Paul Weiss attorneys say an executive order limiting transfer of personal data to countries of concern will align security with previous expectations of investors, and that companies should assess their risk.
President Joe Biden’s executive order limiting the transfer of sensitive US personal data closes a significant gap in US regulation concerning sensitive personal data.
Previously, a foreign investor seeking to invest in US companies that hold sensitive data could be restricted from making an investment through the CFIUS process, but if the same foreign actor sought to buy the same sensitive information without investing, there was no mechanism for the government to take action. Now, the government is preparing a rule that will broadly restrict sharing bulk sensitive personal data of US persons.
Companies affected by the upcoming regulations can submit comments, assess their risk profiles, and adjust their compliance programs to get ahead of the proposed rulemaking.
In recent years, US national security officials have expressed increased concern about the risks related to the sale of sensitive personal information to foreign actors. A 2018 study noted that a fitness app that published a map based on users’ geolocation data showed the outlines of sensitive US military bases. Media reports have also highlighted how sensitive data sets on military personnel, including information about health conditions and financial metrics, can easily be obtained from “data brokers.”
The Feb. 28 executive order instructs the Department of Justice to undertake a rulemaking process with notice and comment. As a first step in that process, the DOJ issued an advance notice of proposed rulemaking. The proposed rule will prohibit certain types of transactions and subject other transactions to security-related restrictions through a new regulatory system.
The proposal would cover a broad array of transactions related to sensitive data. First, the DOJ broadly defines bulk sensitive US personal data to include a wide array of “personal identifiers” linked to US persons’ digital identity—cookies, IP addresses, call-detail data, social security numbers, SIM card numbers—in addition to geolocation data, personal health, financial data, and other types of data.
Second, the rule broadly defines who is covered by the rule, including any company or national in China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, or Venezuela.
The contemplated rule includes any entity that is 50% owned by such a company or national—meaning that overseas subsidiaries or investment funds in Europe, the Middle East, or elsewhere could be included in the scope of the rule. The DOJ didn’t explicitly state whether US subsidiaries of Chinese companies would be included as covered persons: The “50% rule” suggests that they may.
The rule would broadly prohibit “covered persons” from accessing bulk sensitive US data, whether through a sale or a license or subscription. This would apply to data brokers that sell access to this type of information.
However, it could also apply to US companies that may not consider themselves to be in the data business. For instance, a US company that shares information about its customers with a Chinese company as part of a partnership or business venture could be implicated by this prohibition.
The rule would restrict investment agreements, employment agreements, and vendor agreements with covered persons, requiring that they be subject to security requirements set by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
While those requirements aren’t published yet, they will set physical and cybersecurity requirements to prevent those covered by the rule from accessing sensitive bulk data. For example, they may require a US company with an office in China to put in place security controls that limit its Chinese employees’ access to sensitive data.
How to Prepare
First, given the potential broad scope of the proposed rule, companies may want to provide comment individually or through trade associations. Written comments will be accepted through April 19.
Second, a senior DOJ official said March 8 that multinational companies should get started now developing “risk-based compliance programs tailored to their individualized risk profiles” by reviewing the data they have, reviewing who has access to that data (including vendors and consultants), and reviewing what sales or other agreements are in place that provide access to that data.
Third, the rule may have second-order effects that businesses should consider. For instance, Chinese competitors looking to establish a footprint in US markets may be limited to industries where data covered by the proposed rules would be less prevalent. This could impact market dynamics in key industries including healthcare, defense, telecommunications, and other critical sectors.
The executive order is another example of a trend over the last 15 years in which presidents have invoked national security to develop new regulatory frameworks. There are a growing number of such regulatory systems, including the proposed “outbound investment” regulations and the recent information and communications technology and services regulations, which were issued pursuant to the president’s national security authorities. We expect that this broadening of national security regulation by the executive will continue.
Based on what has been released so far, we expect that the final rule will be a significant development for some US companies, with implications for business lines and compliance programs.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
John P. Carlin is co-chair of Paul Weiss’s cybersecurity & data protection practice and chair of the national security practice.
L. Rush Atkinson is a partner in the litigation department and member of the firm’s cybersecurity & data protection practice.
Samuel Kleiner is an associate in the litigation department.