Down to Business: Relevance of Upcoming Regulations on Cross-Border Data Transactions to the Business Community
On February 28, 2024, President Joe Biden issued a landmark Executive Order titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Order”). The regulations stemming from the Order are far from final or effective, but the Order itself and the DOJ’s recently published advanced notice of proposed rulemaking (“ANPRM”) provide insight into the potential risks and compliance obligations of the Order’s data protection mandates for the business community.
Overview of the Executive Order and ANPRM
The Order seeks to restrict “countries of concern” and “covered persons” from accessing bulk sensitive personal data and U.S. Government-related data where such access would pose “an unacceptable risk to the national security of the United States” due to the potential use of such data for illicit purposes, such as blackmail or espionage. Accordingly, the Order empowers the DOJ to implement regulations effecting that goal.
In the ANPRM, the DOJ lays out a tentative regulatory framework that generally prohibits a “United States person” from “knowingly” engaging in a “covered data transaction” with a “country of concern” or “covered person.” The relevant definitions that the DOJ is considering are listed below:
- United States person is defined broadly to include citizens, nationals, and lawful permanent residents of the United States, individuals with refugee or asylee status, and any entity organized under the laws of the U.S. or any jurisdiction therein (including a foreign branch of a U.S. company) as well as any entity in the U.S.
- Knowingly applies to a person who knew or should have known of the circumstances of a transaction. Though the ANPRM indicates that this standard is not meant to be a strict liability standard or one that requires affirmative diligence on the U.S. person’s part, the DOJ proposes that the “should have known” language account for certain facts and circumstances — such as the relative sophistication of the parties, the scale and sensitivity of the data involved, and the extent to which the parties were aware of attempts, or sought, to evade the application of the regulations.
- Covered data transaction is a transaction (1) involving any “bulk U.S. sensitive personal data” or “government-related data”; and (2) involving a data brokerage, vendor agreement, employment agreement, or investment agreement. “Bulk U.S. sensitive personal data” is defined as sensitive data related to a certain threshold number of U.S. persons for the following categories: human genomic data, biometric identifiers, precise geolocation data, personal health data, personal financial data, and covered personal identifiers. “Government-related data” is broadly defined as categories of data, regardless of volume, including sensitive government-related locations or sensitive personal data linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government.
- Countries of concern include China (including Hong Kong and Macau), Russia, Cuba, Iran, Venezuela, and North Korea.
- Covered person encompasses a wide set of individuals and entities associated with countries of concern, including any entities that are directly or indirectly majority owned by, organized or chartered under the laws of, or have their principal places of business in a country of concern. The definition also includes any “foreign person” (i.e., non-U.S. person) primarily residing in a country of concern or employed by a covered entity, specific persons designated by the Attorney General, and any entity directly or indirectly majority owned by any of the foregoing persons.
Within this general prohibitory framework, the DOJ is considering identifying two categories of transactions: “prohibited transactions” and “restricted transactions”:
- Prohibited transactions are entirely prohibited and include the subset of covered data transactions that are (1) data brokerage transactions; and (2) any transaction that provides a country of concern or covered person with access to bulk human genomic data.
- Restricted transactions are the remaining subset of covered data transactions that would otherwise be prohibited unless they meet certain security requirements. Those include transactions involving vendor agreements, employment agreements, and investment agreements.
As further explored below, the DOJ is also seeking to define certain types of transactions that will be exempt from these regulations and provide a system for general and specific licenses that would authorize covered data transactions that would otherwise be prohibited or restricted.
Practical Compliance Issues for Companies to Consider
Although both the Order and ANPRM seek to minimize “disruption to commercial activity,” the regulations will create new obligations — and therefore new risks — for businesses transacting across national boundaries. Despite the preliminary nature of the regulations, companies may find it useful to begin preparing for and mitigating any disruptions the new data protection mandates may cause for their businesses. Consider:
- Does my business or any part of my business engage in transactions that fall within the prohibitory framework of the proposed regulations?
- Understand Data Collection Operations. Given the ubiquity of data collection throughout various business sectors, it is important that companies scrutinize how much and what type of personal data may be collected in the course of their operations. Regardless of whether a company transacts with its data, the Order makes clear that the DOJ is empowered to restrict or prohibit transactions merely involving covered data. Thus, the ANPRM indicates that an investment agreement between a U.S. company storing covered data and a covered person would still be restricted even if the agreement explicitly forbids the covered person’s access to the covered data. It is therefore imperative that companies understand their own data collection operations as a first-line inquiry into whether they will fall under the proposed regulations.
- Examine Multinational Business Structures. Multinational companies will want to examine or seek guidance on how each of their related entities would be defined under or affected by the proposed regulations. For example, foreign branches of U.S. companies are generally defined as U.S. persons under the ANPRM, but a foreign subsidiary or affiliate will likely also qualify as a covered person. Moreover, because the DOJ is considering prohibition on a U.S. person knowingly “directing” any covered data transactions, companies will need to be wary of indirect ties between their U.S. business entities and covered persons through foreign affiliates — e.g., if a U.S. business unit of a company approves one of its foreign affiliates to transact with a covered person.
