Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons

SUPPLEMENTARY INFORMATION:

In accordance with 5 U.S.C. 553(b)(4), a plain language summary of the proposed rule is available at www.regulations.gov.

Public Participation

Instructions: We encourage comments to be submitted via https://www.regulations.gov. Please submit comments only, include your name and company name (if any), and cite “Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” in all correspondence. Anyone submitting business confidential information should clearly identify the business confidential portion at the time of submission, file a statement justifying nondisclosure and referring to the specific legal authority claimed, and provide a non-confidential version of the submission. For comments submitted electronically containing business confidential information, the file name of the business confidential version should begin with the characters “BC.” Any page containing business confidential information must be clearly marked “BUSINESS CONFIDENTIAL” at the top of that page. The corresponding non-confidential version of those comments must be clearly marked “PUBLIC.” The file name of the nonconfidential version should begin with the character “P.” Any submissions with file names that do not begin with a “BC” will be assumed to be public and will be posted without change, including any business or personal information provided, such as names, addresses, email addresses, or telephone numbers.

To facilitate an efficient review of submissions, the Department of Justice encourages but does not require commenters to: (1) submit a short executive summary at the beginning of all comments; (2) provide supporting material, including empirical data, findings, and analysis in reports or studies by established organizations or research institutions; (3) describe the relative benefits and costs of the approach contemplated in this NPRM and any alternative approaches; and (4) refer to the specific proposed subpart or defined term to which each comment is addressed. The Department of Justice welcomes interested parties' submissions of written comments discussing relevant experiences, information, and views. Parties wishing to supplement their written comments with a follow-up meeting may request to do so, and the Department of Justice may accommodate such requests as resources permit.

Table of Contents

I. Executive Summary

II. Background

III. Advance Notice of Proposed Rulemaking and Comments

IV. Discussion of the Proposed Rule

A. Subpart C—Prohibited Transactions and Related Activities

1. Section 202.210—Covered Data Transactions

2. Section 202.301—Prohibited Data-Brokerage Transactions

3. Section 202.201—Access

4. Section 202.249—Sensitive Personal Data

5. Section 202.212—Covered Personal Identifiers

6. Section 202.234—Listed Identifier

7. Section 202.242—Precise Geolocation Data

8. Section 202.204—Biometric Identifiers

9. Section 202.224—Human Genomic Data

10. Other Human `Omic Data

11. Section 202.240—Personal Financial Data

12. Section 202.241—Personal Health Data

13. Section 202.206—Bulk U.S. Sensitive Personal Data

14. Section 202.205—Bulk

15. Section 202.222—Government-Related Data

16. Section 202.302—Other Prohibited Data-Brokerage Transactions Involving Potential Onward Transfer to Countries of Concern or Covered Persons

17. Section 202.303—Prohibited Human Genomic Data and Human Biospecimen Transactions

18. Section 202.304—Prohibited Evasions, Attempts, Causing Violations, and Conspiracies

19. Section 202.305—Knowingly Directing Prohibited Transactions

20. Section 202.215—Directing

21. Section 202.230—Knowingly

B. Subpart D—Restricted Transactions

1. Section 202.401—Authorization To Conduct Restricted Transactions; Section 202.402—Incorporation by Reference

2. Section 202.258—Vendor Agreement

3. Section 202.217—Employment Agreement

4. Section 202.228—Investment Agreement

C. Subpart E—Exempt Transactions

1. Section 202.501—Personal Communications; Section 202.502—Information or Informational Materials; and Section 402.503—Travel

2. Section 202.504—Official Business of the United States Government

3. Section 202.505—Financial Services

4. Section 202.506—Corporate Group Transactions

5. Section 202.507—Transactions Required or Authorized by Federal Law or International Agreements, or Necessary for Compliance With Federal Law

6. Section 202.508—Investment Agreements Subject to a CFIUS Action

7. Section 202.509—Telecommunications Services

8. Section 202.510—Drug, Biological Product, and Medical Device Authorizations

9. Section 202.511—Other Clinical Investigations and Post-Marketing Surveillance Data

10. Other Exemptions

D. Subpart F—Determination of Countries of Concern

1. Section 202.601—Determination of Countries of Concern

a. China

b. Cuba

c. Iran

d. North Korea

e. Russia

f. Venezuela

E. Subpart G—Covered Persons

1. Section 202.211—Covered Person

2. Section 202.701—Designation of Covered Persons

F. Subpart H—Licensing

1. Section 202.801—General Licenses

2. Section 202.802—Specific Licenses

3. Conditions on General and Specific Licenses

G. Subpart I—Advisory Opinions

1. Section 202.901—Inquiries Concerning Application of This Part

H. Subpart J—Due Diligence and Audit Requirements

1. Section 202.1001—Due Diligence for Restricted Transactions

2. Section 202.1002—Audits for Restricted Transactions

I. Subpart K—Reporting and Recordkeeping Requirements

1. Section 202.1101—Records and Recordkeeping Requirements

2. Section 202.1102—Reports To Be Furnished on Demand

3. Section 202.1103—Annual Reports

4. Section 202.1104—Reports on Rejected Prohibited Transactions

J. Subpart M—Penalties and Finding of Violation

1. Section 202.1301—Penalties for Violations

2. Section 202.1305—Finding of Violation

K. Coordination With Other Regulatory Regimes

L. Severability

V. Analysis for Proposed Bulk Thresholds

A. Analysis of Sensitivity of Each Category of Sensitive Personal Data

1. Human Genomic Data

2. Biometric Identifiers

3. Precise Geolocation Data

4. Personal Health Data

5. Personal Financial Data

6. Covered Personal Identifiers

B. Grouping the Categories Into Tiers by Similar Sensitivity

C. Proposed Bulk Thresholds for Each Tier

VI. Interpretation of “Information or Informational Materials” in IEEPA

A. The Berman Amendment Is Intended To Protect the Free Exchange of Ideas

B. The Berman Amendment Does Not Reach Transactions Involving Sensitive Personal Data Under This Proposed Rule

C. Exclusion for Materials Already Created and in Existence

VII. Regulatory Requirements

A. Executive Orders 12866 (Regulatory Planning and Review) as Amended by Executive Orders 13563 (Improving Regulation and Regulatory Review) and 14094 (Modernizing Regulatory Review)

1. Executive Summary

2. Introduction

3. Market Sectors Impacted by the Proposed Regulation

a. Sensitive Personal Data and Government-Related Data

i. Personal Financial Data

ii. Personal Health Data

iii. Precise Geolocation Data

iv. Human Genomic and Human `Omic Data

v. Biometric Identifiers

vi. Covered Personal Identifiers

b. The Data-Brokerage Market

i. Companies That May Meet the Definition of Data Brokers for the Purposes of the Proposed Rule

ii. Market Size

iii. Products Sold by Data Brokers

iv. Price Information

v. Customers of Data-Brokerage Products

c. Agreements Affected by the Proposed Regulation

i. Vendor Agreements

ii. Employment Agreements

iii. Investment Agreements

iv. Security Requirements

v. Due Diligence and Recordkeeping

vi. Audits

vii. Licenses

4. Need for Regulatory Action

5. Baseline (Without the Proposed Rule)

a. Baseline National Security and Foreign-Policy Risks by Category of Data

i. Human Genomic and Human `Omic Data

ii. Biometric Identifiers

iii. Precise Geolocation Data

iv. Personal Health Data

v. Personal Financial Data

vi. Covered Personal Identifiers

vii. Government-Related Data

b. Baseline: Total Potential U.S. Population Affected by Risks

c. Summary of Baseline (Without the Proposed Rule)

6. Alternative Approaches

7. Benefits of the Proposed Rule

8. Costs of the Proposed Rule

a. Value of Lost and Forgone Transactions

i. Global Market Value of Genomic, Biometric, and Location Data

ii. U.S. Exports to Relevant Specific Categories and to Countries of Concern

iii. Estimates of U.S. Exports of Genomic, Biometric, and Location Data

iv. Estimates of U.S. Exports of Genomic, Biometric, and Location Data to the Six Countries of Concern

v. Total Estimated Value of Lost and Forgone Transactions

vi. Alternative Methodology for Estimating the Value of Lost and Forgone Transactions

b. Security Costs

i. Similar Security Standards and Frameworks

ii. Current Industry Compliance Level

iii. Costs of Compliance

c. Costs Associated With Compliance Program: Due Diligence, Recordkeeping, and Auditing

i. Due Diligence Costs

ii. Recordkeeping Costs

iii. Executive Order on Modernizing Regulatory Review Recordkeeping and Related Costs

iv. Auditing Costs

v. Estimated Recordkeeping Costs From the Reviewed Literature

vi. Summary of a Compliance Program: Due Diligence, Recordkeeping, and Auditing

9. Summary of Regulatory Analysis

B. Regulatory Flexibility Act

1. Succinct Statement of the Objectives of, and Legal Basis for, the Proposed Rule

2. Description of and, Where Feasible, an Estimate of the Number of Small Entities to Which The Proposed Rule Will Apply

3. Description of the Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Proposed Rule

4. Identification of all Relevant Federal Rules That May Duplicate, Overlap, or Conflict With the Proposed Rule

C. Executive Order 13132 (Federalism)

D. Executive Order 13175 (Consultation and Coordination With Indian Tribal Governments)

E. Executive Order 12988 (Civil Justice Reform)

F. Paperwork Reduction Act

G. Unfunded Mandates Reform Act

I. Executive Summary

Executive Order 14117 of February 28, 2024, “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“the Order”), directs the Attorney General to issue regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (“transaction”), where the transaction: involves United States Government-related data (“government-related data”) or bulk U.S. sensitive personal data, as defined by final rules implementing the Order; falls within a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to the national security of the United States because it may enable access by countries of concern or covered persons to government-related data or Americans' bulk U.S. sensitive personal data; and meets other criteria specified by the Order. On March 5, 2024, the National Security Division of the Department of Justice (“DOJ” or “the Department”) issued an Advance Notice of Proposed Rulemaking (“ANPRM”) seeking public comment on various topics related to implementation of the Order.

This Notice of Proposed Rulemaking (“NPRM”) addresses the public comments received on the ANPRM, sets forth a proposed rule to implement the Order, and seeks public comment. The proposed rule identifies classes of prohibited and restricted transactions; identifies countries of concern and classes of covered persons with whom the regulations would prohibit or restrict transactions involving government-related data or bulk U.S. sensitive personal data; establishes a process to issue (including to modify or rescind) licenses authorizing otherwise prohibited or restricted transactions and to issue advisory opinions; and addresses recordkeeping and reporting of transactions to inform investigative, enforcement, and regulatory efforts of the Department of Justice.

