The U.S. Department of Justice (“DOJ”) issued a revised proposed rule with new details about the most recent regulatory regime governing transactions involving certain sensitive data of U.S. persons and certain countries of concern. In last week’s Notice of Proposed Rulemaking (“NPRM”), the DOJ further refined its proposed program for implementing President Biden’s Executive Order (“E.O.”) that seeks to limit foreign adversaries’ ability to access, collect, and purchase data that can be exploited for malicious purposes. While the NPRM added some new exemptions, the proposed regulation will be a game changer for U.S. companies that collect sensitive data and transfer, share, or sell the data abroad.
I. NPRM Developments
II. Why This Is Significant
III. Overview of Proposed Regulatory Regime
A. Countries of Concern and Covered Persons
B. Data Categories
C. Prohibited and Restricted Transactions
D. Exemptions
E. Program Mechanics
IV. Outlook
I. NPRM Developments
The NPRM largely tracks the DOJ’s March 24, 2024 Advance Notice of Proposed Rulemaking (“ANPRM”). However, notable changes or additions in the NPRM include:
- definitions of key terms and bulk data thresholds for covered transactions;
- the simultaneous release of proposed security requirements from the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) that would apply to restricted transactions;
- clarifications of certain exemptions, such as those for corporate group transactions for data transfers between U.S. entities and foreign subsidiaries;
- the addition of new exemptions for telecommunications services, drug and medical device authorizations, and other clinical investigations;
- a description of the affirmative compliance obligations for entities that engage in restricted transactions, and notification requirements to the DOJ of certain prohibited transactions and other violations of the regulatory program;
- a description of the overlap between the Bulk Sensitive Data Regulatory Program and several related government initiatives, such as the Protecting Americans’ Data from Foreign Adversaries Act, the Committee on Foreign Investment in the United States, and actions taken under the Commerce Department’s Information Communication Technology and Services authorities; and
- a detailed analysis explaining the risks of the sensitive data impacted in the program.
The DOJ is accepting comments on the NPRM until November 29, 2024, which it will consider before publishing a final version of the regulations. CISA is also accepting public comments on the proposed security requirements. The date the new regulations will go into effect is not final, but is anticipated to occur next year.
II. Why This Is Significant
This new regime is a dramatic policy shift for the United States, which has long resisted restrictions on cross-border transfers of personal information and has no comprehensive privacy law or regulations. This regime will impact individuals and companies who are U.S. persons or that operate within the United States, respectively, if they collect or sell certain sensitive data within the program’s ambit. In practice, this new regulatory regime is likely to upend routine business decisions and make certain conduct potentially unlawful.
- Data Access, Citizenship, and Work Location Matter: The proposed regime does not just regulate the sale of sensitive data; it regulates who can have access to the data, including employees, vendors, investors, and senior personnel, and how entities must protect information implicated by the regime. Violations also depend on the citizenship and location of individuals who access sensitive data—facts potentially difficult to ascertain.
- Asset Inventories and Data Mapping: Entities that collect information from U.S. persons will need asset and data inventories and to scrutinize where their data goes, how it gets there, who has access to it, and how it is protected. And these entities may need to revamp compliance, diligence, and know-your-customer and know-your-vendor programs to meet these new requirements.
- New Security Requirements: The proposed regulations impose new cyber and data security requirements on entities that engage in restricted transactions, which include: updating asset inventories monthly, applying patches for non-exploited critical vulnerabilities within 15 days, implementing multifactor authentication on all covered systems, retaining relevant logs for 12 months, maintaining a default “allow” list, annually updating key policies (e.g., the Incident Response Plan and Data Deletion/Retention policies), and meeting detailed encryption requirements.
- Reporting and Compliance Requirements: The NPRM requires U.S. companies to affirmatively report to the DOJ within 14 days when they receive and reject an offer from another person to engage in a prohibited transaction. Further, for companies who engage in restricted transactions, the compliance requirements are significant, including a requirement for an annual, independent audit.
- Enforcement Is Real: The program will be administered by the DOJ, which can pursue civil and criminal penalties.
III. Overview of Proposed Regulatory Regime
The new regime, which builds on previous executive orders,[1] establishes a regulatory program (hereafter, the “Bulk Sensitive Data Regulatory Program” or “Program”) to prevent certain transfers of, and access to, sensitive data of U.S. persons and sensitive U.S. government data to foreign countries that are considered a national security threat. The United States will now join dozens of other jurisdictions, including the EU Member States and China, in limiting the cross‑border transfer of certain types of information.
The Bulk Sensitive Data Regulatory Program will be established pursuant to the President’s authorities under the International Emergency Economic Powers Act (“IEEPA”). It is intended to prevent foreign adversaries from: (1) collecting and purchasing sensitive data of U.S. persons or sensitive U.S. government data through legal means; (2) collating, leveraging, and exploiting that information with artificial intelligence and data analytics; and (3) using that information to facilitate malicious purposes such as cyber operations, espionage, and transnational repression. The Program will not regulate all cross-border data flows from the United States; rather it will block certain transfers and condition others.
The Bulk Sensitive Data Regulatory Program will apply generally to transactions of specific sensitive data involving “covered persons” linked to six countries of concern. These will be regulated based on the nature and volume of data, although for transactions involving sensitive U.S. government data, there is no volume requirement. The Program contemplates a two-tiered system regulating data transactions:
(1) transactions that are prohibited, and
(2) transactions that are restricted, which may proceed subject to the security requirements promulgated by CISA.
A. Countries of Concern and Covered Persons
The Bulk Sensitive Data Regulatory Program is intended to cover transactions with certain counterparties (covered persons) that are connected to six countries identified as “countries of concern”—China (including Hong Kong and Macau), Russia, Iran, North Korea, Venezuela, and Cuba.[2] As shown in the graphic below, the NPRM lists five ways that an entity or individual may be connected to a country of concern for the regulations to apply. The Program also allows the Attorney General to designate specific persons linked to or acting on behalf of these countries of concern. Such designated individuals would be on a public list.[3] Critically, a person or entity need not be designated to be subject to the Program.
The NPRM also makes clear that the Program would not apply to data transactions involving entities or persons that have connections to the United States. For example, citizens of countries of concern who reside in the United States or a non-listed country would not be considered a covered person unless they were individually designated by the Attorney General. Of particular interest for most U.S. companies, any U.S. entity that is organized under the laws of the United States and has a foreign branch in a country of concern is considered to be a U.S. person. However, if a U.S. parent company has a subsidiary organized under the laws of a country of concern, the subsidiary is considered a foreign person while the parent company is considered a U.S. person.
B. Data Categories
The Bulk Sensitive Data Regulatory Program would regulate two types of data.
1. Sensitive Personal Data: The NPRM defines six categories of U.S. sensitive personal data to be regulated. The DOJ has ranked the six categories of data in order of sensitivity (listed in descending order): (i) human genomic data, (ii) biometric identifiers, (iii) precise geolocation data, (iv) personal health data, (v) personal financial data, and (vi) covered personal identifiers. A regulated transaction must be with a covered person, involve one or more of the six types of sensitive personal data, and exceed certain volume thresholds detailed in the graphic below.
2. Government-Related Data: Transactions with covered persons involving government‑related data, meaning data relating to government geolocations or attributable to government employees and contractors, will be prohibited regardless of volume. The NPRM published a list of eight specific geofenced areas near government facilities in the Washington, D.C. metro area, Georgia, Hawaii, and Texas.
C. Prohibited and Restricted Transactions
The Program creates a two-tiered system for transactions covered by the regulations. Certain types of transactions are prohibited regardless of the type of data; other data transactions are restricted and could proceed if the security requirements promulgated by CISA are satisfied. Companies engaged in restricted transactions are also subject to data compliance program requirements, independent annual audits, and recordkeeping requirements.
1. Prohibited Data Transactions
- Data-Brokerage Transactions: As currently proposed, “data brokerage” is defined as the sale or transfer of data from any person to a recipient that did not collect or process the data directly from the individual to whom the data relates. For example, if a U.S. organization maintains bulk personal health data and licenses that data to a covered person, the license would constitute a prohibited transaction. The NPRM also prohibits “onward” transactions by placing an affirmative obligation on U.S. persons involved in data-brokerage transactions to contractually prohibit any foreign person counterparty from subsequently selling the same data to a covered person, and to report any known or suspected violations to the DOJ.
- Genomic Data Transactions: Any transaction, including an investment, that involves bulk human genomic data or biological specimens from which such data can be derived is prohibited.
2. Restricted Data Transactions
- Vendor Agreements: A vendor agreement is defined as an agreement for goods or services, including cloud-computing services, in exchange for payment. For example, if a U.S. company collects bulk precise geolocation data from U.S. users on a mobile app and enters into an agreement with a covered person to process and store the data, the U.S. company would be engaging in a restricted transaction.
- Employment Agreements: An employment agreement is any agreement or arrangement for employment (not for independent contractors), including on a board of directors or committee. For example, an app provider that collects bulk sensitive personal information and intends to hire an executive who is a covered person and would have access to that data could be engaging in a restricted transaction.
- Investment Agreements: An investment agreement is any agreement in which a person obtains direct or indirect ownership of a U.S. legal entity or real estate in the United States. The DOJ provided an example of a restricted transaction: a foreign private-equity fund, located in a country of concern, agrees to provide capital for the construction of a data center for a U.S. company that stores sensitive data in exchange for acquiring a majority ownership stake in the data center.
i. Security Requirements
Alongside the NPRM, CISA released proposed security requirements that will apply to restricted transactions, including any sharing or access with a covered vendor, employee, or investor. These security requirements mandate: (1) organizational and system-level requirements and (2) data-level requirements that include:
- maintaining an asset inventory that is updated monthly;
- patching vulnerabilities on certain timelines (e.g., 14 days for known exploited vulnerabilities and 15 days for non-exploited critical vulnerabilities);
- documenting all vendor agreements;
- storing logs for covered systems for at least 12 months;
- applying a combination of data minimization and masking;
- using MFA, encryption, and cryptographic key management; and
- creating an allow list for specific systems by default.
In addition, entities will need to implement logical and physical access controls on covered systems to prevent covered persons from accessing the data. In practice, this will require entities to cross‑reference the work locations and job responsibilities of employees and contractors (likely drawn from their HR system) with those individuals’ system access (e.g., Active Directory group memberships).
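The cross-referencing step described above, as an added illustration that is not part of the NPRM, the CISA requirements, or this alert: it joins a constructed HR export with a constructed directory-group export and flags accounts on covered systems whose holders work or reside in a country of concern, or who have no HR record at all. The country codes, field names, group-naming convention and the simplified “covered person” test are assumptions; the Attorney General’s designated-persons list is not modelled.

```python
from collections import defaultdict

# Countries of concern named in the NPRM (China incl. Hong Kong and Macau, Russia,
# Iran, North Korea, Venezuela, Cuba); the two-letter codes are an assumption.
COUNTRIES_OF_CONCERN = {"CN", "HK", "MO", "RU", "IR", "KP", "VE", "CU"}

# Constructed HR export: account id -> work location, residence, citizenship.
HR_ROSTER = {
    "jdoe":    {"work": "US", "residence": "US", "citizenship": "US"},
    "mwang":   {"work": "US", "residence": "US", "citizenship": "CN"},  # US resident
    "lpetrov": {"work": "RU", "residence": "RU", "citizenship": "RU"},  # in country of concern
    "akim":    {"work": "DE", "residence": "DE", "citizenship": "KP"},  # third country
}

# Constructed directory export: group -> member accounts. Which groups grant
# access to covered systems is an assumed naming convention (COVERED_GROUPS).
GROUP_MEMBERS = {
    "geo-prod-readers": ["jdoe", "mwang", "lpetrov", "svc-etl"],
    "health-db-admins": ["jdoe", "akim"],
    "wiki-editors":     ["lpetrov", "akim"],
}
COVERED_GROUPS = {"geo-prod-readers", "health-db-admins"}


def covered_system_access(group_members, covered_groups):
    """Invert the group export into account -> set of covered groups held."""
    access = defaultdict(set)
    for group, members in group_members.items():
        if group in covered_groups:
            for account in members:
                access[account].add(group)
    return access


def review_access(hr_roster, group_members, covered_groups, countries):
    """Return {account: {"groups": [...], "issues": [...]}} for accounts needing review.

    Only location-based connections are flagged: per the NPRM discussion above,
    citizenship alone does not make someone a covered person, so a citizen of a
    country of concern who resides in the US or a third country is not flagged.
    """
    findings = {}
    for account, groups in covered_system_access(group_members, covered_groups).items():
        record = hr_roster.get(account)
        issues = []
        if record is None:
            # Service or orphaned accounts: location cannot be established, so
            # the access cannot be shown to comply with the access-control rule.
            issues.append("no HR record; cannot establish location or status")
        else:
            if record["work"] in countries:
                issues.append(f"work location {record['work']} is a country of concern")
            if record["residence"] in countries:
                issues.append(f"residence {record['residence']} is a country of concern")
        if issues:
            findings[account] = {"groups": sorted(groups), "issues": issues}
    return findings


if __name__ == "__main__":
    for account, detail in review_access(
        HR_ROSTER, GROUP_MEMBERS, COVERED_GROUPS, COUNTRIES_OF_CONCERN
    ).items():
        print(account, detail["groups"], "; ".join(detail["issues"]))
```

Accounts in non-covered groups only (such as “wiki-editors”) never appear in the output, so the review list tracks the covered systems rather than the whole directory.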
ii. Compliance Program, Audits, and Recordkeeping
For any entity engaging in restricted transactions, the NPRM mandates due diligence requirements such as: (i) identifying transacting parties, including the ownership, citizenship, and residence of individuals; (ii) written compliance policies and procedures for implementing the security requirements; and (iii) verifying data flows in an auditable manner for any restricted transaction.
In addition, the NPRM requires an independent, external audit to review annually restricted transactions and the company’s procedures. Entities engaged in restricted transactions must also maintain records for at least 10 years, including: a full and accurate record of every transaction, the annual audit reports, the written policies related to their data compliance program, the identity and due diligence of the transaction parties and any associated agreements or contracts, and annual compliance certifications.
D. Exemptions
Several categories of transactions will be exempt from these regulations. The NPRM also expanded the exemptions, which include the following:
- Financial Services: Transactions ordinarily incident to and part of financial services, payment processing, and regulatory compliance. Examples include banking, capital markets, or financial-insurance activities; the provision or processing of payments involving the transfer of personal financial data or covered personal identifiers for the purchase and sale of goods and services; and legal and regulatory compliance.
- Corporate Group Transactions: Transactions between a U.S. entity and a subsidiary or affiliate located in a country of concern that are “ordinarily incident to and part of ancillary business operations” (such as human resources and payroll). For example, if a U.S. company sends bulk sensitive data to a subsidiary in a country of concern for the purpose of developing a software tool, the transaction is not exempt. In contrast, if a U.S. company sends bulk sensitive data to a foreign branch located in a country of concern, the transfer would satisfy the corporate group transaction exemption because the foreign branch is considered part of the U.S. company. In the latter scenario, however, if covered persons employed by the foreign branch have access to the sensitive data, that access would be a restricted transaction.
- Telecommunication Services: Data transactions related to telecommunication service, international calling, and data roaming are exempt. Data brokerage transactions by U.S. telecommunications providers, however, are not exempt.
- Drug and Medical Authorizations, and Clinical Investigations: Transactions will be exempt if the transactions involve “regulatory approval data” necessary to obtain or maintain regulatory approval in a country of concern. “Regulatory approval data” consists of de-identified sensitive personal data required by a regulatory entity to research or market a drug, biological product, device, or combination product, including post-marketing studies and surveillance. It excludes data not necessary for assessing safety and effectiveness.
- U.S. Government: Activities of the U.S. government and its contractors, employees, and grantees, such as federally funded health and research activities.
- Investment Agreements: Investment agreements that are subject to mitigation or other actions that CFIUS explicitly designates as exempt.
- Required by Federal Law: Transactions required or authorized by federal law or international agreements, such as the exchange of passenger manifest information, Interpol requests, and public health surveillance.
The NPRM exempts by category those types of investments that do not convey rights that the DOJ believes pose an unacceptable national security risk by giving countries of concern or covered persons access to or influence over data within the ambit of the Program. These include investments in publicly traded securities, index funds, or mutual funds, and investments made as a limited partner in an investment fund. These carveouts are meant to ensure that cross‑border commercial data flows are not impacted by the Program, in line with the Administration’s expressed goal of ensuring that the U.S. remains a global economic leader and protector of cross‑border data flows.
E. Program Mechanics
The Program’s structure and definitions will be modeled on existing U.S. regulations based on IEEPA, such as those administered by the Treasury Department’s Office of Foreign Assets Control. Like those programs, the Bulk Sensitive Data Regulatory Program will establish processes for the DOJ to issue general and specific licenses, and it will not operate on a transaction‑by-transaction basis like the Committee on Foreign Investment in the United States. To supplement general and specific licenses, the DOJ will also issue advisory opinions in response to requests, similar to the DOJ’s Foreign Agents Registration Act and Foreign Corrupt Practices Act regulatory programs.
The Program will also require U.S. entities to report any received and rejected offers from persons to engage in prohibited data brokerage transactions, which must be filed within 14 days of rejection. The DOJ will likely use these reports for investigative purposes to identify entities engaging in prohibited transactions or seeking sensitive data of U.S. persons.
Once the Program is implemented, individuals who fail to comply with its prohibitions or conditions could face civil and criminal penalties.
IV. Outlook
Key takeaways from this announcement include:
- The Program does not just regulate the sale of sensitive data; it regulates who can access data. Although the Program is not intended to prevent all transactions with countries of concern that involve the data of U.S. persons, as drafted the Program appears to cast a wide net. Given the broad categories of data and transactions, parties will need to understand (1) whether they engage with sensitive data and (2) who has access to that data, including members of the board of directors, investors, third-party vendors, and affiliates.
- Intra-company data flows and access should be scrutinized. As currently conceived, the Program could restrict intra-entity data transfers (i.e., transfers between affiliates or foreign branches)—but only certain types. The NPRM exempts corporate group transactions to the extent that they are: (i) between a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, or jurisdiction of) a country of concern; and (ii) ordinarily incident to and part of ancillary business operations (e.g., sharing sensitive personal data for human resources purposes, payroll transactions, etc.). Companies with operations or affiliates in countries of concern will need to assess their operations and data access to determine whether they are engaging in activities that may become unlawful.
- Citizenship and location of individuals who access data may be the basis for liability. Citizens of countries of concern who reside in the United States are not covered by the Program unless individually designated, and citizens of countries of concern located in third countries would not automatically be treated as covered persons either. But if a U.S. company hires an employee who is a covered person and that individual has access to sensitive bulk data, that could be considered a restricted transaction. The nuance to this framework is important; the NPRM’s requirements do not flow from citizenship alone.
- The enforcement risk is real. Rather than setting up the program in Treasury or Commerce, the DOJ is establishing a licensing process to authorize otherwise prohibited transactions and enforce violations. This indicates that the Administration expects the DOJ to use its investigative tools and experience to identify and enforce violations. Ultimately, the U.S. government will now have a powerful new tool that can be adapted and expanded, via Executive Order or additional rulemaking.
- Compliance programs will need to be revamped—or overhauled. Current export compliance, sanctions, and data privacy compliance programs are unlikely to adequately deal with the new framework. Organizations will need to examine: (1) the types of information they collect, (2) the entities or individuals to which they sell or with whom they share that information, and (3) the entities or individuals involved in data collection and processing. Entities should ensure that compliance programs are updated accordingly.
The Bulk Sensitive Data Regulatory Program is a transformative addition to the U.S. government’s growing set of tools aimed at blocking foreign adversaries’ access to Americans’ data. It is critical to recognize that this new regime is not limited to the sale of bulk data—it is focused on the transfer of and access to such data. Once finalized, we expect that the DOJ will not hesitate to employ these new authorities.
[1] See Executive Order 13873, Securing the Information and Communications Technology and Services Supply Chain (May 15, 2019); Executive Order 14034, Protecting Americans’ Sensitive Data from Foreign Adversaries (June 9, 2021).
[2] These are the same six countries that are covered by the Department of Commerce’s information and communications technology and services regulations.
[3] This public list would be similar to the U.S. Treasury Department’s Office of Foreign Assets Control’s Specially Designated Nationals and Blocked Persons list.