DOJ Proposes Restrictions on Transactions Involving Bulk Sensitive Data

BACKGROUND

On February 28, 2024, President Biden issued EO 14117, entitled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The EO directs the Attorney General to issue regulations that prohibit or otherwise restrict US persons from engaging in “any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (transaction),” where the transaction:

• Involves US-government-related data or bulk US sensitive personal data, as defined by final rules implementing the EO;
• Falls within a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to the national security of the United States because the transactions may enable access by countries of concern or covered persons to government-related data or bulk US sensitive personal data; and
• Meets other criteria specified by the EO.

DOJ’s proposed rule identifies six countries of concern:

• People’s Republic of China, along with the Special Administrative Region of Hong Kong and the Special Administrative Region of Macau.
• Russian Federation.
• Islamic Republic of Iran.
• Democratic People’s Republic of Korea.
• Republic of Cuba.
• Bolivarian Republic of Venezuela.

The goal of the proposed rule is to protect “sensitive personal data” from being exploited by a country of concern to harm US national security, particularly if that data is linked or linkable to any identifiable US individual or to a discrete and identifiable group of US persons. As a result, relevant entities would be prohibited from sharing bulk sensitive data with the six countries identified as a threat to national security.

The proposed rule provides specific definitions of sensitive personal data and what constitutes “bulk.” It clarifies exceptions and exemptions (which are particularly relevant for certain healthcare entities), as well as proposed penalties.

DEFINITIONS AND PROPOSED THRESHOLDS

The proposed rule defines of six categories of sensitive personal data:

• Covered personal identifiers.
• Precise geolocation data.
• Biometric identifiers.
• Human genomic data.
• Personal health data.
• Personal financial data.

DOJ also proposes four tiers of sensitivity, which tie to numerical thresholds for bulk sensitive personal data. Relevant proposed definitions and thresholds are discussed below.

Bulk US sensitive personal data. The proposed rule defines this as a collection or set of sensitive personal data relating to US persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.

The proposed rule defines “bulk” as any amount of such data that meets or exceeds the specified thresholds during a given 12-month period, whether through one covered data transaction or multiple covered data transactions involving the same US person and the same foreign person or covered person.

Covered person. The proposed rule identifies a “covered person” as an individual or entity that the Attorney General has designated as a covered person or that falls into one of the following classes of covered persons:

• Is 50% or more owned, directly or indirectly, by a country of concern.
• Is organized or chartered under the laws of a country of concern.
• Has its principal place of business in a country of concern.

An entity is also a covered person if it is a foreign person that is 50% or more owned, directly or indirectly, by a covered person. Any foreign individual who is an employee or a contractor of such an entity or of the country of concern itself is also a covered person.

The proposed rule would not treat any US person, including a US subsidiary of a covered person, as a covered person unless the DOJ has designated the US subsidiary as a covered person pursuant to the process described in the proposed rule. No US person, including the US subsidiary of a covered person, would be categorically treated as a covered person under the proposed rule.

Human genomic data. The proposed rule has been identified as the most sensitive category, and DOJ proposes that human genomic data be on its own in the first tier of sensitivity. The bulk threshold for human genomic data would be more than 100 US persons. Anything below this amount would not trigger the limitations in the proposed rule.

The proposed rule defines “human genomic data” as data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a human cell, including the result or results of an individual’s “genetic test” and any related human genetic sequencing data. The term “human genomic data” does not include non-human data, such as pathogen genetic sequence data, that is derived from or integrated into human genomic data.

Biometric identifiers. Biometric identifiers and precise geolocation data would be grouped under tier two of sensitivity. The proposed bulk threshold for biometric identifiers is more than 1,000 US persons. Anything below this amount would not trigger the limitations in the proposed rule.

The proposed rule defines “biometric identifiers” as measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.

Personal health data. Personal health data and personal financial data would be grouped in the third tier of sensitivity. The proposed bulk threshold for personal health data is more than 10,000 US persons. Anything below this amount would not trigger the limitations in the proposed rule.

The proposed rule uses the Health Insurance Portability and Accountability Act of 1996 (HIPAA) definition of “individually identifiable health information” as the starting point for its personal health data definition and then revises it so that the proposed rule’s definition does not turn on whether data is handled by HIPAA covered entities or business associates. Personal health data is not defined in terms of whether the data identifies an individual, because the proposed rule would apply regardless of whether data is de-identified.