II. Background

On February 28, 2024, the President issued Executive Order 14117 (Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern) (“the Order”), pursuant to his authority under the Constitution and the laws of the United States, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (“IEEPA”); the National Emergencies Act (50 U.S.C. 1601 et seq.) (“NEA”); and title 3, section 301 of the United States Code. In the Order, the President expanded the scope of the national emergency declared in Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and further addressed with additional measures in Executive Order 14034 of June 9, 2021 (Protecting Americans' Sensitive Data From Foreign Adversaries). The President determined that additional measures are necessary to counter the unusual and extraordinary threat to U.S. national security posed by the continuing efforts of certain countries of concern to access and exploit government-related data or Americans' bulk U.S. sensitive personal data.

The Order directs the Attorney General, pursuant to the President's delegation of his authorities under IEEPA, to issue regulations that prohibit or otherwise restrict United States persons from engaging in certain transactions in which a foreign country of concern or national thereof has an interest. Restricted and prohibited transactions include transactions that involve government-related data or bulk U.S. sensitive personal data, are a member of a class of transactions that the Attorney General has determined poses an unacceptable risk to the national security of the United States because the transactions may enable countries of concern or covered persons to access government-related data or bulk U.S. sensitive personal data, and are not otherwise exempted from the Order or its implementing regulations. The Order directs the Attorney General to issue regulations that identify classes of prohibited and restricted transactions; identify countries of concern and classes of covered persons whose access to government-related data or bulk U.S. sensitive personal data poses the national security risk described in the Order; establish a process to issue (including to modify or rescind) licenses authorizing otherwise prohibited or restricted transactions; further define terms used in the Order; address recordkeeping and reporting of transactions to inform investigative, enforcement, and regulatory efforts of the Department of Justice; and to take whatever additional actions, including promulgating additional regulations, as may be necessary to carry out the purposes of the Order.

The Order and this proposed rule fill an important gap in the United States Government's authorities to address the threat posed by countries of concern accessing government-related data or Americans' bulk U.S. sensitive personal data. As the President determined in the Order, “[a]ccess to Americans' bulk sensitive personal data or United States Government-related data increases the ability of countries of concern to engage in a wide range of malicious activities.” As the ANPRM explained, countries of concern can use their access to government-related data or Americans' bulk U.S. sensitive personal data to engage in malicious cyber-enabled activities and malign foreign influence activities and to track and build profiles on U.S. individuals, including members of the military and other Federal employees and contractors, for illicit purposes such as blackmail and espionage. And countries of concern can exploit their access to government-related data or Americans' bulk U.S. sensitive personal data to collect information on activists, academics, journalists, dissidents, political figures, or members of nongovernmental organizations or marginalized communities to intimidate them; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties.

As the 2024 National Counterintelligence Strategy explains, “as part of a broader focus on data as a strategic resource, our adversaries are interested in personally identifiable information (PII) about U.S. citizens and others, such as biometric and genomic data, health care data, geolocation information, vehicle telemetry information, mobile device information, financial transaction data, and data on individuals' political affiliations and leanings, hobbies, and interests.” These and other kinds of sensitive personal data “can be especially valuable, providing adversaries not only economic and [research and development] benefits, but also useful [counterintelligence] information, as hostile intelligence services can use vulnerabilities gleaned from such data to target and blackmail individuals.”

Nongovernmental experts have underscored these risks. For example, a recent study by the MITRE Corporation summarized open-source reporting, highlighting the threat of blackmail, coercion, identification of high-risk government personnel and sensitive locations, and improved targeting of offensive cyber operations and network exploitation posed by hostile actors' access to Americans' data derived from advertising technology.

The development of artificial intelligence (“AI”), high-performance computing, big-data analytics, and other advanced technological capabilities by countries of concern amplifies the threat posed by these countries' access to government-related data or Americans' bulk U.S. sensitive personal data. For instance, the U.S. National Intelligence Council assessed in 2020 that “access to personal data of other countries' citizens, along with [artificial intelligence]-driven analytics, will enable [the People's Republic of China] to automate the identification of individuals and groups beyond China's borders to target with propaganda or censorship.”

Countries of concern can also exploit their access to government-related data regardless of volume to threaten U.S. national security. One academic study explained that “[f]oreign and malign actors could use location datasets to stalk or track high-profile military or political targets,” revealing “sensitive locations—such as visits to a place of worship, a gambling venue, a health clinic, or a gay bar—which again could be used for profiling, coercion, blackmail, or other purposes.” The MITRE report further explained that location datasets could reveal “U.S. military bases and undisclosed intelligence sites” or “be used to estimate military population or troop buildup in specific areas around the world or even identify areas of off-base congregation to target.” As another example of these data risks and the relative ease with which they can be exploited, journalists were able to commercially acquire from a data broker a continuous stream of 3.6 billion geolocation data points that were lawfully collected on millions of people from advertising IDs. The journalists were then able to create “movement profiles” for tens of thousands of national security and military officials, and from there, could determine where they lived and worked as well as their names, education levels, family situations, and hobbies.

The Order and this proposed rule seek to mitigate these and other national security threats that arise from countries of concern accessing government-related data or Americans' bulk U.S. sensitive personal data.

No current Federal legislation or rule categorically prohibits or imposes security requirements to prevent U.S. persons from providing countries of concern or covered persons access to sensitive personal data or government-related data through data brokerage, vendor, employment, or investment agreements. For example, the scope and structure of the Protecting Americans' Data from Foreign Adversaries Act of 2024 ( seePub. L. 118-50, div. I, 118th Cong. (2024)) do not create a comprehensive regulatory scheme that adequately and categorically addresses these national security risks, as explained in part IV.K of this preamble. Likewise, the Committee on Foreign Investment in the United States (“CFIUS”) has authority to assess the potential national security risks of certain investments by foreign persons in certain United States businesses that “maintain[] or collect[] sensitive personal data of United States citizens that may be exploited in a manner that threatens national security.” CFIUS only reviews certain types of investments in U.S. businesses; it does so on a transaction-by-transaction basis, instead of prescribing prospective and categorical rules regulating all such transactions; and its authorities do not extend to other activities that countries of concern may use to gain access to government-related data or Americans' bulk U.S. sensitive personal data, such as through purchases of such data on the commercial market or through vendor or employment agreements.

Similarly, Executive Order 13873 prohibits any acquisition, importation, transfer, installation, dealing in or use of by U.S. persons from acquiring certain information and communication technologies and services (“ICTS”) designed, developed, manufactured, or supplied by foreign adversaries where, among other things, the Secretary of Commerce determines that the transaction poses an “unacceptable risk to the national security of the United States or the security and safety of United States persons.” In building upon the national emergency declared in Executive Order 13873, the President, in Executive Order 14034, determined that connected software applications operating on U.S. ICTS “can access and capture vast swaths of . . . personal information and proprietary business information,” a practice that “threatens to provide foreign adversaries with access to that information.” However, as with CFIUS legal authorities, the orders do not broadly empower the United States Government to prohibit or otherwise restrict the sale of government-related data or Americans' bulk U.S. sensitive personal data, and the orders do not broadly restrict other commercial transactions, such as investment, employment, or vendor agreements, that may provide countries of concern access to government-related data or Americans' bulk U.S. sensitive personal data.

The proposed rule would complement these statutory and regulatory authorities. It prescribes forward-looking, categorical rules that prevent U.S. persons from providing countries of concern or covered persons access to government-related data or Americans' bulk U.S. sensitive personal data through commercial data-brokerage transactions. The proposed rule also imposes security requirements on other kinds of commercial transactions, such as investment, employment, and vendor agreements, that involve government-related data or Americans' bulk U.S. sensitive personal data to mitigate the risk that a country of concern could access such data. The proposed rule would address risks to government-related data or Americans' bulk U.S. sensitive personal data that current authorities leave vulnerable to access and exploitation by countries of concern and provide predictability and regulatory certainty by prescribing categorical rules regulating certain kinds of data transactions that could give countries of concern or covered persons access to government-related data or Americans' bulk U.S. sensitive personal data.

III. Advance Notice of Proposed Rulemaking and Comments

The National Security Division of the Department published an ANPRM on March 5, 2024 (former RIN: 1105-AB72), soliciting public comment on various topics related to the Order. The Department received and carefully reviewed 64 timely comments in response to the ANPRM from trade associations, public interest advocacy groups, think tanks, private individuals, and companies, as well as comments from several foreign governments. The Department also received two additional ex parte comments after the comment period closed, which DOJ publicly posted on regulations.gov.

During the comment period, the Department of Justice, both on its own and with other agencies, met with businesses, trade groups, and other stakeholders potentially interested in or impacted by the contemplated regulations to discuss the ANPRM. For example, the Department discussed the ANPRM with the Consumer Technology Association, the Information Industry Technology Council, Pharmaceutical Research and Manufacturers of America, the Biotechnology Innovation Organization, the Bioeconomy Information Sharing Analysis Center, the U.S. Chamber of Commerce, Tesla, Workday, Anthropic, and the Special Competitive Studies Project, and it provided briefings to the Secretary of Commerce and Industry Trade Advisory Committees 6, 10, and 12 administered by the Office of the U.S. Trade Representative and the Department of Commerce. The Department also discussed the Order and contemplated regulations with stakeholders at events open to the public, including ones hosted by the American Conference Institute, the American Bar Association, the Center for Strategic and International Studies, and the R Street Institute, and through other public engagements such as the Lawfare Podcast, ChinaTalk Podcast, CyberLaw Podcast, and the Center for Cybersecurity Policy & Law's Distilling Cyber Policy podcast.

After the comment period closed, the Department of Justice, along with the Department of Commerce, followed up with commenters who provided feedback regarding the bulk thresholds to discuss that topic in more detail, including the Council on Government Relations Industry Association, Association of American Medical Colleges, Airlines for America, Bank Policy Institute, the Business Roundtable, Information Technology Industry Council, Centre for Information Policy Leadership, Biotechnology Innovation Organization, Software and Information Industry Association, Cellular Telephone Industries Association, the internet and Television Association, US Telecom, Ford Motor Company, Bioeconomy Information Sharing and Analysis Center, Coalition of Services Industries, Enterprise Cloud Coalition, Electronic Privacy Information Center, Center for Democracy and Technology, Business Software Alliance, Global Data Alliance, Interactive Advertising Bureau, U.S.-China Business Council, IBM, Workday, and individuals Justin Sherman, Mark Febrizio, and Charlie Lorthioir. The Department has also discussed the Order and the ANPRM with foreign partners to ensure that they understood the Order and contemplated program and how they fit into broader national security, economic, and trade policies.

