Background

The NPRM aims to restrict the ability of designated countries of concern and persons subject to their jurisdiction (“covered persons”) to access U.S. government-related data or bulk sensitive personal data by restricting or prohibiting certain transactions. There are six countries of concern that the NPRM identifies: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

The NPRM would impose restrictions or prohibitions on transactions that: (1) involve access to bulk U.S. sensitive personal data or any government-related data and (2) involve data brokerages or vendor, employment, or investment agreements.

Given the broad definitions of key concepts such as in-scope “sensitive personal data” and the categories of covered transactions, U.S. organizations will need to carefully assess whether their data is accessible to countries of concern or covered persons and, if so, develop compliance programs to address the contractual and reporting obligations set forth in the NPRM.

Broad range of covered entities

The NPRM is targeted at data transfers to countries of concern (i.e., China, Cuba, Iran, North Korea, Russia, and Venezuela) and covered persons subject to their jurisdiction, which include:

• Foreign entities that are 50% or more owned (directly or indirectly) by a country of concern;
• Foreign entities that are organized or chartered under the laws of countries of concern;
• Foreign entities with a principal place of business in a country of concern;
• Foreign entities that are 50% or more owned (directly or indirectly) by another covered person;
• Foreign employees or contractors of countries of concern or of entities described in a) — d) or g);
• Foreign individuals who reside primarily in a country of concern; and
• Foreign or U.S. persons designated by the Attorney General as covered persons;

Under the proposed rule, U.S. persons (including U.S. subsidiaries) would not be categorically treated as covered persons. However, U.S. persons may be designated as covered persons on an individual basis by the Attorney General, pursuant to criterion g) above. The Attorney General is expected to issue a sanctions-style list of covered persons, where it determines that such persons:

• Are, have been, or are likely to become subject to the ownership, control, jurisdiction, or direction of a country of concern or covered person;

• Act, have acted, purport to act, or are likely to act for or on behalf of countries of concern or covered persons; or

• Have or are likely to knowingly cause or direct violations of the regulations.

Broad range of prohibited transactions 

The NPRM would prohibit data brokerage transactions involving access to bulk U.S. sensitive personal data and transactions involving access to bulk human genomic data or biospecimens from which such data can be derived. Such transactions are strictly prohibited unless licensed by DOJ (discussed in section F). Vendor, employment, and investment agreements that involve access to government-related data or bulk U.S. sensitive personal data would be subject to a broad range of restrictions (discussed in section D).

The NPRM’s definition of “data brokerage” is much broader than standard usage. The standard definition of “data broker” is an entity that sells personal information of individuals with whom the entity does not have a direct relationship. Under the NPRM, however, an entity that sells, licenses access to, or engages in similar commercial transactions involving the transfer of data to a recipient that did not collect the data directly from individuals is engaging in a data brokerage. An example provided in the NPRM is when a U.S.-owned and operated mobile application offers advertising inventory for sale and provides precise geolocation, IP addresses, and advertising IDs of U.S. users to an ad exchange based in a country of concern (e.g., China).

The NPRM’s definition of “sensitive personal data” is notably broad, going beyond current definitions of “sensitive” personal data in U.S. state consumer privacy laws and Committee on Foreign Investment in the United States (CFIUS) regulations. According to the proposed rule, sensitive personal data includes: (1) combinations of personal identifiers (including government identifiers, device IDs, financial account numbers, login credentials, demographic identifiers, and call records), (2) personal financial data, (3) personal health data, (4) precise geolocation data, (5) biometric identifiers, and (6) human genomic data. So, under the NPRM, a name linked to an advertising identifier would be deemed sensitive personal data.

The thresholds for what would be considered “bulk” are rather low, and data transactions would be assessed over a 12-month period. For example, in-scope data brokerage transactions would be prohibited if, over a one-year period, common types of information related to 100,000 or more U.S. persons were disclosed. And the prohibition would hold even if the data were encrypted, anonymized, or de-identified. Lower thresholds apply to other types of data.

Although the NPRM prohibits only those data brokerage transactions involving countries of concern or certain persons subject to their jurisdiction, all data brokerage transactions involving foreign persons (e.g., EU-based organizations) would be impacted by the NPRM. Under the proposed rule, data brokerage transactions with any foreign person would be prohibited unless the U.S. person (1) contractually requires the foreign person to refrain from subsequent data brokerage of the same data with a country of concern or covered person and (2) reports any known or suspected violations of the required contractual provision within 14 days of becoming aware of them.

All data brokerage transactions involving government-related location data (precise geolocation data for any location within the Government-Related Location Data List with a high risk of revealing insights about locations controlled by the Federal Government or their local populations) and personnel data (sensitive personal data marketed as linked or linkable to current or former government employees, contractors, or senior officials) are prohibited, regardless of the number of individuals impacted.

The NPRM also prohibits all covered transactions that involve access to bulk human genomic data or bulk human biospecimens. Such transactions are strictly prohibited even if they involve a vendor, employment, or investment agreement.

