What Happened.
The US Department of Justice issued a Notice of Proposed Rule Making (NPRM) on October 21, 2024 that, if finalized, will prohibit or restrict a significant amount of international data sharing with countries of concern, currently identified as China, Russia, Iran, North Korea, Cuba, and Venezuela, and with covered persons in those countries (individual residents and entities meeting certain criteria). The NPRM is preparatory to issuing rules pursuant to President Biden’s Executive Order 14117 (“EO14117”), issued February 28, 2024. EO14117, entitled “Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” expands on Executive Order 13873, issued by President Trump on May 15, 2019, and Executive Order 14034, issued by President Biden on June 9, 2021, to further establish a policy “to restrict access by countries of concern to Americans’ bulk sensitive personal data and United States Government-related data when such access would pose an unacceptable risk to the national security of the United States.” The EO directs the Attorney General to issue regulations restricting the sharing of bulk sensitive personal data and US government-related data with “foreign adversaries.” The NPRM clarifies the types and volumes of data, and the types of international transactions, for which sharing will be prohibited once the final rule is issued.
The proposed rules are very restrictive and require adoption of policies, recordkeeping, auditing, and reporting for certain US entities. US entities should start considering now whether they engage in any transactions likely to be covered by the rule and begin planning to implement compliance requirements once required by the final rule.
What it Means.
Types and Volumes of Data Covered:
The NPRM applies to what it calls “Bulk Sensitive Personal Data” and “United States Government-Related Data.” It applies to all data falling within one of the defined categories regardless of whether the data has been anonymized or pseudonymized to any state law standard, de-identified to the HIPAA standard, or encrypted. The categories, and the thresholds at which data in each category is considered “bulk” (if the threshold is met within a 12-month period), are as follows:
(a) Human genomic data – 100 U.S. persons;
(b) Biometric identifiers – 1,000 U.S. persons;
(c) Precise geolocation – 1,000 U.S. devices;
(d) Personal health data – 10,000 U.S. persons;
(e) Personal financial data – 10,000 U.S. persons;
(f) Covered personal identifiers – 100,000 U.S. persons; or
(g) Combined data (data spanning more than one of the above categories) where any individual data type meets the threshold for its category, i.e., the lowest threshold number of U.S. persons or U.S. devices, collected or maintained in the aggregate, among the categories of data included.
Who are “Covered Persons”:
A “Covered Person” is an individual or entity that falls into one of the classes of covered persons or that the Attorney General has designated as a covered person.
- An entity is a covered person if it is a foreign person that: (1) is 50 percent or more owned, directly or indirectly, by a country of concern; (2) is organized or chartered under the laws of a country of concern; or (3) has its principal place of business in a country of concern.
- An entity is also a covered person if it is a foreign person that is 50 percent or more owned, directly or indirectly, by a covered person.
- Any foreign individual who is an employee or a contractor of such an entity or of the country of concern itself is also a covered person.
- Any foreign person who is primarily a resident in the territorial jurisdiction of a country of concern is also a covered person.
Types of Transactions Covered:
The NPRM applies to transactions that involve any access to covered data and that arise under a vendor agreement, employment agreement, investment agreement, or “data brokerage.” “Data brokerage” is a broad term that includes not only the sale of data that the term brings to mind but also any licensing of access to data or similar commercial transaction that involves the transfer of data from any person to any other person where the recipient did not collect or process the data directly from the data subjects.
Notable Exceptions:
Some transactions that would otherwise be prohibited are nevertheless permitted if they fall into one of the following categories:
- “Restricted Transactions” – defined as data transactions involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person where the U.S. person complies with certain security requirements and the transaction does not involve human genomic data or human biospecimens from which human genomic data can be derived.
- Transactions outside the President’s authority under 50 USC 1702, which include:
  - Personal transactions that do not involve the transfer of anything of value
  - The exportation of “information or informational materials”
  - Transactions ordinarily incident to travel to or from any country
  - Official business of the US Government
- Transactions ordinarily incident to and part of the provision of financial services
- Transactions within a corporate family where one of the affiliates is located within a country of concern and the transaction is ordinarily incident to and part of administrative or ancillary business operations
- Transactions required or authorized by Federal law or international agreements, or necessary for compliance with Federal law (such as collaboration with countries of concern on public health and criminal matters)
- Investment agreements subject to a CFIUS action
- Transactions that do not constitute data brokerage and that are ordinarily incident to and part of the provision of telecommunications services
- Sharing de-identified regulatory approval data necessary to obtain or maintain regulatory approval to market a drug, biological product, device, or combination product in a country of concern, subject to recordkeeping and reporting requirements
  - This also includes data from post-market clinical investigations (conducted under applicable FDA regulations), clinical care data, and post-marketing surveillance, including data on adverse events
  - In addition, and also relevant to the clinical investigations exception below, the Department presently considers the transfer of personal data to covered persons or third-party vendors in a country of concern under either of these two exceptions to be a restricted or prohibited transaction, as discussed further below
- Transactions ordinarily incident to and part of clinical investigations regulated by the FDA to support an FDA application for a research or marketing permit, or de-identified data incident to pharmacovigilance and post-marketing safety monitoring of products
  - Note that DOJ is seeking comment on whether the exemption should also cover clinical investigation data related to other products, such as foods (including dietary supplements) that bear a nutrient content claim or a health claim, food and color additives, and electronic products, as those terms are defined in the FD&C Act
  - DOJ is also seeking comment on these issues, including the costs and feasibility of adopting policies or protocols and the likely effect on medical product research and development and on obtaining or maintaining regulatory authorization
Other Provisions of Note:
In addition to the prohibition and/or restriction of data sharing, the NPRM includes additional terms of note as follows:
- Advisory opinions may be requested to determine if the DOJ considers a specific transaction to be covered by the rule;
- US entities will be expected to conduct due diligence on the entities and individuals to whom they will provide data or access to data, and to audit continued compliance with the rule’s requirements for restricted transactions;
- Specific records will be required for restricted transactions as well as annual reports;
- US entities will be obligated to report to the DOJ prohibited transactions for which they receive a request, even if they reject the request;
- Penalties for violations can range from warnings to civil monetary penalties to criminal penalties including imprisonment.