The Department considered each comment submitted, including the ex parte comments that have since been publicly posted. Many of the comments were general in nature and supported the Department's efforts and approach with respect to the proposed rule. Overall, commenters were generally supportive of the intent of the proposed rule. However, several commentators representing industry questioned the effectiveness of the proposed rule as compared to the passage of a holistic federal privacy law, proposed revisions, and highlighted areas where the proposed rule would benefit from further clarity. The Department discusses comments, and any edits or revisions made in response to the comments, in the discussion of the proposed rule in part IV of this preamble.

IV. Discussion of the Proposed Rule

The proposed rule implements the Order through categorical rules that regulate certain data transactions involving government-related data or bulk U.S. sensitive personal data that could give countries of concern or covered persons access or the ability to access such data and present an unacceptable risk to U.S. national security. The proposed rule (1) identifies certain classes of highly sensitive transactions with countries of concern or covered persons that the proposed rule would prohibit in their entirety (“prohibited transactions”) and (2) identifies other classes of transactions that would be prohibited except to the extent they comply with predefined security requirements (“restricted transactions”) to mitigate the risk of access to bulk U.S. sensitive personal data by countries of concern. The Attorney General has determined that the prohibited and restricted transactions set forth in the proposed rule pose an unacceptable risk to the national security of the United States because they may enable countries of concern or covered persons to access and exploit government-related data or bulk U.S. sensitive personal data.

In addition to identifying classes of prohibited and restricted transactions that pose an unacceptable risk to national security, the proposed rule identifies certain classes of transactions that are exempt from the proposed rule. For example, the proposed rule exempts transactions for the conduct of the official business of the United States Government by employees, grantees, or contractors thereof, and transactions conducted pursuant to a grant, contract, or other agreement entered into with the United States Government, including those for outbreak and pandemic prevention, preparedness, and response. The proposed rule also defines relevant terms; identifies countries of concern; defines covered persons; and creates processes for the Department to issue general and specific licenses, to issue advisory opinions, and to designate entities or individuals as covered persons. The proposed rule also establishes a compliance and enforcement regime.

The Department relied upon unclassified and classified sources to support the proposed rule. Although the unclassified record fully and independently supports the proposed rule without the need to rely on the classified record, the classified record provides supplemental information that lends additional support to the proposed rule. The proposed rule would be the same even without the classified record.

Some commenters offered overarching comments. A few commenters made suggestions that addressed issues unrelated to the proposed rule, such as expressing views on U.S. positions in certain international negotiations over digital trade. No change was made in response to these comments. These comments addressed unrelated issues that are not relevant to the scope of the proposed rule and that are directed to other agencies and forums, and they generally did not suggest any specific changes to the contemplated program. To the extent that these comments intended to suggest that the Order's and proposed rule's restrictions on access to sensitive personal data are inconsistent with international commitments by the United States, the Department disagrees.

The proposed rule's prohibitions and restrictions on access to U.S. sensitive personal data and government-related data by countries of concern are consistent with access restrictions on sensitive personal data that have long been imposed in other national security contexts, including for some transactions reviewed by CFIUS and the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (“Team Telecom”). Those access restrictions, in turn, are consistent with or otherwise permissible under trade and other international agreements. For example, the World Trade Organization's (“WTO”) General Agreement on Trade in Services (“GATS”), like other trade agreements to which the United States is a party, includes an essential security interests exception that states that nothing in the agreement shall be construed to prevent a party to such an agreement from taking any action that it considers necessary for the protection of its essential security interests. As a result, rather than prohibiting such access restrictions, GATS and other relevant international agreements to which the United States is a party explicitly authorize national security-based restrictions on data access and data flows through the longstanding essential security exception. The proposed rule, like conditions restricting access in CFIUS or Team Telecom mitigation agreements to address identified national security risks, is necessary to protect the essential security interests of the United States and is thus consistent with such international agreements to which the United States is a party. Notably, consistent with the United States Government's long-standing support of cross-border data flows, the proposed rule does not require data localization or wholly restrict data flows to any specific country. Rather, the proposed rule only limits data transfers in narrow, specifically defined circumstances necessary to safeguard security interests, and it is being developed through a process that enables stakeholder consultation and input. The proposed rule is also consistent with the United States' longstanding support for Data Free Flows Trust (“DFFT”). The categories of prohibited and restricted transactions in the proposed rule identify circumstances that present an unacceptable national security risk of enabling countries of concern to access and exploit Americans' sensitive personal data—circumstances that lack the trust required for free data flows.

Several commenters suggested various revisions to borrow or incorporate aspects of international or State privacy laws into this proposed rule. The Department generally declines to adopt these suggestions, except on a discrete issue discussed in part IV.A.7 of this preamble. The Department supports privacy measures and national security measures as complementary protections for Americans' sensitive personal data. Despite some overlap, privacy protections and national security measures generally focus on different challenges associated with sensitive personal data. General privacy protections focus on addressing individual rights and preventing individual harm, such as protecting the rights of individuals to control the use of their own data and reducing the potential harm to individuals by minimizing the collection of data on the front end and limiting the permissible uses of that data on the back end. National security measures, by contrast, focus on collective risks and externalities that may result from how individuals and businesses choose to sell and use their data, including in lawful and legitimate ways.

For example, some commenters suggested adding a new exemption for transactions in which a U.S. individual consents to the sale or disclosure of their data to a country of concern or covered person. The proposed rule declines to adopt this exemption. Such a consent-based exemption would leave unaddressed the threat to national security by allowing U.S. individuals and companies to choose to share government-related data or Americans' bulk U.S. sensitive personal data with countries of concern or covered persons. It is precisely those choices that, in aggregate, help create the national security risk of access by countries of concern or covered persons, and the purpose of the Order and the proposed rule is to address the negative externality that is created by individuals' and companies' choices in the market in the first place. It would also be inconsistent with other national security regulations to leave it up to market choices to decide whether to give American technology, capital, or data to a country of concern or covered person. Export controls do not allow U.S. companies to determine whether their sensitive technology can be sent to a foreign adversary, and sanctions do not allow U.S. persons to determine whether their capital and material support can be given to terrorists and other malicious actors. Likewise, the proposed rule would not allow U.S. individuals to determine whether to give countries of concern or covered persons access to their sensitive personal data or government-related data. One of the reasons that the public is not in a position to assess and make decisions about the national security interests of the United States is that the public typically does not have all of the information available to make a fully informed decision about the national security interests of the United States.

Each subpart of the proposed rule, including any relevant comments received on the corresponding part of the ANPRM, is discussed below in the remaining sections of this preamble.

A. Subpart C—Prohibited Transactions and Related Activities

The proposed rule identifies transactions that are categorically prohibited unless the proposed rule otherwise authorizes them pursuant to an exemption or a general or specific license or, for the categories of restricted transactions, in compliance with security requirements and other requirements set forth in the proposed rule.

1. Section 202.210—Covered Data Transactions

The Order authorizes the Attorney General to issue regulations that prohibit or otherwise restrict U.S. persons from engaging in a transaction where, among other things, the Attorney General has determined that a transaction “is a member of a class of transactions . . . [that] pose an unacceptable risk to the national security of the United States because the transactions may enable countries of concern or covered persons to access bulk sensitive personal data or United States Government-related data in a manner that contributes to the national emergency declared in this [O]rder.” Pursuant to the Order, the proposed rule categorically prohibits or, for the categories of restricted transactions, imposes security and other requirements on certain covered data transactions with U.S. persons and countries of concern or covered persons because the covered data transactions may otherwise enable countries of concern or covered persons to access government-related data or bulk U.S. sensitive personal data to harm U.S. national security.

The proposed rule defines a “covered data transaction” as any transaction that involves any access to any government-related data or bulk U.S. sensitive personal data and that involves: (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement. See § 202.210. The Department has determined that these categories of covered data transactions pose an unacceptable risk to U.S. national security because they may enable countries of concern or covered persons to access government-related data or bulk U.S. sensitive personal data to engage in malicious cyber-enabled activities, track and build profiles on United States individuals for illicit purposes, including blackmail or espionage, and to intimidate, curb political dissent or political opposition, or otherwise limit civil liberties of U.S. persons opposed to countries of concern, among other harms to U.S. national security. For instance, one study has demonstrated that foreign malign actors can purchase bulk quantities of sensitive personal data about U.S. military personnel from data brokers “for coercion, reputational damage, and blackmail.” Countries of concern or covered persons could also exploit vendor, employment, or investment agreements to obtain access to government-related data or bulk U.S. sensitive personal data to harm U.S. national security.

In response to the ANPRM, commenters asked that the Department clarify when a transaction “involves” government-related data or bulk U.S. sensitive personal data. The Department has responded to those comments by revising the definition of a “covered data transaction” to any transaction that involves any access to the data by the counterparty to a transaction (rather than any transaction that involves government-related data or bulk U.S. sensitive personal data).

2. Section 202.301—Prohibited Data-Brokerage Transactions

The proposed rule prohibits any U.S. person from knowingly engaging in a covered data transaction involving data brokerage with a country of concern or a covered person. The proposed rule defines “data brokerage” as the sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data from any person (“the provider”) to any other person (“the recipient”), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. See § 202.214.

Because the data brokerage prohibition, along with the other prohibitions and restrictions, center around data transactions involving access to government-related data or bulk U.S. sensitive personal data, the Department addresses each of those key terms and related terms in detail in the following discussion.

3. Section 202.201—Access

Adopting the approach contemplated in the ANPRM without change, the proposed rule defines “access” as logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form, including through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment, or software.

One commenter suggested that the Department remove the term “divert” from the definition of “access” to avoid unintentionally capturing activities that do not involve actual access to data and that, according to the commenter, do not pose a risk to national security. The Department declines to do so. The definition of “access” is intentionally broad. It includes the term “divert” to ensure that the proposed rule covers data transactions that would enable a covered person to divert government-related data or bulk U.S. sensitive personal data from an intended recipient to a country of concern or a covered person, either for their own use or for the use of countries of concern or other covered persons, and to prevent countries of concern or covered persons from amassing data (including anonymized, encrypted, aggregated, or pseudonymized data), as discussed in part IV.A.13 of this preamble.

