At approximately the same time as the Executive Order that we described in Part 1 was issued, the Attorney General (AG) released an unofficial, pre-publication version of a 90-page Advance Notice of Proposed Rulemaking (ANPRM), which will become official once published in the Federal Register.  The AG has proposed several regulations and has solicited public comments on over 100 questions.  The public can respond within 45 days of publication in the Federal Register.  After evaluating the responses, the AG will propose revised regulations, which will also be subject to a public comment period.  These proposed regulations generally address only Section 2 of the Executive Order.

Which countries are “countries of concern”?

China

Cuba

Iran

North Korea

Russia

Venezuela

What is “personally identifiable data” that is “in combination with each other”?

The proposed regulation would define the term to mean any “listed identifier” that is linked to any other “listed identifier.”  The proposed definition of “listed identifier” is

  • Full or truncated government identification or account number (such as a Social Security Number, driver’s license or state identification number, passport number, or Alien Registration Number)  [Note that this definition apparently includes truncated Social Security Numbers.]
  • Full financial account numbers or personal identification numbers associated with a financial institution or financial-services company
  • Device-based or hardware-based identifier (such as International Mobile Equipment Identity (IMEI), Media Access Control (MAC) address, or Subscriber Identity Module (SIM) card number)
  • Demographic or contact data (such as first and last name, birth date, birthplace, zip code, residential street or postal address, phone number, and email address and similar public account identifiers)
  • Advertising identifier (such as Google Advertising ID, Apple ID for Advertisers, or other Mobile Advertising ID (MAID))
  • Account-authorization data (such as account username, account password, or an answer to security questions)
  • Network-based identifier (such as Internet Protocol (IP) address or cookie data)
  • Call-detail data (such as Customer Proprietary Network Information (CPNI))

This definition would exclude:

  • Employment history;
  • Educational history;
  • Organizational memberships;
  • Criminal history; or
  • Web-browsing history

The proposed regulation provides some examples to help demonstrate “linking” that becomes “covered personal identifiers”:

  • Example 3.  Demographic or contact data linked only to other demographic or contact data—such as a data set linking first and last names to residential street addresses, email addresses to first and last names, or customer loyalty membership records linking first and last names to phone numbers—would not constitute covered personal identifiers.
  • Example 4.  Demographic or contact data linked to other demographic or contact data and to another listed identifier—such as a data set linking first and last names to email addresses and to IP addresses—would constitute covered personal identifiers.  [Note that the only difference between the two examples is the addition of IP addresses.]
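The two examples above describe a decision rule that a data-inventory or privacy-engineering team could apply to its own data sets: a table is “covered personal identifiers” only if it links at least two listed identifiers and at least one of them is something other than demographic or contact data.  The following Python script is an added illustration written for this article, not code from the ANPRM or the Department of Justice.  It assumes a hypothetical mapping from column names to the eight classes of listed identifier, infers the linking rule solely from Examples 3 and 4 (the Department has said it intends to identify specific data combinations, which may differ), and does not model the bulk thresholds.

```python
"""Classify a data set's columns against the ANPRM's "listed identifier" classes
and apply the linking rule illustrated by Examples 3 and 4.

Added example for this article; not the regulation's own test.  The column-name
mapping below is a constructed assumption: a real inventory would carry explicit
classification tags rather than guess from column names.
"""
from enum import Enum
from typing import Iterable


class IdClass(Enum):
    """The eight classes of "listed identifier" in the proposed definition."""
    GOVERNMENT_ID = "government identification or account number"
    FINANCIAL_ACCOUNT = "financial account number or PIN"
    DEVICE_ID = "device- or hardware-based identifier"
    DEMOGRAPHIC_CONTACT = "demographic or contact data"
    ADVERTISING_ID = "advertising identifier"
    ACCOUNT_AUTH = "account-authorization data"
    NETWORK_ID = "network-based identifier"
    CALL_DETAIL = "call-detail data"


# Hypothetical column-name-to-class mapping (constructed for this example).
COLUMN_CLASSES: dict[str, IdClass] = {
    # government identification numbers; note that a truncated SSN still counts
    "ssn": IdClass.GOVERNMENT_ID,
    "ssn_last4": IdClass.GOVERNMENT_ID,
    "passport_number": IdClass.GOVERNMENT_ID,
    "drivers_license": IdClass.GOVERNMENT_ID,
    # financial account numbers and PINs
    "bank_account_number": IdClass.FINANCIAL_ACCOUNT,
    "card_pin": IdClass.FINANCIAL_ACCOUNT,
    # device- or hardware-based identifiers
    "imei": IdClass.DEVICE_ID,
    "mac_address": IdClass.DEVICE_ID,
    "sim_number": IdClass.DEVICE_ID,
    # demographic or contact data
    "first_name": IdClass.DEMOGRAPHIC_CONTACT,
    "last_name": IdClass.DEMOGRAPHIC_CONTACT,
    "birth_date": IdClass.DEMOGRAPHIC_CONTACT,
    "zip_code": IdClass.DEMOGRAPHIC_CONTACT,
    "street_address": IdClass.DEMOGRAPHIC_CONTACT,
    "phone": IdClass.DEMOGRAPHIC_CONTACT,
    "email": IdClass.DEMOGRAPHIC_CONTACT,
    # advertising identifiers
    "gaid": IdClass.ADVERTISING_ID,
    "idfa": IdClass.ADVERTISING_ID,
    "maid": IdClass.ADVERTISING_ID,
    # account-authorization data
    "username": IdClass.ACCOUNT_AUTH,
    "password_hash": IdClass.ACCOUNT_AUTH,
    "security_answer": IdClass.ACCOUNT_AUTH,
    # network-based identifiers
    "ip_address": IdClass.NETWORK_ID,
    "cookie_id": IdClass.NETWORK_ID,
    # call-detail data
    "cpni": IdClass.CALL_DETAIL,
}

# Categories the proposed definition expressly excludes from "listed identifier".
EXCLUDED_FIELDS = frozenset({
    "employment_history", "education_history", "org_memberships",
    "criminal_history", "browsing_history",
})


def classify(columns: Iterable[str]) -> dict[str, IdClass]:
    """Map each column to its listed-identifier class.

    Excluded categories and columns with no known class are dropped, so the
    result contains only columns that count as listed identifiers.
    """
    classified: dict[str, IdClass] = {}
    for column in columns:
        key = column.strip().lower()
        if key in EXCLUDED_FIELDS:
            continue
        cls = COLUMN_CLASSES.get(key)
        if cls is not None:
            classified[column] = cls
    return classified


def is_covered_personal_identifiers(columns: Iterable[str]) -> bool:
    """Apply the linking rule inferred from Examples 3 and 4.

    Every column in one table is treated as linked to every other column.
    A lone listed identifier is not "linked to any other listed identifier",
    and demographic/contact data linked only to other demographic/contact data
    is not covered (Example 3).  Any other linked pair is covered (Example 4).
    """
    classes = list(classify(columns).values())
    if len(classes) < 2:
        return False
    return any(cls is not IdClass.DEMOGRAPHIC_CONTACT for cls in classes)


if __name__ == "__main__":
    # Constructed sample schemas mirroring the ANPRM's Examples 3 and 4.
    example_3 = ["first_name", "last_name", "street_address"]
    example_4 = ["first_name", "last_name", "email", "ip_address"]
    for name, schema in (("Example 3", example_3), ("Example 4", example_4)):
        print(name, "covered" if is_covered_personal_identifiers(schema) else "not covered")
```

The rule is deliberately conservative in one respect: any non-demographic listed identifier linked to any other listed identifier is treated as covered, including a truncated SSN linked only to a name.  Whether the final regulation draws the line exactly there is one of the questions on which the Department is seeking comment.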

With respect to a combination with other data that “makes the personally identifiable data exploitable by a country of concern,” the AG stated:  “the Department does not intend to impose an obligation on transacting parties to independently determine whether particular combinations of data would be ‘exploitable by a country of concern’; rather, the Department intends to identify specific classes of data that, when combined, would satisfy this standard.”

As for geolocation data, the Attorney General is proposing to limit this data to “precise” geolocation data, but is seeking public comment on what the distance should be to be “precise geolocation data.”

“Biometric identifiers” are proposed to be defined as “measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and templates created by the system.”

With respect to “human ’omic” identifiers, the proposed regulation would limit that term to human genomic data only.

For those in healthcare, “personal health data” would mean “‘individually identifiable health information’ (as defined in 42 U.S.C. § 1320d(6) and 45 CFR 160.103), regardless of whether such information is collected by a ‘covered entity’ or ‘business associate’ as defined in 45 CFR 160.103.”

As for “financial data,” the proposed regulation defines the term as “data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities and debts, and transactions; or data in a credit or “consumer report.”

(at 17-24)

What are the thresholds for “bulk” data?

Recall that the focus of the Executive Order was not on single transactions, but rather on bulk transactions involving Americans’ personal data.  The proposed regulation states:  “To the maximum extent feasible, the bulk thresholds would be set based on a risk-based assessment that examines threat, vulnerabilities, and consequences as components of risk” (at 24).  The characteristics considered in that assessment “may include both human-centric characteristics (which describe a data set in terms of its potential value to a human analyst) and machine-centric characteristics (which describe how easily a data set could be processed by a computer system)” (at 24).

The regulation also proposes a chart of risk levels and corresponding bulk thresholds (at 25); the chart itself is not reproduced here.

What is included in the special category of “government related data”?

Because data about government and military employees is of special concern, the proposed regulations would define “government-related data” to include two categories: 

“(1) any precise geolocation data, regardless of volume, for any location within any area enumerated on a list of specific geofenced areas associated with military, other government, or other sensitive facilities or locations (the Government-Related Location Data List), or (2) any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government, including the military and Intelligence Community.”

(at 30).

What types of data brokerage transactions are in-scope?

The proposed regulation, in keeping with the Executive Order’s focus on permitting ordinary commercial transactions, proposes a definition of “data brokerage” as “the sale of, license of access to, or similar commercial transactions involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data” (at 34).  The proposed regulations state:

Except as otherwise authorized pursuant to these regulations, no U.S. person, on or after the effective date, may knowingly engage in a covered data transaction involving data brokerage with any foreign person unless the U.S. person contractually requires that the foreign person refrain from engaging in a subsequent covered data transaction involving the same data with a country of concern or covered person.

(at 50).  [Note that this contractual requirement would apply to data brokerage with any foreign person, not only with a country of concern or covered person; the onward-transfer restriction is what ties the transaction back to the countries of concern.]

What are “vendor agreements”?

The proposed regulation would define vendor agreements as “any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration” (at 34-35).  These agreements would include not only sending covered data for storage to a company headquartered in a country of concern but also:

  • Example 20.  A medical facility in the United States contracts with a company headquartered in a country of concern to provide IT-related services.  The medical facility has bulk personal health data on its U.S. patients.  The IT services provided under the contract involve access to the medical facility’s systems containing the bulk personal health data.
  • Example 22.  A U.S. company develops mobile games that collect bulk precise geolocation data and biometric identifiers of U.S. person users.  The U.S. company contracts part of the software development to a foreign person who is primarily resident in a country of concern and is a covered person.  The software-development services provided by the covered person under the contract involve access to the bulk precise geolocation data and biometric identifiers.

(at 35).

Will there be some exempt financial transactions?

The proposed regulations anticipate exempting data transactions “to the extent that they are ordinarily incident to and part of the provision of financial services” including:

(i)         banking, capital-markets, or financial-insurance services;

(ii)        a financial activity authorized by 12 U.S.C. § 24 (Seventh) and rules and regulations thereunder;

(iii)       an activity that is “financial in nature or incidental to a financial activity” or “complementary to a financial activity,” as set forth in section 4(k) of the Bank Holding Company Act of 1956 and rules and regulations thereunder;

(iv)       the provision or processing of payments involving the transfer of personal financial data or covered personal identifiers for the purchase and sale of goods and services (such as the purchase, sale, or transfer of consumer products and services through online shopping or e-commerce marketplaces), other than data transactions that involve data brokerage; and

(v)        compliance with any Federal laws and regulations . . .

(at 55-56).

What about inter-affiliate transactions?

The proposed regulations consider exempting some common inter-affiliate transactions to the extent that they are:

(1) between a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern, and (2) ordinarily incident to and part of ancillary business operations (such as the sharing of employees’ covered personal identifiers for human-resources purposes; payroll transactions like the payment of salaries and pensions to overseas employees or contractors; paying business taxes or fees; purchasing business permits or licenses; sharing data with auditors and law firms for regulatory compliance; and risk-management purposes).

(at 57).  Note, however, that the proposed exemption would not apply if the subsidiary sought access to the bulk personal data “for the purpose of complying with a request or order by the country of concern under those national-security laws to provide access to that data” (at 58), that is, under the country of concern’s own national-security laws.

What about due diligence, compliance programs, and recordkeeping?

The Attorney General is considering

a model in which U.S. persons subject to the contemplated program employ a risk-based approach to compliance by developing, implementing, and routinely updating a compliance program.  The compliance program suitable for a particular U.S. person would be based on that U.S. person’s individualized risk profile and would vary depending on a variety of factors, including the U.S. person’s size and sophistication, products and services, customers and counterparties, and geographic locations.

(at 68).  The proposed regulations would impose affirmative reporting obligations only “as conditions of certain categories of U.S. persons that are engaging in restricted covered data transactions or as conditions of a general or specific license, or in certain narrow circumstances to identify attempts to engage in prohibited covered data transactions” (at 69).

What are the proposed penalties?

The proposed penalties would be civil monetary penalties (at 71).

Our Take

This proposal is the Advance Notice of Proposed Rulemaking (ANPRM), which will have a 45-day comment period, and will then be followed by the Notice of Proposed Rulemaking.  Comments received from the ANPRM may affect the wording of the proposed regulations, but at this point, it seems that the simplest way to avoid the proposed regulation is not to do business with the six “countries of concern.”  That advice, however, may not be practical for multinational companies that have affiliates in, or that work with companies in, any of those six countries.

In its current posture, the ANPRM appears to be almost the opposite of GDPR.  The U.S. seems to be approving most transfers of personal data, except where those transfers meet the criteria described in the ANPRM.