United States Proposes and Issues Cross-Border Data Regulation
-
Market Insight 28 May 2024 28 May 2024
-
Asia Pacific, North America
-
Regulatory & Investigations
On 28 February 2024, President Biden issued the “Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “EO”). Concurrently, the Department of Justice issued an “Advanced Notice of Proposed Rulemaking, the Provisions Regarding Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern” (the “ANPRM”). The EO creates a framework that regulates for the first time the cross-border flow of data from the United States to “countries of concern”. The ANPRM provides key detail on the scope of regulation, key definitions, prohibitions and restrictions, exemptions, a licensing regime, and penalties. The ANPRM is the first step in a regulatory process that will end with the publication of detailed final implementation rules.
On 25 April 2024, President Biden signed the “21st Century Peace Through Strength Act” passed by the U.S. Congress, which included in its provisions the “Protecting Americans’ Data from Foreign Adversaries Act of 2024” (the “Act”). The Act is currently a binding, legally effective law. It contains provisions that mirror the EO’s proposed prohibitions on data brokerage transactions.
Countries of Concern and Covered Persons Only
Unlike other global cross-border data transfer regulatory regimes such as Europe’s GDPR and the PRC’s cybersecurity regime, the ANPRM and the Act do not regulate the cross-border flow of data from the US to all jurisdictions, only “countries of concern” and “foreign adversary countries”, respectively.
The proposed “countries of concern” under the ANPRM are the PRC (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela, along with companies subject to their jurisdiction (i.e. “covered persons”), such as entities engaged in business activities or research and development in the PRC.
The term “foreign adversary country”[1] means the PRC, along with Russia, Iran, and North Korea.
Key Points of the ANPRM
Prohibitions and Restrictions: The ANPRM prohibits “covered data transactions” involving “data brokerage” and human genomic data. It restricts “covered data transactions” involving vendor agreements, employment agreements, and investment agreements. Restricted transactions require security standards that effectively requires data anonymization.
What is Regulated / Key Terms: A “covered data transaction” is one that involves “US bulk sensitive personal data” or “government-related data” and one of i) “data brokerage” [prohibited], ii) “vendor agreements” [restricted], iii) “employment agreements” [restricted], or iv) “investment agreements” [restricted]. The proposed standards for “US bulk sensitive personal data” are below. The term “covered personal identifier’ is broadly defined and effectively includes all information that can be traced back to a particular individual.
Human Genomic Data | Biometric Identifiers | Precise Geolocation Data | Personal Health Data | Personal Financial Data | Covered Personal Identifiers | |
Low | More than 100 U.S. persons | More than 100 U.S. persons (for biometric identifiers) or U.S. devices (for precise geolocation data) |
More than 1,000 U.S. persons |
More than 10,000 U.S. persons | ||
High | More than 1,000 U.S. persons | More than 10,000 U.S. persons (for biometric identifiers) or U.S. devices (for precise geolocation data) | More than 1,000,000 U.S. persons | More than 1,000,000 U.S. persons |
The term “data brokerage” includes both the sale and licensing of data, but does not explicitly specify whether inter-company affiliate transfers are covered. This requires clarification given the Act’s definition clearly states it does not. The term “vendor agreements” includes the providing of cloud computing services.
Exemptions: Proposed exemptions relate to personal communications (e.g. text messaging that does not include anything of value) [this is not an exemption under the Act], informational materials, financial transaction such as banking, capital markets, and financial insurance, payments processing, and inter-company sharing of ancillary business data such as human resources and payroll data.
Licensing Regime and Penalties: The ANPRM proposes a licensing regime for transactions that would otherwise be prohibited or restricted, as well as an advisory opinion regime very similar to the one that already exists for U.S. export controls. Penalties are currently only contemplated as monetary, though no threshold is set.
Key Points of the Act
The Act prohibits any transaction of “personally identifiable sensitive data” by a “data broker” to any entity “controlled by a foreign adversary”. Unlike the ANPRM, there is no minimum data threshold for this prohibition.
The term “controlled by a foreign adversary” means a non-U.S. entity incorporated in or with a principal place of business in, a “foreign adverse country”, or any 20% non-U.S. owner of such entity. This is the same definition as the one set forth in the law requiring the divestment of Tiktok.
The term “data broker” means any entity that transacts for valuable consideration U.S. sourced data, where such “entity did not collect directly from such individuals to another entity that is not acting as a service provider”. Unlike the ANPRM definition, this definition would expressly exclude inter-company affiliate transfers from a data collecting entity (e.g. U.S. entity with U.S. operations) to a non-U.S. affiliate entity, as a “data broker” here has to acquire data from someone else.
The term “personally identifiable sensitive data” is broadly construed to include more than personally identifiable information, and includes social media communications, content preferences, and online tracking information.
Potential Impact
The practical effect of the Act is to effectively ban all data brokerage transactions where the recipient is in the PRC or is 20% owned by PRC interests. Technically, this would include portfolio companies whereby a PRC investor (e.g. large Internet companies) owns a 20% or more stake, even if these portfolio companies are based outside of the PRC.
The ANPRM’s proposed prohibitions are not different than those in the Act unless data brokerage transactions under the ANPRM include inter-company affiliate transfers. The ANPRM’s proposed restricted transactions would potentially place heavy compliance burdens on cloud computing providers, effectively requiring them to anonymize data. Multinationals would also need to ensure that their internal data sharing mechanisms comply with the ANPRM’s requirements on employment information.
For more information on how we can help you navigate US-China tensions, please contact Charles Wu at Charles.Wu@clydeco.com
[1] There is no clarification regarding Hong Kong and Macau like in the ANPRM, but since they are legally recognized as part of the PRC, they would in all likelihood be subject to the same jurisdiction as Mainland China.
End