- Consider Transactional Diligence Policies. Though the DOJ has indicated that the “knowingly” language in its general prohibitory framework is not intended to impose any due diligence requirements on U.S. persons to determine if a counter-party is a covered person, companies may still want to consider creating internal policies and guidelines implementing some level of transactional diligence for several reasons. First, the ANPRM specifically seeks comment on what kind of diligence would be necessary for a U.S. party to ascertain whether a counter-party is a covered person, indicating some interest from the DOJ on the matter. Second, while not proposing any affirmative due diligence or recordkeeping requirements for U.S. persons engaging in covered data transactions with foreign persons generally, the DOJ is considering whether a U.S. person’s failure to develop an adequate due diligence program may be treated as an aggravating factor in an enforcement action.
- If so, are the transactions that fall within the prohibitory framework exempt?
- Exempt Categories. As noted above, the DOJ is considering exempting certain categories of data transactions from prohibition or restriction under the proposed regulations: (1) data transactions involving certain kinds of data (e.g., personal communications and information or informational materials); (2) transactions for the conduct of the official business of the U.S. government or transactions conducted pursuant to agreements entered into with the U.S. government; (3) financial-services, payment processing, and regulatory-compliance related transactions; (4) intra-entity transactions incident to business operations; and (5) transactions required or authorized by federal law or international agreements.
- Exercise Caution When Using the Intra-Entity Exemption. The intra-entity exemption is not a safe harbor for multinational companies engaging in covered data transactions. Though the “incident to business operations” phrase could be read quite broadly, the ANPRM makes clear that this proposed exemption would only apply to covered data transactions “ordinarily incident to and part of ancillary business operations.” The DOJ’s provided examples signal a fairly restrictive view of what might be covered by the exemption:
-
- Sharing of employees’ “covered personal identifiers” for human-resources purposes;
- Payroll transactions such as the payment of salaries or pensions to overseas employees or contractors
- Paying business taxes or fees;
- Purchasing business permits or licenses; and
- Sharing data with auditors or law firms for regulatory compliance and risk management purposes.
Assuming this exemption remains consistent through the notice and comment period, applying the exemption to any situation outside of the DOJ’s listed examples may increase the risk of non-compliance, notwithstanding an internal determination that a transaction is incident to an ancillary business operation. For example, the DOJ has specifically stated that this exemption would not apply to a U.S. company providing access to covered data to a subsidiary of a covered person in order for the subsidiary to comply with the laws of a country of concern requiring access to such data.
-
- If these transactions are not exempt, are they restricted transactions that are authorized subject to certain security requirements?
- Security Requirements. While the ANPRM stresses that the security requirements for restricted transactions are still under development, the DOJ has provided the following prospective outline of what those requirements might entail: (1) implement “Basic Organizational Cybersecurity Posture” requirements; (2) conduct the restricted transaction in compliance with four conditions: (a) data minimization and masking; (b) use of privacy-preserving technologies; (c) development of IT systems to prevent unauthorized disclosure; and (d) implementing logical and physical access controls; and (3) satisfy certain compliance-related conditions, such as retaining an independent auditor.
- Comprehend and Implement Existing Cybersecurity Frameworks. Particularly for (1) and (2) in the security requirements outlined in the ANPRM, the DOJ points to certain already-existing cybersecurity frameworks from which required practices may be incorporated. Those include the Cybersecurity Performance Goals created by the Cybersecurity & Infrastructure Security Agency and the Privacy Framework created by the National Institute of Standards and Technology. Familiarity with, and implementation of, practices from these and other similar cybersecurity frameworks will likely smooth the transition for companies engaged in restricted transactions.
- If these transactions are not exempt, can a license be obtained to engage in them nonetheless?
-
- General and Specific Licenses. The DOJ is considering a licensing regime modeled on the one used by the Office of Foreign Assets Control that would include both general licenses — which would cover certain types of otherwise prohibited or restricted covered data transactions, and specific licenses — which would cover certain otherwise prohibited or restricted transactions. For both types of licenses, the DOJ is considering imposing a reporting requirement on the licensee, and for specific licenses, the DOJ is considering additional requirements related to assuring that the transferred data can be retrieved or erased.
- Assess Compliance Regimes. Though the regulations related to restricted transactions and licenses are still preliminary, it may be prudent for companies to begin considering the costs and benefits of the different compliance regimes described in the ANPRM. For example, deciding whether or not compliance with the security requirements of a restricted transaction is preferable to applying for a license and thereafter complying with its reporting requirements requires careful consideration of a variety of business and legal issues. As further details on the regulations emerge, it will be essential for companies to stay informed.
Though much of the upcoming regulations remain largely undefined — including potential civil monetary penalties and a program for seeking the DOJ’s interpretive guidance — companies can benefit from getting a head start on understanding how these regulations may affect their business.
V&E assists clients in identifying, managing, and mitigating risks associated with emerging technologies, from early planning and assessment to compliance, managing incident response, and resulting litigation.
.
Related Insights
- CLE EventWebcastDecember 5, 2024CLE Credit
- InsightAugust 5, 2024
- InsightJuly 22, 2024
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.