On February 28, 2024, U.S. President Joe Biden issued an Executive Order on Preventing Access to Americans' Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern (EO), authorizing the U.S. Attorney General to restrict large-scale transfers of Americans' personal data to "countries of concern." According to a summary released by the White House, the "countries of concern" identified in the EO include China (along with Hong Kong and Macau), Russia, Iran, North Korea, Cuba and Venezuela.
Regulation of the data broker industry
The EO represents a concerted effort to govern and regulate the data broker industry. News reports say there are concerns that companies are collecting increasing amounts of personal data, including detailed data, and monetizing it through deals with America’s adversaries.
With the goal of regulating data brokers in mind, the EO asked the Consumer Financial Protection Bureau (CFPB) to consider taking measures, consistent with its existing legal authorities, to "protect Americans from data brokers who illegally collect and sell highly sensitive data," including data related to U.S. military personnel.
In response, CFPB Director Rohit Chopra issued a press release declaring that the CFPB "will propose new rules to curb these abuses to protect the security of our families and our nation."
Department of Justice directs implementation of key parts of EO
The EO directs the Department of Justice to implement many of its oversight and enforcement provisions. In addition to giving the Attorney General the authority to prohibit large-scale data transfers to certain countries, the EO also authorizes the Department of Justice to "issue regulations to strengthen the protection of sensitive government-related data," including geolocation information on sensitive government sites and information about military personnel.
The Department of Justice is also working with the Department of Homeland Security to "establish security standards" to "prevent countries of concern from accessing Americans' data through other commercial means, including data available through investments, vendors, and employment relationships."
Following the announcement of the EO, the Department of Justice issued a press release confirming that it would take proactive measures, in consultation with other federal agencies, to issue regulations "prohibiting or restricting certain categories of data transactions that pose an unacceptable risk to national security."
According to the Department of Justice's press release, its National Security Division will be tasked with implementing the executive order's provisions on behalf of the Attorney General. The National Security Division plans to issue an advance notice of proposed rulemaking (ANPRM) describing the initial categories of transactions involving bulk sensitive personal data or certain U.S. government-related data outlined in the EO.
Additionally, the Justice Department will seek public comment on items the agency is considering regulating, including “prohibiting data brokerage and transfer of genomic data, and restricting vendor, employment, and investment agreements.”
The Department of Justice goes on to say that the anticipated data transfer review program will not be administered through case-by-case review of data transactions. Instead, the DOJ regulations would "establish generally applicable and transparent rules for engaging in certain categories of data transactions with certain countries of concern or persons subject to their jurisdiction."
Personal data included in EO
The EO focuses on “Personal and Confidential Information” including:
- Biometric data
- Financial data
- Genomic data
- Geolocation data
- Personal health data
- Certain types of personally identifiable information
Specifically, according to a fact sheet (pdf) published by the U.S. Department of Justice (DOJ), "sensitive personal data" does not include:
- Data related to public records, such as court records and other government records
- Legal and publicly available data
- Personal communications under 50 U.S.C. § 1702(b)(1)
- Expressive information under 50 U.S.C. § 1702(b)(3), such as videos, artwork, and publications
Data contracts in the crosshairs
Data brokers and businesses that use third-party vendors or service providers to transfer personal data should take note of the references to "vendor agreements" in both the EO and the Department of Justice's ANPRM. The Department of Justice's ANPRM is expected to seek restrictions on three types of contracts related to large-scale data transfers:
- Vendor agreements for the provision of goods and services (including cloud service agreements)
- Employment agreements
- Investment agreements
Security requirements applicable to these transactions are to be established by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). The security requirements are designed to reduce the risk of access by countries of concern or persons subject to their jurisdiction, and may include cybersecurity measures such as "basic organizational cybersecurity posture requirements, physical and logical access controls, data masking and minimization, and the use of privacy-preserving technologies."
Exempt data transactions
Pursuant to the EO and ANPRM, there are “several blanket exemptions” for certain data transactions. Data transfers exempt from the Department of Justice’s regulatory jurisdiction include:
- Transactions ordinarily incidental to or part of financial services, payment processing, and regulatory compliance (e.g., banking, capital markets, or financial insurance activities; financial activities subject to the jurisdiction of other regulatory authorities; the provision or processing of payments involving the transfer of personal financial data or covered personal identifiers for the purchase or sale of goods or services; and compliance with laws and regulations)
- Transactions ordinarily incidental to, or part of, ancillary business functions (such as payroll or human resources) within a U.S. multinational corporation
- Activities of the U.S. government and its contractors, employees, and grant recipients (e.g., federally funded health and research activities that the funding agency would self-regulate)
- Transactions required or permitted by federal law or international agreements (e.g., exchange of passenger manifest information, Interpol requests, public health surveillance)
Additionally, the upcoming ANPRM contemplates exempting certain investments that "do not convey rights or influence that would otherwise pose an unacceptable national security risk, such as giving a country or person of concern access to sensitive personal data."
Compliance with Department of Justice Proposed Regulations
According to the Department of Justice, the planned data transfer review program “does not establish general due diligence requirements, active recordkeeping requirements, or active reporting requirements.” Rather, the planned program would be modeled after the economic sanctions program under IEEPA, administered by the Treasury Department’s Office of Foreign Assets Control.
The Department of Justice's ANPRM envisions U.S. businesses and individuals "developing and implementing compliance programs" tailored to their individual risk profiles. An entity's risk profile includes factors such as its overall size, the geographic location of its operations, its specific products and services, and the sophistication of its customers and business partners.
Feasibility of the regulatory framework proposed by the Department of Justice
A key unanswered question regarding the Justice Department's proposal is whether this compliance model will work. Based on the available information, the proposal has some gaps and weaknesses; it is not, however, designed to be impermeable or unbreakable.
Instead, as Deputy Attorney General Lisa Monaco stated, "The Department of Justice has long focused on preventing threat actors from stealing data through the proverbial backdoor. This executive order shuts the front door." Similarly, speed limit signs do not prevent speeding, but they do establish an expectation and a basis for punishment.
Penalties for violations
According to the ANPRM, the Department of Justice is considering creating civil penalties for violations and non-compliance. Specific penalties for violations “will vary depending on the facts and circumstances of the violation, including the adequacy of the compliance program.”
Looking to the future
The Department of Justice published the ANPRM in the Federal Register with a 45-day public comment period. Once the public comment period ends, the DOJ will consider the comments submitted on the ANPRM and prepare and issue a Notice of Proposed Rulemaking (NPRM).
The NPRM will be followed by further consideration and preparation of a final rule. Once the final rule goes into effect, businesses and individuals will be required to comply with the regulations.