4. Section 202.249—Sensitive Personal Data

As previewed in the ANPRM, the proposed rule builds on the Order by further defining the six categories of “sensitive personal data” that could be exploited by a country of concern to harm U.S. national security if that data is linked or linkable to any identifiable U.S. individual or to a discrete and identifiable group of U.S. persons. These six categories are: (1) covered personal identifiers; (2) precise geolocation data; (3) biometric identifiers; (4) human genomic data; (5) personal health data; and (6) personal financial data. The proposed rule also categorically excludes certain categories of data from the definition of the term “sensitive personal data.” These exclusions include public or nonpublic data that does not relate to an individual, including trade secrets and proprietary information, and data that is, at the time of the transaction, lawfully publicly available from government records or widely distributed media, personal communications as defined in § 202.239, and information or informational materials as defined in § 202.226. Nothing in the proposed rule shall be construed to affect the obligations of U.S. Government departments and agencies under the Foundations for Evidence-Based Policymaking Act of 2018, Public Law 115-435 (2019), 44 U.S.C. 3501 et seq.

5. Section 202.212—Covered Personal Identifiers

The Order defines “covered personal identifiers” as “specifically listed classes of personally identifiable data that are reasonably linked to an individual, and that—whether in combination with each other, with other sensitive personal data, or with other data that is disclosed by a transacting party pursuant to the transaction and that makes the personally identifiable data exploitable by a country of concern—could be used to identify an individual from a data set or link data across multiple data sets to an individual,” subject to certain exclusions. The ANPRM thus contemplated three subcategories of covered personal identifiers: (1) listed identifiers in combination with any other listed identifier; (2) listed identifiers in combination with other sensitive personal data; and (3) listed identifiers in combination with other data that are disclosed by a transacting party pursuant to the transaction that makes the listed identifier exploitable by a country of concern, if they could be used to identify an individual from a dataset or to link data across multiple datasets to an individual. The ANPRM also contemplated two exceptions: (1) demographic or contact data that is linked only to other demographic or contact data; and (2) a network-based identifier, account-authentication data, or call-detail data that is linked only to other network-based identifiers, account-authentication data, or call-detail data as necessary for the provision of telecommunications, networking, or similar services. The proposed rule expands the approach described in the ANPRM by making the exceptions applicable to all subcategories of covered personal identifiers, instead of being applicable only to listed identifiers in combination with any other listed identifiers. The listed identifiers are described in more detail in the next section.

With respect to the first subcategory, listed identifiers in combination with any other listed identifier: The ANPRM contemplated a list-based approach that would identify a comprehensive list of eight classes of data determined by the Attorney General to be reasonably linked to an individual under the Order's definition of “covered personal identifiers.”

With respect to the second subcategory, listed identifiers in combination with other sensitive personal data: The ANPRM contemplated treating these combinations as combined data subject to the lowest bulk threshold applicable to the categories of data present. The proposed rule generally adopts the approach described in the ANPRM, but instead of addressing this category in the definition of “listed identifiers,” the proposed rule incorporates this category as part of the definition of “bulk.”

With respect to the third subcategory, listed identifiers in combination with other data that are disclosed by a transacting party pursuant to the transaction that makes the listed identifier exploitable by a country of concern: The ANPRM indicated that the Department did not intend to impose an obligation on transacting parties to independently determine whether particular combinations of data would be “exploitable by a country of concern.” The ANPRM provided several examples intended to be within the scope of this subcategory and several examples intended to be outside the scope of this subcategory and sought comment on ways in which this subcategory could be further defined. In response, multiple commenters suggested anchoring this subcategory to the reasonable foreseeability that the other data could be used to link the listed identifier to a U.S. individual. As these commenters explained, without the connection to foreseeability, nearly any public data could become covered personal identifiers, because it is possible that the transacting party receiving the data could find some way of linking any public data point to an individual using the listed identifier.

The proposed rule largely adopts this suggestion. Rather than requiring companies to determine when linkage is reasonably foreseeable on a case-by-case basis, the proposed rule would define a category of data for which the Department believes it is reasonably foreseeable that the other data could be used to link the listed identifier to a U.S. individual: other data that makes the listed identifier linked or linkable to other listed identifiers or to other sensitive personal data. The proposed rule thus narrows the third subcategory to any listed identifier in combination with other data that is disclosed by a transacting party such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data. See § 202.212(a)(2). The proposed rule also incorporates the examples described in the ANPRM and additional examples to illustrate how this subcategory would and would not apply.

6. Section 202.234—Listed Identifier

Adopting the approach contemplated in the ANPRM, the proposed rule defines a “listed identifier” as any piece of data in any of the following data fields: (1) full or truncated government identification or account number (such as a Social Security Number, driver's license or State identification number, passport number, or Alien Registration Number); (2) full financial account numbers or personal identification numbers associated with a financial institution or financial-services company; (3) device-based or hardware-based identifier (such as International Mobile Equipment Identity (“IMEI”), Media Access Control (“MAC”) address, or Subscriber Identity Module (“SIM”) card number); (4) demographic or contact data (such as first and last name, birth date, birthplace, ZIP code, residential street or postal address, phone number, email address, or similar public account identifiers); (5) advertising identifier (such as Google Advertising ID, Apple ID for Advertisers, or other mobile advertising ID (“MAID”)); (6) account-authentication data (such as account username, account password, or an answer to a security question); (7) network-based identifier (such as internet Protocol (“IP”) address or cookie data); or (8) call-detail data (such as Customer Proprietary Network Information (“CPNI”)). See § 202.234.

Under this definition, the term “covered personal identifiers” refers to a much narrower set of material than that covered by certain laws and policies aimed generally at protecting personal privacy. It encompasses only the types of data and combinations thereof that are expressly listed. For example, the proposed rule's definition of “covered personal identifiers” would not include an individual's employment history, educational history, organizational memberships, criminal history, or web-browsing history. Some commenters suggested that the Department adopt a broader definition that aligns with the definition of “personally identifiable information” used in State or European Union (”EU”) privacy laws to ease the burden of compliance. The Department declines to adopt this approach, and the proposed rule retains the definition stated in the ANPRM without change. Although it may be true that “personally identifiable information” is a familiar term in laws and guidance addressing the privacy and security of data held by the private sector and government, it is such a broad term that adopting a definition akin to it would significantly expand the scope of the regulations and therefore require that the Department regulate more commercial transactions or relationships than seem necessary, at least at this time, to mitigate the highest priority national security risks articulated in the Order. Furthermore, the commenters supplied no data to suggest that any cost savings realized from adopting an existing definition would outweigh the added burdens of regulating a larger swath of transactions.

Similarly, another commenter suggested broadening the definition of “covered personal identifiers” to add categories of data from State and EU privacy laws, such as web-browsing data and data that identifies or could lead to inferences about membership in protected classes such as race, religion, and national origin. The proposed rule makes no change in response to this comment. As previewed in the ANPRM, the proposed rule's definition of “covered personal identifiers” is tailored to address the national security risks identified in the Order, and the Department is establishing the program by issuing proposed rulemakings in tranches based on priority. Also, the Department intends to regularly monitor the effectiveness and impact of the regulations once they become effective. Absent more specific information from commenters on this topic about the cross-border use of these additional kinds of identifiers by foreign governments in ways that could harm Americans, the proposed rule retains the definition stated in the ANPRM without change at this time.

One commenter suggested that the Department remove basic contact information from the listed identifiers. The proposed rule maintains the approach in the ANPRM without change. The Order already contains an exception to the definition of “covered personal identifiers” for demographic or contact data that is linked only to other demographic or contact data. The proposed rule implements the exception articulated in the Order and previewed in the ANPRM, which excludes such data from the definition of “covered personal identifiers.”

By contrast, another commenter recommended that “covered personal identifiers” be expanded to include demographic or contact data that is linked only to other demographic or contact data, because most Americans believe that information to be deserving of privacy protections. The Department declines to adopt this addition to the definition of “covered personal identifiers.” Such an expansion of the definition would be contrary to the Order, which specifically exempts this kind of data from its scope. Additionally, as the commenter acknowledges, a significant amount of this information is already publicly available to countries of concern, and therefore country of concern access to this type of information does not carry the same national security risk as access to the other covered personal identifiers identified in these regulations, even if it may raise separate privacy considerations.

A few commenters advocated removing truncated government identification and account numbers from the definition of “listed identifiers,” given their widescale use. One commenter supported the inclusion of these truncated identifiers because they are regularly used to identify individuals. The proposed rule continues to include these truncated identifiers as contemplated in the ANPRM because, as one commenter points out, they could be, and are, “used to identify an individual from a data set or link data across multiple data sets to an individual[.]” They therefore fall within the Order's definition of “covered personal identifiers” when they are combined with certain other categories of data. Although these truncated numbers may be used widely, the proposed rule would not regulate how they are used in most transactions. Specifically, it would not regulate how these truncated numbers are used domestically, a company's internal use of that data (other than with respect to covered persons who are employees), or transactions abroad involving third countries (other than with respect to certain conditions for the data brokerage to address onward sale).

The proposed rule also contains a non-substantive change in language designed to be more technically accurate and to clarify that any piece of data in any of the listed classes of data constitutes a listed identifier. See § 202.234. This change remains consistent with the examples previewed in the ANPRM and in the proposed rule showing that multiple pieces of data (such as account username and account password) in the same data field (account-authentication data) each count as separate listed identifiers.

7. Section 202.242—Precise Geolocation Data

The proposed rule defines “precise geolocation data” as data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters. Examples of “precise geolocation data” include GPS coordinates and IP address geolocation. To help develop this definition, the Department examined the settings available to software developers in Android and iOS, the two most popular mobile device operating systems, for the precision of geolocation readings. Available options included accuracy to within 10 meters, 100 meters, 1,000 meters, 3,000 meters, and 10,000+ meters. The Department selected 1,000 meters as the option that most carefully balanced the risk that countries of concern or covered persons could exploit U.S. persons' precise geolocation data and current technology practices and standards. The Department also considered State privacy laws, with which companies are already familiar and which provide examples of the level of precision at which a device's location warrants protection.

A few commenters suggested that the Department define “precise geolocation data” as that term is defined in the California Privacy Rights Act, which includes a geographic radius of 1,850 feet (approximately 563 meters). The Department did not accept this suggestion because our assessment of the relevant national security interests required a broader geographic area, in part due to the types of United States Government personnel and locations (such as military bases with large surrounding footprints) that are relevant to national security. By contrast, the California standard does not take these national security interests relating to Government personnel into account. One commenter suggested that the Department omit the phrase “based on electronic signals or inertial sensing units,” which was included in the ANPRM definition of “precise geolocation data,” to make the term more technology-neutral as to the method of collection. The Department has adopted this suggestion and deleted that phrase from the proposed definition.

8. Section 202.204—Biometric Identifiers

Adopting the approach contemplated in the ANPRM without change, the proposed rule defines “biometric identifiers” as measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.

9. Section 202.224—Human Genomic Data

Adopting the approach contemplated in the ANPRM without change, the proposed rule defines “human genomic data” as data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a human cell, including the result or results of an individual's “genetic test” (as defined in 42 U.S.C. 300gg-91(d)(17)) and any related human genetic sequencing data. The term “human genomic data” does not include non-human data, such as pathogen genetic sequence data, that is derived from or integrated into human genomic data.

