and (4) Foreign nationals who reside primarily within the jurisdiction of a Covered State. The Department of Justice may also designate certain individuals and entities as “covered persons.”
implementation
This system will only become effective once the final administrative regulations are promulgated. The scope of the final rule may differ significantly from the proposals published in the ANPRM. Additionally, the EO provides the Department of Justice and other agencies with interpretations to further clarify and refine processes and mechanisms for complying with the final rule, including potential due diligence, recordkeeping, or voluntary reporting requirements. It provides significant discretion to issue guidance and enforcement guidelines. .