U.S. Issues Final Rules Regulating the Cross-Border Flow of Data for the First Time

  • Legal development, 7 January 2025
  • North America

  • Regulatory risk

On February 28, 2024, President Biden issued the “Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern”. Concurrently, the Department of Justice issued an “Advance Notice of Proposed Rulemaking, Provisions Regarding Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern”. On October 21, 2024, it issued a “Notice of Proposed Rulemaking” containing proposed rules. On December 27, 2024, it issued the final rule “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rules”), which takes effect 90 days after its publication in the Federal Register.


The Final Rules create a framework that regulates for the first time the cross-border flow of data from the United States to “countries of concern”. The Final Rules largely build on the concepts introduced in the proposed rules, and contain more detailed implementation guidelines and helpful working examples. These working examples reveal that in practice, the Final Rules will regulate the cross-border flow of data from U.S. subsidiaries to parent entities headquartered in “countries of concern”. Furthermore, the Final Rules create what could be interpreted as a “backdoor CFIUS” mechanism that restricts investment transactions in U.S. businesses by investors in “countries of concern”, even if these transactions are cleared by CFIUS.


Jurisdictional Reach - Countries of Concern and Covered Persons Only

Unlike other cross-border data transfer regimes such as Europe’s GDPR and the PRC’s cybersecurity regime, the Final Rules do not regulate the flow of data from the U.S. to all jurisdictions, only to “countries of concern”, namely China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

A “covered person” is a government of a “country of concern” or a legal entity connected to one, and includes businesses whose principal place of business is in a “country of concern”, their subsidiaries that are 50% or more owned (modelled on the 50 percent rule of the U.S. sanctions regime), and the employees and contractors of each of them. Applied in practice, this means that Chinese companies with offshore Cayman holding structures are nevertheless covered because their principal place of business is in China. Furthermore, the reach of the Final Rules extends to their employees and contractors and, in practice, to the U.S. subsidiaries they own 50% or more of, directly or indirectly, whose transfers of data to the parent are covered.


Prohibitions, Restrictions, Exemptions, Licensing, and Penalties

Prohibitions: The Final Rules prohibit “covered data transactions” involving “data brokerage”, or access to bulk human genomic data (or human biospecimens from which it can be derived), with a “country of concern” or a “covered person”.

A “covered data transaction” involves government-related data (to which no volume threshold applies) or “bulk U.S. sensitive personal data”, meaning data that meets the following thresholds:

Type of data                     Bulk threshold (U.S. persons unless noted)
Human ‘omic data                 more than 1,000
Human genomic data               more than 100
Biometric identifiers            more than 1,000
Precise geolocation data         more than 1,000 U.S. devices
Personal health data             more than 10,000
Personal financial data          more than 10,000
Covered personal identifiers     more than 100,000


A “covered personal identifier” means a listed identifier in combination with another listed identifier, or with demographic or contact data, but excludes demographic or contact data that is linked only to other demographic or contact data. The contours of these concepts are explained in more detail in the working examples. A standalone listed identifier, such as an account username, is not a covered personal identifier. Demographic or contact data linked only to other demographic or contact data, such as a name linked to a residential address, is not a covered personal identifier either. However, a listed identifier linked to another listed identifier, or a listed identifier linked to demographic or contact data, is a covered personal identifier. Examples include a name linked to an e-mail address or IP address, and a username linked to a password.

“Data brokerage” means the sale or licensing of data that the recipient did not collect directly from the individuals concerned. The working examples clarify whether inter-company data transfers count as “data brokerage”: except for personal communications covered by the Berman Amendment exemption (which would save TikTok from these rules), they do. In one example, a U.S. subsidiary of a parent headquartered in a “country of concern” operates an autonomous driving platform in the U.S. that collects precise geolocation data from its cars. Licensing that data from the U.S. subsidiary to the parent is a prohibited transaction. In another example, the U.S. subsidiary of a parent headquartered in a “country of concern” develops an AI chatbot using covered data sourced from the U.S. To the extent the parent can access the raw data underlying the chatbot, that access is a prohibited transaction.

Restrictions: Vendor agreements, employment agreements, and non-passive investment agreements are “restricted transactions”, meaning the U.S. business may enter into them only if it complies with a set of security requirements covering organizational, system-level and data-level controls (such as encryption, data minimization and anonymization). The term “vendor agreement” includes the provision of cloud computing services.

With respect to non-passive investments, the Final Rules effectively contain a “backdoor CFIUS” mechanism. Non-passive investments in U.S. companies, defined as 10% or more investments or investments involving operational control including board representation, by investors in “countries of concern”, are now restricted and subject to the security standards in the Final Rules. This is true even if the underlying transaction was cleared by CFIUS without conditions.

Exemptions: Exemptions cover personal communications (e.g. text messaging that does not involve the transfer of anything of value), informational materials, financial transactions such as banking, capital markets and financial insurance, payments processing, and the inter-company sharing of ancillary business data such as human resources and payroll data.

Licensing Regime: The Final Rules include a licensing regime for transactions that would otherwise be prohibited or restricted, as well as an advisory opinion process very similar to the one that already exists for U.S. export controls.

Penalties: Liability is grounded in IEEPA, as it is for U.S. export controls and sanctions, meaning a violation may result in a civil penalty of up to US$368,136 (adjusted for inflation) or twice the amount of the transaction that is the basis of the violation, whichever is greater; wilful violations may result in a criminal fine of up to US$1,000,000 and/or imprisonment of up to 20 years.

Potential Impact

Two overarching themes emerge from the Final Rules: one general, and one concerning the new compliance burdens the Final Rules impose in practice.

The general theme is that the Final Rules are likely the opening salvo in national regulation of the flow of data out of the U.S., making the U.S. a third pillar of cross-border data regulation alongside the European Union and China.

The compliance burdens of the Final Rules do not affect only the U.S. businesses of companies headquartered in “countries of concern”; they also affect every multinational that sells or licenses data it collects in the U.S. The “backdoor CFIUS” mechanism adds a further layer of complexity that may in practice extend to the U.S. businesses of companies with significant operations in “countries of concern”, as evidenced by CFIUS’ recent focus on the Chinese operations of Japanese acquirers of U.S. businesses.


To learn more about our U.S. corporate, M&A, venture capital, and compliance practices, please contact Charles Wu at Charles.Wu@clydeco.com
