Key Insights: DOJ's Proposed Rule to Protect Bulk Sensitive Personal Data—What Companies Need to Know

Earlier this year, the Biden administration issued Executive Order (EO) 14117, which instructed the Department of Justice (DOJ) to create a framework that would prohibit certain data transactions. Specifically, the EO looked to prohibit transactions that provide access to personal data about Americans or certain government data to entities in specific countries of concern, and it would restrict other transaction types with entities in those countries. DOJ released an Advance Notice of Proposed Rulemaking (ANPRM) in March to request information about how it could create this framework. On October 21, the DOJ released the Notice of Proposed Rulemaking (NPRM) to advance these restrictions, which carries over many of the concepts from the proposals set forth in the ANPRM. Comments on the NPRM are due November 29, 2024.

Below we review key aspects of the proposed rule. If finalized as drafted, the NPRM will have significant implications for most businesses in the data-driven economy, given its broad definition of "data brokerage." If a company provides data access to third parties that are "covered persons," such as advertisers or analytics companies in countries of concern, that activity may fall within the rule's prohibitions. Likewise, if a company engages employees or vendors, such as cloud computing providers, that qualify as covered persons and can access data about Americans, the rule's requirements may force it to implement new systems and procedures to keep those engagements compliant.

As an example of the potentially wide-ranging impact of the proposed rule, it could affect automotive industry entities of all sizes, from start-up autonomous vehicle (AV) developers to large original equipment manufacturers (OEMs) and parts suppliers. OEMs and AV developers will need to consider all the data their vehicles collect about drivers and passengers, and how, if at all, that data is shared with third parties. Parts suppliers will likewise need to determine whether any data collected and shared by their components could fall within the proposed rule's requirements.

Select Definitions

1. Covered Person

The NPRM defines and provides specific examples of covered persons, clarifying which individuals or entities fall under the rule and which do not. Unlike the Protecting Americans' Data from Foreign Adversaries Act, this definition offers U.S. companies more clarity about which business partners and providers may be covered persons. The NPRM provides for five types of covered persons:

  1. A foreign entity that is 50% or more owned by a country of concern (defined in the NPRM as China, including Hong Kong and Macau, Cuba, Iran, North Korea, Russia, and Venezuela), is organized under the laws of a country of concern, or has its principal place of business in a country of concern;
  2. A foreign entity that is 50% or more owned by a covered person as defined in (1), (4), or (5);
  3. A foreign individual who is an employee or contractor of a country of concern or of an entity that is a covered person as defined in (1), (2), or (5);
  4. A foreign individual who is primarily resident in a country of concern; and
  5. Any person that the Attorney General designates as a covered person.

Because these thresholds are concrete (ownership percentage, place of organization, residence), compliance-focused companies could build screening processes around them to identify when a potential client, partner, or vendor may be a covered person, and so avoid penalties for engaging in prohibited or restricted transactions involving bulk U.S. sensitive personal data or U.S. government-related data.

2. Bulk Thresholds

The NPRM proposes specific volume thresholds to determine whether a transaction involves a "bulk" amount of sensitive personal data. The proposed thresholds are as follows:

  1. Human genomic data on more than 100 U.S. persons;
  2. Biometric identifiers on more than 1,000 U.S. persons;
  3. Precise geolocation data on more than 1,000 U.S. devices;
  4. Personal health data on more than 10,000 U.S. persons;
  5. Personal financial data on more than 10,000 U.S. persons; and
  6. Covered personal identifiers on more than 100,000 U.S. persons.

Notably, the NPRM measures these thresholds at any point in the preceding 12 months, whether met through a single transaction or aggregated across transactions between the same U.S. person and the same foreign person or covered person. A series of small transfers to the same recipient can therefore cross a threshold even if no single transfer does.

3. Government-Related Data

The NPRM defines government-related data to include government location data based on areas identified on the Government-Related Location Data List (for example, the list may include duty stations, military installations, embassies) and sensitive personal data that the data provider markets as linked or linkable to current or recent former U.S. government employees or contractors. The DOJ would maintain the location list and identify areas for inclusion, suggesting eight such geofenced locations in the NPRM.

4. Sensitive Personal Data

The NPRM defines sensitive personal data to include certain personal identifiers, precise geolocation data, biometric identifiers, human genomic data, personal health data, and financial data. The definition excludes public or nonpublic data that does not relate to an individual (for example, trade secrets) and data that is already lawfully publicly available from government records or widely distributed media.

5. Covered Identifiers and Listed Identifiers

The NPRM treats certain identifiers as key categories of sensitive data linked to U.S. individuals. Under the proposed rule, a "listed identifier" becomes a "covered" personal identifier when it is disclosed in combination with another listed identifier, or in a transaction that would allow it to be linked or linkable to other listed identifiers or to other sensitive personal data; a single listed identifier disclosed on its own is not, by itself, a covered identifier. "Listed identifiers" is broadly defined, including not only full names, email addresses, government ID numbers, and financial account data, but also device-based identifiers such as cookie IDs, IP addresses, advertising identifiers, and MAC addresses. Because these device-based identifiers routinely travel together in advertising and analytics data flows, many ordinary ad-tech data sets would qualify.

6. Data Brokerage

The NPRM would prohibit transferring bulk U.S. sensitive personal data or government-related data to a country of concern or covered person through a data brokerage transaction. The NPRM defines data brokerage as the sale or licensing of access to data, or a similar commercial transaction, in which the recipient did not collect or process the data directly from the individuals to whom it pertains. This broad definition could sweep in companies not typically considered "data brokers" under state laws, classifying them as such under this rule if finalized. For example, the NPRM states that a U.S. mobile app company that sells advertising space to Chinese advertisers and shares data such as users' location, IP addresses, and unique identifiers could be engaging in prohibited data brokerage if the number of identifiers meets the "bulk data" thresholds.

