National Security Division; Provisions Regarding Access to Americans' Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern, 15780-15802 [2024-04594]
15780 Federal Register / Vol. 89, No. 44 / Tuesday, March 5, 2024 / Proposed Rules
This section of the FEDERAL REGISTER contains notices to the public of the proposed issuance of rules and regulations. The purpose of these notices is to give interested persons an opportunity to participate in the rule making prior to the adoption of the final rules.
DEPARTMENT OF JUSTICE
28 CFR Part 202
[Docket No. NSD 104]
RIN 1105–AB72
National Security Division; Provisions Regarding Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern
AGENCY: National Security Division, Department of Justice.
ACTION: Advance notice of proposed rulemaking.
SUMMARY: The Executive order of February 28, 2024, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the Order), directs the Attorney General to issue regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (“transaction”), where the transaction: involves U.S. Government-related data or bulk U.S. sensitive personal data, as defined by final rules implementing the Order; falls within a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to the national security of the United States because it may enable access by countries of concern or covered persons to Americans’ bulk sensitive personal data or U.S. government-related data; and meets other criteria specified by the Order. This advance notice of proposed rulemaking (ANPRM) seeks public comment on various topics related to the implementation of the Order.
DATES: Written comments on this ANPRM must be received by April 19, 2024.
ADDRESSES: You may send comments, identified by Docket No. NSD 104, by either of the following methods:
• Federal eRulemaking Portal: https://www.regulations.gov. Follow the instructions for sending comments.
• Mail: U.S. Department of Justice, National Security Division, Foreign Investment Review Section, 175 N Street NE, 12th Floor, Washington, DC 20002.
Instructions: We encourage comments to be submitted via https://www.regulations.gov. Please submit comments only and include your name and company name (if any) and cite “Provisions Pertaining to Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern” in all correspondence. Anyone submitting business confidential information should clearly identify the business confidential portion at the time of submission, file a statement justifying nondisclosure and referring to the specific legal authority claimed, and provide a non-confidential version of the submission. For comments submitted electronically containing business confidential information, the file name of the business confidential version should begin with the characters “BC.” Any page containing business confidential information must be clearly marked “BUSINESS CONFIDENTIAL” at the top of that page. The corresponding non-confidential version of those comments must be clearly marked “PUBLIC.” The file name of the nonconfidential version should begin with the character “P.” Any submissions with file names that do not begin with either a “BC” or a “P” will be assumed to be public and will be posted without change, including any business or personal information provided, such as names, addresses, email addresses, or telephone numbers.
To facilitate an efficient review of submissions, the Department of Justice encourages but does not require commenters to: (1) submit a short executive summary at the beginning of all comments; (2) provide supporting material, including empirical data, findings, and analysis in reports or studies by established organizations or research institutions; (3) consistent with the questions below, describe the relative benefits and costs of the approach contemplated in this ANPRM and any alternative approaches; and (4) refer to the numbered question(s) herein to which each comment is addressed.
The Department of Justice welcomes interested parties’ submissions of written comments discussing relevant experiences, information, and views. Parties wishing to supplement their written comments in a meeting may request to do so, and the Department of Justice may accommodate such requests as resources permit. Additionally, in consultation with other United States Government agencies, the Department of Justice expects to seek additional opportunities to engage in discussions with certain stakeholders, including foreign partners and allies.
FOR FURTHER INFORMATION CONTACT: Email (preferred): NSD.FIRS.datasecurity@usdoj.gov. Otherwise, please contact: Lee Licata, Deputy Chief for National Security Data Risks, Foreign Investment Review Section, National Security Division, U.S. Department of Justice, 175 N Street NE, Washington, DC 20002; telephone: 202–514–8648.
SUPPLEMENTARY INFORMATION:
I. Background
On February 28, 2024, the President issued the Order pursuant to his authority under the Constitution and laws of the United States, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.) (NEA), and section 301 of title 3, United States Code. In the Order, the President expanded the scope of the national emergency declared in Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and further addressed with additional measures in Executive Order 14034 of June 9, 2021 (Protecting Americans’ Sensitive Data from Foreign Adversaries). The President determined that additional measures are necessary to counter the unusual and extraordinary threat to U.S. national security posed by the continuing efforts of certain countries of concern to access and exploit Americans’ bulk sensitive personal data and U.S. Government-related data (“government-related data”).
Unrestricted transfers of bulk sensitive personal data and government-related data to countries of concern, through commercial transactions or otherwise, present a range of threats to U.S. national security and foreign policy. Countries of concern can use their access to Americans’ bulk sensitive personal data to engage in malicious cyber-enabled activities and malign foreign influence, and to track and build profiles on U.S. individuals, including members of the military and Federal employees and contractors, for illicit purposes such as blackmail and espionage. Countries of concern can also use access to U.S. persons’ bulk sensitive personal data to collect information on activists, academics, journalists, dissidents, political figures, or members of non-governmental organizations or marginalized communities in order to intimidate such persons; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties.
The Office of the Director of National Intelligence (ODNI) has made clear that “[o]ur adversaries increasingly view data as a strategic resource. They are focused on acquiring and analyzing data—from personally identifiable information on U.S. citizens to commercial and government data—that can make their espionage, influence, kinetic and cyber-attack operations more effective; advance their exploitation of the U.S. economy; and give them strategic advantage over the United States.” 1 Advanced technologies—including big-data analytics, artificial intelligence (“AI”), high-performance computing, and other capabilities—increasingly enable countries of concern to exploit bulk amounts of Americans’ sensitive personal data and government-related data to achieve these goals.
As ODNI has assessed, countries of concern are “increasing their ability to analyze and manipulate large quantities of personal information in ways that will allow them to more effectively target and influence, or coerce, individuals and groups in the United States and allied countries.” 2 Countries of concern “almost certainly are already applying data-analysis techniques to hone their efforts against U.S. targets.” 3
1 Office of the Director of National Intelligence, Annual Threat Assessment of the U.S. Intelligence Community at 26 (Feb. 6, 2023), https://www.odni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf [https://perma.cc/4B2Y-7NVD].
2 National Intelligence Council, Assessment: Cyber Operations Enabling Expansive Digital Authoritarianism at 3 (Apr. 7, 2020) (declassified Oct. 5, 2022), https://www.dni.gov/files/ODNI/documents/assessments/NICM-Declassified-Cyber-Operations-Enabling-Expansive-Digital-Authoritarianism-20200407--2022.pdf [https://perma.cc/ZKJ4-TBU6].
3 Id.
For example, AI is making it easier to extract, re-identify, link, infer, and act on sensitive information about people’s identities, locations, habits, and desires, as outlined in Executive Order 14110 of October 30, 2023 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence).4 Likewise, as the National Counterintelligence and Security Center has explained, “[t]he combination of stolen [personally identifiable information], personal health information, and large [human] genomic data sets collected from abroad” gives countries of concern “vast opportunities to precisely target individuals in foreign governments, private industries, or other sectors for potential surveillance, manipulation, or extortion.” 5 Moreover, access to bulk sensitive personal data can fuel the creation and refinement of AI, big-data, and other analytical capabilities, the development of which requires large amounts of human data—ultimately compounding the risks.
These risks are not merely hypothetical and have been tested. As a recent study has explained, for example, “[a]ggregated insights from location data” could be used to damage national security 6—such as in 2018, when the publication of a global heatmap of users’ location data collected by a popular fitness app enabled researchers to quickly identify and map the locations of military and government facilities and activities.7 Similarly, in 2019, New York Times writers were able to combine a single set of bulk location data collected from cell phones and
4 See also id. at 4–5 (explaining that China’s “commercial access to personal data of other countries’ citizens, along with AI-driven analytics,” can “enable it to automate the identification of individuals and groups,” and “China can draw on ample Western commercial models for large-scale algorithm-driven delivery of targeted content and behavior-shaping microincentives”).
5 National Counterintelligence and Security Center, China’s Collection of Genomic and Other Healthcare Data From America: Risks to Privacy and U.S. Economic and National Security at 4 (Feb. 2021), https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/NCSC_China_Genomics_Fact_Sheet_2021revision20210203.pdf [https://perma.cc/BL4H-WJSW].
6 Justin Sherman et al., Data Brokers and the Sale of Data on U.S. Military Personnel at 15 (Nov. 2023), https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/11/Sherman-et-al-2023-Data-Brokers-and-the-Sale-of-Data-on-US-Military-Personnel.pdf [https://perma.cc/M9S8-MYAA].
7 E.g., Richard Pérez-Peña and Matthew Rosenberg, Strava Fitness App Can Reveal Military Sites, Analysts Say, The New York Times (Jan. 29, 2018), https://www.nytimes.com/2018/01/29/world/middleeast/strava-heat-map.html [https://perma.cc/VZF9-X7LJ]; Jeremy Hsu, The Strava Heat Map and the End of Secrets, WIRED (Jan. 29, 2018 7:14 p.m.), https://www.wired.com/story/strava-heat-map-military-bases-fitness-trackers-privacy [https://perma.cc/B9KT-E75J].
bought and sold by location-data companies—which was anonymized and represented “just one slice of data, sourced from one company, focused on one city, covering less than one year”—with publicly available information to identify, track, and follow “military officials with security clearances as they drove home at night,” “law enforcement officers as they took their kids to school,” and “lawyers (and their guests) as they traveled from private jets to vacation properties.” 8
Countries of concern can also exploit access to government-related data, regardless of volume. As one report has explained, for example, tracking location data on individual military or government targets can “reveal sensitive locations—such as visits to a place of worship, a gambling venue, a health clinic, or a gay bar—which again could be used for profiling, coercion, blackmail, or other purposes,” or could reveal “reputationally damaging lifestyle characteristics” that could be exploited, “such as infidelity.” 9
Accordingly, transactions that may enable countries of concern to access bulk amounts of Americans’ sensitive personal data or government-related data, as defined by the Order, pose particular and unacceptable risks to national security and foreign policy. This risk of access to U.S. persons’ bulk sensitive personal data and government-related data is not limited to transactions directly involving the governments of countries of concern. Persons who are owned by, controlled by, or subject to the jurisdiction or direction of a country of concern may enable the government of that country to indirectly access such data. For example, countries of concern may have cyber, national security, and intelligence laws that, without sufficient legal safeguards, can obligate such persons to provide that country’s intelligence services access to U.S. persons’ bulk sensitive personal data and government-related data.
Countries of concern can leverage their access to Americans’ bulk sensitive personal data and government-related data to engage in a variety of nefarious activities, including malicious cyber-enabled activities, espionage, and blackmail. Countries of concern can exploit Americans’ bulk sensitive personal data and government-related data to track and build profiles on U.S.
8 Stuart A. Thompson and Charlie Warzel, Twelve Million Phones, One Dataset, Zero Privacy, The New York Times (Dec. 19, 2019), https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html [https://perma.cc/X3VB-429P].
9 Sherman et al., supra note 6, at 15.
persons, including Federal employees and contractors, military servicemembers, and members of the Intelligence Community to support espionage operations and to identify and exploit vulnerabilities for malicious cyber activities. Countries of concern can also access U.S. persons’ bulk sensitive personal data and government-related data to collect information on activists, academics, journalists, dissidents, political figures, and members of non-governmental organizations and marginalized communities to intimidate opponents of countries of concern, curb dissent, and limit Americans’ freedom of expression and other civil liberties. The risks posed by access to Americans’ bulk sensitive personal data and government-related data are exacerbated by AI and other data processing tools that exploit large datasets in increasingly sophisticated and effective ways to the detriment of U.S. national security. These tools, and the access to Americans’ bulk sensitive personal data and government-related data upon which the tools rely, enable countries of concern to target U.S. persons more effectively by recognizing patterns across multiple, unrelated datasets to identify individuals whose links to, for example, the Federal Government, would be otherwise obscured in a single database.
As the President affirmed in the Order, the United States remains committed to promoting an open, global, interoperable, reliable, and secure internet; promoting open, responsible scientific collaboration to drive innovation; protecting human rights online and offline; supporting a vibrant, global economy by promoting cross-border data flows to enable international commerce and trade; and facilitating open investment. Accordingly, the Order authorizes the Attorney General to take specific, carefully calibrated actions to minimize the risks associated with access to Americans’ bulk sensitive personal data and government-related data by countries of concern and persons that are “owned by, controlled by, or subject to the jurisdiction or direction of” countries of concern, while minimizing disruption to commercial activity. For example, the Order exempts certain classes of transactions that are less likely to pose these unacceptable national-security risks, including financial-services transactions, and authorizes the Attorney General to exempt additional classes of transactions. Also consistent with the Order, this ANPRM does not propose generalized data-localization requirements either to store Americans’ bulk sensitive personal data or government-related data within the United States or to locate computing facilities used to process Americans’ bulk sensitive personal data or government-related data within the United States. Nor does it seek to broadly prohibit U.S. persons from conducting commercial transactions with entities and individuals located in countries of concern or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries. This carefully calibrated action instead reflects the U.S. Government’s longstanding support for the concept of “Data Free Flow with Trust,” in recognition of its importance to the economy and human rights online.
The Order has two primary components relevant to this ANPRM. First, it directs the Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the relevant agencies, to issue regulations identifying for prohibition specific classes of transactions that may enable access by countries of concern or covered persons to defined categories of Americans’ bulk sensitive personal data or government-related data, and that the Attorney General determines pose an unacceptable risk to U.S. national security and foreign policy. Second, it instructs the Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the relevant agencies, to issue regulations identifying specific classes of transactions that will be required to comply with security requirements, to be established by the Secretary of Homeland Security through the Director of the Cybersecurity and Infrastructure Security Agency, that mitigate the risks of access to Americans’ bulk sensitive personal data or government-related data by countries of concern. As previewed in this ANPRM, the security requirements could include (1) organizational requirements (e.g., basic organizational cybersecurity posture), (2) transaction requirements (e.g., data minimization and masking, use of privacy-preserving technologies, requirements for information-technology systems to prevent unauthorized disclosure, and logical and physical access controls), and (3) compliance requirements (e.g., audits).10
10 The Order contains other provisions, which are not directly relevant to this ANPRM, to enhance existing authorities to address data-security risks, including directing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector to take certain actions with respect to submarine cables; instructing the Secretaries of Defense, Health and Human Services, and Veterans Affairs, and the Director of the National Science Foundation, to consider taking certain steps regarding the provision of Federal assistance; and encouraging the Consumer Financial Protection Bureau to consider taking steps to address the role that data brokers play in contributing to the national-security risks.
II. Program Overview
The Department of Justice is considering implementing the Order through categorical rules that regulate certain data transactions involving bulk U.S. sensitive personal data and government-related data that present an unacceptable risk to U.S. national security, pursuant to section 2(c) of the Order. To that end, the Department of Justice is considering establishing a program that would (1) identify certain classes of highly sensitive transactions that would be prohibited in their entirety (“prohibited transactions”), and (2) identify other classes of transactions that would be prohibited except to the extent they comply with predefined security requirements (“restricted transactions”) to mitigate the risk of access to bulk sensitive personal data by countries of concern.
Under this framework, the Department of Justice would establish the program by issuing proposed rulemakings in tranches based on priority, including the limits of current authorities, and effective administration of the program. This ANPRM takes the foundational steps by seeking the input needed to establish the structure of the program, including, as described in section 2(c) of the Order, identifying classes of prohibited and restricted transactions that pose an unacceptable risk to national security, defining relevant terms, identifying countries of concern, creating processes for administrative licensing and entity designations, and establishing a compliance and enforcement regime.
This ANPRM is focused on identifying discrete classes of prohibited transactions that raise the highest national-security risks, focusing on data transactions between U.S. persons and countries of concern (or persons subject to their ownership, control, jurisdiction, or direction where the transaction involves property in which a foreign country or national thereof has an interest) that pose direct risks. As contemplated by this ANPRM, the rulemaking would target only transactions between a U.S. person and a country of concern (or person subject to its ownership, control, jurisdiction, or direction), with one discrete exception described below. The program would not regulate purely domestic transactions between U.S. persons (who are not otherwise designated as covered persons acting on behalf of a country of concern), such as the collection, maintenance, processing, or use of data by U.S. persons within the United States.
Section 2(f) of the Order authorizes the Department of Justice to engage in subsequent rulemakings to tailor the regulatory program to the national-security risks identified in the Order, and to the costs and benefits of administering and complying with the regulatory program. Where practical, the proposed program, its structure, and definitions would be modeled on existing regulations based on IEEPA that are generally familiar to the public, such as those administered by the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the United States Department of Commerce’s Bureau of Industry and Security (BIS).
Under section 2(a)(ii) of the Order, the Attorney General is authorized to determine and identify classes of transactions that “pose an unacceptable risk to the national security of the United States because the transactions may enable countries of concern or covered persons to access bulk sensitive personal data or United States Government-related data.” Specifically, the Department of Justice is considering identifying two classes of prohibited data transactions between U.S. persons and countries of concern (or covered persons) to address critical risk areas involving bulk U.S. sensitive personal data or government-related data: (1) data-brokerage transactions; and (2) any transaction that provides a country of concern or covered person with access to bulk human genomic data (a subcategory of human ‘omic data) or human biospecimens from which that human genomic data can be derived. These classes of prohibited data transactions are not directly regulated under existing Federal authorities, and these types of transactions necessarily provide access to bulk sensitive personal data or government-related data directly to countries of concern or persons subject to their ownership, control, jurisdiction, or direction.
The Department of Justice is also considering identifying three classes of restricted data transactions to address critical risk areas to the extent they involve countries of concern or covered persons and bulk U.S. sensitive personal data: (1) vendor agreements (including, among other types, agreements for technology services and cloud-service agreements), (2) employment agreements, and (3) investment agreements. These classes of restricted transactions represent significant means through which countries of concern can access bulk U.S. sensitive personal data or government-related data, but the national-security risks associated with these transactions can be mitigated through appropriate security-related conditions.
The program would cover transactions involving six defined categories of bulk U.S. sensitive personal data—U.S. persons’ covered personal identifiers, personal financial data, personal health data, precise geolocation data, biometric identifiers, and human genomic data—and combinations of those categories, as laid out in the Order and defined below. These categories would be clearly defined and, for covered personal identifiers, significantly narrower than the broad categories of material typically implicated by privacy-focused regulatory regimes.
In addition to addressing data transactions involving bulk U.S. sensitive personal data, and as also laid out in the Order, the program would also address the heightened national-security risks posed by U.S. persons’ transactions with countries of concern (or covered persons) and two kinds of government-related data regardless of volume: (1) geolocation data in listed geofenced areas associated with certain military, other government, and other sensitive facilities (which could threaten national security by revealing information about those locations and U.S. persons associated with them), and (2) sensitive personal data that is marketed as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government, including the military and Intelligence Community.
Consistent with the Order, the program would be implemented as a carefully calibrated national-security authority to address specific national security threats, including counterintelligence threats, posed by data-security risks to U.S. persons and government-related data. The program is not intended as a commercial regulation of all cross-border data flows between the United States and our foreign partners, or as a comprehensive program to regulate Americans’ data privacy. Also consistent with the Order, the Department of Justice intends to implement the program consistent with longstanding U.S. policy to promote trusted cross-border data transfers among partners that respect democratic values and the rule of law, as the program would address only the national-security risks posed by countries of concern because of their potential to target and misuse Americans’ sensitive personal data.
Importantly, the program is also not intended to impede all U.S. persons’ data transactions with countries of concern or persons subject to their jurisdiction. The program, under the rulemaking under consideration, would prohibit or restrict specific classes of data transactions between U.S. persons and countries of concern (or persons subject to their ownership, control, jurisdiction, or direction) that involve either (1) specific categories of sensitive personal data above certain bulk-volume thresholds or (2) specific categories of government-related data regardless of volume. The program under consideration would also identify classes of exempt data transactions and would provide a process for the Department of Justice to issue general and specific licenses using procedures that are generally familiar to the public.
The Department of Justice does not contemplate that the program will rely on case-by-case review of individual data transactions. Rather, the Department of Justice will affirmatively identify classes of prohibited and restricted data transactions. Importantly, the Department of Justice believes that a categorical approach provides bright-line rules to data-transaction parties.
The program would not apply retroactively (before the effective date of the final rule). However, the Department of Justice may, after the effective date of the regulations, request information about transactions by United States persons that were completed or agreed to after the date of the issuance of the Order to better inform the development and implementation of the program.
III. Issues for Comment
The Department of Justice welcomes comments and views from a wide range of stakeholders on all aspects of how the Attorney General should implement this new program under the Order. The Department of Justice is particularly interested in obtaining information on the topics discussed below. This ANPRM does not necessarily identify the full scope of potential approaches the Department of Justice might ultimately undertake in regulations to implement the Order.
A. Overview
The Order frames the key terms that will be developed through rulemaking. Under the rules that the Department of Justice is considering, U.S. persons would be prohibited from engaging in classes of covered data transactions, which (as further defined below) have been determined by the Attorney General to pose an unacceptable risk to the national security of the United States because these classes of covered data transactions may enable countries of concern or covered persons to access bulk U.S. sensitive personal data or government-related data. Some otherwise-prohibited covered data transactions may be restricted and be permitted to proceed only subject to certain conditions, including security requirements published by the Department of Homeland Security in coordination with the Department of Justice. Prohibited or restricted covered data transactions may also be permitted to proceed based on applicable general or specific licenses. None of the program’s requirements would apply to a U.S. person engaged in an exempt data transaction.
Definitions under consideration for these and related terms are italicized and discussed below, along with questions on which the Department of Justice seeks comment.
B. Bulk U.S. Sensitive Personal Data
The Order authorizes the Attorney
General to prohibit or otherwise restrict
United States persons from engaging in
any transaction where the transaction
involves bulk sensitive personal data
and meets other criteria specified in
section 2(a) of the Order. The Order
defines ‘‘bulk’’ as ‘‘an amount of
sensitive personal data that meets or
exceeds a threshold over a set period of
time, as specified in regulations issued
by the Attorney General pursuant to
section 2 of th[e] order.’’ The Order also
defines ‘‘sensitive personal data’’ as
‘‘covered personal identifiers,
geolocation and related sensor data,
biometric identifiers, human ‘omic data,
personal health data, personal financial
data, or any combination thereof,’’ as
further defined in final rules
implementing the Order, ‘‘that could be
exploited by a country of concern to
harm United States national security if
that data is linked or linkable to any
identifiable United States individual or
to a discrete and identifiable group of
United States individuals.’’ The
Department of Justice is considering
elaborating on and providing greater
detail to the Order’s definitions of
‘‘sensitive personal data’’ and ‘‘bulk.’’
Sensitive personal data. The
Department of Justice is considering
further defining each of the six
categories of sensitive personal data
identified in the Order as follows:
1. Covered personal identifiers. The
Order defines ‘‘covered personal
identifiers’’ as ‘‘specifically listed
classes of personally identifiable data
that are reasonably linked to an
individual, and that—whether in
combination with each other, with other
sensitive personal data, or with other
data that is disclosed by a transacting
party pursuant to the transaction and
that makes the personally identifiable
data exploitable by a country of
concern—could be used to identify an
individual from a data set or link data
across multiple data sets to an
individual.’’ The Department is
considering further defining the term
covered personal identifiers as follows.
1(a). With respect to the subcategory
of listed classes of personally
identifiable data ‘‘in combination with
each other,’’ the term covered personal
identifiers would mean any listed
identifier that is linked to any other
listed identifier, except:
(a) The term covered personal identifiers
does not include demographic or contact data
that is linked only to other demographic or
contact data; and
(b) The term covered personal identifiers
does not include a network-based identifier,
account-authentication data, or call-detail
data that is linked only to other network-based identifiers, account-authentication data,
or call-detail data as necessary for the
provision of telecommunications,
networking, or similar services.
Listed identifiers would include the
following classes of data determined by
the regulations to be ‘‘reasonably linked
to an individual’’ under the Order’s
definition of ‘‘covered personal
identifiers.’’ The final rule will include
a comprehensive list of listed identifiers.
• Full or truncated government
identification or account number
(such as a Social Security Number,
driver’s license or state identification
number, passport number, or Alien
Registration Number)
• Full financial account numbers or
personal identification numbers
associated with a financial institution
or financial-services company
• Device-based or hardware-based
identifier (such as International
Mobile Equipment Identity (IMEI),
Media Access Control (MAC) address,
or Subscriber Identity Module (SIM)
card number)
• Demographic or contact data (such as
first and last name, birth date,
birthplace, zip code, residential street
or postal address, phone number, and
email address and similar public
account identifiers)
• Advertising identifier (such as Google
Advertising ID, Apple ID for
Advertisers, or other Mobile
Advertising ID (MAID))
• Account-authentication data (such as
account username, account password,
or an answer to security questions)
• Network-based identifier (such as
Internet Protocol (IP) address or
cookie data)
• Call-detail data (such as Customer
Proprietary Network Information
(CPNI))
Under this definition, the term
covered personal identifiers would be
much narrower than the categories of
material typically covered by laws and
policies aimed generally at protecting
personal privacy.11 It would not include
any combinations of types of data that
are not expressly listed. For example,
this definition of covered personal
identifiers would not include an
individual’s:
• Employment history;
• Educational history;
• Organizational memberships;
• Criminal history; or
• Web-browsing history.
For purposes of defining covered
personal identifiers only, the
Department of Justice is considering
defining identifiers as linked when the
identifiers involved in a single covered
data transaction, or in multiple covered
data transactions or a course of dealing
between the same or related parties, are
capable of being associated with the
same specific person(s). Identifiers
would not be considered linked when
additional identifiers or data not
involved in the relevant covered data
transaction(s) would be necessary to
associate the identifiers with the same
specific person(s). For example, if a U.S.
person transferred two listed identifiers
in a single spreadsheet—such as a list of
names of individuals and associated
MAC addresses for those individuals’
devices—the names and MAC addresses
would be considered linked. The same
would be true if the names and MAC
addresses were transferred to two
related parties in two different covered
data transactions, provided that the
receiving parties were capable of
determining which names corresponded
to which MAC addresses. On the other
hand, a standalone list of MAC
addresses, without any additional listed identifiers, would not be covered personal identifiers. That standalone list of MAC addresses would not become covered personal identifiers even if the receiving party is capable of obtaining separate sets of other listed identifiers or sensitive personal data through separate covered data transactions with unaffiliated parties that would ultimately permit the association of the MAC addresses to specific persons. The MAC addresses would not be considered linked to those separate sets of other listed identifiers or sensitive personal data.
11 Cf., e.g., California Consumer Privacy Act of 2018, Cal. Civ. Code section 1798.140(v)(1) (defining ‘‘personal information’’ in the context of a generalized privacy-focused regime); Regulation (EU) 2016/679 of the European Parliament and of the Council, ‘‘On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC’’ (General Data Protection Regulation), art. 4(1) (27 April 2016) (defining ‘‘personal data’’ in the context of a generalized data privacy regime).
The Department of Justice currently
intends the category of covered personal
identifiers to apply as follows:
• Example 1. A standalone listed
identifier in isolation (i.e., that is not
linked to another listed identifier,
sensitive personal data, or other data
that is disclosed by a transacting party
pursuant to the transaction that makes
the personally identifiable data
exploitable by a country of concern)—
such as a data set of only Social Security
Numbers or only account usernames—
would not constitute covered personal
identifiers.
• Example 2. A listed identifier
linked to another listed identifier—such
as a data set of first and last names
linked to Social Security Numbers,
driver’s license numbers linked to
passport numbers, device MAC
addresses linked to residential
addresses, account usernames linked to
first and last names, or mobile
advertising IDs linked to email
addresses—would constitute covered
personal identifiers.
• Example 3. Demographic or contact
data linked only to other demographic
or contact data—such as a data set
linking first and last names to
residential street addresses, email
addresses to first and last names, or
customer loyalty membership records
linking first and last names to phone
numbers—would not constitute covered
personal identifiers.
• Example 4. Demographic or contact
data linked to other demographic or
contact data and to another listed
identifier—such as a data set linking
first and last names to email addresses
and to IP addresses—would constitute
covered personal identifiers.
• Example 5. Account usernames
linked to passwords as part of a sale of
a data set would constitute covered
personal identifiers. Those types of
account-authentication data are not
linked as part of the provision of
telecommunications, networking, or
similar services.
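The decision the ‘‘linked’’ discussion and Examples 1 through 5 walk through can be written down as a small screening helper. The following Python is an added illustration for this page, not the Department's rule text or any official tool; the column names, the mapping of columns to listed-identifier classes, and the use of a shared ‘‘counterparty group’’ label to stand for related parties are this example's own assumptions, and only subcategory 1(a) (listed identifiers in combination with each other) is modeled.

```python
"""Screening helper for subcategory 1(a) of 'covered personal identifiers'
(added illustration; not DOJ's rule text or code)."""
from dataclasses import dataclass
from enum import Enum


class IdClass(Enum):
    """Classes of listed identifiers named in the ANPRM."""
    GOVERNMENT_ID = "government identification or account number"
    FINANCIAL_ACCOUNT = "financial account number or PIN"
    DEVICE = "device-based or hardware-based identifier"
    DEMOGRAPHIC = "demographic or contact data"
    ADVERTISING = "advertising identifier"
    ACCOUNT_AUTH = "account-authentication data"
    NETWORK = "network-based identifier"
    CALL_DETAIL = "call-detail data"


# Column-name-to-class mapping. The column names are this example's own
# assumption; the classes follow the ANPRM's parenthetical examples.
LISTED = {
    "ssn": IdClass.GOVERNMENT_ID, "drivers_license": IdClass.GOVERNMENT_ID,
    "passport": IdClass.GOVERNMENT_ID, "bank_account": IdClass.FINANCIAL_ACCOUNT,
    "mac_address": IdClass.DEVICE, "imei": IdClass.DEVICE,
    "full_name": IdClass.DEMOGRAPHIC, "email": IdClass.DEMOGRAPHIC,
    "phone": IdClass.DEMOGRAPHIC, "street_address": IdClass.DEMOGRAPHIC,
    "maid": IdClass.ADVERTISING,
    "username": IdClass.ACCOUNT_AUTH, "password": IdClass.ACCOUNT_AUTH,
    "ip_address": IdClass.NETWORK, "cookie": IdClass.NETWORK,
    "cpni": IdClass.CALL_DETAIL,
}

# Classes that may be linked to each other without becoming covered personal
# identifiers when the linkage is necessary to provide telecom/network services.
SERVICE_CLASSES = {IdClass.ACCOUNT_AUTH, IdClass.NETWORK, IdClass.CALL_DETAIL}


def is_covered_personal_identifiers(columns, for_service_provision=False):
    """True if the linked columns form covered personal identifiers under 1(a).

    columns: names of fields that are linked, i.e. capable of being associated
      with the same person. Unlisted fields (employment history, browsing
      history, ...) are ignored: they are not listed identifiers.
    for_service_provision: the linkage exists only as necessary to provide
      telecommunications, networking or similar services (exception (b)).
    """
    listed = {c for c in columns if c in LISTED}
    if len(listed) < 2:                      # Example 1: standalone identifier
        return False
    classes = {LISTED[c] for c in listed}
    if classes <= {IdClass.DEMOGRAPHIC}:     # exception (a), Example 3
        return False
    if classes <= SERVICE_CLASSES and for_service_provision:   # exception (b)
        return False
    return True                              # Examples 2, 4 and 5


@dataclass(frozen=True)
class Transfer:
    """One covered data transaction (constructed): who received which columns."""
    counterparty_group: str   # related parties share a group label (assumption)
    columns: tuple


def columns_linked_through(transfers, counterparty_group):
    """Columns treated as linked across a course of dealing with the same or
    related parties. Simplifying assumption: the recipients can join the
    separate transfers (for instance via a shared row key); transfers to
    unaffiliated groups are never combined, matching the standalone-MAC case."""
    return {c for t in transfers if t.counterparty_group == counterparty_group
            for c in t.columns}
```

The names-then-MAC-addresses scenario from the text maps onto `columns_linked_through`: two transfers to the same group yield a linked pair and are covered, while the same MAC list sent to an unaffiliated group stays a standalone identifier.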
1(b). With respect to the subcategory
of listed classes of personally
identifiable data ‘‘in combination . . .
with other sensitive personal data,’’ the
Department is considering treating these
combinations as combined data subject
to the lowest bulk threshold applicable
to the categories of data present, as
separately discussed below with respect
to the definition of the term bulk U.S.
sensitive personal data.
1(c). With respect to the subcategory
of listed classes of personally
identifiable data ‘‘in combination . . .
with other data that is disclosed by a
transacting party pursuant to the
transaction that makes the personally
identifiable data exploitable by a
country of concern,’’ the Department
does not intend to impose an obligation
on transacting parties to independently
determine whether particular
combinations of data would be
‘‘exploitable by a country of concern’’;
rather, the Department intends to
identify specific classes of data that,
when combined, would satisfy this
standard. The Department seeks
comment on other ways in which it can
further define this subcategory. As
context, the Department intends this
subcategory to apply to scenarios such
as the following:
• Example 6. A foreign person who is
a covered person asks a U.S. company
for a list of MAC addresses from devices
that have connected to the wireless
network of a U.S. fast-food restaurant
located in a particular government
building. The U.S. company then sells
the list of MAC addresses, without any
other listed identifiers or sensitive
personal data, to the covered person.
The data disclosed by the covered
person’s inquiry for MAC addresses
from ‘‘devices that have connected to
the wireless network of a U.S. fast-food
restaurant located in a particular
government building’’ makes the list of
MAC addresses exploitable by a country
of concern.
• Example 7. A U.S. company sells to
a country of concern a list of full names
that the company describes (in a
heading in the list or to the country of
concern as part of the transaction) as
‘‘members of a country of concern’s
opposition political party in New York
City,’’ or as ‘‘active-duty LGBTQ+
military officers’’ without any other
listed identifiers or sensitive personal
data. The data disclosed by the U.S.
company’s description of the list of
names as ‘‘members of a country of
concern’s opposition political party in
New York City’’ or ‘‘active-duty
LGBTQ+ military officers’’ makes the
list of names exploitable by a country of
concern.
By contrast, the Department does not
intend this subcategory to apply to
scenarios such as the following:
• Example 8. A covered person asks
a U.S. company for a bulk list of birth
dates for ‘‘any American who visited a
Starbucks in Washington, DC in
December 2023.’’ The U.S. company
then sells the list of birth dates, without
any other listed identifiers or sensitive
personal data, to the covered person.
• Example 9. A U.S. company sells to
a covered person a list of full names that
the company describes (in a heading in
the list or to the covered person as part
of the transaction) as ‘‘Americans who
watched more than 50% of episodes’’ of
a popular TV show, without any other
listed identifiers or sensitive personal
data.
2. Geolocation and related sensor
data. The Department of Justice
currently intends for its first rulemaking
to regulate covered data transactions
involving geolocation and related sensor
data only to the extent that such
transactions involve precise geolocation
data. Precise geolocation data would
mean data, whether real-time or
historical, that identifies the physical
location of an individual or a device
with a precision of within [number of
meters/feet] based on electronic signals
or inertial sensing units.
3. Biometric identifiers. The term
biometric identifiers means measurable
physical characteristics or behaviors
used to recognize or verify the identity
of an individual, including facial
images, voice prints and patterns, retina
and iris scans, palm prints and
fingerprints, gait, and keyboard usage
patterns that are enrolled in a biometric
system and the templates created by the
system.
4. Human ‘omic data. The
Department of Justice currently intends
for its first rulemaking to regulate
covered data transactions involving
human ‘omic data only to the extent that
such transactions involve human
genomic data. The term human genomic
data means data representing the
nucleic acid sequences that comprise
the entire set or a subset of the genetic
instructions found in a human cell,
including the result or results of an
individual’s ‘‘genetic test’’ (as defined in
42 U.S.C. 300gg–91(d)(17)) and any
related human genetic sequencing data.
5. Personal health data. The term
personal health data means
‘‘individually identifiable health
information’’ (as defined in 42 U.S.C.
1302d(6) and 45 CFR 160.103),
regardless of whether such information
is collected by a ‘‘covered entity’’ or
‘‘business associate’’ (as defined in 45
CFR 160.103).
6. Personal financial data. The term
personal financial data means data
about an individual’s credit, charge, or
debit card, or bank account, including
purchases and payment history; data in
a bank, credit, or other financial
statement, including assets, liabilities
and debts, and transactions; or data in
a credit or ‘‘consumer report’’ (as
defined under 15 U.S.C. 1681a).
With respect to the definition of the
term sensitive personal data, the
Department of Justice is considering or
further defining categorical exclusions
to the extent that data consists of:
i. Public or nonpublic data that does not
relate to an individual, including such data
that meets the definition of a ‘‘trade secret’’
(as defined in 18 U.S.C. 1839(3)) or
‘‘proprietary information’’ (as defined in 50
U.S.C. 1708(d)(7));
ii. Data that is lawfully available to the
public from a Federal, State, or local
government record or in widely distributed
media (such as court records or other sources
that are generally available to the public
through unrestricted and open-access
repositories);
iii. Personal communications that do not
transfer anything of value (see 50 U.S.C.
1702(b)(1)); or
iv. Information or informational materials (see 50 U.S.C. 1702(b)(3)), which would be defined further in the regulations. The Department of Justice anticipates interpreting the phrase ‘‘information or informational materials’’ as including expressive information, like videos and artwork, and excluding non-expressive data, consistent with the speech-protective purpose of 50 U.S.C. 1702(b)(3).
Bulk thresholds. The program would establish volume-based thresholds for each category of sensitive personal data and for combined datasets. The Department of Justice is considering the following approach to determine the bulk thresholds.
To the maximum extent feasible, the bulk thresholds would be set based on a risk-based assessment that examines threat, vulnerabilities, and consequences as components of risk. In the context of the bulk thresholds, a risk-based assessment would account for the characteristics of datasets that affect the data’s vulnerability to exploitation by countries of concern and that affect the consequences of exploitation. These characteristics may include both human-centric characteristics (which describe a data set in terms of its potential value to a human analyst) and machine-centric characteristics (which describe how easily a data set could be processed by a computer system). The framework’s human-centric characteristics may include how many individuals a data set covers (size), how the data could be used (purpose), how easy it is to deliberately change the data (changeability), who tracks and manages the data (control), and how easy the data is to obtain (availability). The framework’s machine-centric characteristics may include the number of data points in a dataset (volume), how quickly the dataset evolves (velocity), how specifically a data set targets a sensitive group (correlation), and how much processing is required to use the data (quality). Applying this style of framework would allow for a particularized assessment of the relative sensitivity of each of the six categories of sensitive personal data and would inform the volume threshold applicable to each category.
Based on a preliminary risk assessment, the Department of Justice, in consultation with other agencies, is considering adopting bulk thresholds within the following ranges (Low and High being the ends of the range under consideration for each category), and would welcome additional analysis about the costs and benefits of specific thresholds for each category:
Human genomic data. Low: More than 100 U.S. persons. High: More than 1,000 U.S. persons.
Biometric identifiers; precise geolocation data. Low: More than 100 U.S. persons (for biometric identifiers) or U.S. devices (for precise geolocation data). High: More than 10,000 U.S. persons (for biometric identifiers) or U.S. devices (for precise geolocation data).
Personal health data; personal financial data. Low: More than 1,000 U.S. persons. High: More than 1,000,000 U.S. persons.
Covered personal identifiers. Low: More than 10,000 U.S. persons. High: More than 1,000,000 U.S. persons.
The Department of Justice proposes to operationalize these bulk thresholds as follows:
The term bulk U.S. sensitive personal data
means a collection or set of data relating to
U.S. persons, in any format, regardless of
whether the data is anonymized,
pseudonymized, de-identified, or encrypted
and that includes, at any point in the
preceding twelve months, whether through a
single covered data transaction or aggregated
across covered data transactions involving
the same foreign person or covered person:
(i) Human genomic data collected or
maintained on more than [number of] U.S.
persons;
(ii) Biometric identifiers collected or
maintained on more than [number of] U.S.
persons;
(iii) Precise geolocation data collected or
maintained on more than [number of] U.S.
devices;
(iv) Personal health data collected or
maintained on more than [number of] U.S.
persons;
(v) Personal financial data collected or
maintained on more than [number of] U.S.
persons;
(vi) Covered personal identifiers collected
or maintained on more than [number of] U.S.
persons; or
(vii) Combined data, meaning any
collection or set of data that contains more
than one of categories (i) through (vi), or that
contains any listed identifier linked to
categories (i) through (v), that meets the
threshold number of persons or devices
collected or maintained in the aggregate for
the lowest number of U.S. persons or U.S.
devices in any category of data present.
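The aggregation rule in the definition just given (a twelve-month window, aggregation across transactions with the same foreign person or covered person, and combined data measured against the lowest threshold of any category present) is easy to get wrong in a compliance check, so here it is as an added Python example. This is an illustration for this page, not the Department's text or tooling: the threshold numbers, which the definition leaves as ‘‘[number of]’’, are taken from the low end of the ranges under consideration purely as an assumption, persons and devices are both represented by a single record id, and the sample transfers are constructed.

```python
"""Bulk-threshold check for 'bulk U.S. sensitive personal data'
(added illustration; not DOJ's rule text or code)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Placeholder thresholds: the ANPRM leaves "[number of]" open. These are the
# low end of the ranges under consideration and are an assumption of this example.
THRESHOLDS = {
    "human_genomic": 100,
    "biometric": 100,
    "precise_geolocation": 100,      # counted in U.S. devices rather than persons
    "personal_health": 1_000,
    "personal_financial": 1_000,
    "covered_personal_identifiers": 10_000,
}


@dataclass
class Transfer:
    """One covered data transaction (constructed). `records` maps a person or
    device id to the set of sensitive-data categories transferred for that id.
    Hashed, pseudonymized or encrypted ids still count: the definition applies
    regardless of anonymization or encryption."""
    on: date
    counterparty: str
    records: dict


def aggregate_records(transfers, counterparty, as_of, window_days=365):
    """Merge records from every transfer with the same counterparty in the
    preceding twelve months; the same id seen twice is counted once."""
    start = as_of - timedelta(days=window_days)
    merged = {}
    for t in transfers:
        if t.counterparty != counterparty or not (start <= t.on <= as_of):
            continue
        for rec_id, cats in t.records.items():
            merged.setdefault(rec_id, set()).update(cats)
    return merged


def is_bulk(transfers, counterparty, as_of, thresholds=THRESHOLDS):
    """True if the aggregated collection meets the bulk definition."""
    merged = aggregate_records(transfers, counterparty, as_of)
    per_category = {}
    for rec_id, cats in merged.items():
        for c in cats:
            per_category.setdefault(c, set()).add(rec_id)
    if not per_category:
        return False
    if len(per_category) == 1:               # paragraphs (i) to (vi)
        (category, ids), = per_category.items()
        return len(ids) > thresholds[category]
    # Combined data, paragraph (vii): the whole collection is measured against
    # the lowest threshold of any category present.
    floor = min(thresholds[c] for c in per_category)
    return len(merged) > floor


def make_records(prefix, n, cats):
    """Build n constructed records that all carry the same categories."""
    return {f"{prefix}{i}": set(cats) for i in range(n)}
```

The combined-data branch is the one practitioners tend to miss: 100 health records and 60 genomic records, each below its own threshold, together exceed the 100-record genomic floor and the whole collection is bulk.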
The ANPRM seeks comment on this
topic, including:
1. In what ways, if any, should the
Department of Justice elaborate or amend the
definition of bulk U.S. sensitive personal
data? If the definition should be elaborated
or amended, why?
2. Should the Department of Justice treat
data that is anonymized, pseudonymized, de-identified, or encrypted differently? If so,
why?
3. Should the Department of Justice
consider amending the definitions applicable
to any of the six categories of sensitive
personal data? If the definition should be
elaborated or amended, why?
4. Are there categories of bulk U.S.
sensitive personal data that should be added
to the definition? Are there categories
proposed that should be removed? Please
explain.
5. The Executive order directs a report and
recommendation assessing the risks and
benefits of regulating transactions involving
other specified types of human ‘omic data.
Should data transactions involving these
other types of human ‘omic data be
regulated? If so, which types of human ‘omic
data? What risks, scientific value, and
economic costs should be considered?
6. What, if any, possible unintended
consequences could result from the
definition (including the bulk thresholds)
under consideration? In particular, to what
extent would the approach contemplated
here affect individuals’ rights to share their
own biospecimens and health, genomic, and
other data?
7. What thresholds for datasets should
apply with respect to each category of bulk
U.S. sensitive personal data under
consideration, and why is each such
threshold appropriate? Should any category
of sensitive personal data (e.g., covered
personal identifiers) have different
thresholds for different subtypes or specific
fields of data based on sensitivity, purpose,
correlation, or other factors?
8. Are there other factors or characteristics
that the Department of Justice should
evaluate as part of the proposed analytical
framework for determining the bulk
thresholds?
9. What data points, specific use cases, or
other information should the Department of
Justice consider in determining the bulk
thresholds for bulk U.S. sensitive personal
data?
10. At what level should the Department of
Justice set the precision (i.e., numbers of
meters/feet) in defining precise geolocation
data? What are common commercial
applications of geolocation data, and what
level of precision is required to support those
applications? When geolocation data is
‘‘fuzzed’’ in some commercial applications to
reduce potential privacy impacts, what are
common techniques for ‘‘fuzzing’’ the data,
what is the resulting reduction in the level
of precision, and how effective are those
techniques in reducing the sensitivity of the
data? To what extent should the definition be
informed by the level of precision for
geolocation data used in certain state dataprivacy laws, such as a radius of 1,850 feet
(see, e.g., Cal. Civ. Code section 1798.140(w))
or a radius of 1,750 feet (see, e.g., Utah Civ.
Code section 13–61–101(33(a)))?
11. Should the Department of Justice
consider changing any of the categorical
exclusions to the definition of sensitive
personal data? How should the program
define the exclusion for data that is lawfully
a matter of public record, particularly in light
of data that is scraped from the internet or
data points that are themselves public but
whose linkage to the same individual is not
public? What types of data are generally
available to the public through open-access
repositories?
12. How do businesses use each category
of sensitive personal data, particularly in the
cross-border context, and how would the
ranges of bulk thresholds under
consideration affect businesses’ ability to
engage in data transactions with countries of
concern or covered persons?
13. Should the classes of listed identifiers,
such as for government identification
numbers and financial account numbers,
include truncated versions of the full
numbers? If so, how should ‘‘truncated’’ be
defined?
14. With respect to defining linked for
purposes of covered personal identifiers,
should the Department of Justice consider
placing a time limit on when listed identifiers
would be considered linked to address a
scenario in which, for example, a U.S. person
sells a bulk list of names to a covered person
on day one (which would not be a covered
data transaction) and then sells a list of
Social Security Numbers associated with
those names years later? Would the lack of
such a time limit require or encourage U.S.
companies, such as data brokers, to retain
sensitive personal data that they would
otherwise purge in the normal course of
business?
15. With respect to defining the term
covered personal identifiers, how should the
Department define the subcategory of listed
classes of personally identifiable data ‘‘in
combination . . . with other data that is
disclosed by a transacting party pursuant to
the transaction that makes the personally
identifiable data exploitable by a country of
concern’’?
16. How should the Department define
information or informational materials?
What factors should the Department take into
account in its definition? What relevant
precedents from other IEEPA-based programs
should the Department take into account
when defining the term?
C. Government-Related Data
In addition to authorizing the
Attorney General to address the
national-security risks posed by
transactions involving bulk sensitive
personal data, the Order also authorizes
the Attorney General to prohibit or
otherwise restrict U.S. persons from
engaging in certain transactions
involving government-related data
regardless of volume. The Order defines
the term ‘‘United States Government-related data’’ as sensitive personal data
that, regardless of volume, the Attorney
General determines poses a heightened
risk of being exploited by a country of
concern to harm United States national
security and that (1) a transacting party
identifies as being linked or linkable to
categories of current or recent former
employees or contractors, or former
senior officials, of the Federal
Government, including the military, as
specified in regulations issued by the
Attorney General pursuant to section 2
of the order; (2) is linked to categories
of data that could be used to identify
current or recent former employees or
contractors, or former senior officials, of
the Federal Government, including the
military, as specified in regulations
issued by the Attorney General pursuant
to section 2 of the order; or (3) is linked
or linkable to certain sensitive locations,
the geographical areas of which will be
specified publicly, that are controlled by
the Federal Government, including the
military.
The Department of Justice is
considering further defining the term
government-related data to include two
data categories: (1) any precise
geolocation data, regardless of volume,
for any location within any area
enumerated on a list of specific
geofenced areas associated with
military, other government, or other
sensitive facilities or locations (the
Government-Related Location Data
List), or (2) any sensitive personal data,
regardless of volume, that a transacting
party markets as linked or linkable to
current or recent former employees or
contractors, or former senior officials, of
the U.S. government, including the
military and Intelligence Community.
With respect to the location
subcategory, the Government-Related
Location Data List would be created
through an interagency process in
which each agency identifies any
geofenced areas relative to its equities
for inclusion on the list, and DOJ would
maintain and publish the list.
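Because the location subcategory applies regardless of volume, a party handling precise geolocation data would need to screen records against the published areas before any covered data transaction rather than rely on a bulk count. The following Python is an added example of such a screen for this page, not the Department's code; the Government-Related Location Data List does not yet exist, so the fenced area and the device pings below are constructed, and the point-in-polygon test treats latitude and longitude as plane coordinates, which is adequate for the small areas a geofence describes.

```python
"""Screening precise geolocation records against a geofenced-area list
(added illustration; the fence below is constructed, not the real
Government-Related Location Data List)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fence:
    name: str
    polygon: tuple   # ((lat, lon), ...) vertices of a simple polygon


def point_in_polygon(lat, lon, polygon):
    """Ray-casting test: a ray running east from the point crosses the polygon
    boundary an odd number of times if and only if the point is inside."""
    inside = False
    n = len(polygon)
    for i in range(n):
        lat1, lon1 = polygon[i]
        lat2, lon2 = polygon[(i + 1) % n]
        # Only edges that straddle the point's latitude can be crossed.
        if (lat1 > lat) != (lat2 > lat):
            # Longitude at which the edge crosses the point's latitude.
            cross_lon = lon1 + (lat - lat1) * (lon2 - lon1) / (lat2 - lat1)
            if lon < cross_lon:
                inside = not inside
    return inside


def flag_government_related(records, fences):
    """Map each record id that falls inside any fenced area to the area name.
    Such records are government-related data no matter how few there are, so
    the bulk thresholds do not apply to them."""
    hits = {}
    for rec_id, lat, lon in records:
        for f in fences:
            if point_in_polygon(lat, lon, f.polygon):
                hits[rec_id] = f.name
                break
    return hits


# Constructed sample data: one square fence and three device pings, two of
# which fall inside it.
FENCES = (
    Fence("constructed-area-1",
          ((38.86, -77.07), (38.86, -77.05), (38.88, -77.05), (38.88, -77.07))),
)
PINGS = (
    ("dev-1", 38.870, -77.060),
    ("dev-2", 38.900, -77.060),
    ("dev-3", 38.861, -77.069),
)
```

Run `flag_government_related(PINGS, FENCES)` to see which constructed pings are inside the fence; in practice the fence list would be loaded from the published Government-Related Location Data List once it exists.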
The Department of Justice currently
intends the personnel subcategory to
apply to scenarios such as the following:
• Example 10. A U.S. company
advertises the sale of a set of sensitive
personal data as belonging to ‘‘active
duty’’ personnel, ‘‘military personnel
who like to read,’’ ‘‘DoD’’ personnel,
‘‘government employees,’’ or
‘‘communities that are heavily
connected to a nearby military base.’’
• Example 11. In discussing the sale
of a set of sensitive personal data with
a foreign counterparty, a U.S. company
describes the data set as belonging to
members of a specific organization,
which restricts membership to current
and former members of the military and
their families.
The ANPRM seeks comment on this
topic, including:
17. In what ways, if any, should the
Department of Justice elaborate or amend the
definition of government-related data,
including with respect to ‘‘recent former’’
employees or contractors, and ‘‘former senior
officials’’?
18. Are there categories of government-related data that should be added to the
definition? Are there categories proposed that
should be removed? Please explain.
19. How should the Department of Justice
define data that is ‘‘marketed as linked or
linkable’’ to current or recent former
employees or contractors, or former senior
officials, of the U.S. Government (including
the military or Intelligence Community)?
What are the current industry practices?
20. How would the contemplated
definitions of bulk sensitive personal data
and government-related data affect health
and related research activities, such as
genomic research on deceased U.S. persons
who were former senior U.S. officials or
recent former employees or contractors? To
what extent do such activities involve
covered data transactions with countries of
concern or covered persons that would be
prohibited or regulated under this program?
Should the Department of Justice consider a
general license for such activities, and if so,
what should the parameters be for such a
license?
21. What, if any, possible unintended
consequences could result from the
definition of government-related data under
consideration?
D. Covered Data Transactions
The Order authorizes the Attorney
General to prohibit or otherwise restrict
United States persons from engaging in
transactions meeting several criteria and
requires the Attorney General to identify
classes of transactions subject to those
prohibitions or restrictions. With
respect to defining what would
constitute a covered data transaction,
the Department of Justice proposes to
carefully tailor the program to achieve
the Order’s intent and effect.
Consequently, the Department of Justice
is considering adopting the following
definitions relevant to the concept of a
covered data transaction. A transaction
is any acquisition, holding, use, transfer,
transportation, exportation of, or dealing
in any property in which a foreign
country or national thereof has an
interest. A covered data transaction is
any transaction that involves any bulk
U.S. sensitive personal data or
government-related data and that
involves: (1) data brokerage; (2) a vendor
agreement; (3) an employment
agreement; or (4) an investment
agreement.
Under this definition of covered data
transactions and the definition of access
below (which includes both actual, as
well as ‘‘the ability to’’ exercise,
physical or logical access), prohibited
transactions would be those covered
data transactions that are categorically
determined to pose an unacceptable risk
to national security because they may
enable countries of concern or covered
persons to access bulk U.S. sensitive
personal data or government-related
data. Likewise, under these definitions,
restricted transactions would be those
covered data transactions that are
categorically determined to pose an
unacceptable risk to national security
because they may enable countries of
concern or covered persons to access
bulk U.S. sensitive personal data or
government-related data unless the
security requirements are implemented.
The program would take a categorical
approach to regulating covered data
transactions; it would not rely on
transacting parties or the government to
determine whether specific covered
data transactions within the classes of
prohibited and restricted transactions
individually pose unacceptable risks of
access.
Basic terms. The Department of
Justice is considering defining the term
access to mean ‘‘logical or physical
access, including the ability to obtain,
read, copy, decrypt, edit, divert, release,
affect, alter the state of, or otherwise
view or receive, in any form, including
through information-technology
systems, cloud-computing platforms,
networks, security systems, equipment,
or software.’’ The Department of Justice
is considering defining the term U.S.
device to mean ‘‘any device that is
linked or linkable to a U.S. person.’’ The
Department of Justice is also
considering defining the terms entity,
foreign person, person, and U.S. person
as follows, consistent with the
definitions of those terms in other
IEEPA-based regulations, including
those contained in relevant sections of
title 31 of the Code of Federal
Regulations:
The term entity means a partnership,
association, trust, joint venture, corporation,
group, subgroup, or other organization.
The term foreign person means any person
that is not a U.S. person. (For clarity, a
foreign branch of a U.S. company would
generally be treated the same as the U.S.
company itself—as a U.S. person, not a
foreign person.)
The term person means an individual or
entity.
The term U.S. person means any United
States citizen, national, or lawful permanent
resident; or any individual admitted to the
United States as a refugee under 8 U.S.C.
1157 or granted asylum under 8 U.S.C. 1158;
or any entity organized solely under the laws
of the United States or any jurisdiction
within the United States (including foreign
branches); or any person in the United States.
• Example 12. An individual is a citizen
of a country of concern and is in the United
States. The individual is a U.S. person.
• Example 13. An individual is a U.S.
citizen. The individual is a U.S. person,
regardless of location.
• Example 14. An individual is a dual
citizen of the United States and a country of
concern. The individual is a U.S. person,
regardless of location.
• Example 15. An individual is a citizen
of a country of concern, is not a permanent
resident alien of the United States, and is
outside the United States. The individual is
a foreign person.
Data brokerage. The program would
define data brokerage as the sale of,
licensing of access to, or similar
commercial transactions involving the
transfer of data from any person (the
provider) to any other person (the
recipient), where the recipient did not
collect or process the data directly from
the individuals linked or linkable to the
collected or processed data. The
Department of Justice currently intends
data brokerage to apply to scenarios
such as the following:
• Example 16. A U.S. company sells
bulk U.S. sensitive personal data to an
entity headquartered in a country of
concern.
• Example 17. A U.S. company enters
into an agreement that gives a covered
person a license to access government-related data held by the U.S. company.
• Example 18. A U.S. organization
maintains a database of bulk U.S.
sensitive personal data and offers
annual memberships for a fee that
provide members a license to access
that data. Providing an annual
membership to a covered person would
constitute a prohibited data brokerage.
Vendor agreement. The contemplated
program would define a vendor
agreement as any agreement or
arrangement, other than an employment
agreement, in which any person
provides goods or services to another
person, including cloud-computing
services, in exchange for payment or
other consideration. Cloud-computing
services would be defined as services
related to the provision or use of ‘‘cloud
computing,’’ including ‘‘Infrastructure-as-a-Service (IaaS),’’ ‘‘Platform-as-a-Service (PaaS),’’ and ‘‘Software-as-a-Service (SaaS)’’ (as those terms are
defined in NIST Special Publication
800–145). The Department of Justice
currently intends vendor agreements to
apply to scenarios such as the following:
• Example 19. A U.S. company
collects bulk precise geolocation data
from U.S. users through an app. The
U.S. company enters into an agreement
with a company headquartered in a
country of concern to process and store
this data.
• Example 20. A medical facility in
the United States contracts with a
company headquartered in a country of
concern to provide IT-related services.
The medical facility has bulk personal
health data on its U.S. patients. The IT
services provided under the contract
involve access to the medical facility’s
systems containing the bulk personal
health data.
• Example 21. A U.S. company,
which is owned by an entity
headquartered in a country of concern
and has been designated a covered
person, establishes a new data center in
the United States to offer managed
services. The U.S. company’s data
center serves as a vendor to various U.S.
companies to store bulk U.S. sensitive
personal data collected by those
companies.
• Example 22. A U.S. company
develops mobile games that collect bulk
precise geolocation data and biometric
identifiers of U.S. person users. The U.S.
company contracts part of the software
development to a foreign person who is
primarily resident in a country of
concern and is a covered person. The
software-development services provided
by the covered person under the
contract involve access to the bulk
precise geolocation data and biometric
identifiers.
By contrast, the Department of Justice
currently does not intend this category
to apply to scenarios such as the
following:
• Example 23. A U.S. multinational
company maintains bulk U.S. sensitive
personal data of U.S. persons. This
company has a foreign branch, located
in a country of concern, that has access
to this data. The foreign branch
contracts with a local company located
in the country of concern to provide
cleaning services for the foreign
branch’s facilities. Although the foreign
branch is a U.S. person, the local
company is a covered person, and the
contract is a vendor agreement, the
services performed under this contract
do not ‘‘involve’’ the bulk U.S. sensitive
personal data and thus would not be a
covered data transaction subject to
regulation.
Employment agreement. The program
would define an employment agreement
as any agreement or arrangement in
which an individual, other than as an
independent contractor, performs work
or performs job functions directly for a
person in exchange for payment or other
consideration, including employment
on a board or committee, executive-level
arrangements or services, and
employment services at an operational
level. The Department of Justice
currently intends employment
agreements to apply to scenarios such as
the following:
• Example 24. A U.S. company that
conducts consumer genomic testing
collects and maintains bulk human
genomic data from U.S. consumers. The
U.S. company has global IT operations,
including employing a team of
individuals that are citizens of and
primarily reside in a country of concern
to provide back-end services.
Employment as part of the global IT
operations team includes access to the
U.S. company’s systems containing the
bulk human genomic data.
• Example 25. A U.S. company
develops its own mobile games and
social media apps that collect the bulk
U.S. sensitive personal data of its U.S.
users. The U.S. company distributes
these games and apps in the United
States through U.S.-based digital
distribution platforms for software
applications. Although the U.S.
company’s development team does not
employ any covered persons, the U.S.
company intends to hire as CEO an
individual designated by the Attorney
General as a covered person because of
evidence the CEO acts on behalf of a
country of concern. The individual’s
authorities and responsibilities as CEO
involve access to all data collected by
the apps, including the bulk U.S.
sensitive personal data.
• Example 26. A U.S. company has
amassed U.S. persons’ bulk sensitive
personal data by scraping public photos
from social-media platforms and then
enrolls those photos in a database of
bulk biometric identifiers developed by
the U.S. company, including face-data
scans, for the purpose of training or
enhancing facial-recognition software.
The U.S. company intends to hire a
foreign person, who primarily resides in
a country of concern, as a project
manager responsible for the database.
The individual’s employment as the
lead project manager would involve
access to the bulk biometric identifiers.
The employment agreement would be a
covered data transaction.
• Example 27. A U.S. financial-services company seeks to hire a data
scientist who is a citizen of a country of
concern who primarily resides in that
country of concern and who is
developing a new AI-based personal
assistant that could be sold as a
standalone product to the company’s
customers. As part of that individual’s
employment, the data scientist would
have administrator rights that allow that
individual to access, download, and
transmit bulk quantities of personal
financial data not ‘‘ordinarily incident
to and part of’’ the company’s
underlying provision of financial
services to its customers.
Investment agreement. The program
would define an investment agreement
as any agreement or arrangement in
which any person, in exchange for
payment or other consideration, obtains
direct or indirect ownership interests in
or rights in relation to (1) real estate
located in the United States or (2) a U.S.
legal entity. The Department of Justice
currently intends investment
agreements to apply to scenarios such as
the following:
• Example 28. A U.S. company
intends to build a data center located in
a U.S. territory. The data center will
store bulk personal health data on U.S.
persons. A foreign private-equity fund
located in a country of concern agrees to
provide capital for the construction of
the data center in exchange for
acquiring a majority ownership stake in
the data center.
• Example 29. A foreign technology
company subject to the jurisdiction of a
country of concern and that the
Attorney General has designated as a
covered person enters into a
shareholders’ agreement with a U.S.
business that develops mobile games
and social media apps, acquiring a
minority equity stake in the U.S.
business. These games and apps
systematically collect bulk U.S. sensitive
personal data of its U.S. users. The
investment agreement explicitly gives
the foreign technology company the
ability to access this data.
• Example 30. Same as Example 29,
but the investment agreement either
does not explicitly give the foreign
technology company the right to access
the data or explicitly forbids that access.
The investment agreement would still
fall into the class of restricted covered
data transactions that have been
determined to pose an unacceptable risk
to national security because they may
enable countries of concern or covered
persons to access the bulk U.S. sensitive
personal data; whether the specific
investment agreement poses a risk of
access does not affect whether the
agreement is restricted.
By contrast, the Department of Justice
does not intend to restrict investment
agreements in scenarios such as the
following:
• Example 31. Same as Example 29,
but the U.S. business does not maintain
or have access to any bulk U.S. sensitive
personal data or government-related
data (e.g., a pre-commercial company or
start-up company). Because the data
transaction does not involve any bulk
U.S. sensitive personal data or
government-related data, this
investment agreement does not meet the
definition of covered data transaction.
The Department of Justice is
considering categorically excluding
certain passive investments that do not
convey the ownership interest or rights
(including those that provide
meaningful influence that could be used
to obtain such access) that ordinarily
pose an unacceptable risk to national
security because they may give
countries of concern or covered persons
access to bulk sensitive personal data or
government-related data. Specifically,
the Department of Justice is considering
categorically excluding, from the
definition of investment agreement, any
investment that:
(1) Is made:
(a) Into a publicly traded security, with
‘‘security’’ defined in section 3(a)(10) of the
Securities Exchange Act of 1934, Public Law
73–291 (as codified as amended at 15 U.S.C.
78c(a)(10)), denominated in any currency
that trades on a securities exchange or
through the method of trading that is
commonly referred to as ‘‘over-the-counter,’’
in any jurisdiction;
(b) Into an index fund, mutual fund,
exchange-traded fund, or a similar
instrument (including associated derivatives)
offered by an ‘‘investment company’’ (as
defined in section 3(a)(1) of the Investment
Company Act of 1940, Public Law 76–768, as
codified as amended at 15 U.S.C. 80a–3(a)(1))
or by a private investment fund; or
(c) As a limited partner into a venture
capital fund, private equity fund, fund of
funds, or other pooled investment fund, if the
limited partner’s contribution is solely
capital into a limited partnership structure or
equivalent and the limited partner cannot
make managerial decisions, is not
responsible for any debts beyond its
investment, and does not have the formal or
informal ability to influence or participate in
the fund’s or a U.S. person’s decision-making
or operations;
(2) Gives the covered person less than [a de
minimis threshold] in total voting and equity
interest in a U.S. person; and
(3) Does not give a covered person rights
beyond those reasonably considered to be
standard minority shareholder protections,
including (a) membership or observer rights
on, or the right to nominate an individual to
a position on, the board of directors or an
equivalent governing body of the U.S. person,
or (b) any other involvement, beyond the
voting of shares, in substantive business
decisions, management, or strategy of the
U.S. person.
Finally, the Department of Justice is
considering how the program should
address investment agreements that are
‘‘covered transactions’’ subject to the
jurisdiction of the Committee on
Foreign Investment in the United States
(CFIUS) under section 721 of the
Defense Production Act of 1950, Public
Law 81–774, as codified as amended at
50 U.S.C. 4565. This topic is discussed
separately in the section on
‘‘Coordination with Other Regulatory
Regimes.’’
The ANPRM seeks comment on this
topic, including:
22. What modifications to enhance clarity,
if any, should be made to the definitions
under consideration for data brokerage,
vendor agreements, employment agreements,
and investment agreements?
23. With respect to the exclusion from the
definition of investment agreements for
certain low-risk investments, what de
minimis threshold of voting or equity interest
should the Department of Justice consider
establishing?
24. Are there any elements of the data
brokerage ecosystem that would not be
included in the definition of data brokerage
under consideration?
25. Are there any additional scenarios or
types of data transactions that would be
helpful to identify whether or not they would
be restricted?
E. Countries of Concern
The Order requires the Attorney
General to identify countries of concern.
The Order defines ‘‘country of concern’’
as any foreign government that, as
determined by the Attorney General
with the concurrence of the Secretaries
of State and Commerce, ‘‘(1) has
engaged in a long-term pattern or
serious instances of conduct
significantly adverse to the national
security of the United States or security
and safety of United States persons, and
(2) poses a significant risk of exploiting
bulk U.S. sensitive personal data or
United States Government-related data
to the detriment of the national security
of the United States or the security and
safety of U.S. persons, as specified in
regulations issued by the Attorney
General pursuant to section 2 of th[e]
order.’’
The Department of Justice is
considering adopting the Order’s
definition of the term country of
concern without elaboration or
amendment. The Department of
Commerce, in implementing Executive
Order 13873—in which the President
declared a national emergency
stemming from foreign adversaries’
ability to exploit information and
communications and technology
services to, among other things, engage
in malicious cyber-enabled activities—
identified the following countries as
having engaged in a long-term pattern or
serious instances of conduct
significantly adverse to the national
security of the United States or security
and safety of the United States: the
People’s Republic of China, along with
the Special Administrative Region of
Hong Kong and the Special
Administrative Region of Macau; the
Russian Federation; the Islamic
Republic of Iran; the Democratic
People’s Republic of Korea; the
Republic of Cuba; and the Bolivarian
Republic of Venezuela. See 15 CFR 7.4.
This Order expands the scope of the
national emergency declared by the
President in Executive Order 13873.
Accordingly, the Department of Justice
is considering identifying the same
countries as countries of concern under
the Order, as will be explained further
in the notice of proposed rulemaking.
The ANPRM seeks comment on this
topic, including:
26. Should the Department of Justice
further elaborate in any way on the definition
of country of concern to provide greater
clarity?
27. Are there other factors or
considerations relating to the abilities of the
proposed countries of concern to access and
exploit bulk sensitive personal data or
government-related data to engage in
nefarious activities that the Department of
Justice should take into account when
determining whether to identify the same
countries as countries of concern?
F. Covered Persons
The Order requires the Attorney
General to identify classes of covered
persons, as appropriate, for the purposes
of the Order. ‘‘Covered person’’ is
defined by the Order as ‘‘an entity
owned by, controlled by, or subject to
the jurisdiction or direction of a country
of concern; a foreign person who is an
employee or contractor of such an
entity; a foreign person who is an
employee or contractor of a country of
concern; a foreign person who is
primarily resident in the territorial
jurisdiction of a country of concern; or
any person designated by the Attorney
General as being owned or controlled by
or subject to the jurisdiction or direction
of a country of concern, as acting on
behalf of or purporting to act on behalf
of a country of concern or other covered
person, or as knowingly causing or
directing, directly or indirectly, a
violation’’ of the Order or its
implementing regulations. The
Department of Justice is considering an
approach that would identify a covered
person as a person that meets the
definition either by (1) falling into one
of the classes without having been
individually designated by the
Department of Justice or (2) having been
individually designated by the
Department of Justice on a public list
maintained and updated by the
Department of Justice.
The Department of Justice is
considering defining the term covered
person as:
(1) An entity that is 50 percent or more
owned, directly or indirectly, by a country of
concern, or that is organized or chartered
under the laws of, or has its principal place
of business in, a country of concern;
(2) An entity that is 50 percent or more
owned, directly or indirectly, by an entity
described in category (1) or a person
described in categories (3), (4), or (5);
(3) A foreign person who is an employee
or contractor of a country of concern or of an
entity described in categories (1), (2), or (5);
(4) A foreign person who is primarily
resident in the territorial jurisdiction of a
country of concern; or
(5) Any person designated by the Attorney
General as being owned or controlled by or
subject to the jurisdiction or direction of a
country of concern, or as acting on behalf of
or purporting to act on behalf of a country of
concern or covered person, or knowingly
causing or directing a violation of these
regulations.
Under this contemplated definition,
citizens of countries of concern located
in third countries (i.e., not located in the
United States and not primarily resident
in a country of concern) would not be
categorically treated as covered persons.
Instead, only a subset of country-of-concern citizens in third countries
would qualify categorically as covered
persons: those working for the
government of a country of concern or
for a covered entity (as described in
category 3 above). All other country-of-concern citizens located in third
countries would not qualify as covered
persons except to the extent that the
Attorney General designates them. The
term covered person would thus apply
as follows to country-of-concern
citizens:
• Example 32. Foreign persons
primarily resident in Cuba, Iran or
another country of concern would be
categorically treated as covered persons.
• Example 33. Chinese or Russian
citizens located in the United States
would be treated as U.S. persons and
would not be covered persons (except to
the extent individually designated).
They would be subject to the same
prohibitions and restrictions as all other
U.S. persons with respect to engaging in
covered data transactions with
countries of concern or covered persons.
• Example 34. Citizens of a country of
concern who are primarily resident in a
third country, such as Russian citizens
primarily resident in the European
Union or Cuban citizens primarily
resident in South America, would not
be covered persons except to the extent
they are individually designated or to
the extent that they are employees or
contractors of a country-of-concern
government or a covered entity.
• Example 35. A foreign person
located abroad is employed by a
company headquartered in the People’s
Republic of China. Because the foreign
person is the employee of a covered
entity, the person is a covered person.
• Example 36. A foreign person
located abroad is employed by a
company that has been designated as a
covered person. Because the foreign
person is the employee of a covered
entity, the person is a covered person.
With respect to individually
designated covered persons, the
Department of Justice is considering
maintaining a public list of persons
determined to be covered persons,
modeled on various sanctions
designations lists maintained by OFAC.
Inclusion on the Department of Justice’s
covered person list would have no effect
on a person’s inclusion on OFAC or
other U.S. Government designation lists.
As indicated by the contemplated
definition of covered person, this list
would identify ‘‘any person designated
by the Attorney General as being owned
or controlled by or subject to the
jurisdiction or direction of a country of
concern, or as acting on behalf of or
purporting to act on behalf of a country
of concern or covered person, or
knowingly causing or directing a
violation of these regulations.’’ This
designations list would supplement the
defined categories in the definition of
covered person to provide direct and
actual notice to regulated parties of
specific designated persons, would
inform the public regarding the specific
designated persons subject to this
regulation’s requirements regarding
prohibited and restricted covered data
transactions, and would serve
enforcement purposes. Importantly,
however, the public list would not
exhaustively include all covered
persons, as any person that satisfies the
criteria contained in the relevant
definitions will be considered a covered
person under the regulation, regardless
of whether the person is identified on
the public list.
The Department of Justice would
establish a process to add to, remove
from, or modify this list. The process
would be similar to the internal
processes used by other United States
Government agencies that make
designations based on IEEPA
authorities, including interagency
consultation to ensure that agencies
with relevant equities and expertise may
weigh in. For example, the Department
of Justice would be free to consider, to
the extent compliant with applicable
law, any classified or unclassified
information from any Federal agency or
other source. A person would be able to
seek administrative reconsideration of
the Department of Justice’s
determination that they are a covered
person, or assert that the circumstances
resulting in the determination no longer
apply, and thus seek to have the
designation rescinded pursuant to
applicable administrative procedures.
This administrative appeals process
would be based on, and substantially
similar to, analogous programs
maintained by other Federal agencies
that exercise IEEPA authorities.
The ANPRM seeks comment on this
topic, including:
28. How would the U.S. party to a data
transaction ascertain whether a counterparty
to the transaction is a covered person as
defined above? What kind of diligence would
be necessary?
29. What are the considerations as to
whether a person is ‘‘controlled by[] or
subject to the jurisdiction or direction of’’ a
country of concern? What, if any, changes
should be made to the definitions above to
make their scope and application clearer?
Why? What, if any changes should be made
to broaden or narrow them? Why?
30. With respect to the part of the
definition of covered person addressing ‘‘a
foreign person who is primarily resident in
the territorial jurisdiction of a country of
concern,’’ how should the Department of
Justice address temporary travel to or in a
country of concern by foreign individuals
who are not citizens of a country of concern?
Should the standard be ‘‘primarily resident
in,’’ ‘‘resident in,’’ ‘‘located in,’’ or something
else?
31. Other than certain lists maintained by
OFAC and BIS, are there other designation
lists accessible to industry that the
Department of Justice should consider as a
model for identifying potential covered
persons?
32. How should the list be published? How
should it be organized? In what format
should the Department of Justice publish it?
33. How would industry monitor this list?
Would it be more costly for industry if the
list were updated continually or only at
certain points in time? If updates were made
on an individual basis or in batches? Please
be specific.
34. How quickly after a covered person is
added to the list (or an existing listing is
modified) could industry take account of the
new information in its compliance programs?
35. Are there specific sources that the
Department of Justice should consult to
identify potential candidates for designation?
If so, which ones?
36. Should the Department of Justice
maintain a public-facing channel for the
public to report potential candidates for
designation? Why or why not? If yes, who
should be permitted to make such reports
and what information should they be
required to provide? Would it be preferable
that the information submitted be protected
from public disclosure?
37. Are there any aspects of processes used
by other Federal agencies for persons to
request or petition for the removal or
modification of a designation or listing that
would be especially useful for this list? If so,
which ones and why?
38. Are there any aspects of the IEEPA
designations appeals processes maintained
by other Federal agencies that are not
necessary for this list? If so, which ones and
why not?
G. Prohibitions
The Order specifically directs the
Attorney General to promulgate
regulations to prohibit or otherwise
restrict United States persons from
engaging in any acquisition, holding,
use, transfer, transportation, or
exportation of, or dealing in, any
property in which a foreign country or
national thereof has any interest
(‘‘transaction’’), where the transaction:
i. Involves bulk U.S. sensitive personal
data or United States Government-related
data, as further defined by regulations issued
by the Attorney General;
ii. Is a member of a class of transactions
that has been determined by the Attorney
General, in regulations issued by the
Attorney General, to pose an unacceptable
risk to the national security of the United
States because the transactions may enable
countries of concern or covered persons to
access bulk U.S. sensitive personal data or
United States Government-related data in a
manner that contributes to the national
emergency described in the Order;
iii. Was initiated, is pending, or will be
completed after the effective date of the
regulations issued by the Attorney General;
iv. Does not qualify for an exemption
provided in, or is not authorized by a license
issued pursuant to, the regulations issued by
the Attorney General; and
v. Is not, as defined in final rules
implementing the Order, ordinarily incident
to and part of the provision of financial
services, including banking, capital markets,
and financial insurance services, or required
for compliance with any Federal statutory or
regulatory requirements, including any
regulations, guidance, or orders
implementing those requirements.
The Order further requires the
Attorney General to promulgate
regulations that identify classes of
transactions that meet the criteria
specified above and are thus prohibited
under the Order. The Order describes
additional activities that are, or may be,
prohibited. In particular, any conspiracy
formed to violate the regulations and
any action that has the purpose of
evading, causes a violation of, or
attempts to violate the Order or any
regulation issued thereunder is
prohibited. In addition, the Order
provides authority to the Attorney
General to prohibit U.S. persons from
‘‘knowingly directing transactions’’ that
would be prohibited transactions
pursuant to the Order if engaged in by
a U.S. person. The Department of Justice
may at a future date provide notices of
proposed rulemaking to add classes of
prohibited transactions.
For this ANPRM, the Department of
Justice is considering the following five
prohibitions for covered data
transactions, which would become
effective only upon the effective date of
a final rule.
First, the program would contain a
general prohibition that is subject to
authorized exemptions. The program
would be technology-agnostic and
neutral as to the path or route that bulk
U.S. sensitive personal data or
government-related data travels:
‘‘Except as otherwise authorized pursuant
to these regulations, no U.S. person, on or
after the effective date, may knowingly
engage in a covered data transaction with a
country of concern or covered person.’’
The Department of Justice currently
intends for the knowingly language in
this and the other prohibitions to apply
to persons who knew or should have
known of the circumstances of the
transaction. In its guidance on what an
individual or entity ‘‘should have
known’’ in such context, the
Department proposes to take into
account the relevant facts and
circumstances, including the relative
sophistication of the individual or entity
at issue, the scale and sensitivity of the
data involved, and the extent to which
the parties to the transaction at issue
appear to have been aware of and sought
to evade the application of these rules.
This is not intended to operate as a
strict-liability standard. The knowingly
language is also not intended to require
U.S. persons, in engaging in vendor
agreements and other classes of data
transactions with foreign persons, to
conduct due diligence on the
employment practices of those foreign
persons to determine whether they
qualify as covered persons. But persons
will be prohibited from evading or
avoiding these prohibitions, including
by knowingly structuring transactions
in a manner that attempts to circumvent
these prohibitions.
With respect to the knowingly
language, the prohibitions would
therefore not apply in scenarios such as
the following:
• Example 37. A U.S. person engages
in a vendor agreement involving bulk
sensitive personal data with a foreign
person who is not a covered person. The
foreign person then employs an
individual who is a covered person and
grants them access to bulk U.S. sensitive
personal data without the U.S. person’s
knowledge or direction. There is no
covered data transaction between the
U.S. person and the covered person, and
there is no indication that the parties
engaged in these transactions with the
purpose of evading the regulations (such
as the U.S. person having knowingly
directed the foreign person’s
employment agreement with the
covered person or the parties knowingly
structuring a prohibited covered data
transaction into these multiple
transactions with the purpose of
evading the prohibition).
• Example 38. A U.S. company sells
DNA testing kits to U.S. consumers and
maintains bulk human genomic data
collected from those consumers. The
U.S. company enters into a contract
with a foreign cloud-computing
company (which is not a covered
person) to store the U.S. company’s
database of human genomic data. The
foreign company hires employees from
other countries, including citizens of
countries of concern who primarily
reside in a country of concern, to
manage databases for its customers,
including the U.S. company’s human
genomic database. There is no
indication of evasion (such as the U.S.
company knowingly directing the
foreign company’s employment
agreements or the U.S. company
knowingly engaging in and structuring
these transactions to evade the
regulations). The cloud-computing
services agreement between the U.S.
company and the foreign company
would not be prohibited or restricted
because that covered data transaction is
between a U.S. person and a foreign
company that does not meet the
definition of a covered person. The
employment agreements between the
foreign company and the covered
persons would not be prohibited or
restricted because those agreements are
between foreign persons.
By contrast, the prohibitions would
apply in scenarios such as the
following:
• Example 39. A U.S. subsidiary of a
company headquartered in a country of
concern collects bulk precise
geolocation data from U.S. persons. The
U.S. subsidiary is a U.S. person, and the
parent company is a covered person.
With the purpose of evading the
regulations, the U.S. subsidiary enters
into a vendor agreement with a foreign
company that is not a covered person,
which the U.S. subsidiary knows (or
should know) is a shell company that
subsequently outsources the vendor
agreement to the U.S. subsidiary’s
parent company.
• Example 40. A U.S. company
collects bulk personal health data from
U.S. persons. With the purpose of
evading the regulations, the U.S.
company enters into a vendor agreement
with a foreign company that is not a
covered person, which the U.S.
company knows (or should know) is a
shell company staffed entirely by
covered persons.
Second, the contemplated program
would include a prohibition specific to
data brokerage to address transactions
involving the onward transfer of bulk
U.S. sensitive personal data or
government-related data to countries of
concern and covered persons. The
Department of Justice is considering the
following prohibition: Except as
otherwise authorized pursuant to these
regulations, no U.S. person, on or after
the effective date, may knowingly
engage in a covered data transaction
involving data brokerage with any
foreign person unless the U.S. person
contractually requires that the foreign
person refrain from engaging in a
subsequent covered data transaction
involving the same data with a country
of concern or covered person.
This narrow circumstance would be
the only instance in which the
contemplated program would regulate
third-country covered data transactions
(i.e., U.S. persons’ covered data
transactions in which a country of
concern or covered person is not a
party). The Department of Justice
currently intends this prohibition to
apply to scenarios such as the following:
• Example 41. A U.S. business
knowingly enters into an agreement to
sell bulk human genomic data to a
European business that is not a covered
person. The U.S. business is required to
include in that agreement a limitation
on the European business’s right to
resell that data to a country of concern
or covered person.
Third, the contemplated program
would include a prohibition to
specifically address the risks posed by
covered data transactions involving
access by countries of concern to U.S.
persons’ bulk human genomic data and
biospecimens from which that data can
be derived—such as covered data
transactions involving laboratories
owned or operated by covered persons.
The Department of Justice is considering
the following prohibition: Except as
otherwise authorized pursuant to these
regulations, no U.S. person, on or after
the effective date, may knowingly
engage in any covered data transaction
with a country of concern or covered
person that provides that country of
concern or covered person with access
to bulk U.S. sensitive personal data that
consists of human genomic data, or to
human biospecimens from which such
data could be derived, on greater than
[the applicable bulk threshold of] U.S.
persons at any point in the preceding
twelve months, whether in a single
covered data transaction or aggregated
across covered data transactions.
Fourth, as in other IEEPA-based
regulations, the Department of Justice is
considering rules that will also prohibit
evasions, causing violations, attempts,
and conspiracies.
Fifth, the Department of Justice is
considering prohibiting U.S. persons
from knowingly directing any covered
data transaction that would be
prohibited (including restricted
transactions that do not comply with the
security requirements) if engaged in by
a U.S. person. For purposes of this
provision, the Department of Justice is
considering defining knowingly to mean
that the U.S. person had actual
knowledge of, or should have known
about, the conduct, circumstance, or
result. And the Department of Justice is
considering defining directing to mean
that a U.S. person has the authority
(individually or as part of a group) to
make decisions on behalf of a foreign
entity, and exercises that authority to
order, decide, or approve a transaction
that would be prohibited under these
regulations if engaged in by a U.S.
person. The program will clarify that
certain conduct that is attenuated from
the risks to U.S. national security
identified in the Order, such as the
financing or underwriting of a covered
data transaction, the processing,
clearing, or sending of payments by a
bank, and legal services, would not be
covered as directing a transaction as
defined by the regulations. This
approach is narrower than the authority
afforded to the Department of Justice
under the Order.
The Department of Justice intends to
use this authority to tailor the
regulations to target the identified
national-security threat by prohibiting
U.S.-person activity such as:
• Example 42. A U.S. person is an
officer, senior manager, or equivalent
senior-level employee at a foreign
company that is not a covered person,
and the foreign company undertakes a
covered data transaction at that U.S.
person’s direction or with that U.S.
person’s approval when the covered
data transaction would be prohibited if
performed by a U.S. person.
• Example 43. Several U.S. persons
launch, own, and operate a foreign
company that is not a covered person,
and that foreign company, under the
U.S. persons’ operation, undertakes
covered data transactions that would be
prohibited if performed by a U.S.
person.
• Example 44. A U.S. person is
employed at a U.S.-headquartered
multinational company that has a
foreign affiliate that is not a covered
person. The U.S. person changes (or
approves changes to) the operating
policies and procedures of the foreign
affiliate with the specific purpose of
allowing the foreign affiliate to
undertake covered data transactions
that would be prohibited if performed
by a U.S. person.
By contrast, the prohibition in the
Order on knowingly directing
transactions would not apply to
scenarios such as the following:
• Example 45. A U.S. bank processes
a payment from a U.S. person to a
covered person, or from a covered
person to a U.S. person, as part of that
U.S. person’s engagement in a
prohibited data transaction. The U.S.
bank’s activity would not be prohibited
(although the U.S. person’s covered data
transaction would be prohibited).
• Example 46. A U.S. financial
institution underwrites a loan or
otherwise provides financing for a
foreign company that is not a covered
person, and the foreign company
undertakes covered data transactions
that would be prohibited if performed
by a U.S. person.
• Example 47. A U.S. person, who is
employed at a foreign company that is
not a covered person, signs paperwork
approving the foreign company’s
procurement of real estate for its
operations. The same foreign company
separately conducts data transactions
that use or are facilitated by operations
at that real-estate location and that
would be prohibited covered data
transactions if performed by a U.S.
person, but the U.S. employee has no
role in approving or directing those
separate data transactions.
• Example 48. A U.S. company owns
or operates a submarine
telecommunications cable with one
landing point in a foreign country that
is not a country of concern and one
landing point in a country of concern.
The U.S. company leases capacity on
the cable to U.S. customers that transmit
bulk sensitive personal data to the
landing point in the country of concern,
including transmissions as part of
prohibited covered data transactions.
The U.S. company’s ownership or
operation of the cable would not be
prohibited (although the U.S. customers’
covered data transactions would be
prohibited).
The ANPRM seeks comment on this
topic, including:
39. How feasible is it to contract with
prospective customers to prevent pass-through sales, re-sale, or onward transfers of
bulk U.S. sensitive personal data or
government-related data to countries of
concern or covered persons? Do technical
means exist to prevent such onward sales or
transfers? If yes, what are such technical
means?
40. What modifications, if any, should be
made to the proposed definitions above to
enhance clarity?
41. What, if any, unintended consequences
could result from the proposed definitions?
42. What, if any, alternate approaches
should the Department of Justice consider to
prevent the conduct in the knowingly-directed example scenarios described above?
H. Exempt Transactions
The Order recognizes that certain
transactions will be exempt from any
final rules. The Department of Justice is
considering mirroring OFAC’s approach
in IEEPA-based sanctions regulations by
explicitly identifying certain classes of
data transactions that are exempt from
the scope of its prohibitions and
restrictions. As explained below, DOJ is
considering exempting from this
program: data transactions involving
certain kinds of data; official business
transactions; financial-services,
payment-processing, and regulatory-compliance-related transactions; intra-entity transactions incident to business
operations; and transactions required or
authorized by Federal law or
international agreements.
Data transactions involving certain
kinds of data. The program would
exempt two classes of data transactions
to the extent that they involve data that
is statutorily exempt from regulation
under IEEPA: personal communications
(any postal, telegraphic, telephonic, or
other personal communication that does
not involve the transfer of anything of
value, as set out under 50 U.S.C.
1702(b)(1)) or information or
informational materials (the importation
from any country, or the exportation to
any country, whether commercial or
otherwise, regardless of format or
medium of transmission, of any
information or informational materials,
as set out under 50 U.S.C. 1702(b)(3))
and as further interpreted and defined
in the contemplated regulations).
Official business. The Order exempts
‘‘transactions for the conduct of the
official business of the United States
Government by employees, grantees, or
contractors thereof, [and] transactions
conducted pursuant to a grant, contract,
or other agreement entered into with the
United States Government.’’ To
implement this provision, the
Department of Justice is considering
exempting data transactions to the
extent that they are for (1) the conduct
of the official business of the United
States Government by its employees,
grantees, or contractors; (2) any
authorized activity of any United States
Government department or agency
(including an activity that is performed
by a Federal depository institution or
credit union supervisory agency in the
capacity of receiver or conservator); or
(3) transactions conducted pursuant to
a grant, contract, or other agreement
entered into with the United States
Government. Most notably, this
exemption would exempt grantees and
contractors of Federal departments and
agencies, including the Department of
Health and Human Services, the
Department of Veterans Affairs, the
National Science Foundation, and the
Department of Defense, so that those
agencies can pursue grant-based and
contract-based conditions to address
risks that countries of concern can
access sensitive personal data in
transactions related to their agencies’
own grants and contracts, as laid out in
section 3(b) of the Order—without
subjecting those grantees and
contractors to dual regulation.
The Department of Justice proposes
that this exemption would apply to, and
thus exempt, scenarios such as the
following:
• Example 49. A U.S. hospital
receives a Federal grant to conduct
research on U.S. persons. As part of that
federally funded human genomic
research, the U.S. hospital contracts
with a foreign laboratory that is a
covered person, hires a researcher that
is a covered person, and gives the
laboratory and researcher access to the
human biospecimens and human
genomic data in bulk. The contract with
the foreign laboratory and the
employment of the researcher would be
prohibited covered data transactions if
they were not part of the federally
funded research.
Financial-services, payment-processing, and regulatory-compliance-related transactions. Section 2(a)(v) of
the Order exempts any transaction that
is, as defined by final rules
implementing the Order, ordinarily
incident to and part of the provision of
financial services, including banking,
capital markets, and financial insurance
services, or required for compliance
with any Federal statutory or regulatory
requirements, including any regulations,
guidance, or orders implementing those
requirements. To further define this
exemption, the Department of Justice is
contemplating exempting data
transactions to the extent that they are
ordinarily incident to and part of the
provision of financial services,
including:
(i) Banking, capital-markets, or financial-insurance services;
(ii) A financial activity authorized by 12
U.S.C. 24 (Seventh) and rules and regulations
thereunder;
(iii) An activity that is ‘‘financial in nature
or incidental to a financial activity’’ or
‘‘complementary to a financial activity,’’ as
set forth in section 4(k) of the Bank Holding
Company Act of 1956 and rules and
regulations thereunder;
(iv) The provision or processing of
payments involving the transfer of personal
financial data or covered personal identifiers
for the purchase and sale of goods and
services (such as the purchase, sale, or
transfer of consumer products and services
through online shopping or e-commerce
marketplaces), other than data transactions
that involve data brokerage; and
(v) Compliance with any Federal laws and
regulations, including the Bank Secrecy Act,
12 U.S.C. 1829b, 1951–1960, 31 U.S.C. 310,
5311–5314, 5316–5336; the Securities Act of
1933, 15 U.S.C. 77a et seq.; the Securities
Exchange Act of 1934, 15 U.S.C. 78a et seq.;
the Investment Company Act of 1940, 15
U.S.C. 80a–1 et seq.; the Investment Advisers
Act of 1940, 15 U.S.C. 80b–1 et seq.; the
International Emergency Economic Powers
Act, 50 U.S.C. 1701 et seq.; the Export
Administration Regulations, 15 CFR part 730,
et seq.; or any notes, guidance, orders,
directives, or additional regulations related
thereto.
The Department of Justice would
consult the Department of the Treasury
and other relevant agencies in
interpreting and applying this
exemption, including through guidance,
advisory opinions, or licensing
decisions.
The Department of Justice currently
intends this exemption to apply to, and
thus exempt, scenarios such as the
following:
• Example 50. A U.S. company
engages in a data transaction to transfer
personal financial data in bulk to a
financial institution that is incorporated
in, located in, or subject to the
jurisdiction or control of a country of
concern to clear and settle electronic
payment transactions between U.S.
individuals and merchants in a country
of concern where both the U.S.
individuals and the merchants use the
U.S. company’s infrastructure, such as
an e-commerce platform. Both the U.S.
company’s transaction transferring bulk
personal financial data and the
payment transactions by U.S.
individuals are exempt.
• Example 51. A U.S. bank or other
financial institution engages in a data
transaction with a covered person that
is ordinarily incident to and part of
ensuring compliance with U.S. laws and
regulations (such as OFAC sanctions
and anti-money laundering programs
required by the Bank Secrecy Act).
• Example 52. As ordinarily incident
to and part of securitizing and selling
asset-backed obligations (such as
mortgage and nonmortgage loans) to a
covered person, a U.S. bank provides
bulk U.S. sensitive personal data to the
covered person.
• Example 53. A U.S. bank or other
financial institution, as ordinarily
incident to and part of facilitating
payments to U.S. persons in a country
of concern, stores and processes the
customers’ bulk financial data using a
data center operated by a third-party
service provider in the country of
concern.
• Example 54. As part of operating an
online marketplace for the purchase and
sale of goods, a U.S. company, as
ordinarily incident to and part of U.S.
consumers’ purchase of goods on that
marketplace, transfers bulk contact
information, payment information (e.g.,
credit-card account number, expiration
date, and security code), and delivery
address to a merchant in a country of
concern.
Intra-entity transactions incident to
business operations. The Department of
Justice is considering exempting data
transactions to the extent that they are
(1) between a U.S. person and its
subsidiary or affiliate located in (or
otherwise subject to the ownership,
direction, jurisdiction, or control of) a
country of concern, and (2) ordinarily
incident to and part of ancillary
business operations (such as the sharing
of employees’ covered personal
identifiers for human-resources
purposes; payroll transactions like the
payment of salaries and pension to
overseas employees or contractors;
paying business taxes or fees;
purchasing business permits or licenses;
sharing data with auditors and law firms
for regulatory compliance; and risk-management purposes).
The Department of Justice currently
intends this exemption to apply to, and
thus exempt, scenarios such as the
following:
• Example 55. A U.S. company has a
foreign subsidiary located in a country
of concern, and the U.S. company’s
U.S.-person contractors perform services
for the foreign subsidiary. As ordinarily
incident to and part of the foreign
subsidiary’s payments to the U.S.-person contractors for those services,
the U.S. company engages in a data
transaction that gives the subsidiary
access to the U.S.-person contractors’
bulk personal financial data and
covered personal identifiers.
By contrast, the Department of Justice
intends this exemption not to apply to
scenarios such as the following:
• Example 56. A U.S. company
aggregates bulk personal financial data.
The U.S. company has a non-wholly
owned subsidiary that is a covered
person because it is headquartered in a
country of concern. The subsidiary is
subject to the country of concern’s
national-security laws requiring it to
cooperate with and assist the country’s
intelligence services. The exemption
would not apply to the U.S. parent’s
grant of a license to the subsidiary to
access the parent’s databases containing
the bulk personal financial data for the
purpose of complying with a request or
order by the country of concern under
those national-security laws to provide
access to that data.
Transactions required or authorized
by Federal law or international
agreements. The Department of Justice
is considering exempting data
transactions to the extent that they are
required or authorized by Federal law or
pursuant to an international agreement
(such as the exchange of passenger-manifest information, INTERPOL
requests, and public-health
surveillance).
The ANPRM seeks comment on this
topic, including:
43. What modifications, if any, should be
made to the proposed definitions above to
enhance clarity?
44. What, if any, unintended consequences
could result from the proposed definitions?
45. Are there other types of data
transactions that should be exempt? Please
explain why.
I. Security Requirements for Restricted Transactions
As described above, the Department
of Justice is considering identifying
three classes of restricted covered data
transactions (vendor agreements,
employment agreements, and
investment agreements) that would be
otherwise prohibited unless they meet
certain conditions (security
requirements) that mitigate the threats
posed by access to the bulk U.S.
sensitive personal data or government-related data by a country of concern or
covered person. While the security
requirements are still under
development and will be available to
the public at a later date, the Department
of Homeland Security, in coordination
with the Department of Justice, has
developed an outline of what the
security requirements might entail, and
that outline is previewed here only as
context for the rest of the contemplated
program and other topics on which
questions are sought in this ANPRM.
The primary goal of the security
requirements is to address national-security and foreign-policy threats that
arise when countries of concern and
covered persons can access bulk U.S.
sensitive personal data or government-related data that may be implicated by
the classes of restricted covered data
transactions. The contemplated security
requirements would be based on, as
applicable and appropriate, existing
performance goals, guidance, practices,
and controls, such as the Cybersecurity
and Infrastructure Security Agency
(CISA) Cybersecurity Performance Goals
(CPG), National Institute of Standards &
Technology (NIST) Cybersecurity
Framework (CSF), NIST Privacy
Framework (PF), and NIST SP 800–171
rev. 3 (‘‘Protecting Controlled
Unclassified Information in Nonfederal
Systems and Organizations’’). The
Department of Justice proposes to
decline to regulate restricted covered
data transactions until the applicable
security requirements are published,
available to the public, and become
effective by incorporation into the final
rule. The Department of Homeland
Security, in coordination with the
Department of Justice, has outlined the
following approach to the security
requirements.
A restricted covered data transaction
would be permissible if the U.S. person:
(1) implements Basic Organizational
Cybersecurity Posture requirements;
(2) conducts the covered data transaction
in compliance with the following four
conditions: (a) data minimization and
masking; (b) use of privacy-preserving
technologies; (c) development of information-technology systems to prevent unauthorized
disclosure; and (d) implementation of logical
and physical access controls; and
(3) satisfies certain compliance-related
conditions, such as retaining an independent
auditor to perform annual testing and
auditing of the requirements in (1) and (2)
above, for so long as the U.S. person relies
on compliance with those conditions to
conduct the restricted covered data
transaction.
Basic Organizational Cybersecurity
Posture requirements applicable to all
restricted covered data transactions
could include practices such as CISA
CPG 1.A, 1.B, 1.E, 1.F, 1.I, 2.P, 2.S, 2.Q,
4.A, and 5.A; NIST PF ID.IM–P1, ID.IM–
P2, ID.BE–P1, and CT.DM–P9; and NIST
CSF PR.AT–4 and PR.AT–5. Required
controls could include NIST SP 800–
171 3.1.1, 3.1.5, 3.3.1, 3.3.2, 3.3.3, 3.9.1,
3.9.2, and 3.14.6.
Data minimization and masking
strategies (e.g., tokenization) could be
used to eliminate bulk U.S. sensitive
personal data or government-related
data from some organizational scope to
which a country of concern or covered
person would have access. Required
practices could include NIST PF
CT.PO–P2, CT.DM–P8, CT.DP–P1, and
CT.DP–P2.
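As an added illustration of the data-minimization and masking condition (this is not code from the ANPRM or from DHS; the field names, detection patterns, key and records are assumptions constructed for the example), the following shows how tokenization keeps covered personal identifiers out of a vendor's scope while the U.S. person retains the mapping needed to reverse the tokens, together with a pre-transfer check for identifiers that leak through free-text fields:

```python
"""Tokenization as a data-minimization control for a restricted vendor transaction.

Added illustration, not text or code from the ANPRM or DHS: identifiers are
replaced with keyed tokens before the dataset enters the vendor's scope, the
token-to-value mapping stays in a vault on the U.S. person's own systems, and a
pre-transfer check looks for identifiers that survived (e.g. in free text).
"""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# Fields treated as covered personal identifiers; an assumption for the example.
IDENTIFIER_FIELDS = ("ssn", "email", "phone")

# Patterns used by the pre-transfer check to spot raw identifiers (assumed formats).
RAW_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),
}


class TokenVault:
    """Keyed, deterministic tokens plus the mapping needed to reverse them.

    The key and the mapping never leave the U.S. person; only tokens go to the
    vendor. HMAC rather than a bare hash means a party holding the tokens cannot
    brute-force low-entropy identifiers such as phone numbers.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def tokenize(self, field: str, value: str) -> str:
        mac = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256)
        token = f"tok_{field}_{mac.hexdigest()[:24]}"
        self._lookup[token] = value  # same input -> same token, so records stay joinable
        return token

    def detokenize(self, token: str) -> str:
        return self._lookup[token]


def minimize_record(record: Dict[str, str], vault: TokenVault,
                    keep_fields: Iterable[str]) -> Dict[str, str]:
    """Tokenize identifier fields, keep only listed non-identifier fields, drop the rest."""
    keep = set(keep_fields)
    out: Dict[str, str] = {}
    for name, value in record.items():
        if name in IDENTIFIER_FIELDS:
            out[name] = vault.tokenize(name, value)
        elif name in keep:
            out[name] = value
    return out


def minimize_dataset(records: List[Dict[str, str]], vault: TokenVault,
                     keep_fields: Iterable[str]) -> List[Dict[str, str]]:
    return [minimize_record(r, vault, keep_fields) for r in records]


def residual_identifiers(records: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Return (record index, field, identifier kind) for every value that still looks raw."""
    hits = []
    for idx, record in enumerate(records):
        for name, value in record.items():
            for kind, pattern in RAW_PATTERNS.items():
                if pattern.search(value):
                    hits.append((idx, name, kind))
    return hits


# Constructed sample records; every value is made up for the example.
SAMPLE_RECORDS = [
    {"ssn": "123-45-6789", "email": "a.person@example.com", "phone": "555-010-0001",
     "visit_year": "2023", "diagnosis_code": "E11.9",
     "notes": "Follow-up requested; contact a.person@example.com"},
    {"ssn": "987-65-4321", "email": "b.person@example.com", "phone": "555-010-0002",
     "visit_year": "2023", "diagnosis_code": "I10", "notes": "none"},
    {"ssn": "123-45-6789", "email": "a.person@example.com", "phone": "555-010-0001",
     "visit_year": "2024", "diagnosis_code": "E11.9", "notes": "none"},
]

# Fixed key so the run is reproducible; a real deployment generates and protects its own.
EXAMPLE_KEY = b"example-only-key-not-for-production"


def prepare_vendor_copy(keep_fields=("visit_year", "diagnosis_code")):
    """Build the vendor-facing dataset and report any identifiers that leaked through."""
    vault = TokenVault(EXAMPLE_KEY)
    vendor_copy = minimize_dataset(SAMPLE_RECORDS, vault, keep_fields)
    return vault, vendor_copy, residual_identifiers(vendor_copy)


if __name__ == "__main__":
    vault, copy, leaks = prepare_vendor_copy()
    print(copy[0], "leaks:", leaks)
    # Keeping the free-text field lets an e-mail address through; the check catches it.
    _, _, leaks = prepare_vendor_copy(keep_fields=("visit_year", "notes"))
    print("leaks when notes are kept:", leaks)
```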
Privacy-preserving technologies (e.g.,
based on homomorphic encryption or
traditional encryption) could be
deployed to enable restricted covered
data transactions to proceed without
exposing the bulk U.S. sensitive
personal data or government-related
data itself to countries of concern and
covered persons. Required practices
could include CISA CPG 2.K and 2.L;
NIST PF CT.DP–P1; and NIST PF/CSF
PR.DS–P1 and PR.DS–P2. Required
controls could include NIST SP 800–
171 3.13.8, 3.13.10, and 3.13.11, and
ones analogous to the controls described
in 15 CFR 734.18(a)(5).
Logical and physical access controls
could include role-based access
management, such as credentialed
access to both data systems and
physical facilities containing bulk U.S.
sensitive personal data or government-related data. Required practices could
include CISA CPG 2.B, 2.D, 2.F, 2.G,
2.H, 2.T, 2.U, and 2.V; and NIST PF/CSF
PR.AC–P1, PR.AC–P2, PR.AC–P3,
PR.AC–P4, PR.AC–P5, PR.AC–P6, and
PR.AC–P7. Required controls could
include NIST SP 800–171 3.1.2, 3.1.3,
3.1.8, 3.1.10, 3.1.11, 3.1.12, 3.5.1, 3.5.3,
3.5.5, 3.5.7, 3.10.1, 3.10.2, and 3.10.7.
Under the contemplated program, a
restricted covered data transaction
would become prohibited if the parties
fail to comply with the security
requirements.
The Department of Homeland
Security will propose and solicit public
comment on the security requirements
through a separate process.
J. Licenses
The Order authorizes the Attorney
General, in concurrence with the
Departments of State, Commerce, and
Homeland Security, and in consultation
with other relevant agencies, to issue
(including to modify or rescind) licenses
authorizing covered data transactions
that would otherwise be prohibited or
restricted. The Department of Justice is
considering a license regime that would
be modeled on the licensing regime
used by OFAC and would incorporate
both general and specific licenses.
These licenses would approve, or
impose conditions on, covered data
transactions that are prohibited or
restricted and would include an
interagency consultation process to
ensure that agencies with relevant
equities and expertise may weigh in.
The Department of Justice is considering
this type of licensing regime because,
among other reasons, it could give
regulated parties the ability to bring
specific concerns to the Department of
Justice and seek appropriate regulatory
relief. Licensing could also provide the
Department of Justice with flexibility to
resolve marginal, unique, or particularly
sensitive cases, either generally or in
individual matters.
General licenses. Under the regime
that the Department of Justice is
considering, the Attorney General could
issue and publish general licenses
authorizing, under appropriate terms
and conditions, certain types of covered
data transactions that are subject to the
requirements contained in the rules.
Persons availing themselves of certain
general licenses may be required to file
reports and statements in accordance
with the instructions specified in those
licenses. Failure to timely file all
required information in such reports or
statements may nullify the authorization
otherwise provided by the general
license and result in violations of the
applicable prohibitions that may be
subject to enforcement action. General
licenses could also be used to ease
industry’s transition once the rules
become effective by potentially, for
example, authorizing orderly wind-down conditions for covered data
transactions that would otherwise be
prohibited by the rules.
Specific licenses. The Department of
Justice is also considering whether, as
part of the rulemaking, to impose
certain requirements that would apply
to all persons who receive specific
licenses. Those requirements could
include, for example: (1) an ongoing
obligation to provide reports regarding
the authorized transactions; or (2) a
requirement that any person receiving a
specific license to transact in bulk U.S.
sensitive personal data or government-related data must, to the extent feasible,
provide assurances that any data
transferred pursuant to such
transactions can be recovered,
irretrievably deleted, or otherwise
rendered non-functional. The
Department of Justice is also
considering requiring applicants for
specific licenses to use forms and
procedures published by the
Department of Justice, and allowing
applicants and any other party in
interest to request reconsideration of the
denial of a license based on new facts
or changed circumstances. The ANPRM
seeks comment on this topic, including:
K. Interpretive Guidance
The Order requires the Attorney General to ‘‘establish, as appropriate, mechanisms to provide additional clarity to persons affected by th[e] order and any regulations implementing th[e] order.’’ 12 The Department of Justice is currently considering creating a program to provide guidance in the form of written advisory opinions, similar to processes used by OFAC and BIS, and by the Department of Justice with respect to the Foreign Corrupt Practices Act (FCPA) and the Foreign Agents Registration Act (FARA). The Department of Justice is considering permitting any U.S. person engaging in covered data transactions regulated by the program to request an interpretation of any part of these regulations from the Attorney General. Examples of such requests could include guidance on (1) whether a particular transaction is a covered data transaction and whether it is prohibited or restricted; (2) whether the Attorney General would be likely to issue a license governing a particular data transaction; and (3) whether a person satisfies the definitions of these regulations (e.g., U.S. person, foreign person, covered person). Consistent with other Federal advisory-opinion programs, the Department of Justice is considering requiring that advisory opinions may only be requested for actual—not hypothetical—data transactions, but need not involve only prospective conduct.
The Department of Justice is considering requiring requests for interpretive guidance to be made using forms and procedures published by the Department of Justice. These rules may include, for example: (1) a requirement that all requests must be made in writing; (2) a requirement that all requests must identify all participants in the data transaction for which the opinion is being sought (i.e., a prohibition on anonymous requests); (3) a requirement that the requesting party cannot use the advisory opinion, or permit it to be used, as evidence that the United States Government determined that the data transactions described in the advisory opinion are compliant with any Federal or State law or regulation other than the rules; and (4) a requirement that advisory opinions may be requested only for actual, not hypothetical, conduct.
The Department of Justice is also considering whether to publish some or all advisory opinions once issued, provided that such publication complies with applicable laws and regulations (e.g., regarding the protection of confidential business information).
Finally, in addition to advisory opinions
12 With respect to the security requirements, the
Secretary of Homeland Security, in coordination
with the Attorney General, shall issue any
interpretive guidance.
46. Would general and specific licenses be
useful to regulated parties? Why or why not?
47. Should any or all specific licenses be
published, provided that such publication
complies with applicable laws and
regulations (e.g., regarding the protection of
confidential business information)? If so,
how should they be published? How could
the publication of specific licenses assist or
harm regulated parties?
48. How should the Department of Justice
assess or evaluate the purported costs of
complying with the conditions of a general
license or a specific license? Are the costs of
reporting on licensed transactions, auditing
them, or ensuring that they can be rendered
non-functional if noncompliant likely to
scale with transaction size? With data
volume? Based on other factors?
49. What, if any, general licenses would be
useful to assist in the industry’s transition
once the rules take effect? Why? Please be
specific.
50. How should the Department of Justice
assess time limitations on general licenses or
specific licenses? For example, how should
the Department of Justice calculate
reasonable wind-down periods?
51. What factors should the Department of
Justice assess when considering whether to
grant or deny a specific license application?
52. Are there classes of data transactions
that may become the subject of specific
license applications that the Department of
Justice should presumptively grant or
presumptively deny? Why?
53. What is the technical feasibility of
recovering, irretrievably deleting, or
otherwise rendering non-functional data
transferred pursuant to a licensed covered
data transaction? What technical measures,
solutions, or controls could be used for this
purpose?
54. What forms or procedures should the
Department of Justice consider when
establishing the requirements for an
application for a specific license?
55. Are there any aspects of the OFAC and
BIS licensing processes that would be
especially useful for this program? If so,
which ones and why?
56. Are there any aspects of the OFAC and
BIS licensing processes that would not be
useful for this program? If so, which ones and
why not?
PO 00000
Frm 00017
Fmt 4702
Sfmt 4702
E:\FR\FM\05MRP1.SGM
05MRP1
Federal Register / Vol. 89, No. 44 / Tuesday, March 5, 2024 / Proposed Rules
addressing specific requests, the
Department of Justice is considering the
publication of more general interpretive
guidance, such as Frequently Asked
Questions.
The ANPRM seeks comment on this
topic, including:
57. Would an advisory opinion process in
general be useful? What effect, if any, should
the issuance of an advisory opinion have for
the party or parties who requested it? For
third parties?
58. Should industry groups or other
associations be permitted to request advisory
opinions or interpretive guidance on behalf
of one or more of their members (noting that
such requests would still need to identify all
relevant participants in a data transaction)?
59. Should some or all advisory opinions
be published? How might the possibility of
publication affect a request (noting that any
publication would comply with applicable
laws regarding confidential business
information and similar topics)?
60. If the Department of Justice decides to
publish some or all advisory opinions, how
should it do so?
61. How should the Department of Justice
address circumstances in which an advisory
opinion no longer applies (e.g., the relevant
country of concern at the time the opinion
was issued no longer meets the requirements
for being a country of concern)?
62. What forms or procedures should the
Department of Justice consider when
establishing the requirements for an
acceptable advisory opinion request?
63. Are there additional models or other
forms of interpretive guidance that the
Department of Justice should consider? For
example, should the Department of Justice be
free to issue guidance even if no party has
inquired about the relevant topic? Should
these other forms of guidance be published?
If so, how?
L. Compliance & Enforcement
The Order delegates to the Attorney
General, in consultation with relevant
agencies, the full extent of the authority
vested in the President by IEEPA, and
expressly states that the rules will
‘‘address the need for, as appropriate,
recordkeeping and reporting of
transactions to inform investigative,
enforcement, and regulatory efforts.’’
The Department of Justice wishes to
achieve widespread compliance, and to
gather the information necessary to
administer and enforce the program,
without unduly burdening U.S. persons
or discouraging data transactions that
the program is not intended to address.
Any enforcement guidance issued by
the Department of Justice regarding the
security requirements will be issued in
coordination with the Department of
Homeland Security.
Accordingly, the Department of
Justice is currently considering creating
and implementing a compliance and
enforcement program modeled on the
Department of the Treasury’s IEEPA-based economic sanctions, which are
administered by OFAC.
Due diligence and recordkeeping.
With respect to due diligence and
recordkeeping, the Department of
Justice is considering a model in which
U.S. persons subject to the
contemplated program employ a risk-based approach to compliance by
developing, implementing, and
routinely updating a compliance
program. The compliance program
suitable for a particular U.S. person
would be based on that U.S. person’s
individualized risk profile and would
vary depending on a variety of factors,
including the U.S. person’s size and
sophistication, products and services,
customers and counterparties, and
geographic locations. The Department of
Justice is not proposing to prescribe
general due-diligence or affirmative
recordkeeping requirements on all U.S.
persons engaged in covered data
transactions with foreign persons. The
Department of Justice is considering
whether a U.S. person’s failure to
develop an adequate due-diligence
program would have consequences if
that U.S. person violates the regulations,
such as treating this failure as an
aggravating factor in any enforcement
action.
The Department of Justice is currently
considering imposing affirmative due-diligence and recordkeeping
requirements only as a condition of
engaging in a restricted covered data
transaction or as a condition of a general
or specific license. This limited set of
affirmative due-diligence and
recordkeeping requirements would
include ‘‘know your vendor’’ and
‘‘know your customer’’ requirements.
Consistent with OFAC’s practice in
IEEPA-based sanctions programs, the
Department of Justice is considering
requiring U.S. persons subject to the
due-diligence requirements to keep
records of their due diligence to assist
in inspections and enforcement.
Reporting. Similarly, the Department
of Justice is considering reporting
requirements modeled on existing
IEEPA-based reporting requirements.
The contemplated program would not
prescribe general reporting requirements
for all U.S. persons engaged in data
transactions with foreign persons (or
even with all covered persons). Rather,
the Department of Justice is considering
requiring reporting only as a condition for certain categories of U.S. persons that are engaging in restricted covered data transactions, as a condition of a general or specific license, or in certain narrow circumstances to identify attempts to engage in prohibited covered
data transactions. DOJ is considering
these reporting requirements to help
DOJ identify covered data transactions
that are the highest priority for ongoing
compliance and enforcement efforts.
The categories of U.S. persons subject to
affirmative reporting requirements
could include:
• A U.S. person that (a) is engaged in
restricted covered data transactions
involving cloud computing services or
licensed covered data transactions
involving data brokerage or cloud-computing services, and (b) has 25
percent or more of its equity interests
owned (directly or indirectly, through
any contract, arrangement,
understanding, relationship, or
otherwise) by a country of concern or
covered person; or
• Any U.S. person that has received
and affirmatively rejected an offer from
another person to engage in a prohibited
covered data transaction involving data
brokerage.
Likewise, the Department of Justice is
considering requiring any person
granted a license under the rules to
provide annual certifications supported
by available documentation that they
have abided by the terms of any license
granted.
Audits. To assist in ensuring
compliance with the security
requirements for restricted covered data
transactions and with licenses issued
pursuant to the rules, the Department of
Justice is considering whether to require
a U.S. person to comply with certain
conditions in conducting a restricted
covered data transaction (whether
conducted pursuant to a license or not)
or a prohibited covered data transaction
pursuant to a license. These conditions
may include (i) appointing an
accredited auditor to annually assess
compliance with and the effectiveness
of the security requirements or
conditions of the license, and (ii)
delivering the results of the audit to the
Department of Justice. The audit will
need to address (i) the nature of the U.S.
person’s covered data transaction and
(ii) whether it is in accordance with
applicable security requirements, the
terms of any license issued by the
Attorney General, or any other aspect of
the regulations.
Investigation and enforcement. To
assist in the investigation of potential
noncompliance with the rules, the
Department of Justice is considering
requiring any U.S. person ‘‘to keep a full
record of, and to furnish under oath, in
the form of reports or otherwise,’’ as
may be required by the Attorney
General, ‘‘complete information relative
to’’ any covered data transaction subject
to a prohibition or restriction. 50 U.S.C.
1702(a)(2). For the avoidance of doubt,
neither the Order nor its implementing
regulations will create any new right of
access by the U.S. Government to U.S.
persons’ sensitive personal data or
government-related data, or give the
U.S. Government a new right to monitor
U.S. persons’ communications.
The Department of Justice is also
considering establishing a process for
imposing civil monetary penalties
similar to the processes followed by
OFAC and CFIUS, with mechanisms for
pre-penalty notice, an opportunity to
respond, and a final decision. Penalties
could be based on noncompliance with
the regulations, making material
misstatements or omissions, making
false certifications or submissions, or
other actions or factors. The Department
of Justice would, consistent with due-process requirements, give companies
the relevant non-classified information
that forms the basis of any enforcement
action and a meaningful opportunity to
respond.
The ANPRM seeks comment on this
topic, including:
64. What additional guidance should the
Department of Justice provide in describing
what constitutes having ‘‘received and
affirmatively rejected’’ a covered data
transaction involving data brokerage for
purposes of the reporting requirements?
65. Would reports about rejected covered
data transactions involving data brokerage
yield information that the Department of
Justice could use to calibrate regulations,
prioritize enforcement, and identify areas for
further guidance in implementing the Order?
66. What new compliance and
recordkeeping controls will U.S. persons
anticipate needing to comply with the
program as described in this ANPRM? To
what extent would existing controls for
compliance with other United States
Government laws and regulations be useful
for compliance with this program? How
could the Department of Justice reduce the
paperwork burden of any new compliance
requirements?
67. What additional information will U.S.
persons need to collect for compliance
purposes as a result of this program?
68. What types of information would be
useful to include in the know-your-customer
and know-your-vendor due diligence
described above? Do customers and vendors
generally have this information readily
available?
69. Is this due diligence already being done
by U.S. persons in connection with
transactions that would be covered data
transactions—e.g., for other regulatory
purposes, prudential purposes, or otherwise?
If so, please explain. What, if any, third-party
services are used to perform due diligence as
it relates to transactions involving the
countries of concern more generally?
70. What are the practicalities of
complying with this obligation? What, if any,
changes to the way that U.S. persons
undertake due diligence would be required
because of this standard? What might be the
cost to U.S. persons of undertaking such due
diligence? Please be specific.
71. For how long should the Department of
Justice consider requiring entities to retain
records that the rules require them to
maintain?
72. Are there additional examples of high-priority data transactions that should be
included in the reporting requirement?
Should any of the examples given above be
excluded?
73. What should the Department of
Justice’s role be in nominating, approving, or
otherwise participating in the selection of an
accredited auditor charged with monitoring
compliance with the security requirements or
a license under the rules? What should the
Department of Justice consider when
reviewing a candidate to be an auditor under
this provision? What types of service
providers currently exist that could play this
role?
74. How, if at all, should penalties and
other enforcement mechanisms be tailored to
the size, type, or sophistication of the U.S.
person or to the nature of the violation?
75. What factors should the Department of
Justice analyze when determining to impose
a civil penalty, as well as the amount?
76. What, if any, additional procedural
steps should the Department of Justice
require as part of its process to impose
penalties?
77. Other than noncompliance with the
regulations, making material misstatements
or omissions, and making false certifications
or submissions, what other types of actions
or factors should the Department of Justice
consider as a predicate for a penalty?
78. What should the Department of Justice
consider when deciding to issue a subpoena
or other investigative demand pursuant to the
rules?
79. Have limitations or complications
arisen regarding the service of IEEPA-based
subpoenas or investigative demands in the
past under programs administered by other
Federal agencies?
80. What transaction sources should the
Department of Justice use to monitor
compliance with this program?
M. Coordination With Other Regulatory
Regimes
The Order requires the Department of
Justice to address, as appropriate,
coordination with other United States
Government entities, such as CFIUS,
OFAC, BIS, and other entities
implementing relevant programs,
including those implementing Executive
Order 13873 of May 15, 2019 (Securing
the Information and Communications
Technology and Services Supply Chain)
and Executive Order 14034 of June 9,
2021 (Protecting Americans’ Sensitive
Data From Foreign Adversaries); and
Executive Order 13913 of April 4, 2020
(Establishing the Committee for the
Assessment of Foreign Participation in
the United States Telecommunications
Services Sector). The Department of
Justice does not currently intend or
anticipate that this program will have
significant overlap with existing
authorities. Existing authorities do not
provide prospective, categorical rules to
address the national-security risks
posed by transactions between U.S.
persons and countries of concern (or
persons subject to their ownership,
control, jurisdiction, or direction) that
pose an unacceptable risk of providing
those countries with access to bulk U.S.
sensitive personal data or government-related data.
With respect to investment
agreements between U.S. persons and
countries of concern (or covered
persons) that are also ‘‘covered
transactions’’ subject to CFIUS review,
see generally 50 U.S.C. 4565, the
Department of Justice is considering an
approach in which this program would
independently regulate, as restricted
covered data transactions, investment
agreements that are also ‘‘covered
transactions’’ subject to review by
CFIUS, unless and until CFIUS enters
into or imposes mitigation measures to
resolve national-security risk arising
from a particular covered transaction (a
‘‘CFIUS Action’’). A CFIUS Action
could take the form of, for example, a
CFIUS interim order, a CFIUS
determination to conclude action with
respect to a covered transaction based
on an order or mitigation agreement of
data-security risks, or CFIUS’s entry into
a mitigation agreement governing the
voluntary abandonment of the covered
transaction. Once such a CFIUS Action
occurs, the program proposed under this
ANPRM would cease to apply to the
particular investment agreement that
constitutes the covered transaction
subject to the CFIUS Action. This
exemption in the regulations would
apply categorically for all covered
transactions that are subject to a CFIUS
Action; the Department of Justice would
not be required to issue a specific
license for each investment agreement
addressed by a CFIUS Action.
This approach would preserve
CFIUS’s authority to develop bespoke
protections to mitigate risks arising from
investment agreements that also qualify
as CFIUS covered transactions—or
recommend the President prohibit such
a covered transaction—where CFIUS
deems such action necessary to address
national security risk arising from the
covered transaction and would ensure
that parties do not have overlapping
obligations under more than one
regulatory regime. To the extent that
CFIUS identifies an unresolved
national-security risk regarding access
to sensitive personal data that arises
from a particular covered transaction,
the program’s security requirements
would set an important baseline for
CFIUS to draw on in mitigating the
unresolved risk, consistent with
CFIUS’s transaction-specific approach.
Under this approach, a CFIUS Action
would not be considered to have
occurred where CFIUS has not reviewed
a particular investment agreement or
action concludes with respect to an
investment agreement without any
mitigation of data-security risks. In
those instances, this program would
continue to independently regulate the
investment agreement as a restricted
covered data transaction. This approach
allows this program to continue to
address risks that may arise outside of
CFIUS’s reach, such as (1) risks
associated with investment agreements
that are not ‘‘covered transactions’’ and
thus outside of CFIUS’s authority (e.g.,
non-controlling investments involving
sensitive personal data below CFIUS’s
one-million-person threshold or data
that is not identifiable); (2) risks
associated with ‘‘covered transactions’’
where the risk does not ‘‘arise[ ] as a
result of the covered transaction,’’ 50
U.S.C. 4565(l)(3)(A)(i); and (3) risks that
may arise in the temporal gap that
occurs after parties enter into an
investment agreement but before the
particular covered transaction is filed
with CFIUS and becomes subject to a
CFIUS Action.
This proposed approach contemplates
that CFIUS would retain its existing
authority to enforce CFIUS Actions, and
DOJ would retain the authority to
enforce violations of obligations under
the program. Since the program would
no longer apply to a particular covered
data transaction once a CFIUS Action
has been taken, CFIUS and the data-security regulations would not create
dual or overlapping obligations:
Violations of the obligations under the
data-security regulations could occur
only before the occurrence of the CFIUS
Action. DOJ would retain authority, at
any time, to enforce any violations of
obligations under the program that were
committed while the program applied to
the covered data transaction, even if the
enforcement action occurs after a CFIUS
Action has occurred. In such instances,
DOJ would coordinate with CFIUS.
Regardless of the manner in which the
regulations address investment
agreements, the program’s other rules
for classes of covered data transactions
would still apply. Even if the program
proposed under this ANPRM ceased to
apply to a particular investment
agreement subject to a CFIUS Action,
U.S. persons would still have to comply
with the program’s rules for covered
data transactions involving data
brokerage, the provision of bulk human
genomic data and human biospecimens,
vendor agreements, employment
agreements, and other investment
agreements not subject to a CFIUS
Action.
The ANPRM seeks comment on this
topic, including:
81. How should the program address
investment agreements that are also ‘‘covered
transactions’’ subject to the jurisdiction of
CFIUS? What are the pros and cons of the
approach under consideration?
82. In terms of compliance, what are the
considerations with the approach described
above where this program would govern
unless or until a CFIUS Action occurs?
83. What other potential overlaps or gaps,
if any, may exist between the program
contemplated here and existing authorities?
How should this program address them? In
particular, should the Department of Justice
consider any adjustments to the program
contemplated here in light of the consumer-reporting rulemaking under the Fair Credit
Reporting Act that the Consumer Financial
Protection Bureau is considering? See Final
Report of the Small Business Review Panel
on the CFPB’s Proposals and Alternatives
Under Consideration for the Consumer
Reporting Rulemaking (Dec. 15, 2023),
https://files.consumerfinance.gov/f/
documents/cfpb_sbrefa-final-report_
consumer-reporting-rulemaking_2024-01.pdf
[https://perma.cc/K75B-MKR3].
N. Economic Impact
The Department of Justice is
committed to ensuring that the
contemplated program is carefully
scoped to the kinds of data transactions
that present unacceptable national-security risks and minimizes
unintended economic impacts. The
Department of Justice currently
anticipates that this program would
have the following economic impacts.
For each of the two classes of
prohibited covered data transactions
(those involving data brokerage and
those involving the provision of human
genomic data or human biospecimens
from which that data can be derived),
the Department of Justice anticipates
that the primary economic impacts will
fall into two categories: (1) direct costs
in the form of the lost economic value
of the covered data transactions that are
prohibited or forgone, and (2) indirect
costs, such as the compliance costs to
perform due diligence to ensure that
transactions with foreign persons
comply with the prohibitions. For each
of the three classes of restricted covered
data transactions (vendor agreements,
employment agreements, and
investment agreements), the Department
of Justice anticipates that the primary
economic impacts will fall into two
categories: (1) direct costs in the form of
the lost economic value of covered data
transactions that are prohibited or
forgone, and (2) indirect costs, such as
the costs of complying with the security
requirements to conduct restricted
covered data transactions and with the
reporting requirements.
Direct costs. As a preliminary matter,
there does not appear to be a complete
or reliable estimate of the markets for,
or economic value of, each of these
classes of covered data transactions—
especially at the level of granularity
required to accurately account for the
details of the contemplated program,
such as the specific classes of prohibited
and restricted covered data
transactions, the countries of concern,
the kinds of sensitive personal data, the
classes of exempt transactions (such as
financial-services transactions), and
other carve-outs and definitions being
considered for this program.
For example, with respect to data
brokerage, estimates for the total global
data broker market vary widely from
around $50 billion to over $300 billion
and do not appear to have clear or
reliable methodologies whose validity
can be easily assessed.13 The United
States is widely perceived as the largest
market for data brokerage; for instance,
major U.S. data brokerage firms report
that a majority of their global revenues
come from the domestic market and that
Asia-Pacific revenues (which are not
broken down further for markets for
specific countries) account for
approximately one to six percent of
their global markets.14 Likewise, although trade in services data from the U.S. Bureau of Economic Analysis (BEA) provides an alternative potential approach for identifying cross-border transactions in sensitive personal data, the BEA data is not measured in a way that allows any direct comparison to the program contemplated here. The BEA categories of ‘‘Database and Other Information Services’’ and ‘‘Telecommunications, Computer, and Other Information Services’’ appear to be the two closest. But those BEA categories are over-inclusive and under-inclusive relative to the categories of covered data transactions that would be prohibited or restricted under the contemplated program: These two BEA categories, for instance, include trade that would be outside the scope of the contemplated program, such as kinds of data (e.g., web-browser history) and activities (e.g., computer hardware, dissemination of data and databases like directories, mailing lists, and web-search portals, newspaper and periodical subscriptions, and library/archive services). Similarly, for instance, these two BEA categories exclude transactions that would be within the scope of the contemplated program, such as activity from advertising, trade in human genomic data, and exports by credit bureaus (which report their data exports separately under the broader heading of ‘‘Financial Services’’). Nevertheless, as a point of comparison, the BEA data suggests that, in 2022, the United States exported $317 million in ‘‘Database and Other Information Services’’ to China and a combined $3.4 billion in ‘‘Telecommunications, Computer, and Other Information Services’’ to China and Hong Kong.
13 See, e.g., Catherine Tucker & Nico Neumann, Buying Consumer Data? Tread Carefully, Harvard Business Review (May 1, 2020), https://hbr.org/2020/05/buying-consumer-data-tread-carefully [https://perma.cc/GDY3-AWKQ]; OnAudience, Global Data Market Size: 2017–2021 at 4, 8 (Nov. 2020), https://pressmania.pl/wp-content/uploads/2020/12/Global-Data-Market-Size-2017-2021-OnAudience-Report.pdf [https://perma.cc/7NQS-3TXK]; Knowledge Sourcing Intelligence, Global Data Broker Market Size, Share, Opportunities, COVID–19 Impact, And Trends By Data Type (Consumer Data, Business Data), By End-User (BFSI, Retail, Automotive, Construction, Others), And By Geography—Forecasts from 2023 to 2028 (June 2023), https://www.knowledge-sourcing.com/report/global-data-broker-market [https://perma.cc/2ED8-WU9K]; Transparency Market Research, Data Brokers Market (July 2022), https://www.transparencymarketresearch.com/data-brokers-market.html [https://perma.cc/GL3M-MQMR]; Maximize Market Research, Data Broker Market: Global Industry Analysis and Forecast (2024–2030) (Jan. 2024), https://www.maximizemarketresearch.com/market-report/global-data-broker-market/55670/ [https://perma.cc/V2VJ-VX9A].
14 See, e.g., TransUnion, TransUnion Announces Fourth Quarter 2022 Results (Feb. 14, 2023), https://newsroom.transunion.com/transunion-announces-fourth-quarter-2022-results/ [https://perma.cc/S8QW-D8RS]; Experian, Trading update, first quarter (July 13, 2023), https://www.experianplc.com/content/dam/marketing/global/plc/en/assets/documents/results-and-presentations/2023/experian-q1-fy24-trading-update.pdf [https://perma.cc/3FCZ-U4CY].
For restricted covered data transactions, the net direct lost economic value will also depend on the extent to which U.S. persons continue to pursue otherwise-prohibited vendor agreements, employment agreements, and investment agreements in compliance with the security requirements. Where U.S. persons determine not to pursue vendor, employment, or investment agreements with covered persons, the net cost will depend on the extent to which such agreements can be easily replaced with vendors, employers, and investors that will not be subject to such restrictions. It is plausible, for example, that—faced with higher costs associated with executing a vendor agreement with a vendor based in a country of concern—a U.S. company will opt to drop its data-processing contract with that vendor
and instead rely on a vendor based
outside of a country of concern. Relative
to the current status quo, this switch
could represent a financial loss to the
original U.S. company (which could
now face a higher cost for data
processing) while providing a net gain
to the alternative data processing
vendor. The opposite could also be true:
that the relevant costs associated with
complying with this program would not
justify a U.S. business switching from a
vendor based in a country of concern
but instead would justify continuing
with that vendor by implementing the
security requirements.
We request economic data to further
evaluate these direct costs.
Indirect costs. In addition to the direct
costs of prohibited and restricted
covered data transactions, U.S.
companies that handle and transfer bulk
U.S. sensitive personal data or
government-related data may also incur
costs to ensure that they are complying
with the contemplated program. The
universe of firms that transact in bulk
U.S. sensitive personal data is larger
than the subset of such firms that
knowingly transfer such data to
countries of concern or covered persons;
this larger universe of firms will need to
undertake some due-diligence measures
to ensure their typical data transfers are
not in fact going to countries of concern
or covered persons (for prohibited
covered data transactions) and to
comply with the security requirements
(for restricted covered data
transactions). Such compliance costs
will vary by sector and size of firm.
For prohibited covered data
transactions, the costs of due diligence
would likely vary significantly across
companies, as with the costs of
compliance for economic sanctions,
export controls, and other national-security and law-enforcement
regulations. As explained above, the
contemplated program would employ a
risk-based approach, like sanctions and
export controls, in which regulated U.S.
persons implement compliance
programs based on their individualized
risk profiles. For example, in addition to
complying with other aspects of the
contemplated program, the upfront due-diligence compliance costs for
companies with robust existing
compliance programs (such as sanctions
and export controls) may be lower,
whereas other companies with less
robust compliance programs or no
existing compliance programs may
incur greater costs. Any estimate of due-diligence compliance costs would
benefit greatly from more robust
information on the size of the industries
for each of the classes of prohibited
covered data transactions, per-company
costs, and per-transaction costs.
Similarly, for restricted covered data
transactions, the costs of complying
with the security requirements will vary
across U.S. companies depending on the
level of cybersecurity maturity. At one
end of the spectrum, many U.S.
companies already have foundational
baseline cybersecurity protocols and
technology in place, and may face only
the marginal cost of tailoring or redeploying those existing protocols and
technology against the particular
security requirements contemplated
here. At the other end of the spectrum,
other U.S. companies with less mature
cybersecurity programs may face greater
costs to acquire and implement baseline
cybersecurity protocols and technology.
The overall costs to comply with the
security requirements will depend on
the number and distribution of U.S.
companies within the markets for the
classes of restricted covered data
transactions with countries of concern.
Economic reasoning suggests, however,
that companies that choose to deploy
security measures to conduct restricted
covered data transactions would not
incur compliance costs that are greater
than the revenue they could realize by
implementing these measures.
For U.S. persons that do find they
need to invest in additional due-diligence programs to ensure
compliance with the security
requirements, such spending may also
create offsetting benefits in the form of
lower risks of data breaches and cyber
attacks. For example, a July 2023 study
noted that the global average cost of a
data breach was $4.45 million the
previous year and a 15% increase over
the previous three years.15
15 Industrial Cyber, Data breach costs for critical infrastructure sector exceed $5 million, as time ‘new currency’ in cybersecurity (July 25, 2023), https://industrialcyber.co/reports/data-breach-costs-for-critical-infrastructure-sector-exceed-5-million-as-time-new-currency-in-cybersecuritydata-breach-costs-for-critical-infrastructure-sector-exceed-5-million-as-time-new/ [https://perma.cc/9QDT-37CN].
U.S. persons subject to the reporting
requirements may also incur costs to
comply with the reporting
requirements—costs that may also vary
by company depending on their
individualized risk profile.
The net impact of these indirect costs
appears difficult to measure accurately
with available data. We request
economic data to support measurement
of these indirect costs.
The ANPRM seeks comment on this
topic, including:
84. To what extent do the current markets
for the classes of covered data transactions
involve the categories of sensitive personal
data contemplated here? What is the average
estimated commercial value of these covered
data transactions? What are reliable sources
of information on the size, extent, and growth
of the markets for each of the classes of
prohibited and restricted covered data
transactions?
85. What is the value of covered data
transactions with countries of concern that
would be impacted by this regulation?
86. How many covered data transactions
with countries of concern or covered persons
that meet the bulk threshold requirements are
typically conducted each year?
87. What are the economic sectors that will
be expected to be impacted by the regulation?
What is the average size, in both revenue and
number of employees, of the firms impacted
by the regulation? What is the expected
impact per firm, as a percentage of overall
revenue? What are the program’s likely
effects on existing jobs and new employment
opportunities for affected firms and sectors?
88. What specific types of data are
involved in covered data transactions that
involve data brokerage? What is the general
purpose of these transactions? How is this
data stored? Is U.S. persons’ data that is sold
to customers in countries of concern stored
on or retrieved from the same systems used
to store or retrieve U.S. persons’ data sold to
customers outside the countries of concern?
If not, what segmentation exists?
89. What kinds of best practices do U.S.
persons engaged in data brokerage
implement to screen potential customers in
the countries of concern (or markets that
present similar risk profiles)? How widely
implemented are these best practices in the
industry?
90. What is the estimated economic size of
the data brokerage market? What are the best,
most reliable sources of data for the size,
extent, and growth rate of this market? What
is the average value of a covered data
transaction involving data brokerage?
91. How can service providers be grouped
in the third-party data brokerage market?
What is the difference between a large,
medium, and small broker? How
consolidated is the market? What are key
factors, business features or other models that
providers use to differentiate themselves? To
what degree are providers differentiated by
features other than the size and scope of
individual data sets?
92. What are the estimated sizes of the
global data brokerage market for each of the
six types of data identified in this
contemplated regulation (i.e., covered
personal identifiers, personal financial data,
precise geolocation data, personal health
data, biometric identifiers, human genomic
data)? What is the estimated size of each of
these markets in the United States and each
of the identified countries of concern?
93. What is the estimated transaction
volume for the data brokerage market (both
first-party and third-party brokerage)? What
percentage of these transactions involve one
or more of the six categories of regulated
sensitive personal data? What percentage of
these transactions involves a country of
concern?
94. How are transactions conducted in the
data brokerage market? What percentage of
the economic value of this market involves
transfer of data? What percentage involves
subscription access to centrally managed
databases? What percentage involves
analyzed or processed data? What percentage
involves access to raw, unprocessed data?
95. To what extent do U.S. persons
engaged in data brokerage use any service
providers in countries of concern connected
to their brokerage activities—such as hiring
outsourcing companies for cleaning and
labeling datasets or signing agreements with
cloud service providers to store datasets?
What is the estimated economic value of
these services?
96. How many firms will be impacted by
the prohibition on the use of vendors from
countries of concern? What will be the
average cost per firm of switching from
vendors subject to restrictions to vendors not
subject to restrictions? Which sectors will
they be in? What will be the average size of
such a firm?
97. Are there any sectors, markets, or
product or service categories where, after
excluding restricted vendors, there is
unlikely to be a sufficient number of firms
available to supply the overall level of
service required by the market?
98. What proportion and segments of the
cloud-computing services market will be
impacted by this regulation? What will be the
specific impacts on the cloud infrastructure,
platform, and services markets? What will be
the impact on U.S. cloud computing
companies seeking to do business in
countries of concern?
99. What will be the impact on cloud-computing service companies based in
countries of concern? Are there
circumstances under which U.S. companies
may still wish or be required to do business
with cloud-computing service companies
based in countries of concern after the
implementation of this regulation? In these
circumstances, will U.S. companies still be
able to conduct necessary business after the
implementation of this regulation?
100. What will be the economic impact of
prohibiting any covered data transaction that
provides a country of concern or covered
person with access to bulk U.S. human
genomic data and human biospecimens from
which that sensitive personal data can be
derived, taking into account the proposed
exemptions?
101. What sectors are involved in access to
bulk U.S. human genomic data and human
biospecimens? Are there any sectors that
involve access to one, but not both, of these
categories? What is the estimated size of
these markets, as well as the overall volume
and value of the covered data transactions
involving this type of data?
102. What types of commercial
transactions involve human genomic data
and human biospecimens? Do any of these
transactions involve exchange of the data? Do
any of these transactions involve access to—
but not exchange of—this sensitive personal
data?
103. Is there sufficient commercial demand
available outside countries of concern to
replace demand lost as a result of the
prohibition, and if so, where is such demand
located? What is the timeline for pivoting to
meet new demand?
104. What percentage of the U.S. workforce
would be affected by the restrictions on
employment agreements? How many firms
will be impacted by this prohibition? Which
sectors will they be in? What will be the
average size of such a firm?
105. What will be the major cost
components of a regulatory compliance
program? What will be the average cost of
each of these components per firm? Which of
these components will be flat cost, regardless
of the size of firm? Which will have a
variable, per-employee cost?
106. What is the estimated cost of
implementing the security requirements
contemplated in the regulation on a per-firm
basis? What are the basic components of
these costs? Which of these components are
fixed, one-time costs? Which will be ongoing,
recurring costs?
107. How could the Department of Justice
mitigate the costs of compliance, particularly
for small- and medium-sized enterprises? Are
there measures that could be taken to reduce
the economic impact of the regulatory regime
without altering the fundamental scope or
thresholds associated with the regulation?
108. Are there legitimate commercial
reasons for a covered person to access data
or information covered as part of the classes
of restricted covered data transactions? To
what degree will an inability to access this
data affect that company’s ability to provide
goods or services to U.S. companies and
individuals?
109. What would be the commercial
impact on U.S. persons if countries of
concern must conduct business in the United
States without access to data covered by
restricted covered data transactions? Are
there other economic arrangements by which
a company could obtain the benefits of the
data without directly accessing the data
itself?
110. What additional costs and benefits
should the Department of Justice consider,
and how should they be estimated? Is there
additional data on the economic costs and
benefits that the Department of Justice should
examine?
O. Overarching and Additional Inquiries
111. What additional example scenarios
should the Department of Justice consider,
evaluate, and address in a proposed
rulemaking to provide clarity?
112. What time, if any, will U.S. persons
that are currently engaged in the prohibited
covered data transactions contemplated here
need to wind-down those transactions? What
time, if any, will U.S. persons that are
currently engaged in the restricted covered
data transactions contemplated here need to
comply with the security requirements or
else wind-down those transactions?
113. What costs would be incurred by
maintaining the status quo (i.e., forgoing the
contemplated regulations) with respect to
any of the classes of prohibited and restricted
covered data transactions under
consideration?
114. Are there additional topics on which
the Department of Justice should be seeking
comment? If so, what are they and what is
their relevance?
IV. Regulatory Certifications
This ANPRM has been drafted and
reviewed in accordance with the
Principles of Regulation in section 1(b)
of Executive Order 12866 of September
30, 1993 (Regulatory Planning and
Review), as amended by Executive
Order 14094 of April 6, 2023
(Modernizing Regulatory Review), and
in accordance with the General
Principles of Regulation in section 1(b)
of Executive Order 13563 of January 18,
2011 (Improving Regulation and
Regulatory Review). This ANPRM is a
‘‘significant’’ regulatory action pursuant
to Executive Order 12866, as amended
by Executive Order 14094 and,
accordingly, has been reviewed by the
Office of Information and Regulatory
Affairs (OIRA) at the Office of
Management and Budget (OMB). This
action does not propose or impose any
requirements; rather, this ANPRM is
being published to seek information and
comments from the public to inform the
notice of proposed rulemaking required
to implement the Order.
The requirements of the Regulatory
Flexibility Act do not apply to this
action because, at this stage, it is an
ANPRM and not a ‘‘rule’’ as defined in
5 U.S.C. 601.
Following review of the comments
received in response to this ANPRM, the
Department of Justice will conduct all
relevant analyses as required by statute
or Executive order for the notice of
proposed rulemaking required to
implement the Order.
Dated: February 28, 2024.
Matthew G. Olsen,
Assistant Attorney General for National
Security.
[FR Doc. 2024–04594 Filed 3–4–24; 8:45 am]
BILLING CODE 4410–PF–P
FEDERAL COMMUNICATIONS
COMMISSION
47 CFR Part 64
[CG Docket No. 02–278; FCC 24–24; FR ID
205124]
Strengthening the Ability of
Consumers To Stop Robocalls
AGENCY: Federal Communications
Commission.
ACTION: Proposed rule.
SUMMARY: In this document, the Federal
Communications Commission
(Commission) seeks comment on
whether the Telephone Consumer
Protection Act (TCPA) applies to robocalls
and robotexts from wireless providers to
their own subscribers and therefore
whether such providers must have
consent to make robocalls and send
robotexts to their own subscribers. To
the extent that wireless providers have
consent to robocall or robotext their
own subscribers, the Commission seeks
comment on whether wireless
subscribers can exercise their right to
revoke such consent by communicating
a revocation of consent request to their
wireless provider and that such requests
must be honored. In addition, the
Commission seeks comment on a
request to require automated opt-out
mechanisms on every call that uses an
artificial or prerecorded voice.
DATES: Comments are due on or before
April 4, 2024, and reply comments are
due on or before April 19, 2024. Written
comments on the Paperwork Reduction
Act (PRA) proposed information
collection requirements must be
submitted by the public, Office of
Management and Budget (OMB), and
other interested parties on or before May
6, 2024.
ADDRESSES: Pursuant to §§ 1.415 and
1.419 of the Commission’s rules, 47 CFR
1.415, 1.419, interested parties may file
comments and reply comments on or
before the dates indicated in this
document. Comments and reply
comments may be filed using the
Commission’s Electronic Comment
Filing System (ECFS). See Electronic
Filing of Documents in Rulemaking
Proceedings, 63 FR 24121 (1998).
Interested parties may file comments or
reply comments, identified by CG
Docket No. 02–278 by any of the
following methods:
• Electronic Filers: Comments may be
filed electronically using the internet by
accessing ECFS: https://www.fcc.gov/
ecfs/.
• Paper Filers: Parties who choose to
file by paper must file an original and
one copy of each filing.
• Filings can be sent by commercial
overnight courier, or by first-class or
overnight U.S. Postal Service mail. All
filings must be addressed to the
Commission’s Secretary, Office of the
Secretary, Federal Communications
Commission.
• Commercial overnight mail (other
than U.S. Postal Service Express Mail
and Priority Mail) must be sent to 9050
Junction Drive, Annapolis Junction, MD
20701.
• U.S. Postal Service first-class,
Express, and Priority mail must be
addressed to 45 L Street NE,
Washington, DC 20554.
• Effective March 19, 2020, and until
further notice, the Commission no
longer accepts any hand or messenger
delivered filings. This is a temporary
measure taken to help protect the health
and safety of individuals, and to
mitigate the transmission of COVID–19.
See FCC Announces Closure of FCC
Headquarters Open Window and
Change in Hand-Delivery Policy, Public
Notice, 35 FCC Rcd 2788 (March 19,
2020), https://www.fcc.gov/document/
fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.
People with Disabilities: Contact the
FCC to request reasonable
accommodations (accessible format
documents, sign language interpreters,
CART, etc.) by email: FCC504@fcc.gov
or phone: 202–418–0530.
FOR FURTHER INFORMATION CONTACT: For
further information, please contact
Richard D. Smith, Competition Policy
Division, Consumer and Governmental
Affairs Bureau, at Richard.Smith@
fcc.gov or at (717) 338–2797. For
additional information concerning the
Paperwork Reduction Act proposed
information collection requirements
contained in this document, send an
email to PRA@fcc.gov or contact Cathy
Williams at (202) 418–2918.
SUPPLEMENTARY INFORMATION: This is a
summary of the Commission’s Further
Notice of Proposed Rulemaking
(FNPRM) in CG Docket No. 02–278,
adopted on February 15, 2024, and
released on February 16, 2024. The full
text of this document is available for
public inspection at the following
internet address: https://docs.fcc.gov/
public/attachments/FCC-24-24A1.pdf.
To request materials in accessible
formats for people with disabilities (e.g.,
braille, large print, electronic files,
audio format, etc.), send an email to
fcc504@fcc.gov or call the Consumer &
Governmental Affairs Bureau at (202)
418–0530 (voice).
In addition to filing comments with
the Secretary, a copy of any comments
on the Paperwork Reduction Act
proposed information collection
requirements contained herein should
be submitted to the Federal
Communications Commission email to
PRA@fcc.gov and to Cathy Williams,
FCC, via email to Cathy.Williams@
fcc.gov.
Paperwork Reduction Act
This document may contain proposed
new or modified information collection
requirements. The Commission, as part
of its continuing effort to reduce
paperwork burdens, invites the general
public and OMB to comment on the
information collection requirements
contained in this document, as required
by the Paperwork Reduction Act of
Agencies
[Federal Register Volume 89, Number 44 (Tuesday, March 5, 2024)]
[Proposed Rules]
[Pages 15780-15802]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-04594]
========================================================================
Proposed Rules
Federal Register
________________________________________________________________________
This section of the FEDERAL REGISTER contains notices to the public of
the proposed issuance of rules and regulations. The purpose of these
notices is to give interested persons an opportunity to participate in
the rule making prior to the adoption of the final rules.
========================================================================
Federal Register / Vol. 89, No. 44 / Tuesday, March 5, 2024 /
Proposed Rules
[[Page 15780]]
DEPARTMENT OF JUSTICE
28 CFR Part 202
[Docket No. NSD 104]
RIN 1105-AB72
National Security Division; Provisions Regarding Access to
Americans' Bulk Sensitive Personal Data and Government-Related Data by
Countries of Concern
AGENCY: National Security Division, Department of Justice.
ACTION: Advance notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The Executive order of February 28, 2024, ``Preventing Access
to Americans' Bulk Sensitive Personal Data and United States
Government-Related Data by Countries of Concern'' (the Order), directs
the Attorney General to issue regulations that prohibit or otherwise
restrict United States persons from engaging in any acquisition,
holding, use, transfer, transportation, or exportation of, or dealing
in, any property in which a foreign country or national thereof has any
interest (``transaction''), where the transaction: involves U.S.
Government-related data or bulk U.S. sensitive personal data, as
defined by final rules implementing the Order; falls within a class of
transactions that has been determined by the Attorney General to pose
an unacceptable risk to the national security of the United States
because it may enable access by countries of concern or covered persons
to Americans' bulk sensitive personal data or U.S. government-related
data; and meets other criteria specified by the Order. This advance
notice of proposed rulemaking (ANPRM) seeks public comment on various
topics related to the implementation of the Order.
DATES: Written comments on this ANPRM must be received by April 19,
2024.
ADDRESSES: You may send comments, identified by Docket No. NSD 104, by
either of the following methods:
Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for sending comments.
Mail: U.S. Department of Justice, National Security
Division, Foreign Investment Review Section, 175 N Street NE, 12th
Floor, Washington, DC 20002.
Instructions: We encourage comments to be submitted via https://www.regulations.gov. Please submit comments only and include your name
and company name (if any) and cite ``Provisions Pertaining to
Preventing Access to Americans' Bulk Sensitive Personal Data and U.S.
Government-Related Data by Countries of Concern'' in all
correspondence. Anyone submitting business confidential information
should clearly identify the business confidential portion at the time
of submission, file a statement justifying nondisclosure and referring
to the specific legal authority claimed, and provide a non-confidential
version of the submission. For comments submitted electronically
containing business confidential information, the file name of the
business confidential version should begin with the characters ``BC.''
Any page containing business confidential information must be clearly
marked ``BUSINESS CONFIDENTIAL'' at the top of that page. The
corresponding non-confidential version of those comments must be
clearly marked ``PUBLIC.'' The file name of the nonconfidential version
should begin with the character ``P.'' Any submissions with file names
that do not begin with either a ``BC'' or a ``P'' will be assumed to be
public and will be posted without change, including any business or
personal information provided, such as names, addresses, email
addresses, or telephone numbers.
To facilitate an efficient review of submissions, the Department of
Justice encourages but does not require commenters to: (1) submit a
short executive summary at the beginning of all comments; (2) provide
supporting material, including empirical data, findings, and analysis
in reports or studies by established organizations or research
institutions; (3) consistent with the questions below, describe the
relative benefits and costs of the approach contemplated in this ANPRM
and any alternative approaches; and (4) refer to the numbered
question(s) herein to which each comment is addressed. The Department
of Justice welcomes interested parties' submissions of written comments
discussing relevant experiences, information, and views. Parties
wishing to supplement their written comments in a meeting may request
to do so, and the Department of Justice may accommodate such requests
as resources permit. Additionally, in consultation with other United
States Government agencies, the Department of Justice expects to seek
additional opportunities to engage in discussions with certain
stakeholders, including foreign partners and allies.
FOR FURTHER INFORMATION CONTACT: Email (preferred):
[email protected]. Otherwise, please contact: Lee Licata,
Deputy Chief for National Security Data Risks, Foreign Investment
Review Section, National Security Division, U.S. Department of Justice,
175 N Street NE, Washington, DC 20002; telephone: 202-514-8648.
SUPPLEMENTARY INFORMATION:
I. Background
On February 28, 2024, the President issued the Order pursuant to
his authority under the Constitution and laws of the United States,
including the International Emergency Economic Powers Act (50 U.S.C.
1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et
seq.) (NEA), and section 301 of title 3, United States Code. In the
Order, the President expanded the scope of the national emergency
declared in Executive Order 13873 of May 15, 2019 (Securing the
Information and Communications Technology and Services Supply Chain),
and further addressed with additional measures in Executive Order 14034
of June 9, 2021 (Protecting Americans' Sensitive Data from Foreign
Adversaries). The President determined that additional measures are
necessary to counter the unusual and extraordinary threat to U.S.
national security posed by the continuing efforts of certain countries
of concern to access and exploit Americans' bulk sensitive personal
data and U.S. Government-related data (``government-related data'').
Unrestricted transfers of bulk sensitive personal data and
government-related data to countries of concern, through commercial
transactions or otherwise, present a range of threats to
[[Page 15781]]
U.S. national security and foreign policy. Countries of concern can use
their access to Americans' bulk sensitive personal data to engage in
malicious cyber-enabled activities and malign foreign influence, and to
track and build profiles on U.S. individuals, including members of the
military and Federal employees and contractors, for illicit purposes
such as blackmail and espionage. Countries of concern can also use
access to U.S. persons' bulk sensitive personal data to collect
information on activists, academics, journalists, dissidents, political
figures, or members of non-governmental organizations or marginalized
communities in order to intimidate such persons; curb political
opposition; limit freedoms of expression, peaceful assembly, or
association; or enable other forms of suppression of civil liberties.
The Office of the Director of National Intelligence (ODNI) has made
clear that ``[o]ur adversaries increasingly view data as a strategic
resource. They are focused on acquiring and analyzing data--from
personally identifiable information on U.S. citizens to commercial and
government data--that can make their espionage, influence, kinetic and
cyber-attack operations more effective; advance their exploitation of
the U.S. economy; and give them strategic advantage over the United
States.'' \1\ Advanced technologies--including big-data analytics,
artificial intelligence (``AI''), high-performance computing, and other
capabilities--increasingly enable countries of concern to exploit bulk
amounts of Americans' sensitive personal data and government-related
data to achieve these goals.
---------------------------------------------------------------------------
\1\ Office of the Director of National Intelligence, Annual
Threat Assessment of the U.S. Intelligence Community at 26 (Feb. 6,
2023), https://www.odni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf [https://perma.cc/4B2Y-7NVD].
---------------------------------------------------------------------------
As ODNI has assessed, countries of concern are ``increasing their
ability to analyze and manipulate large quantities of personal
information in ways that will allow them to more effectively target and
influence, or coerce, individuals and groups in the United States and
allied countries.'' \2\ Countries of concern ``almost certainly are
already applying data-analysis techniques to hone their efforts against
U.S. targets.'' \3\ For example, AI is making it easier to extract, re-
identify, link, infer, and act on sensitive information about people's
identities, locations, habits, and desires, as outlined in Executive
Order 14110 of October 30, 2023 (Safe, Secure, and Trustworthy
Development and Use of Artificial Intelligence).\4\ Likewise, as the
National Counterintelligence and Security Center has explained, ``[t]he
combination of stolen [personally identifiable information], personal
health information, and large [human] genomic data sets collected from
abroad'' gives countries of concern ``vast opportunities to precisely
target individuals in foreign governments, private industries, or other
sectors for potential surveillance, manipulation, or extortion.'' \5\
Moreover, access to bulk sensitive personal data can fuel the creation
and refinement of AI, big-data, and other analytical capabilities, the
development of which requires large amounts of human data--ultimately
compounding the risks.
---------------------------------------------------------------------------
\2\ National Intelligence Council, Assessment: Cyber Operations
Enabling Expansive Digital Authoritarianism at 3 (Apr. 7, 2020)
(declassified Oct. 5, 2022), https://www.dni.gov/files/ODNI/
documents/assessments/NICM-Declassified-Cyber-Operations-Enabling-
Expansive-Digital-Authoritarianism-20200407_2022.pdf [https://perma.cc/ZKJ4-TBU6].
\3\ Id.
\4\ See also id. at 4-5 (explaining that China's ``commercial
access to personal data of other countries' citizens, along with AI-
driven analytics,'' can ``enable it to automate the identification
of individuals and groups,'' and ``China can draw on ample Western
commercial models for large-scale algorithm-driven delivery of
targeted content and behavior-shaping microincentives'').
\5\ National Counterintelligence and Security Center, China's
Collection of Genomic and Other Healthcare Data From America: Risks
to Privacy and U.S. Economic and National Security at 4 (Feb. 2021),
https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/NCSC_China_Genomics_Fact_Sheet_2021revision20210203.pdf [https://perma.cc/BL4H-WJSW].
---------------------------------------------------------------------------
These risks are not merely hypothetical and have been tested. As a
recent study has explained, for example, ``[a]ggregated insights from
location data'' could be used to damage national security \6\--such as
in 2018, when the publication of a global heatmap of users' location
data collected by a popular fitness app enabled researchers to quickly
identify and map the locations of military and government facilities
and activities.\7\ Similarly, in 2019, New York Times writers were able
to combine a single set of bulk location data collected from cell
phones and bought and sold by location-data companies--which was
anonymized and represented ``just one slice of data, sourced from one
company, focused on one city, covering less than one year''--with
publicly available information to identify, track, and follow
``military officials with security clearances as they drove home at
night,'' ``law enforcement officers as they took their kids to
school,'' and ``lawyers (and their guests) as they traveled from
private jets to vacation properties.'' \8\
---------------------------------------------------------------------------
\6\ Justin Sherman et al., Data Brokers and the Sale of Data on
U.S. Military Personnel at 15 (Nov. 2023), https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/11/Sherman-et-al-2023-Data-Brokers-and-the-Sale-of-Data-on-US-Military-Personnel.pdf [https://perma.cc/M9S8-MYAA].
\7\ E.g., Richard Pérez-Peña and Matthew
Rosenberg, Strava Fitness App Can Reveal Military Sites, Analysts
Say, The New York Times (Jan. 29, 2018), https://www.nytimes.com/2018/01/29/world/middleeast/strava-heat-map.html [https://perma.cc/VZF9-X7LJ]; Jeremy Hsu, The Strava Heat Map and the End of Secrets,
WIRED (Jan. 29, 2018 7:14 p.m.), https://www.wired.com/story/strava-heat-map-military-bases-fitness-trackers-privacy [https://perma.cc/B9KT-E75J].
\8\ Stuart A. Thompson and Charlie Warzel, Twelve Million
Phones, One Dataset, Zero Privacy, The New York Times (Dec. 19,
2019), https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html [https://perma.cc/X3VB-429P].
---------------------------------------------------------------------------
Countries of concern can also exploit access to government-related
data, regardless of volume. As one report has explained, for example,
tracking location data on individual military or government targets can
``reveal sensitive locations--such as visits to a place of worship, a
gambling venue, a health clinic, or a gay bar--which again could be
used for profiling, coercion, blackmail, or other purposes,'' or could
reveal ``reputationally damaging lifestyle characteristics'' that could
be exploited, ``such as infidelity.'' \9\
---------------------------------------------------------------------------
\9\ Sherman et al., supra note 6, at 15.
---------------------------------------------------------------------------
Accordingly, transactions that may enable countries of concern to
access bulk amounts of Americans' sensitive personal data or
government-related data, as defined by the Order, pose particular and
unacceptable risks to national security and foreign policy. This risk
of access to U.S. persons' bulk sensitive personal data and government-
related data is not limited to transactions directly involving the
governments of countries of concern. Persons who are owned by,
controlled by, or subject to the jurisdiction or direction of a country
of concern may enable the government of that country to indirectly
access such data. For example, countries of concern may have cyber,
national security, and intelligence laws that, without sufficient legal
safeguards, can obligate such persons to provide that country's
intelligence services access to U.S. persons' bulk sensitive personal
data and government-related data.
Countries of concern can leverage their access to Americans' bulk
sensitive personal data and government-related data to engage in a
variety of nefarious activities, including malicious cyber-enabled
activities, espionage, and blackmail. Countries of concern can exploit
Americans' bulk sensitive personal data and government-related data to
track and build profiles on U.S.
persons, including Federal employees and contractors, military
servicemembers, and members of the Intelligence Community to support
espionage operations and to identify and exploit vulnerabilities for
malicious cyber activities. Countries of concern can also access U.S.
persons' bulk sensitive personal data and government-related data to
collect information on activists, academics, journalists, dissidents,
political figures, and members of non-governmental organizations and
marginalized communities to intimidate opponents of countries of
concern, curb dissent, and limit Americans' freedom of expression and
other civil liberties. The risks posed by access to Americans' bulk
sensitive personal data and government-related data are exacerbated by
AI and other data processing tools that exploit large datasets in
increasingly sophisticated and effective ways to the detriment of U.S.
national security. These tools, and the access to Americans' bulk
sensitive personal data and government-related data upon which the
tools rely, enable countries of concern to target U.S. persons more
effectively by recognizing patterns across multiple, unrelated datasets
to identify individuals whose links to, for example, the Federal
Government, would be otherwise obscured in a single database.
As the President affirmed in the Order, the United States remains
committed to promoting an open, global, interoperable, reliable, and
secure internet; promoting open, responsible scientific collaboration
to drive innovation; protecting human rights online and offline;
supporting a vibrant, global economy by promoting cross-border data
flows to enable international commerce and trade; and facilitating open
investment. Accordingly, the Order authorizes the Attorney General to
take specific, carefully calibrated actions to minimize the risks
associated with access to Americans' bulk sensitive personal data and
government-related data by countries of concern and persons that are
``owned by, controlled by, or subject to the jurisdiction or direction
of'' countries of concern, while minimizing disruption to commercial
activity. For example, the Order exempts certain classes of
transactions that are less likely to pose these unacceptable national-
security risks, including financial-services transactions, and
authorizes the Attorney General to exempt additional classes of
transactions. Also consistent with the Order, this ANPRM does not
propose generalized data-localization requirements either to store
Americans' bulk sensitive personal data or government-related data
within the United States or to locate computing facilities used to
process Americans' bulk sensitive personal data or government-related
data within the United States. Nor does it seek to broadly prohibit
U.S. persons from conducting commercial transactions with entities and
individuals located in countries of concern or impose measures aimed at
a broader decoupling of the substantial consumer, economic, scientific,
and trade relationships that the United States has with other
countries. This carefully calibrated action instead reflects the U.S.
Government's longstanding support for the concept of ``Data Free Flow
with Trust,'' in recognition of its importance to the economy and human
rights online.
The Order has two primary components relevant to this ANPRM. First,
it directs the Attorney General, in coordination with the Secretary of
Homeland Security and in consultation with the relevant agencies, to
issue regulations identifying for prohibition specific classes of
transactions that may enable access by countries of concern or covered
persons to defined categories of Americans' bulk sensitive personal
data or government-related data, and that the Attorney General
determines pose an unacceptable risk to U.S. national security and
foreign policy. Second, it instructs the Attorney General, in
coordination with the Secretary of Homeland Security and in
consultation with the relevant agencies, to issue regulations
identifying specific classes of transactions that will be required to
comply with security requirements, to be established by the Secretary
of Homeland Security through the Director of the Cybersecurity and
Infrastructure Security Agency, that mitigate the risks of access to
Americans' bulk sensitive personal data or government-related data by
countries of concern. As previewed in this ANPRM, the security
requirements could include (1) organizational requirements (e.g., basic
organizational cybersecurity posture), (2) transaction requirements
(e.g., data minimization and masking, use of privacy-preserving
technologies, requirements for information-technology systems to
prevent unauthorized disclosure, and logical and physical access
controls), and (3) compliance requirements (e.g., audits).\10\
---------------------------------------------------------------------------
\10\ The Order contains other provisions, which are not directly
relevant to this ANPRM, to enhance existing authorities to address
data-security risks, including directing the Committee for the
Assessment of Foreign Participation in the United States
Telecommunications Services Sector to take certain actions with
respect to submarine cables; instructing the Secretaries of Defense,
Health and Human Services, and Veterans Affairs, and the Director of
the National Science Foundation, to consider taking certain steps
regarding the provision of Federal assistance; and encouraging the
Consumer Financial Protection Bureau to consider taking steps
to address the role that data brokers play in contributing to the
national-security risks.
---------------------------------------------------------------------------
II. Program Overview
The Department of Justice is considering implementing the Order
through categorical rules that regulate certain data transactions
involving bulk U.S. sensitive personal data and government-related data
that present an unacceptable risk to U.S. national security, pursuant
to section 2(c) of the Order. To that end, the Department of Justice is
considering establishing a program that would (1) identify certain
classes of highly sensitive transactions that would be prohibited in
their entirety (``prohibited transactions''), and (2) identify other
classes of transactions that would be prohibited except to the extent
they comply with predefined security requirements (``restricted
transactions'') to mitigate the risk of access to bulk sensitive
personal data by countries of concern.
Under this framework, the Department of Justice would establish the
program by issuing proposed rulemakings in tranches based on priority,
including the limits of current authorities, and effective
administration of the program. This ANPRM takes the foundational steps
by seeking the input needed to establish the structure of the program,
including, as described in section 2(c) of the Order, identifying
classes of prohibited and restricted transactions that pose an
unacceptable risk to national security, defining relevant terms,
identifying countries of concern, creating processes for administrative
licensing and entity designations, and establishing a compliance and
enforcement regime. This ANPRM is focused on identifying discrete
classes of prohibited transactions that raise the highest national-
security risks, focusing on data transactions between U.S. persons and
countries of concern (or persons subject to their ownership, control,
jurisdiction, or direction where the transaction involves property in
which a foreign country or national thereof has an interest) that pose
direct risks. As contemplated by this ANPRM, the rulemaking would
target only transactions between a U.S. person and a country of concern
(or person subject to its ownership, control, jurisdiction, or
direction), with one discrete exception described below. The program
would not regulate purely domestic transactions between U.S. persons
(who are not otherwise designated as covered persons acting on behalf
of a country of concern), such as the collection, maintenance,
processing, or use of data by U.S. persons within the United States.
Section 2(f) of the Order authorizes the Department of Justice to
engage in subsequent rulemakings to tailor the regulatory program to
the national-security risks identified in the Order, and to the costs
and benefits of administering and complying with the regulatory
program. Where practical, the proposed program, its structure, and
definitions would be modeled on existing regulations based on IEEPA
that are generally familiar to the public, such as those administered
by the United States Department of the Treasury's Office of Foreign
Assets Control (OFAC) and the United States Department of Commerce's
Bureau of Industry and Security (BIS).
Under section 2(a)(ii) of the Order, the Attorney General is
authorized to determine and identify classes of transactions that
``pose an unacceptable risk to the national security of the United
States because the transactions may enable countries of concern or
covered persons to access bulk sensitive personal data or United States
Government-related data.'' Specifically, the Department of Justice is
considering identifying two classes of prohibited data transactions
between U.S. persons and countries of concern (or covered persons) to
address critical risk areas involving bulk U.S. sensitive personal data
or government-related data: (1) data-brokerage transactions; and (2)
any transaction that provides a country of concern or covered person
with access to bulk human genomic data (a subcategory of human 'omic
data) or human biospecimens from which that human genomic data can be
derived. These classes of prohibited data transactions are not directly
regulated under existing Federal authorities, and these types of
transactions necessarily provide access to bulk sensitive personal data
or government-related data directly to countries of concern or persons
subject to their ownership, control, jurisdiction, or direction.
The Department of Justice is also considering identifying three
classes of restricted data transactions to address critical risk areas
to the extent they involve countries of concern or covered persons and
bulk U.S. sensitive personal data: (1) vendor agreements (including,
among other types, agreements for technology services and cloud-service
agreements), (2) employment agreements, and (3) investment agreements.
These classes of restricted transactions represent significant means
through which countries of concern can access bulk U.S. sensitive
personal data or government-related data, but the national-security
risks associated with these transactions can be mitigated through
appropriate security-related conditions.
The program would cover transactions involving six defined
categories of bulk U.S. sensitive personal data--U.S. persons' covered
personal identifiers, personal financial data, personal health data,
precise geolocation data, biometric identifiers, and human genomic
data--and combinations of those categories, as laid out in the Order
and defined below. These categories would be clearly defined and, for
covered personal identifiers, significantly narrower than the broad
categories of material typically implicated by privacy-focused
regulatory regimes.
In addition to addressing data transactions involving bulk U.S.
sensitive personal data, and as also laid out in the Order, the program
would also address the heightened national-security risks posed by U.S.
persons' transactions with countries of concern (or covered persons)
and two kinds of government-related data regardless of volume: (1)
geolocation data in listed geofenced areas associated with certain
military, other government, and other sensitive facilities (which could
threaten national security by revealing information about those
locations and U.S. persons associated with them), and (2) sensitive
personal data that is marketed as linked or linkable to current or
recent former employees or contractors, or former senior officials, of
the U.S. government, including the military and Intelligence Community.
Consistent with the Order, the program would be implemented as a
carefully calibrated national-security authority to address specific
national security threats, including counterintelligence threats, posed
by data-security risks to U.S. persons and government-related data. The
program is not intended as a commercial regulation of all cross-border
data flows between the United States and our foreign partners, or as a
comprehensive program to regulate Americans' data privacy. Also
consistent with the Order, the Department of Justice intends to
implement the program consistent with longstanding U.S. policy to
promote trusted cross-border data transfers among partners that respect
democratic values and the rule of law, as the program would address
only the national-security risks posed by countries of concern because
of their potential to target and misuse Americans' sensitive personal
data.
Importantly, the program is also not intended to impede all U.S.
persons' data transactions with countries of concern or persons subject
to their jurisdiction. The program, under the rulemaking under
consideration, would prohibit or restrict specific classes of data
transactions between U.S. persons and countries of concern (or persons
subject to their ownership, control, jurisdiction, or direction) that
involve either (1) specific categories of sensitive personal data above
certain bulk-volume thresholds or (2) specific categories of
government-related data regardless of volume. The program under
consideration would also identify classes of exempt data transactions
and would provide a process for the Department of Justice to issue
general and specific licenses using procedures that are generally
familiar to the public.
The Department of Justice does not contemplate that the program
will rely on case-by-case review of individual data transactions.
Rather, the Department of Justice will affirmatively identify classes
of prohibited and restricted data transactions. Importantly, the
Department of Justice believes that a categorical approach provides
bright-line rules to data-transaction parties. The program would not
apply retroactively (before the effective date of the final rule).
However, the Department of Justice may, after the effective date of the
regulations, request information about transactions by United States
persons that were completed or agreed to after the date of the issuance
of the Order to better inform the development and implementation of the
program.
III. Issues for Comment
The Department of Justice welcomes comments and views from a wide
range of stakeholders on all aspects of how the Attorney General should
implement this new program under the Order. The Department of Justice
is particularly interested in obtaining information on the topics
discussed below. This ANPRM does not necessarily identify the full
scope of potential approaches the Department of Justice might
ultimately undertake in regulations to implement the Order.
A. Overview
The Order frames the key terms that will be developed through
rulemaking. Under the rules that the Department of Justice is
considering, U.S. persons
would be prohibited from engaging in classes of covered data
transactions, which (as further defined below) have been determined by
the Attorney General to pose an unacceptable risk to the national
security of the United States because these classes of covered data
transactions may enable countries of concern or covered persons to
access bulk U.S. sensitive personal data or government-related data.
Some otherwise-prohibited covered data transactions may be restricted
and be permitted to proceed only subject to certain conditions,
including security requirements published by the Department of Homeland
Security in coordination with the Department of Justice. Prohibited or
restricted covered data transactions may also be permitted to proceed
based on applicable general or specific licenses. None of the program's
requirements would apply to a U.S. person engaged in an exempt data
transaction.
Definitions under consideration for these and related terms are
italicized and discussed below, along with questions on which the
Department of Justice seeks comment.
B. Bulk U.S. Sensitive Personal Data
The Order authorizes the Attorney General to prohibit or otherwise
restrict United States persons from engaging in any transaction where
the transaction involves bulk sensitive personal data and meets other
criteria specified in section 2(a) of the Order. The Order defines
``bulk'' as ``an amount of sensitive personal data that meets or
exceeds a threshold over a set period of time, as specified in
regulations issued by the Attorney General pursuant to section 2 of
th[e] order.'' The Order also defines ``sensitive personal data'' as
``covered personal identifiers, geolocation and related sensor data,
biometric identifiers, human 'omic data, personal health data, personal
financial data, or any combination thereof,'' as further defined in
final rules implementing the Order, ``that could be exploited by a
country of concern to harm United States national security if that data
is linked or linkable to any identifiable United States individual or
to a discrete and identifiable group of United States individuals.''
The Department of Justice is considering elaborating on and providing
greater detail to the Order's definitions of ``sensitive personal
data'' and ``bulk.''
Sensitive personal data. The Department of Justice is considering
further defining each of the six categories of sensitive personal data
identified in the Order as follows:
1. Covered personal identifiers. The Order defines ``covered
personal identifiers'' as ``specifically listed classes of personally
identifiable data that are reasonably linked to an individual, and
that--whether in combination with each other, with other sensitive
personal data, or with other data that is disclosed by a transacting
party pursuant to the transaction and that makes the personally
identifiable data exploitable by a country of concern--could be used to
identify an individual from a data set or link data across multiple
data sets to an individual.'' The Department is considering further
defining the term covered personal identifiers as follows.
1(a). With respect to the subcategory of listed classes of
personally identifiable data ``in combination with each other,'' the
term covered personal identifiers would mean any listed identifier that
is linked to any other listed identifier, except:
(a) The term covered personal identifiers does not include
demographic or contact data that is linked only to other demographic
or contact data; and
(b) The term covered personal identifiers does not include a
network-based identifier, account-authentication data, or call-
detail data that is linked only to other network-based identifier,
account-authentication data, or call-detail data as necessary for
the provision of telecommunications, networking, or similar
services.
Listed identifiers would include the following classes of data
determined by the regulations to be ``reasonably linked to an
individual'' under the Order's definition of ``covered personal
identifiers.'' The final rule will include a comprehensive list of
listed identifiers.
Full or truncated government identification or account number
(such as a Social Security Number, driver's license or state
identification number, passport number, or Alien Registration Number)
Full financial account numbers or personal identification
numbers associated with a financial institution or financial-services
company
Device-based or hardware-based identifier (such as
International Mobile Equipment Identity (IMEI), Media Access Control
(MAC) address, or Subscriber Identity Module (SIM) card number)
Demographic or contact data (such as first and last name,
birth date, birthplace, zip code, residential street or postal address,
phone number, and email address and similar public account identifiers)
Advertising identifier (such as Google Advertising ID, Apple
ID for Advertisers, or other Mobile Advertising ID (MAID))
Account-authentication data (such as account username, account
password, or an answer to security questions)
Network-based identifier (such as Internet Protocol (IP)
address or cookie data)
Call-detail data (such as Customer Proprietary Network
Information (CPNI))
Under this definition, the term covered personal identifiers would
be much narrower than the categories of material typically covered by
laws and policies aimed generally at protecting personal privacy.\11\
It would not include any combinations of types of data that are not
expressly listed. For example, this definition of covered personal
identifiers would not include an individual's:
---------------------------------------------------------------------------
\11\ Cf., e.g., California Consumer Privacy Act of 2018, Cal.
Civ. Code section 1798.140(v)(1) (defining ``personal information''
in the context of a generalized privacy-focused regime); Regulation
(EU) 2016/679 of the European Parliament and of the Council, ``On
the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing
Directive 95/46/EC'' (General Data Protection Regulation), art. 4(1)
(27 April 2016) (defining ``personal data'' in the context of a
generalized data privacy regime).
Employment history;
Educational history;
Organizational memberships;
Criminal history; or
Web-browsing history.
For purposes of defining covered personal identifiers only, the
Department of Justice is considering defining identifiers as linked
when the identifiers involved in a single covered data transaction, or
in multiple covered data transactions or a course of dealing between
the same or related parties, are capable of being associated with the
same specific person(s). Identifiers would not be considered linked
when additional identifiers or data not involved in the relevant
covered data transaction(s) would be necessary to associate the
identifiers with the same specific person(s). For example, if a U.S.
person transferred two listed identifiers in a single spreadsheet--such
as a list of names of individuals and associated MAC addresses for
those individuals' devices--the names and MAC addresses would be
considered linked. The same would be true if the names and MAC
addresses were transferred to two related parties in two different
covered data transactions, provided that the receiving parties were
capable of determining which names corresponded to which MAC addresses.
On the other hand, a standalone list of MAC
addresses, without any additional listed identifiers, would not be
covered personal identifiers. That standalone list of MAC addresses
would not become covered personal identifiers even if the receiving
party is capable of obtaining separate sets of other listed identifiers
or sensitive personal data through separate covered data transactions
with unaffiliated parties that would ultimately permit the association
of the MAC addresses to specific persons. The MAC addresses would not
be considered linked to those separate sets of other listed identifiers
or sensitive personal data.
The Department of Justice currently intends the category of covered
personal identifiers to apply as follows:
Example 1. A standalone listed identifier in isolation
(i.e., that is not linked to another listed identifier, sensitive
personal data, or other data that is disclosed by a transacting party
pursuant to the transaction that makes the personally identifiable data
exploitable by a country of concern)--such as a data set of only Social
Security Numbers or only account usernames--would not constitute
covered personal identifiers.
Example 2. A listed identifier linked to another listed
identifier--such as a data set of first and last names linked to Social
Security Numbers, driver's license numbers linked to passport numbers,
device MAC addresses linked to residential addresses, account usernames
linked to first and last names, or mobile advertising IDs linked to
email addresses--would constitute covered personal identifiers.
Example 3. Demographic or contact data linked only to
other demographic or contact data--such as a data set linking first and
last names to residential street addresses, email addresses to first
and last names, or customer loyalty membership records linking first
and last names to phone numbers--would not constitute covered personal
identifiers.
Example 4. Demographic or contact data linked to other
demographic or contact data and to another listed identifier--such as a
data set linking first and last names to email addresses and to IP
addresses--would constitute covered personal identifiers.
Example 5. Account usernames linked to passwords as part
of a sale of a data set would constitute covered personal identifiers.
Those types of account-authentication data are not linked as part of
the provision of telecommunications, networking, or similar services.
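The following is an added illustration, not Department of Justice code, of how a compliance engineer might encode the subcategory 1(a) test: the listed-identifier classes, exceptions (a) and (b), and the outcomes of Examples 1 through 5 above. The column names, the `COLUMN_CLASSES` table and the `telecom_service_context` flag are assumptions used to model the facts of each example.

```python
"""Rule evaluator for the ANPRM's "covered personal identifiers" test under
subcategory 1(a): listed identifiers "in combination with each other".
Constructed illustration; the column vocabulary and the
telecom_service_context flag are assumptions, not terms from the ANPRM."""
from dataclasses import dataclass, field
from enum import Enum


class IdClass(Enum):
    """The listed-identifier classes enumerated in the ANPRM."""
    GOVERNMENT_ID = "government identification or account number"
    FINANCIAL_ACCOUNT = "financial account number or PIN"
    DEVICE_ID = "device-based or hardware-based identifier"
    DEMOGRAPHIC_CONTACT = "demographic or contact data"
    ADVERTISING_ID = "advertising identifier"
    ACCOUNT_AUTH = "account-authentication data"
    NETWORK_ID = "network-based identifier"
    CALL_DETAIL = "call-detail data"


# Assumed spreadsheet column names mapped to their listed-identifier class.
# Columns absent from this table are not listed identifiers and are ignored
# by the 1(a) test (they may still matter under 1(b) or 1(c), not modeled here).
COLUMN_CLASSES = {
    "ssn": IdClass.GOVERNMENT_ID,
    "drivers_license": IdClass.GOVERNMENT_ID,
    "passport_number": IdClass.GOVERNMENT_ID,
    "bank_account": IdClass.FINANCIAL_ACCOUNT,
    "imei": IdClass.DEVICE_ID,
    "mac_address": IdClass.DEVICE_ID,
    "first_name": IdClass.DEMOGRAPHIC_CONTACT,
    "last_name": IdClass.DEMOGRAPHIC_CONTACT,
    "email": IdClass.DEMOGRAPHIC_CONTACT,
    "phone": IdClass.DEMOGRAPHIC_CONTACT,
    "street_address": IdClass.DEMOGRAPHIC_CONTACT,
    "maid": IdClass.ADVERTISING_ID,
    "username": IdClass.ACCOUNT_AUTH,
    "password": IdClass.ACCOUNT_AUTH,
    "security_answer": IdClass.ACCOUNT_AUTH,
    "ip_address": IdClass.NETWORK_ID,
    "cookie_id": IdClass.NETWORK_ID,
    "cpni": IdClass.CALL_DETAIL,
}

# Exception (b): these three classes, linked only to each other, are carved
# out when the linkage is necessary to provide telecom or similar services.
TELECOM_CLASSES = {IdClass.NETWORK_ID, IdClass.ACCOUNT_AUTH, IdClass.CALL_DETAIL}


@dataclass
class Determination:
    covered: bool
    reason: str
    classes: frozenset = field(default_factory=frozenset)


def classify_linked_identifiers(columns, telecom_service_context=False):
    """Apply the 1(a) test to columns that are linked, i.e. each row refers to
    the same specific person.  telecom_service_context (assumed flag) models
    whether the data is linked only as necessary to provide
    telecommunications, networking, or similar services."""
    listed = [c for c in columns if c in COLUMN_CLASSES]
    classes = frozenset(COLUMN_CLASSES[c] for c in listed)

    # Example 1: a single listed identifier standing alone is not covered.
    if len(listed) < 2:
        return Determination(False, "standalone listed identifier", classes)

    # Exception (a) / Example 3: demographic or contact data linked only to
    # other demographic or contact data is not covered.
    if classes == {IdClass.DEMOGRAPHIC_CONTACT}:
        return Determination(False, "exception (a): demographic/contact only", classes)

    # Exception (b): network, auth and call-detail data linked only to each
    # other, and only for telecom-service provision, is not covered.
    if classes <= TELECOM_CLASSES and telecom_service_context:
        return Determination(False, "exception (b): telecom-service linkage", classes)

    # Otherwise two or more linked listed identifiers are covered
    # (Examples 2, 4 and 5).
    return Determination(True, "listed identifiers linked to each other", classes)
```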
1(b). With respect to the subcategory of listed classes of
personally identifiable data ``in combination . . . with other
sensitive personal data,'' the Department is considering treating these
combinations as combined data subject to the lowest bulk threshold
applicable to the categories of data present, as separately discussed
below with respect to the definition of the term bulk U.S. sensitive
personal data.
1(c). With respect to the subcategory of listed classes of
personally identifiable data ``in combination . . . with other data
that is disclosed by a transacting party pursuant to the transaction
that makes the personally identifiable data exploitable by a country of
concern,'' the Department does not intend to impose an obligation on
transacting parties to independently determine whether particular
combinations of data would be ``exploitable by a country of concern'';
rather, the Department intends to identify specific classes of data
that, when combined, would satisfy this standard. The Department seeks
comment on other ways in which it can further define this subcategory.
As context, the Department intends this subcategory to apply to
scenarios such as the following:
Example 6. A foreign person who is a covered person asks a
U.S. company for a list of MAC addresses from devices that have
connected to the wireless network of a U.S. fast-food restaurant
located in a particular government building. The U.S. company then
sells the list of MAC addresses, without any other listed identifiers
or sensitive personal data, to the covered person. The data disclosed
by the covered person's inquiry for MAC addresses from ``devices that
have connected to the wireless network of a U.S. fast-food restaurant
located in a particular government building'' makes the list of MAC
addresses exploitable by a country of concern.
Example 7. A U.S. company sells to a country of concern a
list of full names that the company describes (in a heading in the list
or to the country of concern as part of the transaction) as ``members
of a country of concern's opposition political party in New York
City,'' or as ``active-duty LGBTQ+ military officers'' without any
other listed identifiers or sensitive personal data. The data disclosed
by the U.S. company's description of the list of names as ``members of
a country of concern's opposition political party in New York City'' or
``active-duty LGBTQ+ military officers'' makes the list of names
exploitable by a country of concern.
By contrast, the Department does not intend this subcategory to
apply to scenarios such as the following:
Example 8. A covered person asks a U.S. company for a bulk
list of birth dates for ``any American who visited a Starbucks in
Washington, DC in December 2023.'' The U.S. company then sells the list
of birth dates, without any other listed identifiers or sensitive
personal data, to the covered person.
Example 9. A U.S. company sells to a covered person a list
of full names that the company describes (in a heading in the list or
to the covered person as part of the transaction) as ``Americans who
watched more than 50% of episodes'' of a popular TV show, without any
other listed identifiers or sensitive personal data.
2. Geolocation and related sensor data. The Department of Justice
currently intends for its first rulemaking to regulate covered data
transactions involving geolocation and related sensor data only to the
extent that such transactions involve precise geolocation data. Precise
geolocation data would mean data, whether real-time or historical, that
identifies the physical location of an individual or a device with a
precision of within [number of meters/feet] based on electronic signals
or inertial sensing units.
3. Biometric identifiers. The term biometric identifiers means
measurable physical characteristics or behaviors used to recognize or
verify the identity of an individual, including facial images, voice
prints and patterns, retina and iris scans, palm prints and
fingerprints, gait, and keyboard usage patterns that are enrolled in a
biometric system and the templates created by the system.
4. Human `omic data. The Department of Justice currently intends
for its first rulemaking to regulate covered data transactions
involving human `omic data only to the extent that such transactions
involve human genomic data. The term human genomic data means data
representing the nucleic acid sequences that comprise the entire set or
a subset of the genetic instructions found in a human cell, including
the result or results of an individual's ``genetic test'' (as defined
in 42 U.S.C. 300gg-91(d)(17)) and any related human genetic sequencing
data.
5. Personal health data. The term personal health data means
``individually identifiable health information'' (as defined in 42
U.S.C. 1320d(6) and 45 CFR 160.103), regardless of whether such
information is collected by a ``covered entity'' or ``business
associate'' (as defined in 45 CFR 160.103).
[[Page 15786]]
6. Personal financial data. The term personal financial data means
data about an individual's credit, charge, or debit card, or bank
account, including purchases and payment history; data in a bank,
credit, or other financial statement, including assets, liabilities and
debts, and transactions; or data in a credit or ``consumer report'' (as
defined under 15 U.S.C. 1681a).
With respect to the definition of the term sensitive personal data,
the Department of Justice is considering further defining categorical
exclusions to the extent that data consists of:
i. Public or nonpublic data that does not relate to an
individual, including such data that meets the definition of a
``trade secret'' (as defined in 18 U.S.C. 1839(3)) or ``proprietary
information'' (as defined in 50 U.S.C. 1708(d)(7));
ii. Data that is lawfully available to the public from a
Federal, State, or local government record or in widely distributed
media (such as court records or other sources that are generally
available to the public through unrestricted and open-access
repositories);
iii. Personal communications that do not transfer anything of
value (see 50 U.S.C. 1702(b)(1)); or
iv. Information or informational materials (see 50 U.S.C.
1702(b)(3)), which would be defined further in the regulations. The
Department of Justice anticipates interpreting the phrase
``information or informational materials'' as including expressive
information, like videos and artwork, and excluding non-expressive
data, consistent with the speech-protective purpose of 50 U.S.C.
1702(b)(3).
Bulk thresholds. The program would establish volume-based
thresholds for each category of sensitive personal data and for
combined datasets. The Department of Justice is considering the
following approach to determine the bulk thresholds.
To the maximum extent feasible, the bulk thresholds would be set
based on a risk-based assessment that examines threat, vulnerabilities,
and consequences as components of risk. In the context of the bulk
thresholds, a risk-based assessment would account for the
characteristics of datasets that affect the data's vulnerability to
exploitation by countries of concern and that affect the consequences
of exploitation. These characteristics may include both human-centric
characteristics (which describe a data set in terms of its potential
value to a human analyst) and machine-centric characteristics (which
describe how easily a data set could be processed by a computer
system). The framework's human-centric characteristics may include how
many individuals a data set covers (size), how the data could be used
(purpose), how easy it is to deliberately change the data
(changeability), who tracks and manages the data (control), and how
easy the data is to obtain (availability). The framework's machine-
centric characteristics may include the number of data points in a
dataset (volume), how quickly the dataset evolves (velocity), how
specifically a data set targets a sensitive group (correlation), and
how much processing is required to use the data (quality). Applying
this style of framework would allow for a particularized assessment of
the relative sensitivity of each of the six categories of sensitive
personal data and would inform the volume threshold applicable to each
category.
Based on a preliminary risk assessment, the Department of Justice,
in consultation with other agencies, is considering adopting bulk
thresholds within the following ranges, and would welcome additional
analysis about the costs and benefits of specific thresholds for each
category:
Bulk threshold ranges under consideration, by category (persons or devices
that the data is collected or maintained on):

    Category                        Low                              High
    Human genomic data              More than 100 U.S. persons       More than 1,000 U.S. persons
    Biometric identifiers           More than 100 U.S. persons       More than 10,000 U.S. persons
    Precise geolocation data        More than 100 U.S. devices       More than 10,000 U.S. devices
    Personal health data            More than 1,000 U.S. persons     More than 1,000,000 U.S. persons
    Personal financial data         More than 1,000 U.S. persons     More than 1,000,000 U.S. persons
    Covered personal identifiers    More than 10,000 U.S. persons    More than 1,000,000 U.S. persons
The Department of Justice proposes to operationalize these bulk
thresholds as follows:
The term bulk U.S. sensitive personal data means a collection or
set of data relating to U.S. persons, in any format, regardless of
whether the data is anonymized, pseudonymized, de-identified, or
encrypted and that includes, at any point in the preceding twelve
months, whether through a single covered data transaction or
aggregated across covered data transactions involving the same
foreign person or covered person:
(i) Human genomic data collected or maintained on more than
[number of] U.S. persons;
(ii) Biometric identifiers collected or maintained on more than
[number of] U.S. persons;
(iii) Precise geolocation data collected or maintained on more
than [number of] U.S. devices;
(iv) Personal health data collected or maintained on more than
[number of] U.S. persons;
(v) Personal financial data collected or maintained on more than
[number of] U.S. persons;
(vi) Covered personal identifiers collected or maintained on
more than [number of] U.S. persons; or
(vii) Combined data, meaning any collection or set of data that
contains more than one of categories (i) through (vi), or that
contains any listed identifier linked to categories (i) through (v),
that meets the threshold number of persons or devices collected or
maintained in the aggregate for the lowest number of U.S. persons or
U.S. devices in any category of data present.
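The following is an added worked example of how a data holder might apply the contemplated definition to a stream of transactions; it is not part of the ANPRM and does not represent any adopted rule. The threshold figures used are the low end of the ranges under consideration and are assumed only for illustration (the definition itself leaves every figure as ``[number of]''). Three further points are assumptions of this example because the text leaves them open: subjects repeated across transactions with the same counterparty are counted once; U.S. persons and U.S. devices are pooled when testing combined data; and the twelve-month window excludes its earliest day and includes the day of assessment. The transactions are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Category(Enum):
    GENOMIC = "human genomic data"
    BIOMETRIC = "biometric identifiers"
    GEOLOCATION = "precise geolocation data"
    HEALTH = "personal health data"
    FINANCIAL = "personal financial data"
    IDENTIFIERS = "covered personal identifiers"


# Illustrative figures only: the low end of the ranges under consideration.
# This mapping is an assumption of the example, not an adopted threshold.
LOW_THRESHOLDS = {
    Category.GENOMIC: 100,
    Category.BIOMETRIC: 100,
    Category.GEOLOCATION: 100,  # counted in U.S. devices, not persons
    Category.HEALTH: 1_000,
    Category.FINANCIAL: 1_000,
    Category.IDENTIFIERS: 10_000,
}


@dataclass
class Transaction:
    """One covered data transaction with one foreign or covered person.

    `subjects` maps a category to the opaque IDs of the U.S. persons (or,
    for precise geolocation, U.S. devices) the data relates to.  Using IDs
    lets a subject sold twice be counted once (assumption, see lead-in).
    `listed_identifier_linked` records whether a listed identifier (e.g. a
    name) is linked to the data, which matters for definition (vii).
    """
    when: date
    counterparty: str
    subjects: dict[Category, set[str]] = field(default_factory=dict)
    listed_identifier_linked: bool = False


def aggregate(transactions, counterparty, as_of):
    """Union the subjects of every transaction with `counterparty` in the
    twelve months preceding `as_of`, as the definition requires."""
    window_start = as_of - timedelta(days=365)
    combined: dict[Category, set[str]] = {}
    any_linked = False
    for t in transactions:
        if t.counterparty != counterparty or not (window_start < t.when <= as_of):
            continue
        any_linked = any_linked or t.listed_identifier_linked
        for cat, ids in t.subjects.items():
            combined.setdefault(cat, set()).update(ids)
    return combined, any_linked


def is_bulk(combined, any_linked, thresholds=LOW_THRESHOLDS):
    """Apply (i)-(vii) to an aggregated collection. Returns (decision, reason)."""
    present = {c for c, ids in combined.items() if ids}
    if not present:
        return False, "no sensitive personal data"
    # (i)-(vi): any single category over its own threshold
    for cat in present:
        if len(combined[cat]) > thresholds[cat]:
            return True, f"{cat.value}: {len(combined[cat])} > {thresholds[cat]}"
    # (vii): more than one category, or a listed identifier linked to (i)-(v),
    # is tested against the LOWEST threshold of any category present, counting
    # subjects across all categories present.
    non_identifier = present - {Category.IDENTIFIERS}
    if len(present) > 1 or (any_linked and non_identifier):
        floor = min(thresholds[c] for c in present)
        total = len(set().union(*(combined[c] for c in present)))
        if total > floor:
            return True, f"combined data: {total} subjects > lowest threshold {floor}"
    return False, "below every applicable threshold"


def demo():
    """Constructed sample transactions (not real data) exercising the edges."""
    def ids(lo, hi):
        return {f"p{i}" for i in range(lo, hi)}

    a = "CoveredPerson-A"
    txs = [
        Transaction(date(2024, 1, 15), a, {Category.GENOMIC: ids(0, 60)}),
        Transaction(date(2024, 9, 15), a, {Category.GENOMIC: ids(60, 120)}),
        Transaction(date(2024, 9, 20), "CoveredPerson-B",
                    {Category.HEALTH: ids(0, 70), Category.GENOMIC: ids(500, 540)}),
        Transaction(date(2024, 9, 25), "CoveredPerson-C",
                    {Category.HEALTH: ids(0, 900)}, listed_identifier_linked=True),
    ]
    return {
        # two sub-threshold genomic sales to the same counterparty, 8 months apart
        "aggregated_a": is_bulk(*aggregate(txs, a, date(2024, 9, 15)))[0],
        # assessed later, once the January sale has left the 12-month window
        "a_after_window": is_bulk(*aggregate(txs, a, date(2025, 2, 1)))[0],
        # 70 health + 40 genomic subjects: 110 against the genomic floor of 100
        "combined_b": is_bulk(*aggregate(txs, "CoveredPerson-B", date(2024, 9, 30)))[0],
        # 900 health records with a listed identifier linked: floor stays at 1,000
        "linked_c": is_bulk(*aggregate(txs, "CoveredPerson-C", date(2024, 9, 30)))[0],
    }
```

The design point worth noticing is the second case: the aggregation rule means a single sale can become a bulk transaction because of an earlier sale to the same counterparty, so the check has to run over retained transaction history, not over the new dataset alone; that is also the tension raised in question 14 below about retention.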
The ANPRM seeks comment on this topic, including:
1. In what ways, if any, should the Department of Justice
elaborate or amend the definition of bulk U.S. sensitive personal
data? If the definition should be elaborated or amended, why?
2. Should the Department of Justice treat data that is
anonymized, pseudonymized, de-identified, or encrypted differently?
If so, why?
3. Should the Department of Justice consider amending the
definitions applicable to any of the six categories of sensitive
personal data? If the definition should be elaborated or amended,
why?
4. Are there categories of bulk U.S. sensitive personal data
that should be added to the definition? Are there categories
proposed that should be removed? Please explain.
5. The Executive order directs a report and recommendation
assessing the risks and benefits of regulating transactions
involving other specified types of human `omic data. Should data
transactions involving these other types of human `omic data be
regulated? If so, which types of human `omic data? What risks,
scientific value, and economic costs should be considered?
6. What, if any, possible unintended consequences could result
from the definition (including the bulk thresholds) under
consideration? In particular, to what extent would the approach
contemplated here affect individuals' rights to share their own
biospecimens and health, genomic, and other data?
[[Page 15787]]
7. What thresholds for datasets should apply with respect to
each category of bulk U.S. sensitive personal data under
consideration, and why is each such threshold appropriate? Should
any category of sensitive personal data (e.g., covered personal
identifiers) have different thresholds for different subtypes or
specific fields of data based on sensitivity, purpose, correlation,
or other factors?
8. Are there other factors or characteristics that the
Department of Justice should evaluate as part of the proposed
analytical framework for determining the bulk thresholds?
9. What data points, specific use cases, or other information
should the Department of Justice consider in determining the bulk
thresholds for bulk U.S. sensitive personal data?
10. At what level should the Department of Justice set the
precision (i.e., numbers of meters/feet) in defining precise
geolocation data? What are common commercial applications of
geolocation data, and what level of precision is required to support
those applications? When geolocation data is ``fuzzed'' in some
commercial applications to reduce potential privacy impacts, what
are common techniques for ``fuzzing'' the data, what is the
resulting reduction in the level of precision, and how effective are
those techniques in reducing the sensitivity of the data? To what
extent should the definition be informed by the level of precision
for geolocation data used in certain state data-privacy laws, such
as a radius of 1,850 feet (see, e.g., Cal. Civ. Code section
1798.140(w)) or a radius of 1,750 feet (see, e.g., Utah Code
section 13-61-101(33)(a))?
11. Should the Department of Justice consider changing any of
the categorical exclusions to the definition of sensitive personal
data? How should the program define the exclusion for data that is
lawfully a matter of public record, particularly in light of data
that is scraped from the internet or data points that are themselves
public but whose linkage to the same individual is not public? What
types of data are generally available to the public through open-
access repositories?
12. How do businesses use each category of sensitive personal
data, particularly in the cross-border context, and how would the
ranges of bulk thresholds under consideration affect businesses'
ability to engage in data transactions with countries of concern or
covered persons?
13. Should the classes of listed identifiers, such as for
government identification numbers and financial account numbers,
include truncated versions of the full numbers? If so, how should
``truncated'' be defined?
14. With respect to defining linked for purposes of covered
personal identifiers, should the Department of Justice consider
placing a time limit on when listed identifiers would be considered
linked to address a scenario in which, for example, a U.S. person
sells a bulk list of names to a covered person on day one (which
would not be a covered data transaction) and then sells a list of
Social Security Numbers associated with those names years later?
Would the lack of such a time limit require or encourage U.S.
companies, such as data brokers, to retain sensitive personal data
that they would otherwise purge in the normal course of business?
15. With respect to defining the term covered personal
identifiers, how should the Department define the subcategory of
listed classes of personally identifiable data ``in combination . .
. with other data that is disclosed by a transacting party pursuant
to the transaction that makes the personally identifiable data
exploitable by a country of concern''?
16. How should the Department define information or
informational materials? What factors should the Department take
into account in its definition? What relevant precedents from other
IEEPA-based programs should the Department take into account when
defining the term?
C. Government-Related Data
In addition to authorizing the Attorney General to address the
national-security risks posed by transactions involving bulk sensitive
personal data, the Order also authorizes the Attorney General to
prohibit or otherwise restrict U.S. persons from engaging in certain
transactions involving government-related data regardless of volume.
The Order defines the term ``United States Government-related data'' as
sensitive personal data that, regardless of volume, the Attorney
General determines poses a heightened risk of being exploited by a
country of concern to harm United States national security and that (1)
a transacting party identifies as being linked or linkable to
categories of current or recent former employees or contractors, or
former senior officials, of the Federal Government, including the
military, as specified in regulations issued by the Attorney General
pursuant to section 2 of the order; (2) is linked to categories of data
that could be used to identify current or recent former employees or
contractors, or former senior officials, of the Federal Government,
including the military, as specified in regulations issued by the
Attorney General pursuant to section 2 of the order; or (3) is linked
or linkable to certain sensitive locations, the geographical areas of
which will be specified publicly, that are controlled by the Federal
Government, including the military.
The Department of Justice is considering further defining the term
government-related data to include two data categories: (1) any precise
geolocation data, regardless of volume, for any location within any
area enumerated on a list of specific geofenced areas associated with
military, other government, or other sensitive facilities or locations
(the Government-Related Location Data List), or (2) any sensitive
personal data, regardless of volume, that a transacting party markets
as linked or linkable to current or recent former employees or
contractors, or former senior officials, of the U.S. government,
including the military and Intelligence Community.
With respect to the location subcategory, the Government-Related
Location Data List would be created through an interagency process in
which each agency identifies any geofenced areas relative to its
equities for inclusion on the list, and DOJ would maintain and publish
the list.
The Department of Justice currently intends the personnel
subcategory to apply to scenarios such as the following:
Example 10. A U.S. company advertises the sale of a set of
sensitive personal data as belonging to ``active duty'' personnel,
``military personnel who like to read,'' ``DoD'' personnel,
``government employees,'' or ``communities that are heavily connected
to a nearby military base.''
Example 11. In discussing the sale of a set of sensitive
personal data with a foreign counterparty, a U.S. company describes the
data set as belonging to members of a specific organization, which
restricts membership to current and former members of the military and
their families.
The ANPRM seeks comment on this topic, including:
17. In what ways, if any, should the Department of Justice
elaborate or amend the definition of government-related data,
including with respect to ``recent former'' employees or
contractors, and ``former senior officials''?
18. Are there categories of government-related data that should
be added to the definition? Are there categories proposed that
should be removed? Please explain.
19. How should the Department of Justice define data that is
``marketed as linked or linkable'' to current or recent former
employees or contractors, or former senior officials, of the U.S.
Government (including the military or Intelligence Community)? What
are the current industry practices?
20. How would the contemplated definitions of bulk sensitive
personal data and government-related data affect health and related
research activities, such as genomic research on deceased U.S.
persons who were former senior U.S. officials or recent former
employees or contractors? To what extent do such activities involve
covered data transactions with countries of concern or covered
persons that would be prohibited or regulated under this program?
Should the Department of Justice consider a general license for such
activities, and if so, what should the parameters be for such a
license?
21. What, if any, possible unintended consequences could result
from the definition of government-related data under consideration?
[[Page 15788]]
D. Covered Data Transactions
The Order authorizes the Attorney General to prohibit or otherwise
restrict United States persons from engaging in transactions meeting
several criteria and requires the Attorney General to identify classes
of transactions subject to those prohibitions or restrictions. With
respect to defining what would constitute a covered data transaction,
the Department of Justice proposes to carefully tailor the program to
achieve the Order's intent and effect. Consequently, the Department of
Justice is considering adopting the following definitions relevant to
the concept of a covered data transaction. A transaction is any
acquisition, holding, use, transfer, transportation, exportation of, or
dealing in any property in which a foreign country or national thereof
has an interest. A covered data transaction is any transaction that
involves any bulk U.S. sensitive personal data or government-related
data and that involves: (1) data brokerage; (2) a vendor agreement; (3)
an employment agreement; or (4) an investment agreement.
Under this definition of covered data transactions and the
definition of access below (which covers both actual physical or
logical access and ``the ability to'' exercise such access), prohibited
transactions would be those covered data transactions that are
categorically determined to pose an unacceptable risk to national
security because they may enable countries of concern or covered
persons to access bulk U.S. sensitive personal data or government-
related data. Likewise, under these definitions, restricted
transactions would be those covered data transactions that are
categorically determined to pose an unacceptable risk to national
security because they may enable countries of concern or covered
persons to access bulk U.S. sensitive personal data or government-
related data unless the security requirements are implemented. The
program would take a categorical approach to regulating covered data
transactions; it would not rely on transacting parties or the
government to determine whether specific covered data transactions
within the classes of prohibited and restricted transactions
individually pose unacceptable risks of access.
Basic terms. The Department of Justice is considering defining the
term access to mean ``logical or physical access, including the ability
to obtain, read, copy, decrypt, edit, divert, release, affect, alter
the state of, or otherwise view or receive, in any form, including
through information-technology systems, cloud-computing platforms,
networks, security systems, equipment, or software.'' The Department of
Justice is considering defining the term U.S. device to mean ``any
device that is linked or linkable to a U.S. person.'' The Department of
Justice is also considering defining the terms entity, foreign person,
person, and U.S. person as follows, consistent with the definitions of
those terms in other IEEPA-based regulations, including those contained
in relevant sections of title 31 of the Code of Federal Regulations:
The term entity means a partnership, association, trust, joint
venture, corporation, group, subgroup, or other organization.
The term foreign person means any person that is not a U.S.
person. (For clarity, a foreign branch of a U.S. company would
generally be treated the same as the U.S. company itself--as a U.S.
person, not a foreign person.)
The term person means an individual or entity.
The term U.S. person means any United States citizen, national,
or lawful permanent resident; or any individual admitted to the
United States as a refugee under 8 U.S.C. 1157 or granted asylum
under 8 U.S.C. 1158; or any entity organized solely under the laws
of the United States or any jurisdiction within the United States
(including foreign branches); or any person in the United States.
Example 12. An individual is a citizen of a country of
concern and is in the United States. The individual is a U.S.
person.
Example 13. An individual is a U.S. citizen. The
individual is a U.S. person, regardless of location.
Example 14. An individual is a dual citizen of the
United States and a country of concern. The individual is a U.S.
person, regardless of location.
Example 15. An individual is a citizen of a country of
concern, is not a permanent resident alien of the United States, and
is outside the United States. The individual is a foreign person.
Data brokerage. The program would define data brokerage as the sale
of, licensing of access to, or similar commercial transactions
involving the transfer of data from any person (the provider) to any
other person (the recipient), where the recipient did not collect or
process the data directly from the individuals linked or linkable to
the collected or processed data. The Department of Justice currently
intends data brokerage to apply to scenarios such as the following:
Example 16. A U.S. company sells bulk U.S. sensitive
personal data to an entity headquartered in a country of concern.
Example 17. A U.S. company enters into an agreement that
gives a covered person a license to access government-related data held
by the U.S. company.
Example 18. A U.S. organization maintains a database of
bulk U.S. sensitive personal data and offers annual memberships for a
fee that provide members a license to access that data. Providing an
annual membership to a covered person would constitute a prohibited
data brokerage.
Vendor agreement. The contemplated program would define a vendor
agreement as any agreement or arrangement, other than an employment
agreement, in which any person provides goods or services to another
person, including cloud-computing services, in exchange for payment or
other consideration. Cloud-computing services would be defined as
services related to the provision or use of ``cloud computing,''
including ``Infrastructure-as-a-Service (IaaS),'' ``Platform-as-a-
Service (PaaS),'' and ``Software-as-a-Service (SaaS)'' (as those terms
are defined in NIST Special Publication 800-145). The Department of
Justice currently intends vendor agreements to apply to scenarios such
as the following:
Example 19. A U.S. company collects bulk precise
geolocation data from U.S. users through an app. The U.S. company
enters into an agreement with a company headquartered in a country of
concern to process and store this data.
Example 20. A medical facility in the United States
contracts with a company headquartered in a country of concern to
provide IT-related services. The medical facility has bulk personal
health data on its U.S. patients. The IT services provided under the
contract involve access to the medical facility's systems containing
the bulk personal health data.
Example 21. A U.S. company, which is owned by an entity
headquartered in a country of concern and has been designated a covered
person, establishes a new data center in the United States to offer
managed services. The U.S. company's data center serves as a vendor to
various U.S. companies to store bulk U.S. sensitive personal data
collected by those companies.
Example 22. A U.S. company develops mobile games that
collect bulk precise geolocation data and biometric identifiers of U.S.
person users. The U.S. company contracts part of the software
development to a foreign person who is primarily resident in a country
of concern and is a covered person. The software-development services
provided by the covered person under the contract involve access to the
bulk precise geolocation data and biometric identifiers.
[[Page 15789]]
By contrast, the Department of Justice currently does not intend
this category to apply to scenarios such as the following:
Example 23. A U.S. multinational company maintains bulk
U.S. sensitive personal data of U.S. persons. This company has a
foreign branch, located in a country of concern, that has access to
this data. The foreign branch contracts with a local company located in
the country of concern to provide cleaning services for the foreign
branch's facilities. Although the foreign branch is a U.S. person, the
local company is a covered person, and the contract is a vendor
agreement, the services performed under this contract do not
``involve'' the bulk U.S. sensitive personal data and thus would not be
a covered data transaction subject to regulation.
Employment agreement. The program would define an employment
agreement as any agreement or arrangement in which an individual, other
than as an independent contractor, performs work or performs job
functions directly for a person in exchange for payment or other
consideration, including employment on a board or committee, executive-
level arrangements or services, and employment services at an
operational level. The Department of Justice currently intends
employment agreements to apply to scenarios such as the following:
Example 24. A U.S. company that conducts consumer genomic
testing collects and maintains bulk human genomic data from U.S.
consumers. The U.S. company has global IT operations, including
employing a team of individuals that are citizens of and primarily
reside in a country of concern to provide back-end services. Employment
as part of the global IT operations team includes access to the U.S.
company's systems containing the bulk human genomic data.
Example 25. A U.S. company develops its own mobile games
and social media apps that collect the bulk U.S. sensitive personal
data of its U.S. users. The U.S. company distributes these games and
apps in the United States through U.S.-based digital distribution
platforms for software applications. Although the U.S. company's
development team does not employ any covered persons, the U.S. company
intends to hire as CEO an individual designated by the Attorney General
as a covered person because of evidence the CEO acts on behalf of a
country of concern. The individual's authorities and responsibilities
as CEO involve access to all data collected by the apps, including the
bulk U.S. sensitive personal data.
Example 26. A U.S. company has amassed U.S. persons' bulk
sensitive personal data by scraping public photos from social-media
platforms and then enrolls those photos in a database of bulk biometric
identifiers developed by the U.S. company, including face-data scans,
for the purpose of training or enhancing facial-recognition software.
The U.S. company intends to hire a foreign person, who primarily
resides in a country of concern, as a project manager responsible for
the database. The individual's employment as the lead project manager
would involve access to the bulk biometric identifiers. The employment
agreement would be a covered data transaction.
Example 27. A U.S. financial-services company seeks to
hire a data scientist who is a citizen of a country of concern who
primarily resides in that country of concern and who is developing a
new AI-based personal assistant that could be sold as a standalone
product to the company's customers. As part of that individual's
employment, the data scientist would have administrator rights that
allow that individual to access, download, and transmit bulk quantities
of personal financial data not ``ordinarily incident to and part of''
the company's underlying provision of financial services to its
customers.
Investment agreement. The program would define an investment
agreement as any agreement or arrangement in which any person, in
exchange for payment or other consideration, obtains direct or indirect
ownership interests in or rights in relation to (1) real estate located
in the United States or (2) a U.S. legal entity. The Department of
Justice currently intends investment agreements to apply to scenarios
such as the following:
Example 28. A U.S. company intends to build a data center
located in a U.S. territory. The data center will store bulk personal
health data on U.S. persons. A foreign private-equity fund located in a
country of concern agrees to provide capital for the construction of
the data center in exchange for acquiring a majority ownership stake in
the data center.
Example 29. A foreign technology company subject to the
jurisdiction of a country of concern and that the Attorney General has
designated as a covered person enters into a shareholders' agreement
with a U.S. business that develops mobile games and social media apps,
acquiring a minority equity stake in the U.S. business. These games and
apps systematically collect bulk U.S. sensitive personal data of their
U.S. users. The investment agreement explicitly gives the foreign
technology company the ability to access this data.
Example 30. Same as Example 29, but the investment
agreement either does not explicitly give the foreign technology
company the right to access the data or explicitly forbids that access.
The investment agreement would still fall into the class of restricted
covered data transactions that have been determined to pose an
unacceptable risk to national security because they may enable
countries of concern or covered persons to access the bulk U.S.
sensitive personal data; whether the specific investment agreement
poses a risk of access does not affect whether the agreement is
restricted.
By contrast, the Department of Justice does not intend to restrict
investment agreements in scenarios such as the following:
Example 31. Same as Example 29, but the U.S. business does
not maintain or have access to any bulk U.S. sensitive personal data or
government-related data (e.g., a pre-commercial company or start-up
company). Because the data transaction does not involve any bulk U.S.
sensitive personal data or government-related data, this investment
agreement does not meet the definition of covered data transaction.
The Department of Justice is considering categorically excluding
certain passive investments that do not convey the ownership interest
or rights (including those that provide meaningful influence that could
be used to obtain such access) that ordinarily pose an unacceptable
risk to national security because they may give countries of concern or
covered persons access to bulk sensitive personal data or government-
related data. Specifically, the Department of Justice is considering
categorically excluding, from the definition of investment agreement,
any investment that:
(1) Is made:
(a) Into a publicly traded security, with ``security'' defined
in section 3(a)(10) of the Securities Exchange Act of 1934, Public
Law 73-291 (as codified as amended at 15 U.S.C. 78c(a)(10)),
denominated in any currency that trades on a securities exchange or
through the method of trading that is commonly referred to as
``over-the-counter,'' in any jurisdiction;
(b) Into an index fund, mutual fund, exchange-traded fund, or a
similar instrument (including associated derivatives) offered by an
``investment company'' (as defined in section 3(a)(1) of the
Investment Company Act of 1940, Public Law 76-768, as codified as
amended at 15 U.S.C. 80a-3(a)(1)) or by a private investment fund;
or
[[Page 15790]]
(c) As a limited partner into a venture capital fund, private
equity fund, fund of funds, or other pooled investment fund, if the
limited partner's contribution is solely capital into a limited
partnership structure or equivalent and the limited partner cannot
make managerial decisions, is not responsible for any debts beyond
its investment, and does not have the formal or informal ability to
influence or participate in the fund's or a U.S. person's decision-
making or operations;
(2) Gives the covered person less than [a de minimis threshold]
in total voting and equity interest in a U.S. person; and
(3) Does not give a covered person rights beyond those
reasonably considered to be standard minority shareholder
protections, including (a) membership or observer rights on, or the
right to nominate an individual to a position on, the board of
directors or an equivalent governing body of the U.S. person, or (b)
any other involvement, beyond the voting of shares, in substantive
business decisions, management, or strategy of the U.S. person.
Finally, the Department of Justice is considering how the program
should address investment agreements that are ``covered transactions''
subject to the jurisdiction of the Committee on Foreign Investment in
the United States (CFIUS) under section 721 of the Defense Production
Act of 1950, Public Law 81-774, as codified as amended at 50 U.S.C.
4565. This topic is discussed separately in the section on
``Coordination with Other Regulatory Regimes.''
The ANPRM seeks comment on this topic, including:
22. What modifications to enhance clarity, if any, should be
made to the definitions under consideration for data brokerage,
vendor agreements, employment agreements, and investment agreements?
23. With respect to the exclusion from the definition of
investment agreements for certain low-risk investments, what de
minimis threshold of voting or equity interest should the Department
of Justice consider establishing?
24. Are there any elements of the data brokerage ecosystem that
would not be included in the definition of data brokerage under
consideration?
25. Are there any additional scenarios or types of data
transactions that would be helpful to identify whether or not they
would be restricted?
E. Countries of Concern
The Order requires the Attorney General to identify countries of
concern. The Order defines ``country of concern'' as any foreign
government that, as determined by the Attorney General with the
concurrence of the Secretaries of State and Commerce, ``(1) has engaged
in a long-term pattern or serious instances of conduct significantly
adverse to the national security of the United States or security and
safety of United States persons, and (2) poses a significant risk of
exploiting bulk U.S. sensitive personal data or United States
Government-related data to the detriment of the national security of
the United States or the security and safety of U.S. persons, as
specified in regulations issued by the Attorney General pursuant to
section 2 of th[e] order.''
The Department of Justice is considering adopting the Order's
definition of the term country of concern without elaboration or
amendment. The Department of Commerce, in implementing Executive Order
13873--in which the President declared a national emergency stemming
from foreign adversaries' ability to exploit information and
communications and technology services to, among other things, engage
in malicious cyber-enabled activities--identified the following
countries as having engaged in a long-term pattern or serious instances
of conduct significantly adverse to the national security of the United
States or security and safety of the United States: the People's
Republic of China, along with the Special Administrative Region of Hong
Kong and the Special Administrative Region of Macau; the Russian
Federation; the Islamic Republic of Iran; the Democratic People's
Republic of Korea; the Republic of Cuba; and the Bolivarian Republic of
Venezuela. See 15 CFR 7.4. This Order expands the scope of the national
emergency declared by the President in Executive Order 13873.
Accordingly, the Department of Justice is considering identifying the
same countries as countries of concern under the Order, as will be
explained further in the notice of proposed rulemaking.
The ANPRM seeks comment on this topic, including:
26. Should the Department of Justice further elaborate in any
way on the definition of country of concern to provide greater
clarity?
27. Are there other factors or considerations relating to the
abilities of the proposed countries of concern to access and exploit
bulk sensitive personal data or government-related data to engage in
nefarious activities that the Department of Justice should take into
account when determining whether to identify the same countries as
countries of concern?
F. Covered Persons
The Order requires the Attorney General to identify classes of
covered persons, as appropriate, for the purposes of the Order.
``Covered person'' is defined by the Order as ``an entity owned by,
controlled by, or subject to the jurisdiction or direction of a country
of concern; a foreign person who is an employee or contractor of such
an entity; a foreign person who is an employee or contractor of a
country of concern; a foreign person who is primarily resident in the
territorial jurisdiction of a country of concern; or any person
designated by the Attorney General as being owned or controlled by or
subject to the jurisdiction or direction of a country of concern, as
acting on behalf of or purporting to act on behalf of a country of
concern or other covered person, or as knowingly causing or directing,
directly or indirectly, a violation'' of the Order or its implementing
regulations. The Department of Justice is considering an approach that
would identify a covered person as a person that meets the definition
either by (1) falling into one of the classes without having been
individually designated by the Department of Justice or (2) having been
individually designated by the Department of Justice on a public list
maintained and updated by the Department of Justice.
The Department of Justice is considering defining the term covered
person as:
(1) An entity that is 50 percent or more owned, directly or
indirectly, by a country of concern, or that is organized or
chartered under the laws of, or has its principal place of business
in, a country of concern;
(2) An entity that is 50 percent or more owned, directly or
indirectly, by an entity described in category (1) or a person
described in categories (3), (4), or (5);
(3) A foreign person who is an employee or contractor of a
country of concern or of an entity described in categories (1), (2),
or (5);
(4) A foreign person who is primarily resident in the
territorial jurisdiction of a country of concern; or
(5) Any person designated by the Attorney General as being owned
or controlled by or subject to the jurisdiction or direction of a
country of concern, or as acting on behalf of or purporting to act
on behalf of a country of concern or covered person, or knowingly
causing or directing a violation of these regulations.
Under this contemplated definition, citizens of countries of
concern located in third countries (i.e., not located in the United
States and not primarily resident in a country of concern) would not be
categorically treated as covered persons. Instead, only a subset of
country-of-concern citizens in third countries would qualify
categorically as covered persons: those working for the government of a
country of concern or for a covered entity (as described in category 3
above). All other country-of-concern citizens located in third
countries would not qualify as covered persons except to the extent
that the Attorney General designates them.
[[Page 15791]]
The term covered person would thus apply as follows to country-of-
concern citizens:
Example 32. Foreign persons primarily resident in Cuba,
Iran or another country of concern would be categorically treated as
covered persons.
Example 33. Chinese or Russian citizens located in the
United States would be treated as U.S. persons and would not be covered
persons (except to the extent individually designated). They would be
subject to the same prohibitions and restrictions as all other U.S.
persons with respect to engaging in covered data transactions with
countries of concern or covered persons.
Example 34. Citizens of a country of concern who are
primarily resident in a third country, such as Russian citizens
primarily resident in the European Union or Cuban citizens primarily
resident in South America, would not be covered persons except to the
extent they are individually designated or to the extent that they are
employees or contractors of a country-of-concern government or a
covered entity.
Example 35. A foreign person located abroad is employed by
a company headquartered in the People's Republic of China. Because the
foreign person is the employee of a covered entity, the person is a
covered person.
Example 36. A foreign person located abroad is employed by
a company that has been designated as a covered person. Because the
foreign person is the employee of a covered entity, the person is a
covered person.
With respect to individually designated covered persons, the
Department of Justice is considering maintaining a public list of
persons determined to be covered persons, modeled on various sanctions
designations lists maintained by OFAC. Inclusion on the Department of
Justice's covered person list would have no effect on a person's
inclusion on OFAC or other U.S. Government designation lists. As
indicated by the contemplated definition of covered person, this list
would identify ``any person designated by the Attorney General as being
owned or controlled by or subject to the jurisdiction or direction of a
country of concern, or as acting on behalf of or purporting to act on
behalf of a country of concern or covered person, or knowingly causing
or directing a violation of these regulations.'' This designations list
would supplement the defined categories in the definition of covered
person to provide direct and actual notice to regulated parties of
specific designated persons, would inform the public regarding the
specific designated persons subject to this regulation's requirements
regarding prohibited and restricted covered data transactions, and
would serve enforcement purposes. Importantly, however, the public list
would not exhaustively include all covered persons, as any person that
satisfies the criteria contained in the relevant definitions will be
considered a covered person under the regulation, regardless of whether
the person is identified on the public list.
The Department of Justice would establish a process to add to,
remove from, or modify this list. The process would be similar to the
internal processes used by other United States Government agencies that
make designations based on IEEPA authorities, including interagency
consultation to ensure that agencies with relevant equities and
expertise may weigh in. For example, the Department of Justice would be
free to consider, to the extent compliant with applicable law, any
classified or unclassified information from any Federal agency or other
source. A person would be able to seek administrative reconsideration
of the Department of Justice's determination that they are a covered
person, or assert that the circumstances resulting in the determination
no longer apply, and thus seek to have the designation rescinded
pursuant to applicable administrative procedures. This administrative
appeals process would be based on, and substantially similar to,
analogous programs maintained by other Federal agencies that exercise
IEEPA authorities.
The ANPRM seeks comment on this topic, including:
28. How would the U.S. party to a data transaction ascertain
whether a counterparty to the transaction is a covered person as
defined above? What kind of diligence would be necessary?
29. What are the considerations as to whether a person is
``controlled by[] or subject to the jurisdiction or direction of'' a
country of concern? What, if any, changes should be made to the
definitions above to make their scope and application clearer? Why?
What, if any, changes should be made to broaden or narrow them? Why?
30. With respect to the part of the definition of covered person
addressing ``a foreign person who is primarily resident in the
territorial jurisdiction of a country of concern,'' how should the
Department of Justice address temporary travel to or in a country of
concern by foreign individuals who are not citizens of a country of
concern? Should the standard be ``primarily resident in,''
``resident in,'' ``located in,'' or something else?
31. Other than certain lists maintained by OFAC and BIS, are
there other designation lists accessible to industry that the
Department of Justice should consider as a model for identifying
potential covered persons?
32. How should the list be published? How should it be
organized? In what format should the Department of Justice publish
it?
33. How would industry monitor this list? Would it be more
costly for industry if the list were updated continually or only at
certain points in time? If updates were made on an individual basis
or in batches? Please be specific.
34. How quickly after a covered person is added to the list (or
an existing listing is modified) could industry take account of the
new information in its compliance programs?
35. Are there specific sources that the Department of Justice
should consult to identify potential candidates for designation? If
so, which ones?
36. Should the Department of Justice maintain a public-facing
channel for the public to report potential candidates for
designation? Why or why not? If yes, who should be permitted to make
such reports and what information should they be required to
provide? Would it be preferable that the information submitted be
protected from public disclosure?
37. Are there any aspects of processes used by other Federal
agencies for persons to request or petition for the removal or
modification of a designation or listing that would be especially
useful for this list? If so, which ones and why?
38. Are there any aspects of the IEEPA designations appeals
processes maintained by other Federal agencies that are not
necessary for this list? If so, which ones and why not?
G. Prohibitions
The Order specifically directs the Attorney General to promulgate
regulations to prohibit or otherwise restrict United States persons
from engaging in any acquisition, holding, use, transfer,
transportation, or exportation of, or dealing in, any property in which
a foreign country or national thereof has any interest
(``transaction''), where the transaction:
i. Involves bulk U.S. sensitive personal data or United States
Government-related data, as further defined by regulations issued by
the Attorney General;
ii. Is a member of a class of transactions that has been
determined by the Attorney General, in regulations issued by the
Attorney General, to pose an unacceptable risk to the national
security of the United States because the transactions may enable
countries of concern or covered persons to access bulk U.S.
sensitive personal data or United States Government-related data in
a manner that contributes to the national emergency described in the
Order;
iii. Was initiated, is pending, or will be completed after the
effective date of the regulations issued by the Attorney General;
iv. Does not qualify for an exemption provided in, or is not
authorized by a license issued pursuant to, the regulations issued
by the Attorney General; and
[[Page 15792]]
v. Is not, as defined in final rules implementing the Order,
ordinarily incident to and part of the provision of financial
services, including banking, capital markets, and financial
insurance services, or required for compliance with any Federal
statutory or regulatory requirements, including any regulations,
guidance, or orders implementing those requirements.
The Order further requires the Attorney General to promulgate
regulations that identify classes of transactions that meet the
criteria specified above and are thus prohibited under the Order. The
Order describes additional activities that are, or may be, prohibited.
In particular, any conspiracy formed to violate the regulations and any
action that has the purpose of evading, causes a violation of, or
attempts to violate the Order or any regulation issued thereunder is
prohibited. In addition, the Order provides authority to the Attorney
General to prohibit U.S. persons from ``knowingly directing
transactions'' that would be prohibited transactions pursuant to the
Order if engaged in by a U.S. person. The Department of Justice may at
a future date provide notices of proposed rulemaking to add classes of
prohibited transactions.
For this ANPRM, the Department of Justice is considering the
following five prohibitions for covered data transactions, which would
become effective only upon the effective date of a final rule.
First, the program would contain a general prohibition that is
subject to authorized exemptions. The program would be technology-
agnostic and neutral as to the path or route that bulk U.S. sensitive
personal data or government-related data travels:
``Except as otherwise authorized pursuant to these regulations,
no U.S. person, on or after the effective date, may knowingly engage
in a covered data transaction with a country of concern or covered
person.''
The Department of Justice currently intends for the knowingly
language in this and the other prohibitions to apply to persons who
knew or should have known of the circumstances of the transaction. In
its guidance on what an individual or entity ``should have known'' in
such context, the Department proposes to take into account the relevant
facts and circumstances, including the relative sophistication of the
individual or entity at issue, the scale and sensitivity of the data
involved, and the extent to which the parties to the transaction at
issue appear to have been aware of and sought to evade the application
of these rules. This is not intended to operate as a strict-liability
standard. The knowingly language is also not intended to require U.S.
persons, in engaging in vendor agreements and other classes of data
transactions with foreign persons, to conduct due diligence on the
employment practices of those foreign persons to determine whether they
qualify as covered persons. But persons will be prohibited from evading
or avoiding these prohibitions, including by knowingly structuring
transactions in a manner that attempts to circumvent these
prohibitions.
With respect to the knowingly language, the prohibitions would
therefore not apply in scenarios such as the following:
Example 37. A U.S. person engages in a vendor agreement
involving bulk sensitive personal data with a foreign person who is not
a covered person. The foreign person then employs an individual who is
a covered person and grants them access to bulk U.S. sensitive personal
data without the U.S. person's knowledge or direction. There is no
covered data transaction between the U.S. person and the covered
person, and there is no indication that the parties engaged in these
transactions with the purpose of evading the regulations (such as the
U.S. person having knowingly directed the foreign person's employment
agreement with the covered person or the parties knowingly structuring
a prohibited covered data transaction into these multiple transactions
with the purpose of evading the prohibition).
Example 38. A U.S. company sells DNA testing kits to U.S.
consumers and maintains bulk human genomic data collected from those
consumers. The U.S. company enters into a contract with a foreign
cloud-computing company (which is not a covered person) to store the
U.S. company's database of human genomic data. The foreign company
hires employees from other countries, including citizens of countries
of concern who primarily reside in a country of concern, to manage
databases for its customers, including the U.S. company's human genomic
database. There is no indication of evasion (such as the U.S. company
knowingly directing the foreign company's employment agreements or the
U.S. company knowingly engaging in and structuring these transactions
to evade the regulations). The cloud-computing services agreement
between the U.S. company and the foreign company would not be
prohibited or restricted because that covered data transaction is
between a U.S. person and a foreign company that does not meet the
definition of a covered person. The employment agreements between the
foreign company and the covered persons would not be prohibited or
restricted because those agreements are between foreign persons.
By contrast, the prohibitions would apply in scenarios such as the
following:
Example 39. A U.S. subsidiary of a company headquartered
in a country of concern collects bulk precise geolocation data from
U.S. persons. The U.S. subsidiary is a U.S. person, and the parent
company is a covered person. With the purpose of evading the
regulations, the U.S. subsidiary enters into a vendor agreement with a
foreign company that is not a covered person, which the U.S. subsidiary
knows (or should know) is a shell company that subsequently outsources
the vendor agreement to the U.S. subsidiary's parent company.
Example 40. A U.S. company collects bulk personal health
data from U.S. persons. With the purpose of evading the regulations,
the U.S. company enters into a vendor agreement with a foreign company
that is not a covered person, which the U.S. company knows (or should
know) is a shell company staffed entirely by covered persons.
Second, the contemplated program would include a prohibition
specific to data brokerage to address transactions involving the onward
transfer of bulk U.S. sensitive personal data or government-related
data to countries of concern and covered persons. The Department of
Justice is considering the following prohibition: Except as otherwise
authorized pursuant to these regulations, no U.S. person, on or after
the effective date, may knowingly engage in a covered data transaction
involving data brokerage with any foreign person unless the U.S. person
contractually requires that the foreign person refrain from engaging in
a subsequent covered data transaction involving the same data with a
country of concern or covered person.
This narrow circumstance would be the only instance in which the
contemplated program would regulate third-country covered data
transactions (i.e., U.S. persons' covered data transactions in which a
country of concern or covered person is not a party). The Department of
Justice currently intends this prohibition to apply to scenarios such
as the following:
Example 41. A U.S. business knowingly enters into an
agreement to sell bulk human genomic data to a European business that
is not a covered person. The U.S. business is required to include in
that agreement a limitation on the European business's right to resell
that data to a country of concern or covered person.
[[Page 15793]]
Third, the contemplated program would include a prohibition to
specifically address the risks posed by covered data transactions
involving access by countries of concern to U.S. persons' bulk human
genomic data and biospecimens from which that data can be derived--such
as covered data transactions involving laboratories owned or operated
by covered persons. The Department of Justice is considering the
following prohibition: Except as otherwise authorized pursuant to these
regulations, no U.S. person, on or after the effective date, may
knowingly engage in any covered data transaction with a country of
concern or covered person that provides that country of concern or
covered person with access to bulk U.S. sensitive personal data that
consists of human genomic data, or to human biospecimens from which
such data could be derived, on greater than [the applicable bulk
threshold of] U.S. persons at any point in the preceding twelve months,
whether in a single covered data transaction or aggregated across
covered data transactions.
Fourth, as in other IEEPA-based regulations, the Department of
Justice is considering rules that will also prohibit evasions, causing
violations, attempts, and conspiracies.
Fifth, the Department of Justice is considering prohibiting U.S.
persons from knowingly directing any covered data transaction that
would be prohibited (including restricted transactions that do not
comply with the security requirements) if engaged in by a U.S. person.
For purposes of this provision, the Department of Justice is
considering defining knowingly to mean that the U.S. person had actual
knowledge of, or should have known about, the conduct, circumstance, or
result. And the Department of Justice is considering defining directing
to mean that a U.S. person has the authority (individually or as part
of a group) to make decisions on behalf of a foreign entity, and
exercises that authority to order, decide, or approve a transaction
that would be prohibited under these regulations if engaged in by a
U.S. person. The program will clarify that certain conduct that is
attenuated from the risks to U.S. national security identified in the
Order, such as the financing or underwriting of a covered data
transaction, the processing, clearing, or sending of payments by a
bank, and legal services, would not be covered as directing a
transaction as defined by the regulations. This approach is narrower
than the authority afforded to the Department of Justice under the
Order.
The Department of Justice intends to use this authority to tailor
the regulations to target the identified national-security threat by
prohibiting U.S.-person activity such as:
Example 42. A U.S. person is an officer, senior manager,
or equivalent senior-level employee at a foreign company that is not a
covered person, and the foreign company undertakes a covered data
transaction at that U.S. person's direction or with that U.S. person's
approval when the covered data transaction would be prohibited if
performed by a U.S. person.
Example 43. Several U.S. persons launch, own, and operate
a foreign company that is not a covered person, and that foreign
company, under the U.S. persons' operation, undertakes covered data
transactions that would be prohibited if performed by a U.S. person.
Example 44. A U.S. person is employed at a U.S.-
headquartered multinational company that has a foreign affiliate that
is not a covered person. The U.S. person changes (or approves changes
to) the operating policies and procedures of the foreign affiliate with
the specific purpose of allowing the foreign affiliate to undertake
covered data transactions that would be prohibited if performed by a
U.S. person.
By contrast, the prohibition in the Order on knowingly directing
transactions would not apply to scenarios such as the following:
Example 45. A U.S. bank processes a payment from a U.S.
person to a covered person, or from a covered person to a U.S. person,
as part of that U.S. person's engagement in a prohibited data
transaction. The U.S. bank's activity would not be prohibited (although
the U.S. person's covered data transaction would be prohibited).
Example 46. A U.S. financial institution underwrites a
loan or otherwise provides financing for a foreign company that is not
a covered person, and the foreign company undertakes covered data
transactions that would be prohibited if performed by a U.S. person.
Example 47. A U.S. person, who is employed at a foreign
company that is not a covered person, signs paperwork approving the
foreign company's procurement of real estate for its operations. The
same foreign company separately conducts data transactions that use or
are facilitated by operations at that real-estate location and that
would be prohibited covered data transactions if performed by a U.S.
person, but the U.S. employee has no role in approving or directing
those separate data transactions.
Example 48. A U.S. company owns or operates a submarine
telecommunications cable with one landing point in a foreign country
that is not a country of concern and one landing point in a country of
concern. The U.S. company leases capacity on the cable to U.S.
customers that transmit bulk sensitive personal data to the landing
point in the country of concern, including transmissions as part of
prohibited covered data transactions. The U.S. company's ownership or
operation of the cable would not be prohibited (although the U.S.
customers' covered data transactions would be prohibited).
The ANPRM seeks comment on this topic, including:
39. How feasible is it to contract with prospective customers to
prevent pass-through sales, re-sale, or onward transfers of bulk
U.S. sensitive personal data or government-related data to countries
of concern or covered persons? Do technical means exist to prevent
such onward sales or transfers? If yes, what are such technical
means?
40. What modifications, if any, should be made to the proposed
definitions above to enhance clarity?
41. What, if any, unintended consequences could result from the
proposed definitions?
42. What, if any, alternate approaches should the Department of
Justice consider to prevent the conduct in the knowingly-directed
example scenarios described above?
H. Exempt Transactions
The Order recognizes that certain transactions will be exempt from
any final rules. The Department of Justice is considering mirroring
OFAC's approach in IEEPA-based sanctions regulations by explicitly
identifying certain classes of data transactions that are exempt from
the scope of its prohibitions and restrictions. As explained below, DOJ
is considering exempting from this program: data transactions involving
certain kinds of data; official business transactions; financial-
services, payment-processing, and regulatory-compliance-related
transactions; intra-entity transactions incident to business
operations; and transactions required or authorized by Federal law or
international agreements.
Data transactions involving certain kinds of data. The program
would exempt two classes of data transactions to the extent that they
involve data that is statutorily exempt from regulation under IEEPA:
personal communications (any postal, telegraphic, telephonic, or other
personal communication that does not involve the transfer of anything
[[Page 15794]]
of value, as set out under 50 U.S.C. 1702(b)(1)) or information or
informational materials (the importation from any country, or the
exportation to any country, whether commercial or otherwise, regardless
of format or medium of transmission, of any information or
informational materials, as set out under 50 U.S.C. 1702(b)(3)), as
further interpreted and defined in the contemplated regulations.
Official business. The Order exempts ``transactions for the conduct
of the official business of the United States Government by employees,
grantees, or contractors thereof, [and] transactions conducted pursuant
to a grant, contract, or other agreement entered into with the United
States Government.'' To implement this provision, the Department of
Justice is considering exempting data transactions to the extent that
they are for (1) the conduct of the official business of the United
States Government by its employees, grantees, or contractors; (2) any
authorized activity of any United States Government department or
agency (including an activity that is performed by a Federal depository
institution or credit union supervisory agency in the capacity of
receiver or conservator); or (3) transactions conducted pursuant to a
grant, contract, or other agreement entered into with the United States
Government. Most notably, this exemption would exempt grantees and
contractors of Federal departments and agencies, including the
Department of Health and Human Services, the Department of Veterans
Affairs, the National Science Foundation, and the Department of
Defense, so that those agencies can pursue grant-based and contract-
based conditions to address risks that countries of concern can access
sensitive personal data in transactions related to their agencies' own
grants and contracts, as laid out in section 3(b) of the Order--without
subjecting those grantees and contractors to dual regulation.
The Department of Justice proposes that this exemption would apply
to, and thus exempt, scenarios such as the following:
Example 49. A U.S. hospital receives a Federal grant to
conduct research on U.S. persons. As part of that federally funded
human genomic research, the U.S. hospital contracts with a foreign
laboratory that is a covered person, hires a researcher that is a
covered person, and gives the laboratory and researcher access to the
human biospecimens and human genomic data in bulk. The contract with
the foreign laboratory and the employment of the researcher would be
prohibited covered data transactions if they were not part of the
federally funded research.
Financial-services, payment-processing, and regulatory-compliance-
related transactions. Section 2(a)(v) of the Order exempts any
transaction that is, as defined by final rules implementing the Order,
ordinarily incident to and part of the provision of financial services,
including banking, capital markets, and financial insurance services,
or required for compliance with any Federal statutory or regulatory
requirements, including any regulations, guidance, or orders
implementing those requirements. To further define this exemption, the
Department of Justice is contemplating exempting data transactions to
the extent that they are ordinarily incident to and part of the
provision of financial services, including:
(i) Banking, capital-markets, or financial-insurance services;
(ii) A financial activity authorized by 12 U.S.C. 24 (Seventh)
and rules and regulations thereunder;
(iii) An activity that is ``financial in nature or incidental to
a financial activity'' or ``complementary to a financial activity,''
as set forth in section 4(k) of the Bank Holding Company Act of 1956
and rules and regulations thereunder;
(iv) The provision or processing of payments involving the
transfer of personal financial data or covered personal identifiers
for the purchase and sale of goods and services (such as the
purchase, sale, or transfer of consumer products and services
through online shopping or e-commerce marketplaces), other than data
transactions that involve data brokerage; and
(v) Compliance with any Federal laws and regulations, including
the Bank Secrecy Act, 12 U.S.C. 1829b, 1951-1960, 31 U.S.C. 310,
5311-5314, 5316-5336; the Securities Act of 1933, 15 U.S.C. 77a et
seq.; the Securities Exchange Act of 1934, 15 U.S.C. 78a et seq.;
the Investment Company Act of 1940, 15 U.S.C. 80a-1 et seq.; the
Investment Advisers Act of 1940, 15 U.S.C. 80b-1 et seq.; the
International Emergency Economic Powers Act, 50 U.S.C. 1701 et seq.;
the Export Administration Regulations, 15 CFR part 730, et seq.; or
any notes, guidance, orders, directives, or additional regulations
related thereto.
The Department of Justice would consult the Department of the
Treasury and other relevant agencies in interpreting and applying this
exemption, including through guidance, advisory opinions, or licensing
decisions.
The Department of Justice currently intends this exemption to apply
to, and thus exempt, scenarios such as the following:
Example 50. A U.S. company engages in a data transaction
to transfer personal financial data in bulk to a financial institution
that is incorporated in, located in, or subject to the jurisdiction or
control of a country of concern to clear and settle electronic payment
transactions between U.S. individuals and merchants in a country of
concern where both the U.S. individuals and the merchants use the U.S.
company's infrastructure, such as an e-commerce platform. Both the U.S.
company's transaction transferring bulk personal financial data and the
payment transactions by U.S. individuals are exempt.
Example 51. A U.S. bank or other financial institution
engages in a data transaction with a covered person that is ordinarily
incident to and part of ensuring compliance with U.S. laws and
regulations (such as OFAC sanctions and anti-money laundering programs
required by the Bank Secrecy Act).
Example 52. As ordinarily incident to and part of
securitizing and selling asset-backed obligations (such as mortgage and
nonmortgage loans) to a covered person, a U.S. bank provides bulk U.S.
sensitive personal data to the covered person.
Example 53. A U.S. bank or other financial institution, as
ordinarily incident to and part of facilitating payments to U.S.
persons in a country of concern, stores and processes the customers'
bulk financial data using a data center operated by a third-party
service provider in the country of concern.
Example 54. As part of operating an online marketplace for
the purchase and sale of goods, a U.S. company, as ordinarily incident
to and part of U.S. consumers' purchase of goods on that marketplace,
transfers bulk contact information, payment information (e.g., credit-
card account number, expiration date, and security code), and delivery
address to a merchant in a country of concern.
Intra-entity transactions incident to business operations. The
Department of Justice is considering exempting data transactions to the
extent that they are (1) between a U.S. person and its subsidiary or
affiliate located in (or otherwise subject to the ownership, direction,
jurisdiction, or control of) a country of concern, and (2) ordinarily
incident to and part of ancillary business operations (such as the
sharing of employees' covered personal identifiers for human-resources
purposes; payroll transactions like the payment of salaries and pension
to overseas employees or contractors; paying business taxes or fees;
purchasing business permits or licenses; sharing data with auditors and
[[Page 15795]]
law firms for regulatory compliance; and risk-management purposes).
The Department of Justice currently intends this exemption to apply
to, and thus exempt, scenarios such as the following:
Example 55. A U.S. company has a foreign subsidiary located
in a country of concern, and the U.S. company's U.S.-person contractors
perform services for the foreign subsidiary. As ordinarily incident to
and part of the foreign subsidiary's payments to the U.S.-person
contractors for those services, the U.S. company engages in a data
transaction that gives the subsidiary access to the U.S.-person
contractors' bulk personal financial data and covered personal
identifiers.
By contrast, the Department of Justice intends this exemption not
to apply to scenarios such as the following:
Example 56. A U.S. company aggregates bulk personal
financial data. The U.S. company has a non-wholly owned subsidiary that
is a covered person because it is headquartered in a country of
concern. The subsidiary is subject to the country of concern's
national-security laws requiring it to cooperate with and assist the
country's intelligence services. The exemption would not apply to the
U.S. parent's grant of a license to the subsidiary to access the
parent's databases containing the bulk personal financial data for the
purpose of complying with a request or order by the country of concern
under those national-security laws to provide access to that data.
Transactions required or authorized by Federal law or international
agreements. The Department of Justice is considering exempting data
transactions to the extent that they are required or authorized by
Federal law or pursuant to an international agreement (such as the
exchange of passenger-manifest information, INTERPOL requests, and
public-health surveillance).
The ANPRM seeks comment on this topic, including:
43. What modifications, if any, should be made to the proposed
definitions above to enhance clarity?
44. What, if any, unintended consequences could result from the
proposed definitions?
45. Are there other types of data transactions that should be
exempt? Please explain why.
I. Security Requirements for Restricted Transactions
As described above, the Department of Justice is considering
identifying three classes of restricted covered data transactions
(vendor agreements, employment agreements, and investment agreements)
that would be otherwise prohibited unless they meet certain conditions
(security requirements) that mitigate the threats posed by access to
the bulk U.S. sensitive personal data or government-related data by a
country of concern or covered person. While the security requirements
are still under development and will be available to the public at
a later date, the Department of Homeland Security, in coordination with
the Department of Justice, has developed an outline of what the
security requirements might entail, and that outline is previewed here
only as context for the rest of the contemplated program and other
topics on which questions are sought in this ANPRM.
The primary goal of the security requirements is to address
national-security and foreign-policy threats that arise when countries
of concern and covered persons can access bulk U.S. sensitive personal
data or government-related data that may be implicated by the classes
of restricted covered data transactions. The contemplated security
requirements would be based on, as applicable and appropriate, existing
performance goals, guidance, practices, and controls, such as the
Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity
Performance Goals (CPG), National Institute of Standards & Technology
(NIST) Cybersecurity Framework (CSF), NIST Privacy Framework (PF), and
NIST SP 800-171 rev. 3 (``Protecting Controlled Unclassified
Information in Nonfederal Systems and Organizations''). The Department
of Justice proposes to decline to regulate restricted covered data
transactions until the applicable security requirements are published,
available to the public, and become effective by incorporation into the
final rule. The Department of Homeland Security, in coordination with
the Department of Justice, has outlined the following approach to the
security requirements.
A restricted covered data transaction would be permissible if the
U.S. person:
(1) implements Basic Organizational Cybersecurity Posture
requirements;
(2) conducts the covered data transaction in compliance with the
following four conditions: (a) data minimization and masking; (b)
use of privacy-preserving technologies; (c) development of
information-technology systems to prevent unauthorized disclosure;
and (d) implementation of logical and physical access controls; and
(3) satisfies certain compliance-related conditions, such as
retaining an independent auditor to perform annual testing and
auditing of the requirements in (1) and (2) above, for so long as
the U.S. person relies on compliance with those conditions to
conduct the restricted covered data transaction.
Basic Organizational Cybersecurity Posture requirements applicable
to all restricted covered data transactions could include practices
such as CISA CPG 1.A, 1.B, 1.E, 1.F, 1.I, 2.P, 2.S, 2.Q, 4.A, and 5.A;
NIST PF ID.IM-P1, ID.IM-P2, ID.BE-P1, and CT.DM-P9; and NIST CSF
PR.AT-4 and PR.AT-5. Required controls could include NIST SP 800-171
3.1.1, 3.1.5, 3.3.1, 3.3.2, 3.3.3, 3.9.1, 3.9.2, and 3.14.6.
Data minimization and masking strategies (e.g., tokenization) could
be used to remove bulk U.S. sensitive personal data or government-
related data from the portion of an organization's systems and data
sets to which a country of concern or covered person would have
access. Required practices could include NIST PF CT.PO-P2, CT.DM-P8,
CT.DP-P1, and CT.DP-P2.
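As an added illustration (not part of the ANPRM, and not DHS's forthcoming security requirements), the following Python shows one way a U.S. person could apply data minimization and masking before a vendor that is a covered person receives records: direct identifiers are replaced with keyed tokens, the ZIP code is generalized, fields the vendor does not need are dropped, and a pre-transfer check confirms no raw identifier is in the outbound payload. The sample records, field names, vendor allowlist and the `minimize_for_vendor`/`tokenize`/`detokenize` helpers are constructed for this example. The security-relevant choice is the keyed HMAC: an unkeyed hash of a nine-digit SSN is reversible by enumerating about a billion candidates, so the token is only as non-reversible as the key, which must stay inside the U.S. person's boundary (in practice in a KMS or HSM) and never travel with the data.

```python
import hashlib
import hmac
import json
import os

# Constructed sample records (fictitious people); field names are assumptions.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "email": "alice@example.org",
     "zip": "20500", "dob": "1980-01-15", "lab_result": "A1C 5.4"},
    {"name": "Bob Example", "ssn": "987-65-4321", "email": "bob@example.org",
     "zip": "02139", "dob": "1975-07-30", "lab_result": "A1C 6.1"},
    {"name": "Alice Example", "ssn": "123-45-6789", "email": "alice@example.org",
     "zip": "20500", "dob": "1980-01-15", "lab_result": "A1C 5.6"},
]

# Fields the vendor actually needs for its task (assumed); everything else is dropped.
VENDOR_ALLOWLIST = {"subject", "zip3", "lab_result"}

# Fields treated as direct identifiers that must never leave in the clear.
IDENTIFIER_FIELDS = ("name", "ssn", "email", "dob")


def tokenize(value: str, key: bytes, field: str) -> str:
    """Keyed, deterministic token for one identifier value.

    HMAC-SHA256 with a secret key, not a bare hash: the secrecy of `key` is
    what prevents an attacker from recovering low-entropy values such as
    SSNs by enumeration. The field name is mixed in (domain separation) so
    the same string in two different fields yields two different tokens.
    """
    mac = hmac.new(key, field.encode() + b"\x00" + value.encode(), hashlib.sha256)
    return mac.hexdigest()[:24]


def minimize_for_vendor(records, key: bytes):
    """Return (vendor_view, vault).

    vendor_view: what leaves the U.S. person's boundary. Identifiers are
      replaced by a per-subject token, ZIP is generalized to 3 digits, and
      only allowlisted fields are kept.
    vault: token -> original identifiers, retained only by the U.S. person so
      results can be re-linked without the vendor ever holding the raw data.
    """
    vendor_view = []
    vault = {}
    for rec in records:
        subject_token = tokenize(rec["ssn"], key, "ssn")
        vault[subject_token] = {f: rec[f] for f in ("name", "ssn", "email")}
        out = {"subject": subject_token, "zip3": rec["zip"][:3], "lab_result": rec["lab_result"]}
        # Defensive check: a later code change that adds a field must fail loudly.
        assert set(out) <= VENDOR_ALLOWLIST, "non-allowlisted field in vendor view"
        vendor_view.append(out)
    return vendor_view, vault


def leaks_raw_identifiers(vendor_view, records) -> bool:
    """Pre-transfer check: does any original identifier appear verbatim in the payload?"""
    payload = json.dumps(vendor_view)
    return any(rec[f] in payload for rec in records for f in IDENTIFIER_FIELDS)


def detokenize(vault, token: str):
    """Re-link a vendor result to the original subject; only the key holder can do this."""
    return vault.get(token)


if __name__ == "__main__":
    key = os.urandom(32)  # demo only; in practice the key lives in a KMS/HSM and never ships with data
    view, vault = minimize_for_vendor(SAMPLE_RECORDS, key)
    print("leaks raw identifiers:", leaks_raw_identifiers(view, SAMPLE_RECORDS))
    print(json.dumps(view, indent=2))
```

Because the token is deterministic per key, the vendor can still deduplicate and join records for the same subject (the first and third sample records share a token) without learning who the subject is; rotating the key produces a fresh token space, which is one way to bound how long any vendor-side linkage remains usable.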
Privacy-preserving technologies (e.g., based on homomorphic
encryption or traditional encryption) could be deployed to enable
restricted covered data transactions to proceed without exposing the
bulk U.S. sensitive personal data or government-related data itself to
countries of concern and covered persons. Required practices could
include CISA CPG 2.K and 2.L; NIST PF CT.DP-P1; and NIST PF/CSF PR.DS-P1
and PR.DS-P2. Required controls could include NIST SP 800-171 3.13.8,
3.13.10, and 3.13.11, and ones analogous to the controls described in
15 CFR 734.18(a)(5).
Logical and physical access controls could include role-based
access management, such as credentialed access to both data systems and
physical facilities containing bulk U.S. sensitive personal data or
government-related data. Required practices could include CISA CPG 2.B,
2.D, 2.F, 2.G, 2.H, 2.T, 2.U, and 2.V; and NIST PF/CSF PR.AC-P1, PR.AC-
P2, PR.AC-P3, PR.AC-P4, PR.AC-P5, PR.AC-P6, and PR.AC-P7. Required
controls could include NIST SP 800-171 3.1.2, 3.1.3, 3.1.8, 3.1.10,
3.1.11, 3.1.12, 3.5.1, 3.5.3, 3.5.5, 3.5.7, 3.10.1, 3.10.2, and 3.10.7.
Under the contemplated program, a restricted covered data
transaction would become prohibited if the parties fail to comply with
the security requirements.
The Department of Homeland Security will propose and solicit public
comment on the security requirements through a separate process.
J. Licenses
The Order authorizes the Attorney General, in concurrence with the
Departments of State, Commerce, and Homeland Security, and in
[[Page 15796]]
consultation with other relevant agencies, to issue (including to modify
or rescind)
licenses authorizing covered data transactions that would otherwise be
prohibited or restricted. The Department of Justice is considering a
license regime that would be modeled on the licensing regime used by
OFAC and would incorporate both general and specific licenses. These
licenses would approve, or impose conditions on, covered data
transactions that are prohibited or restricted and would include an
interagency consultation process to ensure that agencies with relevant
equities and expertise may weigh in. The Department of Justice is
considering this type of licensing regime because, among other reasons,
it could give regulated parties the ability to bring specific concerns
to the Department of Justice and seek appropriate regulatory relief.
Licensing could also provide the Department of Justice with flexibility
to resolve marginal, unique, or particularly sensitive cases, either
generally or in individual matters.
General licenses. Under the regime that the Department of Justice
is considering, the Attorney General could issue and publish general
licenses authorizing, under appropriate terms and conditions, certain
types of covered data transactions that are subject to the requirements
contained in the rules. Persons availing themselves of certain general
licenses may be required to file reports and statements in accordance
with the instructions specified in those licenses. Failure to timely
file all required information in such reports or statements may nullify
the authorization otherwise provided by the general license and result
in violations of the applicable prohibitions that may be subject to
enforcement action. General licenses could also be used to ease
industry's transition once the rules become effective by potentially,
for example, authorizing orderly wind-down conditions for covered data
transactions that would otherwise be prohibited by the rules.
Specific licenses. The Department of Justice is also considering
whether, as part of the rulemaking, to impose certain requirements that
would apply to all persons who receive specific licenses. Those
requirements could include, for example: (1) an ongoing obligation to
provide reports regarding the authorized transactions; or (2) a
requirement that any person receiving a specific license to transact in
bulk U.S. sensitive personal data or government-related data must, to
the extent feasible, provide assurances that any data transferred
pursuant to such transactions can be recovered, irretrievably deleted,
or otherwise rendered non-functional. The Department of Justice is also
considering requiring applicants for specific licenses to use forms and
procedures published by the Department of Justice, and allowing
applicants and any other party in interest to request reconsideration
of the denial of a license based on new facts or changed circumstances.
The ANPRM seeks comment on this topic, including:
46. Would general and specific licenses be useful to regulated
parties? Why or why not?
47. Should any or all specific licenses be published, provided
that such publication complies with applicable laws and regulations
(e.g., regarding the protection of confidential business
information)? If so, how should they be published? How could the
publication of specific licenses assist or harm regulated parties?
48. How should the Department of Justice assess or evaluate the
purported costs of complying with the conditions of a general
license or a specific license? Are the costs of reporting on
licensed transactions, auditing them, or ensuring that they can be
rendered non-functional if noncompliant likely to scale with
transaction size? With data volume? Based on other factors?
49. What, if any, general licenses would be useful to assist in
the industry's transition once the rules take effect? Why? Please be
specific.
50. How should the Department of Justice assess time limitations
on general licenses or specific licenses? For example, how should
the Department of Justice calculate reasonable wind-down periods?
51. What factors should the Department of Justice assess when
considering whether to grant or deny a specific license application?
52. Are there classes of data transactions that may become the
subject of specific license applications that the Department of
Justice should presumptively grant or presumptively deny? Why?
53. What is the technical feasibility of recovering,
irretrievably deleting, or otherwise rendering non-functional data
transferred pursuant to a licensed covered data transaction? What
technical measures, solutions, or controls could be used for this
purpose?
54. What forms or procedures should the Department of Justice
consider when establishing the requirements for an application for a
specific license?
55. Are there any aspects of the OFAC and BIS licensing
processes that would be especially useful for this program? If so,
which ones and why?
56. Are there any aspects of the OFAC and BIS licensing
processes that would not be useful for this program? If so, which
ones and why not?
K. Interpretive Guidance
The Order requires the Attorney General to ``establish, as
appropriate, mechanisms to provide additional clarity to persons
affected by th[e] order and any regulations implementing th[e] order.''
\12\ The Department of Justice is currently considering creating a
program to provide guidance in the form of written advisory opinions,
similar to processes used by OFAC and BIS, and by the Department of
Justice with respect to the Foreign Corrupt Practices Act (FCPA) and
the Foreign Agents Registration Act (FARA). The Department of Justice
is considering permitting any U.S. person engaging in covered data
transactions regulated by the program to request an interpretation of
any part of these regulations from the Attorney General. Examples of
such requests could include guidance on (1) whether a particular
transaction is a covered data transaction and whether it is prohibited
or restricted; (2) whether the Attorney General would be likely to
issue a license governing a particular data transaction; and (3)
whether a person satisfies the definitions of these regulations (e.g.,
U.S. person, foreign person, covered person). Consistent with other
Federal advisory-opinion programs, the Department of Justice is
considering requiring that advisory opinions may only be requested for
actual--not hypothetical--data transactions, but need not involve only
prospective conduct.
---------------------------------------------------------------------------
\12\ With respect to the security requirements, the Secretary of
Homeland Security, in coordination with the Attorney General, shall
issue any interpretive guidance.
---------------------------------------------------------------------------
The Department of Justice is considering requiring requests for
interpretive guidance to be made using forms and procedures published
by the Department of Justice. These rules may include, for example: (1)
a requirement that all requests must be made in writing; (2) a
requirement that all requests must identify all participants in the
data transaction for which the opinion is being sought (i.e., a
prohibition on anonymous requests); (3) a requirement that the
requesting party cannot use the advisory opinion, or permit it to be
used, as evidence that the United States Government determined that the
data transactions described in the advisory opinion are compliant with
any Federal or State law or regulation other than the rules; and (4) a
requirement that advisory opinions may be requested only for actual,
not hypothetical, conduct.
The Department of Justice is also considering whether to publish
some or all advisory opinions once issued, provided that such
publication complies with applicable laws and regulations (e.g.,
regarding the protection of confidential business information).
[[Page 15797]]
Finally, in addition to advisory opinions addressing specific requests,
the Department of Justice is considering
the publication of more general interpretive guidance, such as
Frequently Asked Questions.
The ANPRM seeks comment on this topic, including:
57. Would an advisory opinion process in general be useful? What
effect, if any, should the issuance of an advisory opinion have for
the party or parties who requested it? For third parties?
58. Should industry groups or other associations be permitted to
request advisory opinions or interpretive guidance on behalf of one
or more of their members (noting that such requests would still need
to identify all relevant participants in a data transaction)?
59. Should some or all advisory opinions be published? How might
the possibility of publication affect a request (noting that any
publication would comply with applicable laws regarding confidential
business information and similar topics)?
60. If the Department of Justice decides to publish some or all
advisory opinions, how should it do so?
61. How should the Department of Justice address circumstances
in which an advisory opinion no longer applies (e.g., the relevant
country of concern at the time the opinion was issued no longer
meets the requirements for being a country of concern)?
62. What forms or procedures should the Department of Justice
consider when establishing the requirements for an acceptable
advisory opinion request?
63. Are there additional models or other forms of interpretive
guidance that the Department of Justice should consider? For
example, should the Department of Justice be free to issue guidance
even if no party has inquired about the relevant topic? Should these
other forms of guidance be published? If so, how?
L. Compliance & Enforcement
The Order delegates to the Attorney General, in consultation with
relevant agencies, the full extent of the authority vested in the
President by IEEPA, and expressly states that the rules will ``address
the need for, as appropriate, recordkeeping and reporting of
transactions to inform investigative, enforcement, and regulatory
efforts.'' The Department of Justice wishes to achieve widespread
compliance, and to gather the information necessary to administer and
enforce the program, without unduly burdening U.S. persons or
discouraging data transactions that the program is not intended to
address. Any enforcement guidance issued by the Department of Justice
regarding the security requirements will be issued in coordination with
the Department of Homeland Security.
Accordingly, the Department of Justice is currently considering
creating and implementing a compliance and enforcement program modeled
on the Department of the Treasury's IEEPA-based economic sanctions,
which are administered by OFAC.
Due diligence and recordkeeping. With respect to due diligence and
recordkeeping, the Department of Justice is considering a model in
which U.S. persons subject to the contemplated program employ a risk-
based approach to compliance by developing, implementing, and routinely
updating a compliance program. The compliance program suitable for a
particular U.S. person would be based on that U.S. person's
individualized risk profile and would vary depending on a variety of
factors, including the U.S. person's size and sophistication, products
and services, customers and counterparties, and geographic locations.
The Department of Justice is not proposing to prescribe general due-
diligence or affirmative recordkeeping requirements on all U.S. persons
engaged in covered data transactions with foreign persons. The
Department of Justice is considering whether a U.S. person's failure to
develop an adequate due-diligence program would have consequences if
that U.S. person violates the regulations, such as treating this
failure as an aggravating factor in any enforcement action.
The Department of Justice is currently considering imposing
affirmative due-diligence and recordkeeping requirements only as a
condition of engaging in a restricted covered data transaction or as a
condition of a general or specific license. This limited set of
affirmative due-diligence and recordkeeping requirements would include
``know your vendor'' and ``know your customer'' requirements.
Consistent with OFAC's practice in IEEPA-based sanctions programs, the
Department of Justice is considering requiring U.S. persons subject to
the due-diligence requirements to keep records of their due diligence
to assist in inspections and enforcement.
Reporting. Similarly, the Department of Justice is considering
reporting requirements modeled on existing IEEPA-based reporting
requirements. The contemplated program would not prescribe general
reporting requirements for all U.S. persons engaged in data
transactions with foreign persons (or even with all covered persons).
Rather, the Department of Justice is considering requiring reporting
only as a condition for certain categories of U.S. persons that are
engaging in restricted covered data transactions, as a condition of a
general or specific license, or in certain narrow circumstances to
identify attempts to engage in prohibited covered data transactions.
DOJ is considering these reporting requirements to help DOJ identify
covered data transactions that are the highest priority for ongoing
compliance and enforcement efforts. The categories of U.S. persons
subject to affirmative reporting requirements could include:
A U.S. person that (a) is engaged in restricted covered
data transactions involving cloud computing services or licensed
covered data transactions involving data brokerage or cloud-computing
services, and (b) has 25 percent or more of its equity interests owned
(directly or indirectly, through any contract, arrangement,
understanding, relationship, or otherwise) by a country of concern or
covered person; or
Any U.S. person that has received and affirmatively
rejected an offer from another person to engage in a prohibited covered
data transaction involving data brokerage.
Likewise, the Department of Justice is considering requiring any
person granted a license under the rules to provide annual
certifications supported by available documentation that they have
abided by the terms of any license granted.
Audits. To assist in ensuring compliance with the security
requirements for restricted covered data transactions and with licenses
issued pursuant to the rules, the Department of Justice is considering
whether to require a U.S. person to comply with certain conditions in
conducting a restricted covered data transaction (whether conducted
pursuant to a license or not) or a prohibited covered data transaction
pursuant to a license. These conditions may include (i) appointing an
accredited auditor to annually assess compliance with and the
effectiveness of the security requirements or conditions of the
license, and (ii) delivering the results of the audit to the Department
of Justice. The audit will need to address (i) the nature of the U.S.
person's covered data transaction and (ii) whether it is in accordance
with applicable security requirements, the terms of any license issued
by the Attorney General, or any other aspect of the regulations.
Investigation and enforcement. To assist in the investigation of
potential noncompliance with the rules, the Department of Justice is
considering requiring any U.S. person ``to keep a full record of, and
to furnish under oath, in the form of reports or otherwise,'' as may be
required by the Attorney General, ``complete information relative to''
any covered data transaction subject to a prohibition or restriction.
[[Page 15798]]
50 U.S.C. 1702(a)(2). For the avoidance of doubt, neither the Order nor
its
implementing regulations will create any new right of access by the
U.S. Government to U.S. persons' sensitive personal data or government-
related data, or give the U.S. Government a new right to monitor U.S.
persons' communications.
The Department of Justice is also considering establishing a
process for imposing civil monetary penalties similar to the processes
followed by OFAC and CFIUS, with mechanisms for pre-penalty notice, an
opportunity to respond, and a final decision. Penalties could be based
on noncompliance with the regulations, making material misstatements or
omissions, making false certifications or submissions, or other actions
or factors. The Department of Justice would, consistent with due-
process requirements, give companies the relevant non-classified
information that forms the basis of any enforcement action and a
meaningful opportunity to respond.
The ANPRM seeks comment on this topic, including:
64. What additional guidance should the Department of Justice
provide in describing what constitutes having ``received and
affirmatively rejected'' a covered data transaction involving data
brokerage for purposes of the reporting requirements?
65. Would reports about rejected covered data transactions
involving data brokerage yield information that the Department of
Justice could use to calibrate regulations, prioritize enforcement,
and identify areas for further guidance in implementing the Order?
66. What new compliance and recordkeeping controls will U.S.
persons anticipate needing to comply with the program as described
in this ANPRM? To what extent would existing controls for compliance
with other United States Government laws and regulations be useful
for compliance with this program? How could the Department of
Justice reduce the paperwork burden of any new compliance
requirements?
67. What additional information will U.S. persons need to
collect for compliance purposes as a result of this program?
68. What types of information would be useful to include in the
know-your-customer and know-your-vendor due diligence described
above? Do customers and vendors generally have this information
readily available?
69. Is this due diligence already being done by U.S. persons in
connection with transactions that would be covered data
transactions--e.g., for other regulatory purposes, prudential
purposes, or otherwise? If so, please explain. What, if any, third-
party services are used to perform due diligence as it relates to
transactions involving the countries of concern more generally?
70. What are the practicalities of complying with this
obligation? What, if any, changes to the way that U.S. persons
undertake due diligence would be required because of this standard?
What might be the cost to U.S. persons of undertaking such due
diligence? Please be specific.
71. For how long should the Department of Justice consider
requiring entities to retain records that the rules require them to
maintain?
72. Are there additional examples of high-priority data
transactions that should be included in the reporting requirement?
Should any of the examples given above be excluded?
73. What should the Department of Justice's role be in
nominating, approving, or otherwise participating in the selection
of an accredited auditor charged with monitoring compliance with the
security requirements or a license under the rules? What should the
Department of Justice consider when reviewing a candidate to be an
auditor under this provision? What types of service providers
currently exist that could play this role?
74. How, if at all, should penalties and other enforcement
mechanisms be tailored to the size, type, or sophistication of the
U.S. person or to the nature of the violation?
75. What factors should the Department of Justice analyze when
determining to impose a civil penalty, as well as the amount?
76. What, if any, additional procedural steps should the
Department of Justice require as part of its process to impose
penalties?
77. Other than noncompliance with the regulations, making
material misstatements or omissions, and making false certifications
or submissions, what other types of actions or factors should the
Department of Justice consider as a predicate for a penalty?
78. What should the Department of Justice consider when deciding
to issue a subpoena or other investigative demand pursuant to the
rules?
79. Have limitations or complications arisen regarding the
service of IEEPA-based subpoenas or investigative demands in the
past under programs administered by other Federal agencies?
80. What transaction sources should the Department of Justice
use to monitor compliance with this program?
M. Coordination With Other Regulatory Regimes
The Order requires the Department of Justice to address, as
appropriate, coordination with other United States Government entities,
such as CFIUS, OFAC, BIS, and other entities implementing relevant
programs, including those implementing Executive Order 13873 of May 15,
2019 (Securing the Information and Communications Technology and
Services Supply Chain) and Executive Order 14034 of June 9, 2021
(Protecting Americans' Sensitive Data From Foreign Adversaries); and
Executive Order 13913 of April 4, 2020 (Establishing the Committee for
the Assessment of Foreign Participation in the United States
Telecommunications Services Sector). The Department of Justice does not
currently intend or anticipate that this program will have significant
overlap with existing authorities. Existing authorities do not provide
prospective, categorical rules to address the national-security risks
posed by transactions between U.S. persons and countries of concern (or
persons subject to their ownership, control, jurisdiction, or
direction) that pose an unacceptable risk of providing those countries
with access to bulk U.S. sensitive personal data or government-related
data.
With respect to investment agreements between U.S. persons and
countries of concern (or covered persons) that are also ``covered
transactions'' subject to CFIUS review, see generally 50 U.S.C. 4565,
the Department of Justice is considering an approach in which this
program would independently regulate, as restricted covered data
transactions, investment agreements that are also ``covered
transactions'' subject to review by CFIUS, unless and until CFIUS
enters into or imposes mitigation measures to resolve national-security
risk arising from a particular covered transaction (a ``CFIUS
Action''). A CFIUS Action could take the form of, for example, a CFIUS
interim order, a CFIUS determination to conclude action with respect to
a covered transaction based on an order or mitigation agreement of
data-security risks, or CFIUS's entry into a mitigation agreement
governing the voluntary abandonment of the covered transaction. Once
such a CFIUS Action occurs, the program proposed under this ANPRM would
cease to apply to the particular investment agreement that constitutes
the covered transaction subject to the CFIUS Action. This exemption in
the regulations would apply categorically for all covered transactions
that are subject to a CFIUS Action; the Department of Justice would not
be required to issue a specific license for each investment agreement
addressed by a CFIUS Action.
This approach would preserve CFIUS's authority to develop bespoke
protections to mitigate risks arising from investment agreements that
also qualify as CFIUS covered transactions (or to recommend that the
President prohibit such a covered transaction) where CFIUS deems such
action necessary to address national security risk arising from the
covered transaction. It would also ensure that parties do not have
overlapping obligations under more than one regulatory regime. To the extent that
CFIUS identifies an unresolved national-security risk regarding access
to sensitive personal data that arises from a particular covered
transaction, the program's security requirements
would set an important baseline for CFIUS to draw on in mitigating the
unresolved risk, consistent with CFIUS's transaction-specific approach.
Under this approach, a CFIUS Action would not be considered to have
occurred where CFIUS has not reviewed a particular investment agreement,
or where CFIUS concludes action with respect to an investment agreement
without any mitigation of data-security risks. In those instances, this program
would continue to independently regulate the investment agreement as a
restricted covered data transaction. This approach allows this program
to continue to address risks that may arise outside of CFIUS's reach,
such as (1) risks associated with investment agreements that are not
``covered transactions'' and thus outside of CFIUS's authority (e.g.,
non-controlling investments involving sensitive personal data below
CFIUS's one-million-person threshold or data that is not identifiable);
(2) risks associated with ``covered transactions'' where the risk does
not ``arise[ ] as a result of the covered transaction,'' 50 U.S.C.
4565(l)(3)(A)(i); and (3) risks that may arise in the temporal gap that
occurs after parties enter into an investment agreement but before the
particular covered transaction is filed with CFIUS and becomes subject
to a CFIUS Action.
This proposed approach contemplates that CFIUS would retain its
existing authority to enforce CFIUS Actions, and DOJ would retain the
authority to enforce violations of obligations under the program. Since
the program would no longer apply to a particular covered data
transaction once a CFIUS Action has been taken, CFIUS and the data-
security regulations would not create dual or overlapping obligations:
Violations of the obligations under the data-security regulations could
occur only before the occurrence of the CFIUS Action. DOJ would retain
authority, at any time, to enforce any violations of obligations under
the program that were committed while the program applied to the
covered data transaction, even if the enforcement action occurs after a
CFIUS Action has occurred. In such instances, DOJ would coordinate with
CFIUS.
Regardless of the manner in which the regulations address
investment agreements, the program's other rules for classes of covered
data transactions would still apply. Even if the program proposed under
this ANPRM ceased to apply to a particular investment agreement subject
to a CFIUS Action, U.S. persons would still have to comply with the
program's rules for covered data transactions involving data brokerage,
the provision of bulk human genomic data and human biospecimens, vendor
agreements, employment agreements, and other investment agreements not
subject to a CFIUS Action.
The ANPRM seeks comment on this topic, including:
81. How should the program address investment agreements that
are also ``covered transactions'' subject to the jurisdiction of
CFIUS? What are the pros and cons of the approach under
consideration?
82. In terms of compliance, what are the considerations with the
approach described above where this program would govern unless or
until a CFIUS Action occurs?
83. What other potential overlaps or gaps, if any, may exist
between the program contemplated here and existing authorities? How
should this program address them? In particular, should the
Department of Justice consider any adjustments to the program
contemplated here in light of the consumer-reporting rulemaking
under the Fair Credit Reporting Act that the Consumer Financial
Protection Bureau is considering? See Final Report of the Small
Business Review Panel on the CFPB's Proposals and Alternatives Under
Consideration for the Consumer Reporting Rulemaking (Dec. 15, 2023),
https://files.consumerfinance.gov/f/documents/cfpb_sbrefa-final-report_consumer-reporting-rulemaking_2024-01.pdf [https://perma.cc/K75B-MKR3].
N. Economic Impact
The Department of Justice is committed to ensuring that the
contemplated program is carefully scoped to the kinds of data
transactions that present unacceptable national-security risks and
minimizes unintended economic impacts. The Department of Justice
currently anticipates that this program would have the following
economic impacts.
For each of the two classes of prohibited covered data transactions
(those involving data brokerage and those involving the provision of
human genomic data or human biospecimens from which that data can be
derived), the Department of Justice anticipates that the primary
economic impacts will fall into two categories: (1) direct costs in the
form of the lost economic value of the covered data transactions that
are prohibited or forgone, and (2) indirect costs, such as the
compliance costs to perform due diligence to ensure that transactions
with foreign persons comply with the prohibitions. For each of the
three classes of restricted covered data transactions (vendor
agreements, employment agreements, and investment agreements), the
Department of Justice anticipates that the primary economic impacts
will fall into two categories: (1) direct costs in the form of the lost
economic value of covered data transactions that are prohibited or
forgone, and (2) indirect costs, such as the costs of complying with
the security requirements to conduct restricted covered data
transactions and with the reporting requirements.
Direct costs. As a preliminary matter, there does not appear to be
a complete or reliable estimate of the markets for, or economic value
of, each of these classes of covered data transactions--especially at
the level of granularity required to accurately account for the details
of the contemplated program, such as the specific classes of prohibited
and restricted covered data transactions, the countries of concern, the
kinds of sensitive personal data, the classes of exempt transactions
(such as financial-services transactions), and other carve-outs and
definitions being considered for this program.
For example, with respect to data brokerage, estimates for the
total global data broker market vary widely from around $50 billion to
over $300 billion and do not appear to have clear or reliable
methodologies whose validity can be easily assessed.\13\ The United
States is widely perceived as the largest market for data brokerage;
for instance, major U.S. data brokerage firms report that a majority of
their global revenues come from the domestic market and that Asia-
Pacific revenues (which are not broken down further for markets for
specific countries) account for approximately one to six percent of
their global revenues.\14\ Likewise,
although trade in services data from the U.S. Bureau of Economic
Analysis (BEA) provides an alternative potential approach for
identifying cross-border transactions in sensitive personal data, the
BEA data is not measured in a way that allows any direct comparison to
the program contemplated here. The BEA categories of ``Database and
Other Information Services'' and ``Telecommunications, Computer, and
Other Information Services'' appear to be the two closest. But those
BEA categories are over-inclusive and under-inclusive relative to the
categories of covered data transactions that would be prohibited or
restricted under the contemplated program: These two BEA categories,
for instance, include trade that would be outside the scope of the
contemplated program, such as kinds of data (e.g., web-browser history)
and activities (e.g., computer hardware, dissemination of data and
databases like directories, mailing lists, and web-search portals,
newspaper and periodical subscriptions, and library/archive services).
Conversely, these two BEA categories exclude transactions
that would be within the scope of the contemplated program, such as
activity from advertising, trade in human genomic data, and exports by
credit bureaus (which report their data exports separately under the
broader heading of ``Financial Services''). Nevertheless, as a point of
comparison, the BEA data suggests that, in 2022, the United States
exported $317 million in ``Database and Other Information Services'' to
China and a combined $3.4 billion in ``Telecommunications, Computer,
and Other Information Services'' to China and Hong Kong.
---------------------------------------------------------------------------
\13\ See, e.g., Catherine Tucker & Nico Neumann, Buying Consumer
Data? Tread Carefully, Harvard Business Review (May 1, 2020),
https://hbr.org/2020/05/buying-consumer-data-tread-carefully
[https://perma.cc/GDY3-AWKQ]; OnAudience, Global Data Market Size:
2017-2021 at 4, 8 (Nov. 2020), https://pressmania.pl/wp-content/uploads/2020/12/Global-Data-Market-Size-2017-2021-OnAudience-Report.pdf [https://perma.cc/7NQS-3TXK]; Knowledge Sourcing
Intelligence, Global Data Broker Market Size, Share, Opportunities,
COVID-19 Impact, And Trends By Data Type (Consumer Data, Business
Data), By End-User (BFSI, Retail, Automotive, Construction, Others),
And By Geography--Forecasts from 2023 to 2028 (June 2023), https://www.knowledge-sourcing.com/report/global-data-broker-market [https://perma.cc/2ED8-WU9K]; Transparency Market Research, Data Brokers
Market (July 2022), https://www.transparencymarketresearch.com/data-brokers-market.html [https://perma.cc/GL3M-MQMR]; Maximize Market
Research, Data Broker Market: Global Industry Analysis and Forecast
(2024-2030) (Jan. 2024), https://www.maximizemarketresearch.com/market-report/global-data-broker-market/55670/ [https://perma.cc/V2VJ-VX9A].
\14\ See, e.g., TransUnion, TransUnion Announces Fourth Quarter
2022 Results (Feb. 14, 2023), https://newsroom.transunion.com/transunion-announces-fourth-quarter-2022-results/ [https://perma.cc/S8QW-D8RS]; Experian, Trading update, first quarter (July 13, 2023),
https://www.experianplc.com/content/dam/marketing/global/plc/en/assets/documents/results-and-presentations/2023/experian-q1-fy24-trading-update.pdf [https://perma.cc/3FCZ-U4CY].
---------------------------------------------------------------------------
For restricted covered data transactions, the net direct lost
economic value will also depend on the extent to which U.S. persons
continue to pursue otherwise-prohibited vendor agreements, employment
agreements, and investment agreements in compliance with the security
requirements. Where U.S. persons determine not to pursue vendor,
employment, or investment agreements with covered persons, the net cost
will depend on the extent to which such agreements can be easily
replaced with vendors, employers, and investors that will not be
subject to such restrictions. It is plausible, for example, that--faced
with higher costs associated with executing a vendor agreement with a
vendor based in a country of concern--a U.S. company will opt to drop
its data-processing contract with that vendor and instead rely on a
vendor based outside of a country of concern. Relative to the current
status quo, this switch could represent a financial loss to the
original U.S. company (which could now face a higher cost for data
processing) while providing a net gain to the alternative data
processing vendor. The opposite could also be true: that the relevant
costs associated with complying with this program would not justify a
U.S. business switching from a vendor based in a country of concern but
instead would justify continuing with that vendor by implementing the
security requirements.
We request economic data to further evaluate these direct costs.
Indirect costs. In addition to the direct costs of prohibited and
restricted covered data transactions, U.S. companies that handle and
transfer bulk U.S. sensitive personal data or government-related data
may also incur costs to ensure that they are complying with the
contemplated program. The universe of firms that transact in bulk U.S.
sensitive personal data is larger than the subset of such firms that
knowingly transfer such data to countries of concern or covered
persons; this larger universe of firms will need to undertake some due-
diligence measures to ensure their typical data transfers are not in
fact going to countries of concern or covered persons (for prohibited
covered data transactions) and to comply with the security requirements
(for restricted covered data transactions). Such compliance costs will
vary by sector and size of firm.
For prohibited covered data transactions, the costs of due
diligence would likely vary significantly across companies, as with the
costs of compliance for economic sanctions, export controls, and other
national-security and law-enforcement regulations. As explained above,
the contemplated program would employ a risk-based approach, like
sanctions and export controls, in which regulated U.S. persons
implement compliance programs based on their individualized risk
profiles. For example, in addition to complying with other aspects of
the contemplated program, the upfront due-diligence compliance costs
for companies with robust existing compliance programs (such as
sanctions and export controls) may be lower, whereas other companies
with less robust compliance programs or no existing compliance programs
may incur greater costs. Any estimate of due-diligence compliance costs
would benefit greatly from more robust information on the size of the
industries for each of the classes of prohibited covered data
transactions, per-company costs, and per-transaction costs.
Similarly, for restricted covered data transactions, the costs of
complying with the security requirements will vary across U.S.
companies depending on the level of cybersecurity maturity. At one end
of the spectrum, many U.S. companies already have foundational baseline
cybersecurity protocols and technology in place, and may face only the
marginal cost of tailoring or re-deploying those existing protocols and
technology against the particular security requirements contemplated
here. At the other end of the spectrum, other U.S. companies with less
mature cybersecurity programs may face greater costs to acquire and
implement baseline cybersecurity protocols and technology. The overall
costs to comply with the security requirements will depend on the
number and distribution of U.S. companies within the markets for the
classes of restricted covered data transactions with countries of
concern. Economic reasoning suggests, however, that companies that
choose to deploy security measures to conduct restricted covered data
transactions would not incur compliance costs that are greater than the
revenue they could realize by implementing these measures.
For U.S. persons that do find they need to invest in additional
due-diligence programs to ensure compliance with the security
requirements, such spending may also create offsetting benefits in the
form of a lower risk of data breaches and cyber attacks. For example, a
July 2023 study reported that the global average cost of a data breach
had reached $4.45 million, a 15% increase over the preceding three
years.\15\
---------------------------------------------------------------------------
\15\ Industrial Cyber, Data breach costs for critical
infrastructure sector exceed $5 million, as time `new currency' in
cybersecurity (July 25, 2023), https://industrialcyber.co/reports/data-breach-costs-for-critical-infrastructure-sector-exceed-5-million-as-time-new-currency-in-cybersecuritydata-breach-costs-for-critical-infrastructure-sector-exceed-5-million-as-time-new/
[https://perma.cc/9QDT-37CN].
---------------------------------------------------------------------------
U.S. persons subject to the reporting requirements may also incur
costs to comply with the reporting requirements--costs that may also
vary by company depending on their individualized risk profile.
The net impact of these indirect costs appears difficult to measure
accurately with available data. We request economic data to support
measurement of these indirect costs.
The ANPRM seeks comment on this topic, including:
84. To what extent do the current markets for the classes of
covered data transactions involve the categories of sensitive
personal data contemplated here? What is the average estimated
commercial value of these covered data transactions? What are
reliable sources of information on the size, extent, and growth of
the markets for each of the classes of prohibited and restricted
covered data transactions?
85. What is the value of covered data transactions with
countries of concern that would be impacted by this regulation?
86. How many covered data transactions with countries of concern
or covered persons that meet the bulk threshold requirements are
typically conducted each year?
87. What are the economic sectors that will be expected to be
impacted by the regulation? What is the average size, in both
revenue and number of employees, of the firms impacted by the
regulation? What is the expected impact per firm, as a percentage of
overall revenue? What are the program's likely effects on existing
jobs and new employment opportunities for affected firms and
sectors?
88. What specific types of data are involved in covered data
transactions that involve data brokerage? What is the general
purpose of these transactions? How is this data stored? Is U.S.
persons' data that is sold to customers in countries of concern
stored on or retrieved from the same systems used to store or
retrieve U.S. persons' data sold to customers outside the countries
of concern? If not, what segmentation exists?
89. What kinds of best practices do U.S. persons engaged in data
brokerage implement to screen potential customers in the countries
of concern (or markets that present similar risk profiles)? How
widely implemented are these best practices in the industry?
90. What is the estimated economic size of the data brokerage
market? What are the best, most reliable sources of data for the
size, extent, and growth rate of this market? What is the average
value of a covered data transaction involving data brokerage?
91. How can service providers be grouped in the third-party data
brokerage market? What is the difference between a large, medium,
and small broker? How consolidated is the market? What are key
factors, business features or other models that providers use to
differentiate themselves? To what degree are providers
differentiated by features other than the size and scope of
individual data sets?
92. What are the estimated sizes of the global data brokerage
market for each of the six types of data identified in this
contemplated regulation (i.e., covered personal identifiers,
personal financial data, precise geolocation data, personal health
data, biometric identifiers, human genomic data)? What is the
estimated size of each of these markets in the United States and
each of the identified countries of concern?
93. What is the estimated transaction volume for the data
brokerage market (both first-party and third-party brokerage)? What
percentage of these transactions involve one or more of the six
categories of regulated sensitive personal data? What percentage of
these transactions involves a country of concern?
94. How are transactions conducted in the data brokerage market?
What percentage of the economic value of this market involves
transfer of data? What percentage involves subscription access to
centrally managed databases? What percentage involves analyzed or
processed data? What percentage involves access to raw, unprocessed
data?
95. To what extent do U.S. persons engaged in data brokerage use
any service providers in countries of concern connected to their
brokerage activities--such as hiring outsourcing companies for
cleaning and labeling datasets or signing agreements with cloud
service providers to store datasets? What is the estimated economic
value of these services?
96. How many firms will be impacted by the prohibition on the
use of vendors from countries of concern? What will be the average
cost per firm of switching from vendors subject to restrictions to
vendors not subject to restrictions? Which sectors will they be in?
What will be the average size of such a firm?
97. Are there any sectors, markets, or product or service
categories where, after excluding restricted vendors, there is
unlikely to be a sufficient number of firms available to supply the
overall level of service required by the market?
98. What proportion and segments of the cloud-computing services
market will be impacted by this regulation? What will be the
specific impacts on the cloud infrastructure, platform, and services
markets? What will be the impact on U.S. cloud computing companies
seeking to do business in countries of concern?
99. What will be the impact on cloud-computing service companies
based in countries of concern? Are there circumstances under which
U.S. companies may still wish or be required to do business with
cloud-computing service companies based in countries of concern
after the implementation of this regulation? In these circumstances,
will U.S. companies still be able to conduct necessary business
after the implementation of this regulation?
100. What will be the economic impact of prohibiting any covered
data transaction that provides a country of concern or covered
person with access to bulk U.S. human genomic data and human
biospecimens from which that sensitive personal data can be derived,
taking into account the proposed exemptions?
101. What sectors are involved in access to bulk U.S. human
genomic data and human biospecimens? Are there any sectors that
involve access to one, but not both, of these categories? What is
the estimated size of these markets, as well as the overall volume
and value of the covered data transactions involving this type of
data?
102. What types of commercial transactions involve human genomic
data and human biospecimens? Do any of these transactions involve
exchange of the data? Do any of these transactions involve access
to--but not exchange of--this sensitive personal data?
103. Is there sufficient commercial demand available outside
countries of concern to replace demand lost as a result of the
prohibition, and if so, where is such demand located? What is the
timeline for pivoting to meet new demand?
104. What percentage of the U.S. workforce would be affected by
the restrictions on employment agreements? How many firms will be
impacted by this prohibition? Which sectors will they be in? What
will be the average size of such a firm?
105. What will be the major cost components of a regulatory
compliance program? What will be the average cost of each of these
components per firm? Which of these components will be flat cost,
regardless of the size of firm? Which will have a variable, per-
employee cost?
106. What is the estimated cost of implementing the security
requirements contemplated in the regulation on a per-firm basis?
What are the basic components of these costs? Which of these
components are fixed, one-time costs? Which will be ongoing,
recurring costs?
107. How could the Department of Justice mitigate the costs of
compliance, particularly for small- and medium-sized enterprises?
Are there measures that could be taken to reduce the economic impact
of the regulatory regime without altering the fundamental scope or
thresholds associated with the regulation?
108. Are there legitimate commercial reasons for a covered
person to access data or information covered as part of the classes
of restricted covered data transactions? To what degree will an
inability to access this data affect that company's ability to
provide goods or services to U.S. companies and individuals?
109. What would be the commercial impact on U.S. persons if
countries of concern must conduct business in the United States
without access to data covered by restricted covered data
transactions? Are there other economic arrangements by which a
company could obtain the benefits of the data without directly
accessing the data itself?
110. What additional costs and benefits should the Department of
Justice consider, and how should they be estimated? Is there
additional data on the economic costs and benefits that the
Department of Justice should examine?
O. Overarching and Additional Inquiries
111. What additional example scenarios should the Department of
Justice consider, evaluate, and address in a proposed rulemaking to
provide clarity?
112. What time, if any, will U.S. persons that are currently
engaged in the prohibited covered data transactions contemplated
here need to wind-down those transactions? What time, if any, will
U.S. persons that are currently engaged in the restricted covered
data transactions contemplated here need to comply with the security
requirements or else wind-down those transactions?
113. What costs would be incurred by maintaining the status quo
(i.e., forgoing the contemplated regulations) with respect to any of
the classes of prohibited and restricted covered data transactions
under consideration?
114. Are there additional topics on which the Department of
Justice should be seeking
comment? If so, what are they and what is their relevance?
IV. Regulatory Certifications
This ANPRM has been drafted and reviewed in accordance with the
Principles of Regulation in section 1(b) of Executive Order 12866 of
September 30, 1993 (Regulatory Planning and Review), as amended by
Executive Order 14094 of April 6, 2023 (Modernizing Regulatory Review),
and in accordance with the General Principles of Regulation in section
1(b) of Executive Order 13563 of January 18, 2011 (Improving Regulation
and Regulatory Review). This ANPRM is a ``significant'' regulatory
action pursuant to Executive Order 12866, as amended by Executive Order
14094 and, accordingly, has been reviewed by the Office of Information
and Regulatory Affairs (OIRA) at the Office of Management and Budget
(OMB). This action does not propose or impose any requirements; rather,
this ANPRM is being published to seek information and comments from the
public to inform the notice of proposed rulemaking required to
implement the Order.
The requirements of the Regulatory Flexibility Act do not apply to
this action because, at this stage, it is an ANPRM and not a ``rule''
as defined in 5 U.S.C. 601.
Following review of the comments received in response to this
ANPRM, the Department of Justice will conduct all relevant analyses as
required by statute or Executive order for the notice of proposed
rulemaking required to implement the Order.
Dated: February 28, 2024.
Matthew G. Olsen,
Assistant Attorney General for National Security.
[FR Doc. 2024-04594 Filed 3-4-24; 8:45 am]
BILLING CODE 4410-PF-P