President Joe Biden's executive order restricting the transfer of sensitive personal data fills a major gap in U.S. regulation of such data.
Previously, a foreign investor seeking to invest in a U.S. company that held sensitive data could have that investment restricted through the CFIUS process, but there was no mechanism for the government to regulate outright purchases of the data itself. The government is now preparing rules that would broadly limit the sharing of bulk sensitive personal data of Americans.
Businesses affected by upcoming regulations can submit comments, assess their risk profiles, and adjust their compliance programs in advance of proposed rulemaking.
In recent years, U.S. national security officials have expressed increasing concern about the risks associated with the sale of sensitive personal information to foreign parties. A 2018 investigation found that a fitness app that published maps based on users' geolocation data revealed the outlines of sensitive U.S. military bases. Media reports have also highlighted how sensitive datasets on military personnel, including information on health status and financial indicators, can be easily obtained from "data brokers."
The Feb. 28 executive order directs the Department of Justice to begin a notice-and-comment rulemaking process. As a first step in that process, the Department of Justice issued an advance notice of proposed rulemaking. The proposed rules would ban certain types of transactions and impose security-related restrictions on others through a new regulatory regime.
The proposal would cover a wide range of transactions involving sensitive data. First, the Department of Justice defines "bulk sensitive U.S. personal data" broadly. The definition includes a wide range of "personal identifiers" associated with Americans' digital identities, such as cookies, IP addresses, call details, Social Security numbers, and SIM card numbers, as well as geolocation data, personal health data, financial data, and other categories of data.
Second, the rule broadly defines who is subject to it. "Covered persons" include businesses organized in, or nationals of, China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, or Venezuela.
The rules under consideration would also reach any entity that is 50% owned by such persons. This means that overseas subsidiaries and investment funds in Europe, the Middle East, and elsewhere may fall within the scope of the rules. The Department of Justice has not explicitly stated whether U.S. subsidiaries of Chinese companies are covered, but the "50% rule" suggests that they could be.
The rule would broadly prohibit giving covered persons access to bulk sensitive U.S. data through sales, licenses, or subscriptions. This plainly applies to data brokers who sell access to this type of information.
However, it may also apply to U.S. companies that do not consider themselves to be in the data business. For example, the prohibition could apply if a U.S. company shares information about its customers with a Chinese company as part of a partnership or business-development arrangement.
The rules would restrict, rather than prohibit, other kinds of transactions. Investment, employment, and vendor agreements with covered persons would be permitted only if they comply with security requirements issued by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).
Although these requirements have not yet been made public, they are expected to establish physical and cybersecurity controls designed to prevent covered persons from accessing bulk sensitive data. For example, they could require U.S. companies with offices in China to implement controls that limit access to sensitive data by their Chinese employees.
How to prepare
First, given the potentially broad scope of the proposed rule, companies may wish to submit comments individually or through industry associations. Written comments will be accepted until April 19.
Second, a senior Justice Department official said on March 8 that multinational companies should develop risk-based compliance programs tailored to their individual risk profiles. A company should begin by determining whether it holds bulk sensitive personal data of the kind the proposal covers, and then check whether any sales agreement or other arrangement in place gives covered persons access to that data.
Third, the rule may have secondary effects that companies should consider. For example, Chinese competitors seeking to establish themselves in the U.S. market may be confined to industries where data covered by the proposed rule is less prevalent. This may affect market dynamics in key sectors including healthcare, defense, and communications.
This executive order is another example of a trend over the past 15 years of presidents invoking national security to create new regulatory frameworks. The number of such regimes is growing, including the proposed "Foreign Investment" regulations and the recent Information and Communications Technology and Services regulations issued under the president's national security authorities. We expect the expansion of executive national security regulation to continue.
Based on what has been announced so far, the final rule is expected to be a significant development for some U.S. companies, impacting their business lines and compliance programs.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author information
John P. Carlin is co-chair of Paul Weiss' cybersecurity and data protection practice and chair of the national security practice.
L. Rush Atkinson is a partner in the litigation department and a member of the firm's cybersecurity and data protection practice.
Samuel Kleiner is an associate in the litigation department.