7. Employment, Investment, and Vendor Agreements

The NPRM provides specific examples of employment, investment, and vendor agreements that could be restricted transactions because the foreign person would have access to data about U.S. individuals. For instance, if a U.S.-based financial services company hires a data scientist who is a Chinese national living in China (an employment agreement) and grants that employee access to the personal financial data of U.S. individuals in bulk, this could be a restricted transaction. Companies that engage employees, contractors, or vendors in countries of concern should review the NPRM's requirements for "restricted transactions," discussed below.

8. Knowledge Standard

The NPRM's prohibitions apply to a U.S. person that "knowingly" engages in a covered data transaction, meaning the person had actual knowledge of, or reasonably should have known about, the conduct, circumstances, or result of the transaction. The DOJ states that, if the rule takes effect, it will evaluate what a person reasonably should have known by considering all the relevant facts and circumstances surrounding the transaction, including the scope of the person's due diligence program. A documented, consistently applied screening program is therefore both a compliance control and evidence on the knowledge question.

9. Personal Health and Financial Data

The NPRM identifies personal health and financial data as categories of sensitive data linked to U.S. individuals. It would exempt the transfer of personal financial data incidental to the purchase and sale of goods or services, as well as certain payment processing or fund transfer activity. The NPRM proposes a broad definition of personal health data, which encompasses more than traditional medical records. Like some state health data privacy laws, the NPRM notes that "health" data can include information entered by a consumer into a fitness tracking app, such as logs of exercise habits.

10. Precise Geolocation Data

The NPRM defines precise geolocation data as data, whether real-time or historical, that identifies the physical location of an individual or device with a precision of within 1,000 meters. This is a looser precision cutoff than many state privacy laws use, so location data that would not be "precise" under those laws may still be covered here.

Transaction Requirements

1. Prohibited Transactions

The NPRM would prohibit data brokerage of bulk U.S. sensitive personal data or government-related data with a country of concern or covered person, and would prohibit any covered data transaction that gives a country of concern or covered person access to bulk human genomic data. Companies would also be required to report to the DOJ any offer to engage in a prohibited data brokerage transaction that they received and rejected. Companies should take note of this reporting responsibility: the report is due within 14 days of the rejection, including where the rejection occurs through automated means, so screening systems that automatically decline such requests need to log those events for reporting.

Additionally, companies would be prohibited from knowingly engaging in data brokerage of covered data with a non-covered foreign person unless the contract restricts the recipient from onward transfer of the data to a country of concern or covered person. Companies providing data under such contracts would also be required to report any known or suspected violations of those contractual provisions to the DOJ.

2. Restricted Transactions

The NPRM would impose due diligence, data security, auditing, and reporting requirements as conditions of engaging in "restricted transactions" (that is, vendor, employment, or investment agreements with a covered person that give access to covered data). Companies involved in restricted transactions would need to implement the security requirements proposed by the Cybersecurity & Infrastructure Security Agency (CISA), which the rule incorporates by reference, along with the rule's other requirements, including a written compliance program and an annual independent audit. Companies with operations in a country of concern could review those activities and determine whether they can comply with these conditions or whether they should restructure the relationships so that they are no longer "restricted" under the rule. The proposed rule would also require certain mandatory reporting for restricted transactions. For example, the rule would require annual reports from U.S. persons engaged in restricted transactions involving cloud computing services if 25% or more of the U.S. person's equity is owned by a country of concern or a covered person.

3. Exempt Transactions

The NPRM would carve out certain transactions from the rule's coverage, including personal communications, informational materials, travel, certain financial services, transactions required or authorized by federal law or international agreements, investment agreements subject to a Committee on Foreign Investment in the United States (CFIUS) action, and certain corporate group transactions. For instance, the NPRM would treat some internal transfers of data (such as human resources, payroll, and business travel data) within the same corporate "family" as generally exempt from the rule's restrictions, provided they meet certain criteria. As an example, if a U.S. company has a foreign subsidiary in China and a U.S. contractor performs an HR activity for that subsidiary, this would be an exempt activity.

Licenses

The NPRM would empower the DOJ to issue general and specific licenses, offering flexibility for companies to conduct otherwise-regulated transactions. For companies, these licenses could exempt certain transactions, thereby reducing compliance burdens.

Penalties

The NPRM proposes significant penalties for violations, including a maximum civil penalty of $368,136 or twice the amount of the transaction, whichever is greater. Willful violations could lead to criminal fines of up to $1,000,000 and up to 20 years' imprisonment.

What Can You Do?

While the NPRM is still in its notice and comment period and is not yet final or effective, companies could take steps now to prepare for compliance. For example, companies could make the following preparations.

  1. Data Map. Companies could inventory their current data assets, data sharing practices, and vendor relationships to determine whether they handle covered data, at what volumes, and with which foreign counterparties, so as to identify transactions the rule could affect. This could help prioritize and manage any remediation the final rule requires.
  2. Due Diligence and Intake. Companies could update (or create) vendor and client intake procedures that screen counterparties against the covered person criteria and flag potentially prohibited or restricted transactions on the front end. As the NPRM notes, the DOJ will take these types of programs into account when determining whether a company violated the rule knowingly or willfully.
  3. Security and Compliance. If a company determines that some of its vendor, employee, or investment agreements would be subject to the rule's security requirements, it could begin updating the security posture of those engagements now, or prioritize mitigation based on a risk assessment.
  4. Comment with DOJ. The NPRM has a 30-day comment period in which interested parties can engage with the DOJ and raise concerns before the rule becomes final. Engaging with regulators can help companies stay ahead of new requirements as they are shaped, rather than reacting to the government's actions after the fact.