10. Other Human ’Omic Data

The Department of Justice is considering regulating, as prohibited or restricted transactions in the final rule, certain transactions in which a U.S. person provides a country of concern (or covered person) with access to bulk human ’omic data, other than human genomic data, as defined in § 202.224. At a high level, the ’omics sciences examine biological processes that contribute to the form and function of cells and tissues. The categories of ’omic data that the Department is considering regulating could include human epigenomic data, glycomic data, lipidomic data, metabolomic data, meta-multiomic data, microbiomic data, phenomic data, proteomic data, and transcriptomic data. The Department does not intend the definition of meta-multiomic data to include nonhuman data separated from human data or for the definition of microbiomics data to include data related to individual pathogens, even when derived from human sources. The Department is considering whether to include the following definitions of these terms in the final rule:

1. Epigenomic data: data derived from the analysis of human epigenetic modifications, which are changes in gene expression or cellular phenotype that do not involve alterations to the DNA sequence itself. These epigenetic modifications include modifications such as DNA methylation, histone modifications, and non-coding RNA regulation.

2. Glycomic data: data derived from the analysis of the structure, function, and interactions of glycans (complex carbohydrates) within human biological systems. The field of glycomics generally aims to understand the roles of glycans in cell-cell communication, immune responses, and various diseases.

3. Lipidomic data: data derived from a systems-level characterization of lipids from a human or human cell, including their identification, quantification, and characterization in biological systems. Routine clinical measurements of lipids for individualized patient care purposes would not be considered lipidomic data because such measurements would not entail a systems-level analysis of the complete set of lipids found in such a sample.

4. Metabolomic data: data derived from the analysis of metabolites, the small molecules produced during metabolism, that aim to understand disease mechanisms, identify biomarkers for diagnosis, and develop targeted treatments by revealing the dynamic biochemical activities in a living system. This data provides a general snapshot of an organism, tissue, or cell, offering insights into physiological and pathological processes.

5. Meta-multiomic data: The Department is considering the following options for defining meta-multiomic data:

(i) Datasets that include two or more categories of human ’omic data identified in this regulation, which can include data derived from the human genome, proteome, transcriptome, epigenome, or metabolome; or

(ii) Datasets that include two or more categories of human ’omic data identified in this regulation and that include ’omic data from another species.

6. Microbiomic data: data derived from analysis of all the microorganisms of a given community within the human body (including a particular site on the human body). Microbiomic data is implicated in the field of metagenomics, which generally aims to investigate and understand genetic material of entire communities of organisms, including the composition of a microbial community.

7. Phenomic data: data derived from analysis of human phenotypes, including physical traits, physiological parameters, and behavioral characteristics.

8. Proteomic data: data derived from analysis of human proteomes, which refers to the entire set of proteins expressed by a human genome, cell, tissue, or organism. The field of proteomics generally aims to identify and characterize proteins and study their structures, functions, interactions, and post-translational modifications.

9. Transcriptomic data: data derived from analysis of a human transcriptome, which is the complete set of RNA transcripts produced by the human genome under specific conditions or in a specific cell type. The field of transcriptomics generally aims to understand gene expression patterns, alternative splicing, and regulation of RNA molecules.

The Department is considering excluding from the definition of other human ’omic data pathogen-specific data embedded in ’omic data sets.

The Department welcomes input from commenters regarding the potential risks and benefits that may arise from restricting or prohibiting covered data transactions with a country of concern or covered person involving some or all of these categories of other human ’omic data. The Department is particularly interested in comments addressing the health, economic, or scientific impacts of regulating such data transactions, as well as any national security implications. Specifically:

• In what ways, if any, should the Department of Justice elaborate or amend the definitions of these classes of other human ’omic data? If the definitions should be elaborated or amended, why?
• Should bulk data transactions involving these types of other human ’omic data be regulated? If so, which types of human ’omic data—including any not listed—should be regulated, why should they be regulated, and how should they be regulated? Additionally, what bulk thresholds should apply and why?
• To what extent would the regulation of bulk data transactions involving these types of other human ’omic data affect individuals' rights to share their own biological samples (e.g., blood, urine, tissue, etc.) or health, ’omic, and other data?
• What would be the effects of prohibiting or restricting transactions involving these data classes in the final rule, particularly with respect to:

○ health outcomes

○ health supply chain impacts

○ research and administrative costs

○ economic costs due to (1) imposing these regulations, or (2) allowing unregulated bulk access to human ’omic data

○ innovation costs

• What additional risks should be considered if these bulk data transactions are not regulated, specifically as they relate to:

○ risks stemming from exploitable health information

○ manipulation of bulk data for strategic advantage over the United States

○ use of bulk datasets for the creation and refinement of AI or other similar advanced technologies

11. Section 202.240—Personal Financial Data

Adopting the approach contemplated in the ANPRM without change, the proposed rule defines “personal financial data” as data about an individual's credit, charge, or debit card, or bank account, including purchases and payment history; data, including assets liabilities, debts, and transactions in a bank, credit, or other financial statement; or data in a credit report or in a “consumer report” (as defined in 15 U.S.C. 1681a(d)).

One commenter sought clarification that personal financial data does not include inferences based on that data, suggesting, for example, that hotel record transactions may be personal financial data but an ultimate inference that the person is interested in business travel should not be considered personal financial data. As set forth in the Order and previewed in the ANPRM, the proposed rule would prohibit or restrict only certain categories of transactions in government-related data or bulk U.S. sensitive personal data, neither of which include inferences on their own.

12. Section 202.241—Personal Health Data

The ANPRM contemplated defining “personal health data” as “individually identifiable health information,” as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), “regardless of whether such information is collected by a `covered entity' or `business associate.' ”

Several commenters supported defining personal health data as “individually identifiable health information.” That definition is similar to how those terms are defined in HIPAA and its implementing regulations. However, one commenter expressed confusion as to how cross-referencing that definition in this program would relate to “covered entities” or “business associates” under HIPAA. The proposed rule adopts much of the substance of the approach in the ANPRM while providing greater clarity to address this confusion. Instead of defining “personal health information” by cross referencing and incorporating HIPAA, the proposed rule reproduces the relevant substance of the HIPAA definition to provide greater clarity that the definition does not turn on the HIPAA-specific inquiry of whether data is handled by covered entities or business associates. Further, unlike the HIPAA definition, the proposed rule would not define health information in terms of whether the information identifies individuals, because the proposed rule applies regardless of whether data is de-identified.

As a result, the proposed rule defines “personal health data” as health information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual. The term includes basic physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms, and allergies); social, psychological, behavioral, and medical diagnostic, intervention, and treatment history; test results; logs of exercise habits; immunization data; data on reproductive and sexual health; and data on the use or purchase of prescribed medications. The proposed rule would operate on a categorical basis and would determine that the category of personal health data generally meets the requirements of being “exploitable by a country of concern to harm United States national security” and “is linked or linkable to any identifiable United States individual or to a discrete and identifiable group of United States individuals” under section 7(l) of the Order. To be sure, it is possible to hypothesize a limited data set of discrete information related to an individual's physical or mental health condition that is not inherently linked or linkable to U.S. individuals (such as a data set of only heights or weights with no identifying information). But based on the information currently available, it does not appear that such limited datasets accurately reflect how personal health data is stored, transmitted, and used in the real world, and thus it does not appear appropriate to adjust the proposed rule to account for this hypothetical at this time. The Department welcomes comments on the extent to which such datasets exist and are the subject of covered data transactions between U.S. persons and countries of concern or covered persons.

13. Section 202.206—Bulk U.S. Sensitive Personal Data

Adopting the approach contemplated in the ANPRM without change, the prohibitions and restrictions apply to “bulk U.S. sensitive personal data,” which the proposed rule defines as a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted. The bulk thresholds of data set by the proposed rule are addressed in detail in part V of this preamble.

Several commenters requested that the Department align the categories of sensitive personal data with State data privacy laws, particularly to exclude encrypted, pseudonymized, de-identified, or aggregated data from the proposed rule's coverage. In contrast, other commenters supported the Department's treatment of pseudonymized, de-identified, or encrypted data, including to prevent the data from being re-identified in the future and to recognize that not all techniques for pseudonymization, de-identification, encryption, or aggregation are equally effective. The Department declines to adjust the proposed rule to exclude anonymized, encrypted, pseudonymized, or de-identified data, and the proposed rule adopts the approach described in the ANPRM without change. As the Order emphasizes, even where types of sensitive personal data are “anonymized, pseudonymized, or de-identified, advances in technology, combined with access by countries of concern to large datasets, increasingly enable countries of concern that access this data to re-identify or de-anonymize data,” which could reveal exploitable sensitive personal information on U.S. persons. As the Department has recently explained, “[o]pen-source reporting has repeatedly raised concern[s] that supposedly anonymized data is rarely, if ever, truly anonymous.” As a recent study has explained, for example, “[a]ggregated insights from location data” could be used to damage national security. Examples abound. Researchers in 2024 used a little more than a year's worth of “raw, `ping'-level data, a year's worth of location data from de-identified smartphones in 26 major metropolitan areas encompassing nearly every SEC office and most public firm headquarters to identify non-public investigations and enforcement actions, and glean insights about how those visits affected financial markets. In 2018, the publication of a global heatmap of anonymized users' location data collected by a popular fitness app enabled researchers to quickly identify and map the locations of military and government facilities and activities. Similarly, in 2019, New York Times writers were able to combine a single set of bulk location data collected from cell phones and bought and sold by location-data companies—which was anonymized and represented “just one slice of data, sourced from one company, focused on one city, covering less than one year”—with publicly available information to identify, track, and follow “military officials with security clearances as they drove home at night,” “law enforcement officers as they took their kids to school,” and “lawyers (and their guests) as they traveled from private jets to vacation properties.” A 2019 research study concluded that “99.98% of Americans would be correctly re-identified in any dataset using 15 demographic attributes,” thus “suggest[ing] that even heavily sampled anonymized datasets are unlikely to satisfy the modern standards for anonymization set forth by [the EU's General Data Protection Regime] and seriously challenge the technical and legal adequacy of the de-identification release-and-forget model.” Other studies and reports have reported similar results. As a result, as the Department recently explained, “[a]dversaries can use these datasets to reverse-engineer anonymized data and identify people, subjects, or devices that were supposedly anonymized.”