The proposed rule defines “personal health data” as health information that relates to:

• The past, present, or future physical or mental health or condition of an individual;
• The provision of healthcare to an individual; or
• The past, present, or future payment for the provision of healthcare to an individual.

The personal health data includes:

• Basic physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms, and allergies);
• Social, psychological, behavioral, and medical diagnostic, intervention, and treatment history;
• Test results;
• Logs of exercise habits;
• Immunization data;
• Data on reproductive and sexual health; and
• Data on the use or purchase of prescribed medications.

The proposed rule would operate on a categorical basis and would determine that the category of personal health data generally meets the requirements of being “exploitable by a country of concern to harm U.S. national security” and “is linked or linkable to any identifiable U.S. individual or to a discrete and identifiable group of U.S. individuals.”

Covered personal identifiers. The proposed rule would place covered personal identifiers into the fourth tier. The proposed bulk threshold for covered personal identifiers is more than 100,000 US persons. Anything below this amount would not trigger the limitations in the proposed rule.

The EO defined “covered personal identifiers” as “specifically listed classes of personally identifiable data that are reasonably linked to an individual, and that – whether in combination with each other, with other sensitive personal data, or with other data that is disclosed by a transacting party pursuant to the transaction and that makes the personally identifiable data exploitable by a country of concern – could be used to identify an individual from a data set or link data across multiple data sets to an individual,” subject to certain exclusions.

The proposed rule provides three subcategories of covered personal identifiers:

• Listed identifiers in combination with any other listed identifier.
• Listed identifiers in combination with other sensitive personal data.
• Listed identifiers in combination with other data that a transacting party discloses pursuant to the transaction that make the listed identifier exploitable by a country of concern, if they could be used to identify an individual from a dataset or to link data across multiple datasets to an individual.

There are two proposed exceptions:

• Demographic or contact data that is linked only to other demographic or contact data.
• A network-based identifier, account-authentication data, or call-detail data that is linked only to other network-based identifiers, account authentication data, or call-detail data as necessary for the provision of telecommunications, networking, or similar services

EXCLUSIONS AND EXEMPTIONS

Exclusions from definition of sensitive personal data. The proposed rule would exclude certain categories of data from the definition of the term “sensitive personal data.” These exclusions include:

• Public or nonpublic data that do not relate to an individual, including trade secrets and proprietary information.
• Data that are, at the time of the transaction, lawfully publicly available from government records or widely distributed media.
• Personal communications.

Exclusions from data-brokerage transactions. The proposed rule also includes a prohibition specific to data brokerage to address transactions involving the onward transfer or resale of government-related data or bulk US sensitive personal data to countries of concern and covered persons. The proposed rule defines “data brokerage” as the sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.

The proposed rule includes an exemption relevant to healthcare entities. Specifically, grantees and contractors of federal departments and agencies, including the US Department of Health and Human Services, the US Department of Veterans Affairs, the US National Science Foundation, and the US Department of Defense, would be exempt. The exemption allows these agencies to pursue grant- and contract-based conditions to address risks that countries of concern can access sensitive personal data in transactions related to their agencies’ own grants and contracts, without subjecting those grantees and contractors to dual regulation under the rule and the grant or contract.

Drug, biological product, and medical device authorizations exemption. Under the proposed rule, certain data transactions necessary to obtain and maintain regulatory approval to market a drug, biological product, medical device, or combination product in a country of concern would be exempt from the prohibitions in the proposed rule.

This exemption aims to balance the need to mitigate US national security risks related to unrestricted transfer of bulk US sensitive personal data to countries of concern against scientific, humanitarian, and economic interests in enabling the sale of medicines in those countries. This exemption would be limited to data that is:

• De-identified;
• Required by a regulatory entity to obtain or maintain authorization or approval to research or market a drug, biological product, device, or combination product (i.e., covered product); and
• Reasonably necessary to evaluate the safety and effectiveness of the covered product.

For example, de-identified data that is gathered in the course of a clinical investigation and would typically be required for US Food and Drug Administration (FDA) approval of a covered product would generally fall within the exemption. Conversely, clinical participants’ precise geolocation data, even if required by a country of concern’s regulations, would fall outside the scope of the exemption because such data is not reasonably necessary to evaluate safety or effectiveness. DOJ recognizes that data collection and submission continue beyond the initial regulatory approval process, and it intends the term “regulatory approval data” to include data from post-market clinical investigations (conducted under applicable FDA regulations), clinical care data, and post-marketing surveillance (including data on adverse events).

