
For this week’s edition, we are taking a bit of a detour in this already turbulent new year to discuss a very recent development: U.S. data restrictions involving “countries of concern.” Earlier this month, the United States Department of Justice (“DOJ”) published its final rule implementing Executive Order 14117, titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The Executive Order describes a “continuing effort of certain countries of concern to access Americans’ sensitive personal data and United States Government-related data,” which it finds to be a threat to the national security and foreign policy of the United States. More specifically, the concern is the ability of these “countries of concern” to “analyze and manipulate bulk sensitive personal data to engage in espionage, influence, kinetic, or cyber operations or to identify other potential strategic advantages over the United States.” The Executive Order also makes clear that the risk is not limited to direct contact with, or direct access by, these countries; it also (and arguably most importantly) covers indirect access to such data through entities or individuals that are owned or controlled by, or subject to the jurisdiction of, a country of concern. Think of the recent TikTok headlines, for example.
The 412-page final rule covers ad nauseam the types of prohibited and restricted transactions, the compliance requirements, the designation of countries of concern, and penalties, among other topics. The most salient points of the final rule are as follows:
Countries of Concern: The rule designates six (6) countries as “countries of concern”: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. These countries were designated because they have engaged in a long-term pattern of conduct adverse to U.S. national security and pose a significant risk of exploiting bulk U.S. sensitive personal data and government-related data.
Covered Persons: Covered persons can be individuals or entities, and there are four types:
(1) foreign entities that are 50 percent or more owned by a country of concern, organized under the laws of a country of concern, or have their principal place of business in a country of concern;
(2) foreign entities that are 50 percent or more owned by a covered person;
(3) foreign employees or contractors of countries of concern, or of entities that are covered persons; and
(4) foreign individuals primarily resident in countries of concern. This list is not exhaustive: the Department can also designate any person, regardless of location, that it determines to be a covered person.
Sensitive Personal Data: The final rule defines sensitive personal data by outlining six (6) categories that have the potential to be exploited to harm U.S. national security. The six categories include:
(1) certain covered personal identifiers (e.g., names linked to device identifiers, Social Security numbers, driver’s license numbers, or other government identification numbers);
(2) precise geolocation data (e.g., GPS coordinates);
(3) biometric identifiers (e.g., facial images, voice prints and patterns, and retina scans);
(4) human genomic data and three other types of human ‘omic data (epigenomic, proteomic, or transcriptomic);
(5) personal health data (e.g., height, weight, vital signs, symptoms, test results, diagnosis, digital dental records, and psychological diagnostics); and
(6) personal financial data (e.g., information related to an individual’s credit, debit cards, bank accounts, and financial liabilities, including payment history).
As to such data, the DOJ took care to explain that the way “sensitive personal data” is defined automatically rules out certain categories of data. For instance, data that does not relate to a specific individual (e.g., trade secrets and proprietary information) and data that is lawfully publicly available are outside the scope of the rule.
We can only assume that the DOJ considered trade secrets and proprietary information to be adequately protected elsewhere in the law, so that this final rule is not cluttered with potentially contradictory provisions. And “publicly available” information would, of course, be impossible to protect in this way.
Bulk Sensitive Personal Data Thresholds & U.S. Government-Related Data: Relative to many privacy laws currently in force, “bulk” in this rule means surprisingly little, which gives it a very broad reach. Note that the thresholds are measured over the preceding 12 months, whether the data is obtained in a single transaction or aggregated across several, and that U.S. Government-related data is covered regardless of volume. The bulk thresholds for each category of sensitive personal data are as follows:
- human genomic data on over 100 U.S. persons, and the three other covered categories of human ‘omic data on over 1,000 U.S. persons,
- biometric identifiers on over 1,000 U.S. persons,
- precise geolocation data on over 1,000 U.S. devices,
- personal health data and personal financial data on over 10,000 U.S. persons,
- certain covered personal identifiers on over 100,000 U.S. persons, or
- any combination of these data types that meets the lowest threshold for any category in the dataset.
Of course, as broad as these definitions are, there are some exemptions. For example, personal communications that do not involve the transfer of anything of value, travel information, official U.S. Government activities, and transactions required or authorized by federal law or international agreements, to name a few, are exempt from these restrictions. Additionally, the DOJ can issue general licenses authorizing certain categories of otherwise prohibited or restricted transactions under specified conditions, and it can issue specific licenses for particular transactions if the applicant discloses the details of the intended transaction to the Department.
As for when these rules and restrictions take effect, it is sooner than you think: the rule generally takes effect on April 8th, three short months (90 days) from the publication of the final rule. The due diligence and audit requirements for restricted transactions, however, do not take effect until October 5th (270 days from publication).
As mentioned in last week’s blog, 2025 will be a challenging year for all entities when it comes to data privacy and governance. New comprehensive laws are now on the books, multiplying the restrictions and regulations that must be followed. This final rule adds to the complexity.
The information you obtain at this site, or this blog is not, nor is it intended to be, legal advice. You should consult an attorney for advice regarding your individual situation. We invite you to contact us through the website, email, phone, or through LinkedIn. Contacting us does not create an attorney-client relationship. Please do not send any confidential information to us until such time as an attorney-client relationship has been established.