Similar concerns exist with respect to encrypted data. Countries of concern amass large quantities of encrypted data including by harvesting encrypted data now in order to decrypt it in the future should advances in quantum technologies render current standard public-key cryptographic algorithms ineffective. Encryption keys can also be stolen, handed over under compulsion, and otherwise obtained for use in decrypting datasets.

A few commenters suggested that the approach contemplated in the ANPRM would weaken national security by failing to differentiate between data that is encrypted or otherwise protected and data that is not. In their view, encryption is an important tool to secure data from unauthorized access, and treating encrypted and non-encrypted data alike could discourage the use of encryption, weakening the overall security of data. Other commenters, however, supported treating pseudonymized, encrypted, de-identified, and aggregated data as sensitive personal data because of the ability to re-identify such data and the rapid advancements in re-identification techniques. The Department declines to modify the proposed rule in response to these comments. As contemplated in the ANPRM, the proposed rule explicitly recognizes and relies upon the privacy and national security-preserving value of high quality, effective methods of encryption, de-identification, pseudonymization, and aggregation by specifically authorizing certain otherwise prohibited transactions so long as they meet the security requirements described in part IV.B.1 of this preamble, including by using data-level control(s) such as these techniques in combination with other security requirements. At the same time, as contemplated in the ANPRM, the proposed rule also recognizes that ineffective methods of encryption, de-identification, pseudonymization, and aggregation present the same unacceptable national security risk of access by countries of concern and covered persons as the risks posed by such access to identifiable data that is not secured through any of these techniques. The proposed rule thus allows otherwise prohibited employment agreements, vendor agreements, and investment agreements only if they use any combination of the data-level requirements necessary to prevent access to covered data by covered persons or countries of concern, as requirements laid out in the security requirements to be published by the Department of Homeland Security (“DHS”), in addition to organizational- and system-level requirements.

Commenters also requested that the Department use existing State privacy law definitions to define the categories of sensitive personal data, such as personal financial data. Commenters stated that many companies already know how to comply with State privacy laws. The Department has considered these comments. However, as discussed in part IV.A.6 of this preamble, the cited definitions do not necessarily align with the specific national security goals of these regulations. Therefore, the proposed rule adopts the approach described in the ANPRM without change and does not adopt the State privacy law definitions of the terms in the proposed rule.

14. Section 202.205—Bulk

As previewed in the ANPRM, the proposed rule's prohibitions apply to bulk amounts of U.S. sensitive personal data (in addition to the separate category of government-related data). The proposed rule defines “bulk” as any amount of such data that meets or exceeds thresholds during a given 12-month period, whether through one covered data transaction or multiple covered data transactions involving the same U.S. person and the same foreign person or covered person. The proposed rule sets specific thresholds for each category of sensitive personal data. See § 202.205. Certain specified data transactions that exceed those thresholds are “covered data transactions” and thus subject to the proposed rule's prohibitions unless they are otherwise authorized by the proposed rule. See § 202.210. The Department has determined the proposed bulk thresholds based on the analysis previewed in the ANPRM and described in more detail in part V of this preamble.

A few commenters expressed concerns that it would be necessary to decrypt data to determine whether it meets a relevant bulk threshold and suggested discarding the bulk thresholds as a result. They noted that decrypting data is generally less secure and could lead to unauthorized access. The proposed rule makes no change in response to these comments, for several reasons. First, many businesses engaging in the categories of prohibited and restricted transactions generally use the data in the course of operating their business, rather than merely serving as a pass-through for encrypted data as the comments suggest. While encrypting data in transit and data at rest is and should be a standard security technique, and encrypting data in use is increasingly common, data is routinely decrypted while it is being actively accessed, processed, filtered, sorted, searched, analyzed, displayed, and otherwise used by a business (for example, when an authorized employee or user opens and searches an encrypted file or database). However, nothing in the proposed rule imposes a legal requirement to decrypt data to comply. Instead, the proposed rule requires only that U.S. persons implement a risk-based compliance program tailored to their individual risk profiles. And data may also be encrypted using cryptographic methods that permit some computation and analysis to be performed on cyphertext that ascertains the kinds and volume of data without decrypting the data. Businesses can map the kinds and volumes of their data to evaluate it against the bulk thresholds in the data life cycle in which it is either decrypted for access or encrypted in use.

Second, even beyond mapping data in use, companies choosing to engage in these categories of data transactions can and should have some awareness of the volume of data they possess and in which they are transacting. For example, typically data-using entities maintain metrics, such as user statistics, that can help estimate the number of impacted individuals for the purposes of identifying whether a particular transaction meets the bulk threshold. Given that the bulk thresholds are built around order-of-magnitude evaluations of the quantity of user data, it is reasonable for entities to conduct similar order-of-magnitude-based assessments of their data stores and transactions for the purposes of regulatory compliance. Companies already must understand, categorize, and map the volumes of data they have for other regulatory requirements, such as State laws requiring notification of data breaches of specific kinds of data above certain thresholds.

Third, this concern appears premised on a scenario in which a U.S. business handles only encrypted data on which no computational functions can be performed to determine the kinds and volume of data, never accesses the decrypted data in its business, does not have other proxies or metrics to determine the kinds and volumes of data in which it is transacting, and must comply with the prohibitions and restrictions in the proposed rule. This scenario appears to be an edge case at best, and the comments do not provide a real-world example of this scenario or its frequency. Indeed, as discussed in some of the examples contained in the proposed rule, if a U.S. entity merely provides a platform for, or transports data between, a U.S. customer and a covered person or country of concern, and thus does not know or reasonably should not know of the kind or volume of data involved, then it generally would not “knowingly” engage in a prohibited transaction if the U.S. customer uses that platform or infrastructure to engage in a prohibited transaction with a covered person. Instead, the U.S. customer would generally be responsible for having “knowingly” engaged in the prohibited transaction, as illustrated in the clarification of the “knowingly” standard and the new examples incorporated into the proposed rule. See § 202.230. Similarly, if a U.S. entity merely stores encrypted data on behalf of a U.S. customer and does not possess the encryption key, and if the U.S. entity does not know or reasonably should not know the kind or volume of data involved, the U.S. entity generally would not meet the “knowingly” standard of the proposed rule.

Fourth, to the extent that there is a U.S. business that handles only encrypted data on which no computational functions can be performed to determine the kinds and volume of data, never accesses the decrypted data in its business, does not have other proxies or metrics to determine the kinds and volumes of data it is transacting, and is subject to the prohibitions and restrictions in the proposed rule, that U.S. business would have choices under the proposed rule. It would be able to engage with the Department and seek an advisory opinion or a specific license tailored to its business. Similarly, it would have choices about how best to comply as part of its individualized, risk-based compliance program. For example, it can choose not to engage in prohibited or restricted transactions with countries of concern or covered persons as part of its individualized risk-based compliance program. If the U.S. business chooses to engage in categories of transactions potentially subject to the proposed rule, it can conduct reasonable due diligence on the source of its encrypted data (such as engaging with and obtaining contractual commitments from its customers) to determine the volume and kinds of data in which it is transacting. Or, if it chooses to engage in restricted transactions with countries of concern or covered persons, it can assume that its transactions involve bulk volumes of sensitive personal data and comply with the security requirements and other applicable conditions out of an abundance of caution.

Even if this hypothetical U.S. business were to choose to engage in categories of transactions potentially subject to the proposed rule, and it voluntarily decided to briefly decrypt the data to determine the kinds and volume of its data as part of its risk-based compliance program, commentors have not provided evidence that such a brief decryption would meaningfully increase the risks of unauthorized access relative to the risks involved in routine decryption for business use. Encryption is one security tool designed to mitigate the risk of unauthorized access to data. Entities should use encryption as a tool whenever possible, including when data is at rest, in transit, and in use. However, using encryption does not eliminate risk or the requirement to perform appropriate due diligence. If an entity is using data at any point or has access to both encrypted data and the encryption key, that entity has full se into and control over the data on its systems for the purposes of this regulation. Entities are responsible for balancing risks within their systems, with encryption serving as one available tool for achieving risk management goals alongside other tools like data governance and data minimization plans, role-based and least-privilege access controls, and identity management through multifactor authentication.

It is the responsibility of the regulated entity to manage risk that already exists, which includes making choices about the best way to manage its own particular risk and tradeoffs between various data risk management strategies, including technical measures like encryption, organizational policies, and access management. Other options include altering commercial activities to minimize the size and scope of covered data transactions and utilizing a strong data governance regime to minimize the type and quantity of data collected. If data cannot remain encrypted while in use, the risk of temporarily decrypting data to comply with regulations can be offset by measures such as well-designed data collection, data management, and data security programs. Given these factors, any risk associated with a hypothetical U.S. business' decision to temporarily decrypt data that would otherwise remain encrypted at all times in the business' life cycle would appear to be much more remote and attenuated than the risk that accrues by allowing the U.S. business to engage in a transaction that grants a country of concern or covered person access to encrypted government-related data or bulk U.S. sensitive personal data.

15. Section 202.222—Government-Related Data

As set forth in § 202.222, the proposed rule would not impose any bulk threshold requirements on transactions involving government-related data. The proposed rule defines subcategories of government-related data for locations and personnel, as contemplated in the ANPRM. For the location subcategory, the proposed rule defines “government-related data” as any precise geolocation data, regardless of volume, for any location within any area enumerated on the Government-Related Location Data List in § 202.1401 that the Attorney General has determined poses a heightened risk of being exploited by a country of concern to reveal insights to the detriment of national security about locations controlled by the Federal Government, including insights about facilities, activities, or populations in those locations, because of the nature of those locations or the personnel who work there. The purpose of this list is to prevent countries of concern from exploiting the geolocation data in these locations, such as by using aggregated geolocation data to draw inferences about facilities, activities, or populations located there that could undermine U.S. national security or foreign policy or to conduct intelligence or counterintelligence operations against government employees or contractors, or against government facilities, as discussed in parts II, IV(D) and V(A) of this preamble. As set forth in the proposed rule, the locations that the Department might add to this list may include the worksites or duty stations of Federal Government employees or contractors who occupy national security positions, as that term is defined in 5 CFR 1400.102(a), wherever they are located. The locations may also include military installations, embassies or consulates, or other facilities worldwide that support the Federal Government in achieving its national security, defense, intelligence, law enforcement, or foreign policy missions. The proposed rule thus modifies the definition contemplated in the ANPRM by setting forth more details about the types of locations that will be listed on the Government-Related Location Data List.

The proposed rule also proposes a format for the Government-Related Location Data List and proposes some areas for inclusion on that List. See § 202.1401. This is not yet a comprehensive list of locations. The Department anticipates that the final rule will include additional locations associated with military, other Government, or other sensitive facilities or locations that meet the criteria in the definition. These locations may include, for example, military bases, embassies, or law enforcement facilities.