Considerations for Medical Research:
This rule, once issued and in effect, could have a significant chilling effect on cross-border research with researchers in countries of concern. Sharing of de-identified data sets among academic researchers is common, and many scientific journals require that the data supporting a publication be made available to other researchers upon request. This rule will apply to such uses except where research data is collected pursuant to a US federal grant, in which case NIH rules will apply. An example given for the US Government business exemption makes it clear that research conducted pursuant to a federal grant will be subject to NIH rules and the NIH’s implementation of EO14117. It is not yet clear what rules the NIH may be considering to implement the restrictions.
Considerations for Pharmaceutical and Medical Device Companies:
Companies in the life sciences area should be aware that while the proposed rule exempts certain classes of data transactions from the scope of its prohibitions and restrictions, including regulatory approval data, pre- and post-market clinical investigations (conducted under applicable FDA regulations), and post-marketing surveillance, these exceptions are narrowly drawn. For example, the regulatory approval exception is limited to data that is de-identified and reasonably necessary to evaluate the safety and effectiveness of the product in order to obtain and maintain regulatory approval. The proposed rule offers only limited examples of how far these exemptions extend. One example given is that while “de-identified data that is gathered in the course of a clinical investigation” typically required for FDA approval would be covered by the exemption, “clinical participants’ precise geolocation data, even if required by a country of concern’s regulations, would fall outside the scope of the exemption because such data is not reasonably necessary to evaluate safety or effectiveness.” This requires a critical, step-by-step analysis of the sources of the data at issue, including the underlying study protocols and methodology.
A consistent position taken in the proposed rule concerning these exceptions[1] is that the transfer of personal data to covered persons or third-party vendors in the country of concern constitutes a restricted transaction (or a prohibited transaction if it involves the transfer of bulk human genomic data or biospecimens). For example, a vendor or employment agreement with a covered person to prepare data for submission to a country of concern’s regulatory entity would not fall within the exemption “because the Department does not currently believe that such transactions are necessary to obtain regulatory approval.” Companies’ current regulatory practices, protocols and options may conflict with the position of the DOJ, which “does not currently believe that it is reasonably necessary to use a covered person—as opposed to services provided by the U.S. company itself or by a non-covered person—to prepare data for regulatory submission,” even while acknowledging that “regulatory and legal expertise relevant to a country of concern is likely to be concentrated in the country of concern.” This requires scrutiny of the flow of data and of when it may be available to or used by a covered person, including by companies that outsource regulatory or clinical study activities and/or share certain data with distributors in a country of concern.
DOJ is seeking comment on the proposed scope of the regulatory approval exemption, including on the definition of regulatory approval data and the extent to which data submissions to regulatory entities in countries of concern may involve personally identifiable data. There are several other areas where companies may wish to comment in order to seek clarity and/or make the DOJ aware of the burden, costs and logistical issues that may arise with the proposed rules. These include the use of a covered person in carrying out regulatory, clinical study, and post-market surveillance activities; the potential impacts on innovation, clinical research and clinical study design; conflicts with industry norms and with companies’ business practices and operations, including existing contracts and agreements; costs to companies; and the time needed to implement new policies and change business practices, together with any desired delay of implementation.
Considerations for other International Transactions:
The NPRM states that DOJ may specifically designate entities or individuals as “covered persons.” In addition, however, the NPRM defines “covered person” broadly to include not only country of concern government entities, residents of countries of concern and companies incorporated under the laws of or having a principal place of business in a country of concern but also any entity that is owned, directly or indirectly, 50% or more by a government of a country of concern or an individual resident, employee, or contractor of a country of concern. Accordingly, US companies engaging in covered transactions would need to ensure they are screening transaction parties in this regard. This would be similar to OFAC’s “50% Rule,” which makes any entity owned 50% or more by a Specially Designated National (SDN) an SDN itself. And, like with OFAC’s 50% Rule, screening ownership of transaction parties is certain to present compliance challenges.
Separately, for covered transactions with foreign persons that involve “data brokerage” (which, as mentioned above, is defined broadly), the NPRM provides additional requirements. Specifically, even if the U.S. person is certain that it is not dealing with a covered person, the NPRM would require U.S. persons to contractually require the foreign person to refrain from engaging in a subsequent covered data brokerage transaction with the same data with a country of concern or a covered person. In other words, for all data brokerage transactions with foreign persons, U.S. parties would be required to add a new clause to their contracts.
Take Action
The NPRM was published in the Federal Register on October 29, 2024. Written comments must be submitted on or before November 29, 2024 (the Federal Register notice provides the submission link). We will continue to provide updates on the proposed rule as it makes its way through the process of becoming final. In the meantime, please reach out to your Butler Snow attorney if you have questions or concerns about the impact the proposed rule may have on your business operations.
[1] It is also important to recognize that DOJ has taken a similar position with regard to “corporate group transactions,” where the data transaction is exempted if it is between a U.S. person and its subsidiary or affiliate in a country of concern and is “ordinarily incident to and part of administrative or ancillary business operations.” Examples include data shared for HR, payroll, pension, taxes, permits, or licenses; with auditors and law firms for regulatory compliance; and for risk management. Despite prior comments, DOJ has declined to include suppliers, third-party vendors and service providers within the scope of this exception.