Broad range of restricted transactions

The NPRM would restrict (1) vendor agreements, (2) employment agreements, and (3) investment agreements (except certain passive investments) that involve access to bulk sensitive personal data or government-related data. Restricted transactions are prohibited unless they comply with due diligence, audit, reporting, and recordkeeping obligations detailed in the NPRM, or if DOJ issues a license for the transaction (discussed in section F).

• Due diligence obligations: U.S. persons would need to implement a data compliance program that includes written compliance policies as well as risk-based procedures for verifying data flows.

• Audit obligations: The proposed rule would require an annual audit conducted by an external, independent auditor that examines the U.S. person’s transactions and compliance with due diligence, recordkeeping, and security obligations.

• Recordkeeping obligations: U.S. persons would be required to keep a full and accurate record of every restricted transaction and to maintain these records for at least 10 years. They must also keep documents demonstrating compliance with due diligence, audit, and security obligations.  

• Reporting obligations: Reports containing “complete information” about any act or transaction must be furnished to DOJ upon demand. Any U.S. person that has 25% or more of its equity interests owned by a country of concern or covered person and that engages in a restricted transaction involving cloud-computing service must file an annual report.

Restricted transactions must also comply with security obligations issued by CISA. The agency published its proposed security requirements on October 21, 2024, including:

• Organization/system-level requirements that oblige organizational cybersecurity policies and practices, access controls, and data risk assessments.

• Data-level requirements that require data minimization and masking strategies, encryption, privacy enhancing technologies, and authorization management techniques.

Importantly, the safeguards must “fully and effectively prevent” access to covered data by countries of concern and covered persons consistent with a documented risk assessment. That’s a high standard for the private sector to meet when facing the resources of nation states.

Exempt transactions

The NPRM would exempt several classes of transactions from the rule’s coverage, to the extent that they:

• Involve any personal communications that do not involve the transfer of “anything of value”;

• Involve information or informational materials, commercial or otherwise;

• Are ordinarily incident to travel;

• Are for conduct of the official business of the U.S. government;

• Are ordinarily incident to the provision of financial services;

• Are between a U.S. person and its subsidiary or affiliate in or directed by a country of concern and are routine and industry operations to share data within a corporate group;

• Are transactions required or authorized by federal law or international agreements;

• Are investment agreements subject to a CFIUS action;

• Do not involve data brokerage and are usually incident to providing telecommunications services;

• Are necessary for regulatory approval to market a drug or product in a country of concern; or

• Are ordinarily incident to clinical investigations regulated by or supporting applications to the FDA.

DOJ is also considering adding an exemption for covered data transactions involving the transfer or sale of certain human biospecimens for direct medical use, and invites stakeholder input on this question.

Licenses and advisory opinions

The proposed rule would allow DOJ to issue general licenses for classes of prohibited and restricted transactions. Regulated parties may also apply for specific licenses or for reconsideration of a denied license. Organizations should note that licenses may be conditioned on additional obligations.

Potentially regulated parties may also seek advisory opinions concerning actual transactions. Written and signed advisory opinions can be relied upon, but do not bind agencies other than DOJ.

Enforcement

Failure to comply with the proposed rule could result in civil or criminal liability. The NPRM proposes a maximum civil penalty up to $368,136 or twice the amount of the transaction. It also states that anyone who willfully commits, attempts to commit, or conspires to commit a violation of the proposed rule may be fined up to $1,000,000 and/or be imprisoned up to 20 years. DOJ is likely to develop a voluntary self-disclosure program to allow companies to self-disclose potential violations in exchange for mitigation.

Organizations should also note that, while the NPRM doesn’t regulate conduct that occurred prior to the effective date of any final rule, it does apply to continued engagement in covered transactions that were initiated before the proposed rule.

Need for compliance programs

If the NPRM is finalized as-is, any U.S.-based organization engaging in global transactions will need to develop and deploy compliance programs designed to:

• Assess whether the transactions potentially involve prohibited or restricted transactions;

• Determine whether specified exemptions apply (e.g., official U.S. government business, certain financial services, certain transactions performed for legal compliance, certain clinical investigations, and certain corporate group transactions);

• Implement required contractual and security controls for restricted transactions;

• Conduct appropriate diligence of transactions and data recipients;

• Consider whether any specific licenses from DOJ are required; and

• Conform to recordkeeping and reporting requirements.

Even if they do not typically engage in restricted transactions, any U.S. person that receives and rejects an offer to engage in a prohibited transaction must report the offer and rejection to DOJ within 14 business days of the rejection.

Next steps

The DOJ’s NPRM and CISA’s proposed security requirements for restricted transactions were published in the Federal Register on October 29, 2024. Comments for both are due on November 29, 2024.

U.S. companies engaged in transactions involving covered persons or data should review potential implications of the NPRM for their business and consider whether to participate in the rulemaking process.

Authored by Tim Bergreen, Anthony Capobianco, Brian Curran, James Denvil, Scott Loughlin, Ajay Kuntamukkala, Paul Otto, Beth Peters, Anne Salladin, Ari Fridman, Deborah Wei, Lyric Galvin, Lorea Mendiguren, and Ben Kostrzewa.