For the personnel subcategory, the proposed rule adopts the ANPRM's contemplated definition without change by defining “government-related data” as any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and intelligence community.

Commenters were generally supportive of the proposed rule's protections for government-related data. A few commenters requested that the proposed rule provide clarity as to what constitutes a “former senior official” and a “recent former employee.” The proposed rule defines “recent former employees or contractors” as employees or contractors who have worked for or provided services to the United States Government, in a paid or unpaid status, within the 2 years preceding a proposed covered data transaction. See § 202.245. The proposed rule defines a “former senior official” as either a “former senior employee” or “former very senior employee,” as those terms are defined in the ethics regulations pertaining to post-employment conflicts of interest for former Executive Branch or independent agency employees. 5 CFR 2641.104. See § 202.220.

One commenter expressed concern that, with respect to the personnel subcategory, companies will have to ask individuals whether they are former government employees when collecting their data and retain that information to ensure they can comply with the regulations. The commenter argued that this could have the unintended consequence of inadvertently creating a database of sensitive information that bad actors could target. While the Department appreciates that concern and agrees that this unintended consequence should be avoided, the Department has designed the proposed rule to specifically avoid this problem by defining the personnel subcategory based on how the U.S. person markets the data, not on whether a particular dataset contains data on former government employees or contractors. In other words, the personnel subcategory applies only to transactions in which the U.S. person has already identified and described sensitive personal data as being about certain government personnel. This subcategory does not apply on the basis of the presence or absence of data linked to certain government personnel in the underlying sensitive personal data.

One commenter suggested removing the qualifier that data had to be “marketed” as data about members of the military or intelligence community because certain data can still be “linked or linkable” to members of the military through geolocation without being explicitly marketed as such. As the Order's second category of government-related data confirms, sensitive personal data that is linked to categories of data that could be used to identify current or certain former government personnel can present a national security risk, even if a transacting party does not market it as linked or linkable to those personnel. The Department is still considering how to address this issue, specifically whether to include, and how to define, this category of information in the proposed rule while minimizing the unintended consequence described above in this section. The Department appreciates any views from the public.

16. Section 202.302—Other Prohibited Data-Brokerage Transactions Involving Potential Onward Transfer to Countries of Concern or Covered Persons

As previewed in the ANPRM, the proposed rule also includes a prohibition specific to data brokerage to address transactions involving the onward transfer or resale of government-related data or bulk U.S. sensitive personal data to countries of concern and covered persons.See § 202.302. The proposed rule defines “data brokerage” as the sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data from any person (“the provider”) to any other person (“the recipient”), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. See § 202.214. The proposed rule prohibits any U.S. person from knowingly engaging in a covered data transaction involving data brokerage with any foreign person that is not a covered person unless the U.S. person contractually requires that the foreign person refrain from engaging in a subsequent covered data transaction involving that data with a country of concern or covered person. This narrow circumstance is the only instance in which the proposed rule's regulation of covered data transactions could impact transactions involving third countries ( i.e., U.S. persons' covered data transactions in which a country of concern or covered person is not a party).

Commenters generally supported the feasibility of using contractual requirements to address the resale of data as contemplated in the ANPRM. They noted, however, that it may be difficult for U.S. persons to enforce those requirements or to ensure that the data is not subsequently resold in violation of those provisions. Several aspects of the proposed rule are designed to address these concerns. First, in addition to requiring a contractual commitment from the foreign person not to engage in a subsequent covered data transaction with a country of concern or covered person, as contemplated in the ANPRM, the proposed rule adds a requirement for U.S. persons engaged in such transactions to report any known or suspected violations of the required contractual provision. This requirement creates a mechanism to provide the necessary information for the Department to investigate and take appropriate action to address any violations of the proposed rule. Second, relying on both its own investigations and its investigations of any known or suspected violations reported by private parties, the Department intends to exercise the designation authority under the proposed rule to designate as covered persons, as appropriate, foreign third parties that violate the contractual provisions required by this prohibition. See § 202.701. Third, consistent with the overall approach to compliance and enforcement under the proposed rule, the Department expects U.S. persons engaged in these kinds of data brokerage transactions to take reasonable steps to evaluate whether their foreign counterparties are complying with the contractual provision as part of implementing risk-based compliance programs under the proposed rule. Absent indications of evasion, conspiracy, or knowingly directing prohibited transactions, U.S. persons that conduct adequate due diligence as part of a risk-based compliance program would not have engaged in a prohibited transaction if the foreign counterparty later violates the required contractual provision or if the U.S. person fails to detect such violations. Depending on the circumstances, a U.S. person's failure to conduct adequate due diligence may subject the U.S. person to enforcement actions if that failure would constitute an evasion of the regulations, such as repeatedly knowing of violations by a foreign person and continuing to engage in data-brokerage transactions with that foreign person. The Department welcomes public input on any additional measures that should be considered as part of the final rule. In addition, after the final rule goes into effect, the Department intends to monitor the effectiveness of the measures to address the risk of onward sale and make any appropriate adjustments.

Although not specifically raised by commenters, the Department is considering the specific language used to describe the contractual requirement. As previewed in the ANPRM, the proposed rule frames the contractual requirement as an obligation to provide that the foreign party “refrain from engaging in a subsequent covered data transaction involving the same data with a country of concern or covered person.” See § 202.302(a)(1). The Department invites public comment on this language, including whether any alternative language (such as inserting “knowingly” before “refrain” or “contractually requires that the foreign person use best efforts not to engage”) would be more appropriate.

Commenters expressed varying views about the contemplated definition of “data brokerage.” Several commenters expressed concerns about the breadth of the definition of “data brokerage” in the ANPRM. Some commenters suggested that the proposed term, and in particular the phrase “or similar commercial transactions,” creates uncertainty as to its scope and fails to distinguish between selling data for monetary purposes and transferring data pursuant to normal business operations. Some commenters urged the Department to limit the scope of the proposed rule to “data brokers” by adopting the definition used in existing State privacy laws, such as California's. Others proposed ways that the Department should narrow the definition, including by requiring that the data be sold in exchange for monetary or other valuable consideration; that the data must be the object of the transaction and not shared incident to the development, testing, or sale of a product or service; or that the data must be knowingly transferred or sold. Other commenters suggested that the Department amend the definition of “sale” to exclude the disclosure of sensitive personal data to service providers processing data on behalf of a U.S. company, to third parties for providing products or services requested by a U.S. company, or for disclosures or transfers to subsidiaries or affiliates of U.S. companies. Still other commenters supported the approach contemplated by the ANPRM for defining data brokerage by reference to transactions, not the identities of the parties, noting that the ANPRM's approach is stronger than existing State privacy laws, and encouraged the adoption of a broad definition.

The Department declines to revise the definition of “data brokerage” in response to these comments. The definition of “data brokerage” in the proposed rule is intentionally designed to address the activity of data brokerage that gives rise to the national security risk, regardless of the kind of entity that engages in it. Both first-party data brokerage ( i.e., by the person that directly collected the U.S. person's data) and third-party data brokerage ( i.e., by a person that did not directly collect the U.S. person's data, such as a subsequent reseller) present similar national security risks: the outright sale and transfer of sensitive personal data to a country of concern or covered person. For this reason, the proposed definition intentionally regulates data transactions, including transactions that transfer data to entities in countries of concern for product development, an issue raised by numerous commenters, because those transactions give rise to the risks discussed in the Order. In addition, commenters did not provide any specific evidence that the proposed definition of data brokerage would have any measurable economic impact related to product development or testing. Consequently, the proposed rule maintains the approach described in the ANPRM without change.

A few commenters expressed concern about how this provision might affect the ability of biomedical and pharmaceutical manufacturers to share clinical trial data with drug and device regulators in countries of concern. Relatedly, a few commenters expressed concerns that the proposed rule's inclusion of aggregated and anonymized data would prohibit companies from using clinical trial data to launch clinical trials in countries of concern or sharing safety and efficacy data obtained from clinical trials in the United States with countries of concern. The proposed rule includes two exemptions responsive to these comments, in sections 202.510 and 202.511. These exemptions allow certain transactions relevant to medical research, marketing, and safety, as explained in more detail below.

17. Section 202.303—Prohibited Human Genomic Data and Human Biospecimen Transactions

As previewed in the ANPRM, the proposed rule includes a prohibition to specifically address the risks posed by covered data transactions involving access by countries of concern to U.S. persons' bulk human genomic data and human biospecimens from which that bulk data can be derived, such as covered data transactions that give access to bulk human genomic data to laboratories owned or operated by covered persons or provide them with human biospecimens from which such data can be derived. The proposed rule prohibits any U.S. person from knowingly engaging in any covered data transaction involving human genomic data that provides a country of concern or covered person with access to bulk U.S. sensitive personal data that consists of human genomic data or human biospecimens from which such data could be derived, where the number of U.S. persons in the dataset is greater than the applicable bulk threshold at any point in the preceding 12 months, whether in a single covered data transaction or aggregated across covered data transactions. This prohibition applies to any of the categories of covered data transactions that involve access to bulk human genomic data or human biospecimens from which bulk human genomic data can be derived, even when the transactions involve an employment, investment, or vendor agreement. In other words, transactions falling within the scope of proposed § 202.303 are never treated as restricted transactions under the proposed rule. Relatedly, and as discussed in more detail with respect to the categories of exempt transactions, the proposed rule exempts (1) transactions for the conduct of the official business of the United States Government by employees, grantees, or contractors thereof, or transactions conducted pursuant to a grant, contract, or other agreement entered into with the United States Government, including those for outbreak and pandemic prevention, preparedness, and response; and (2) data transactions, including the sharing of human biospecimens from which human genomic data may be derived, that are required or authorized by certain specified international arrangements addressing global and pandemic preparedness.

One commenter sought clarification that vendor, employment, and investment agreements involving access to bulk human genomic data, or human biospecimens from which such data could be derived, are prohibited transactions under subpart C of the proposed rule rather than restricted transactions under subpart D of the proposed rule. The commenter suggested that the proposed rule should clarify that such vendor, employment, and investment agreements are prohibited because they present the same policy concerns as other categories of transactions involving access to this kind of data. The Department agrees. As shown by Example 49 in the ANPRM, vendor, employment, and investment agreements involving access to this kind of sensitive personal data are prohibited rather than restricted. For the avoidance of doubt, § 202.303 of the proposed rule clarifies that the authorization for restricted transactions, see §§ 202.401-202.402, does not apply to any transactions involving access to bulk human genomic data or bulk human biospecimens.