For example, where continued approval to market a drug in a country of concern is contingent on submission of data from ongoing product vigilance or other post-market requirements, the exemption would apply. The exemption would apply even where FDA authorization for a product has not been sought or obtained. DOJ does not, in the proposed rule, intend to require US companies to seek authorization to market a product in the United States before seeking regulatory approval from a country of concern. The proposed exemption is limited to transactions that are necessary to obtain or maintain regulatory approval in the country of concern.

Other clinical investigations and post-marketing surveillance data exemption. The proposed rule would exempt data that is “ordinarily incident to and part of clinical investigations regulated by the FDA or clinical investigations that support applications to the FDA for research or marketing permits for drugs, biological products, devices, combination products, or infant formula.”

It also would exempt data that is “ordinarily incident to and part of the collection or processing of clinical care data indicating real-world performance or safety of products, or the collection or processing of post-marketing surveillance data (including pharmacovigilance and post-marketing safety monitoring), and necessary to support or maintain authorization by the FDA, provided the data is deidentified.”

Other FDA-regulated research exemptions. In the proposed rule, DOJ acknowledges the challenge of balancing national security risk and biomedical innovation that benefits the United States. DOJ is considering how to effectively strike that balance and how to scope an exemption for transactions related to or supporting FDA-regulated research to meet that goal. The DOJ is considering the scope of a possible exemption along three axes:

• Types of data included in the exemption: DOJ anticipates that any exemption would concern data obtained in the course of clinical investigations related to drugs, biological products, devices, and combination products, as those terms are defined in the Federal Food, Drug, and Cosmetic Act and FDA regulations. DOJ believes that these products raise the most significant countervailing economic, health, and scientific concerns that might outweigh the national security interests otherwise at stake.

The exemption would also apply to clinical care data indicating real-world performance or safety of products, or post-marketing surveillance data (including pharmacovigilance and post-marketing safety monitoring), where necessary to support or maintain authorization by the FDA.

DOJ also recognizes the existing regulatory framework in these contexts and is evaluating whether these provisions adequately reduce the national security risk associated with the transfer of bulk US sensitive personal data to a country of concern or covered person.

• Types of transactions involving the data that would be exempted. The proposed rule considers what kinds of transactions to exempt when they involve data that implicate the exemption. This could include bulk US sensitive personal data collected in the course of an FDA-regulated clinical investigation to develop a drug.

One proposal would exempt all transactions that are part of the conduct of the investigation. An alternative proposal would limit an exemption to only certain types of transactions that are especially important to the conduct of a clinical investigation and that cannot feasibly be avoided without jeopardizing the clinical investigation.

The proposed rule contemplates implementing an exemption for clinical investigations, clinical data, and post-marketing surveillance through one or more general licenses as opposed to including the exemption in the final rule. The DOJ believes general licenses may be a more flexible regulatory tool that can be adjusted to varying circumstances, but for the short term, the DOJ believes that a codified exemption would provide more clarity and certainty for relevant entities.

• Duration of exemptions. The proposed rule considers whether any exemption, or parts of it, could feasibly be time-limited to allow industry to shift existing processes and operations out of countries of concern over a transition period. If DOJ does not broadly exempt clinical research from the scope of the prohibitions, the agency may consider delaying the effective date of the proposed rule with respect to such research to enable affected entities to complete ongoing or imminent trials without disruption or delay, while transitioning planning and policies for future trials.

ADVISORY OPINIONS

The proposed rule would create a mechanism for potentially regulated parties to seek opinions about the application of the final regulations and/or the EO to specific transactions. The proposed rule would permit a US person seeking to engage in a transaction potentially subject to the final regulation to request an interpretation of any provision. The proposed rule would require that advisory opinions only be requested regarding actual (not hypothetical) transactions. Advisory opinions could cover, for example:

• Whether a particular transaction is a prohibited transaction or restricted transaction.
• Whether a person is a US person, foreign person, or covered person.

PENALTIES

The proposed rule includes civil monetary penalties based on noncompliance, material misstatements or omissions, false certifications or submissions, or other actions and factors.

The proposed maximum civil monetary penalty for violations would be the greater of $368,136 or twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed. DOJ proposes to make annual adjustments, based on inflation, to the civil monetary penalty. Willful violations would lead to criminal fines of up to $1 million and up to 20 years’ imprisonment.

NEXT STEPS

The proposed rule is open for public comment through November 29, 2024. Healthcare entities and other interested stakeholders should consider commenting on the appropriateness of the proposed exemptions and exclusions, as well as the adequacy and accuracy of the proposed definitions and related thresholds.