- Executive order limits transfer of sensitive data to China
- Justice Department would lead the proposed program
The Biden administration is preparing to establish a new licensing program for companies as part of its crackdown on bulk sales and transfers of sensitive personal data to China and other countries it sees as national security risks.
Bulk transfers from data brokers and of human genomic data would be prohibited to six countries under a US Department of Justice proposal that accompanied President Joe Biden’s executive order issued on Wednesday. “Restricted transactions” by entities such as cloud service providers would have to meet certain security requirements that will be established by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
The Justice Department will accept comment on how to implement a proposed program to license general exemptions to the administration’s restrictions, as well as specific data transfers, according to an unpublished advance notice of proposed rulemaking posted Feb. 28. Under the proposal, companies could seek licenses allowing covered data transfers through an interagency approval process involving the Justice, State, Commerce and Homeland Security departments.
The program may address private sector concerns that complying with the new restrictions could prove burdensome and may provide a “release valve” for emerging technologies, said Brandon Pugh, director of cybersecurity and emerging threats at the R Street Institute.
“You don’t want to unduly limit business and data flows either, and I think the rules have the potential to strike that balance if done right,” Pugh said. “Licensing is a way to provide some flexibility to businesses moving forward.”
A licensing program would involve bright-line rules, unlike more bureaucratic case-by-case approaches to evaluating data transfers such as that of the Committee on Foreign Investment in the United States, said Adam Hickey, a cyber and national security partner at Mayer Brown LLP who helped develop the Justice Department’s initial approach as an official there.
The Justice Department proposal offers ranges for what constitutes a bulk data transfer depending on the data type and level of sensitivity.
A licensing program would come with compliance headaches of its own, however. The Justice Department’s focus includes comment on six possible categories of sensitive bulk data that could be eligible for licenses: personal identifiers, precise geolocation, and biometric identifiers, as well as financial, health, and human genomic data.
The department wants to know whether it should require licensees to maintain data transfer records, file reports, and submit to audits for compliance with the executive order’s security requirements. It also proposed making licensing violations subject to fines.
“This will turn out to be a very robust area of enforcement, particularly because DOJ is involved,” Hickey said.
Data transactions could be made slower and incur “huge” compliance costs given the breadth of the proposed requirements compared to export controls processes, said Chinmayi Sharma, a cybersecurity and internet governance law professor at Fordham University School of Law.
“The amount of information that needs to be sorted is enormous,” Sharma said. “You’ve gone from submitting a short letter of what the transactions are supposed to be to needing to share all of the terms and relevant information about the transaction.”
National Security Questions
The Justice Department identified China, Russia, Iran, North Korea, Cuba, and Venezuela as “countries of concern.” But there are few cross-border data flows with those last four nations because of existing sanctions, Hickey said.
The executive order does not impose any immediate legal obligations onto companies. It comes, however, amid growing concern that countries of concern can easily purchase Americans’ sensitive information that could be used to compromise national security and fuel global competition.
“The administration is pretty clearly and explicitly focusing on China because there are a lot of economic relationships between American companies and Chinese companies and American researchers,” he said.
Companies are likely to weigh in during the comment process on whether the proposed thresholds make sense, said Pugh.
While emails or home addresses could fall into the personal identifier category in a bulk data set covering 1 million US citizens, the DOJ is proposing lower thresholds for more sensitive data, such as genomic data.
“It takes more of this information to get the same amount of volume of sensitive inferences or insights you can get” from more sensitive data, Sharma said about the personal identifiers threshold, which could cover email and home addresses.
The Justice Department repeatedly referred to Office of Foreign Assets Control restrictions in its initial proposal. That suggests that covered entities should approach the proposed regulation “as yet another trade restriction” by developing a compliance program to avoid investigations and enforcement actions, Hickey said.
