
DOJ Issues New Rule Regulating Handling of Bulk Sensitive Personal Data

By Craig Heeren and Mollie Sitkowski and Angela Lam
December 01, 2024


The Department of Justice (DOJ) has proposed a rule that would regulate certain transactions involving bulk sensitive personal data. Public comments are due 30 days after publication of the notice.
The rule would implement a complex regulatory framework, with civil and criminal enforcement, that is modeled on sanctions and export licensing regimes. It also implicates federal cybersecurity requirements, government contracting and CFIUS actions.
Businesses that handle significant amounts of sensitive personal data, as well as those that handle any amount of certain U.S. government-related data, should ensure they are prepared for these significant new potential regulations.
On Oct. 21, 2024, the National Security Division of the Department of Justice (DOJ NSD) issued a notice of proposed rulemaking (NPRM) that would establish a comprehensive regulatory framework to prevent or restrict the transfer of "bulk sensitive personal data" to countries and entities that are deemed a risk to U.S. national security. As explained in a prior insight regarding the advance notice of proposed rulemaking on this issue, the DOJ is issuing this rule after the Biden administration, in Executive Order 14117 of Feb. 28, 2024, directed federal agencies to issue regulations responding to the concern that misuse of sensitive data could harm national security. The NPRM addresses comments received through the advance notice process, details the proposed rule, and provides an additional 30-day comment period. As discussed below, the proposed rule is a significant effort to regulate data through civil and criminal enforcement mechanisms akin to sanctions and export control regulations. Businesses potentially subject to its reach should carefully consider how to prepare for the rule's implementation.

Summary of the Rule

The DOJ NSD rule would prohibit or restrict the transfer of "bulk sensitive personal data" or "government-related data" to certain "countries of concern" and "covered persons." Prohibited transactions may proceed only under a license issued by the Department of Justice; restricted transactions may proceed if the transaction meets specified cybersecurity requirements or is licensed. Certain transactions are exempt from the rule entirely. Some of the key provisions include the following:

  • Countries of Concern. The six countries of concern are China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela. The Attorney General may amend the list to add or remove countries.
  • Covered Persons. A "covered person" is defined as one of four classes of entities or individuals that are connected to a country of concern in some fashion (through ownership, organization or principal place of business, employment, or residency), or that the Attorney General otherwise adds to a "Covered Persons List."
  • "Bulk" Data and Government-Related Data. The rule defines "bulk" data as sensitive personal data relating to U.S. persons, whether or not the data is anonymized, pseudonymized, de-identified, or encrypted, that exceeds certain aggregate thresholds at any point in the 12 months before a covered transaction. The proposed thresholds vary by data category: more than 100 U.S. persons for human genomic data, more than 1,000 for biometric identifiers, more than 1,000 U.S. devices for precise geolocation data, more than 10,000 U.S. persons for personal health data or personal financial data, and more than 100,000 U.S. persons for covered personal identifiers. Because anonymization and encryption do not take data out of scope, a business cannot rely on those controls alone to avoid the rule. Government-related data consists of certain precise geolocation data for sensitive government locations and of sensitive personal data, in any amount, that is linked to current or recent former government employees, officials or contractors.
  • Prohibited Transactions. Transactions with a country of concern or covered person involving "data brokerage" and transactions giving access to bulk human genomic data or human biospecimens are prohibited outright.
  • Restricted Transactions & Cybersecurity Requirements. Vendor, employment, and non-passive investment agreements with countries of concern or covered persons may be conducted, provided the U.S. entity involved in the transaction meets cybersecurity requirements developed by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), which were concurrently released for public comment. The proposed CISA requirements combine organizational and system-level controls (such as asset inventories, vulnerability remediation, access controls and logging) with data-level controls (such as data minimization, encryption and privacy-enhancing techniques) intended to prevent covered persons from gaining access to covered data.
  • Exempt Transactions. The proposed rule exempts eleven categories of transactions, including personal communications, certain telecommunications services, certain financial services transactions, certain FDA-regulated data, and certain investment agreements subject to Committee on Foreign Investment in the United States (CFIUS) action.
  • License Requirements. DOJ would have the ability to issue both "general" licenses (a license that permits a class of entities to engage in a described category of transactions on a repeated basis) and "specific" licenses (a license authorizing a particular transaction) to authorize otherwise prohibited or restricted transactions.
  • Civil and Criminal Enforcement Mechanisms. Because the rule is promulgated under the International Emergency Economic Powers Act (IEEPA), the government would be authorized to conduct investigations, impose civil penalties of up to $368,136 or twice the amount of the transaction, whichever is greater, and pursue criminal prosecutions for willful violations, which can result in fines of up to $1 million and up to 20 years of imprisonment. As explained in a prior insight, the statute of limitations for civil and criminal violations of IEEPA was recently extended from five years to 10 years.

What Does This Mean?

The Rule Is Broad and Complex