18. Section 202.304—Prohibited Evasions, Attempts, Causing Violations, and Conspiracies

Adopting the approach contemplated in the ANPRM without change, the proposed rule prohibits any transactions that have the purpose of evading or avoiding the proposed rule's prohibitions, or that cause a violation of or attempt to violate the proposed rule's prohibitions. The proposed rule also prohibits conspiracies formed to violate the proposed rule's prohibitions.

One commenter suggested expanding the scope of the regulations to prohibit transactions involving algorithms or artificial intelligence models that are trained and developed using bulk U.S. sensitive personal data in certain circumstances. The commenter described a scenario in which the transfer of such an algorithm or model provides a means to evade the prohibitions—for example, where a transaction gives a country of concern or covered person access to the model, and the model makes the underlying bulk U.S. sensitive personal data on which it was trained available to that country of concern or covered person. According to the commenter, this access could occur by querying the model in such a way that results in it sharing all of or a highly relevant component of the underlying data on which it was trained, such as a query that resulted in identification of people with a particular medical condition. Apart from concerns over access to the underlying data, a model could also provide insights into counter-intelligence targeting that would not otherwise be observable from the underlying sensitive personal data. The Department shares these concerns. In response to the comment, the proposed rule includes Examples 5 and 6 in § 202.304(b) highlighting how these regulations would apply in certain scenarios where bulk U.S. sensitive personal data would be licensed or sold to support algorithmic development, including cases of evasion, or where sensitive personal data could be extracted from artificial intelligence models. The Department will continue to evaluate the national-security risks in this emerging area as it considers the effectiveness of this regulation. To the extent that there are broader concerns about national-security risks from the export of artificial intelligence models or algorithms regardless of the access they provide to sensitive personal data (such as their ability to provide insights that would not otherwise be observable from the data on which they are trained), the Department believes that other authorities, such as export controls and Executive Order 13859 of February 11, 2019 (Maintaining American Leadership in Artificial Intelligence), are more appropriate in the first instance to address those concerns.

19. Section 202.305—Knowingly Directing Prohibited Transactions

Adopting the approach contemplated in the ANPRM without change, the proposed rule prohibits U.S. persons from knowingly directing any covered data transaction that would be a prohibited transaction (including restricted transactions that do not comply with the security requirements) if engaged in by a U.S. person.

20. Section 202.215—Directing

Adopting the approach contemplated in the ANPRM without change, the proposed rule defines “directing” to mean that the U.S. person has any authority (individually or as part of a group) to make decisions on behalf of a foreign entity and exercises that authority. For example, a U.S. person would direct a transaction by exercising their authority to order, decide to engage, or approve a transaction that would be prohibited under these regulations if engaged in by a U.S. person.

21. Section 202.230—Knowingly

Adopting the approach contemplated in the ANPRM without change, the proposed rule defines “knowingly” to mean, with respect to conduct, a circumstance, or a result, that the U.S. person had actual knowledge of, or reasonably should have known about, the conduct, circumstance, or result. To determine what an individual or entity reasonably should have known in the context of prohibited transactions, the Department will take into account the relevant facts and circumstances, including the relative sophistication of the individual or entity at issue, the scale and sensitivity of the data involved, and the extent to which the parties to the transaction at issue appear to have been aware of and sought to evade the application of these proposed rules. As a result of the knowledge standard, the regulations incorporating the word “knowingly” do not adopt a strict liability standard.

The “knowingly” language is also not intended to require U.S. persons, in engaging in vendor agreements and other classes of data transactions with foreign persons, to conduct due diligence on the employment practices of those foreign persons to determine whether the foreign persons' employees qualify as covered persons. For instance, as illustrated by Examples 37 and 38 in the ANPRM, which are incorporated into the proposed rule, it would not be a prohibited transaction for a U.S. person to enter into a vendor agreement to have bulk U.S. sensitive personal data processed or stored by a foreign person that is not a covered person, even if that foreign person then employs covered persons and grants them access to the data (absent any indication of evasion or knowing direction). In those circumstances, the U.S. person would not be expected to conduct due diligence on the foreign person's employment practices as part of its risk-based compliance program.

Several commenters sought clarity about liability where service providers have little or no knowledge of the data that customers keep or transact on their infrastructure. They also requested that the Department distinguish between data controllers and data processers. In response to these comments, the proposed rule has provided additional examples to clarify the function of the “knowingly” standard. See § 202.230(b)(2)-(6). As the examples demonstrate, if a U.S. entity merely provides a software platform or owns or operates infrastructure for a U.S. customer, and thus does not know or reasonably should not know of the kind or volume of data involved, then the U.S. entity generally would not “knowingly” engage in a prohibited transaction if the U.S. customer uses their platform or infrastructure to engage in a prohibited transaction. Instead, the U.S. customer would generally be responsible for having “knowingly” engaged in the prohibited transaction. Likewise, if a U.S. entity merely stores encrypted data on behalf of a U.S. customer and does not have access to the encryption key (or has access only to an emergency backup encryption key usable only at the customer's explicit request), and if the U.S. entity is reasonably unaware of the kind or volume of data involved, the U.S. entity generally would not meet the “knowingly” standard of the proposed rule.

The Department declines, however, to draw a categorical distinction between processors and controllers in the proposed rule. Inserting a categorical distinction based on the kind of entity would be inconsistent with the structure and overall approach of the proposed rule, which addresses activities that present an unacceptable national security risk. In addition, as the new examples illustrate, the same kinds of entities can engage in different kinds of activities, some of which (such as merely providing a software platform) raise different risks than others (such as providing a software platform and services to handle and process the data). The “knowingly” standard provides the requisite flexibility to address the national security risks while providing a basis to distinguish responsibility based on the activities and roles that particular entities may have. The proposed rule thus adopts the approach described in the ANPRM with the additional examples described above in this section to illustrate the “knowingly” standard.

Similarly, one comment sought clarification that the proposed rule would apply only to U.S. persons that have or maintain control over the bulk U.S. sensitive personal data involved in a prohibited or restricted transaction. As the commenter explained, an automobile manufacturer should not have compliance obligations with respect to bulk U.S. sensitive personal data that is transferred via an aftermarket device that was installed in a vehicle fleet by the owner. As previewed in the ANPRM, the proposed rule imposes prohibitions and restrictions only on U.S. persons that are engaged in covered data transactions that meet certain criteria. In the commenter's example, the U.S. automobile manufacturer has not engaged in a covered data transaction with respect to the aftermarket device. As a result, no change was made to the proposed rule in response to this comment.

B. Subpart D—Restricted Transactions

1. Section 202.401—Authorization To Conduct Restricted Transactions; Section 202.402—Incorporation by Reference

The proposed rule sets forth three classes of transactions (vendor agreements, employment agreements, and investment agreements) that are prohibited unless the U.S. person entering into the transactions complies with the “security requirements” referenced in section 202.248. The goal of the proposed security requirements is to address national security and foreign-policy threats that arise when countries of concern and covered persons access government-related data or bulk U.S. sensitive personal data that may be implicated by the categories of restricted transactions. The security requirements have been developed and proposed by the Cybersecurity and Infrastructure Security Agency (“CISA”) in coordination with the Department. CISA has published the proposed requirements—the CISA Proposed Security Requirements for Restricted Transactions—on its website, as announced via a Federal Register notice requesting comment on those proposed security requirements issued concurrently with this proposed rule. The proposed security requirements require U.S. persons engaging in restricted transactions to comply with organizational and system-level requirements, such as ensuring that basic organizational cybersecurity policies, practices, and requirements are in place, as well as data-level requirements, such as data minimization and masking, encryption, or privacy-enhancing techniques. After CISA receives and considers public input, it will revise as appropriate and publish the final security requirements. The Department of Justice will then incorporate by reference the published final security requirements in the final rule that the Department issues. Interested parties can view CISA's proposed security requirements on CISA's website at https://www.cisa.gov/ and can review CISA's notice requesting comments on the proposed security requirements in the notice docketed as CISA-2024-0029 (October 29, 2024).

The proposed rule also clarifies that restricted transactions are not prohibited only if they comply with the security requirements and other applicable requirements for conducting restricted transactions. The proposed rule includes a new example that makes it clear that U.S. persons engaging in restricted transactions may not, absent a license, use measures other than the security requirements and other applicable conditions to mitigate the risk posed by country-of-concern or covered-person access.

Some commenters provided feedback on the security requirements that would govern restricted transactions. As explained in the ANPRM, CISA will be soliciting comments on the proposed security requirements as part of a separate notice-and-comment process in parallel with this NPRM, and the Department urges commenters to provide any comments on the security requirements through that process.

2. Section 202.258—Vendor Agreement

The proposed rule defines a “vendor agreement” as any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration. The ANPRM contemplated defining the term “cloud-computing services” as that term is defined in NIST Special Publication (“SP”) 800-145. NIST SP 800-145 describes cloud computing in a way that includes different essential characteristics, deployment models, and service models, such as “Infrastructure as a Service (IaaS),” “Platform as a Service (PaaS),” and “Software as a Service (SaaS).” Because cloud computing is just one example of several types of services that may be involved in a vendor agreement, it does not appear useful to separately or specially define that term in the proposed rule at this time. The Department may consider issuing guidance in the future that describes cloud computing in reference to the NIST definition.

3. Section 202.217—Employment Agreement

The proposed rule defines an “employment agreement” as any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.

4. Section 202.228—Investment Agreement

The proposed rule defines an “investment agreement” as any agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to (1) real estate located in the United States or (2) a U.S. legal entity. The proposed rule categorically excludes certain passive investments that do not pose an unacceptable risk to national security because they do not give countries of concern or covered persons a controlling ownership interest, rights in substantive decision-making, or influence through a non-controlling interest that could be exploited to access government-related data or bulk U.S. sensitive personal data. Specifically, the proposed rule excludes from “investment agreement” investments (1) in any publicly traded security, in any security offered by any investment company that is registered with the United States Securities and Exchange Commission, such as index funds, mutual funds, exchange-traded funds, or made as limited partners (or equivalent) into a venture capital fund, private equity fund, fund of funds, or other pooled investment fund, if the limited partner's contributions and influence are circumscribed as set forth in the proposed rule; (2) that give the covered person less than 10 percent of total voting and equity interest in a U.S. person; and (3) that do not give a covered person rights beyond those reasonably considered to be standard minority shareholder protections.

With respect to the requirement of a de minimis percentage of total voting and equity interest, the Department is considering a range of different proposals. The proposed rule's definition of “investment agreement” would apply to investments that give a covered person a certain percentage or more of total voting and equity interest in a U.S. person, even where that investment is not accompanied by other formal rights beyond standard minority shareholder protections. The proposed rule would include this de minimis threshold to account for the unacceptable national security risk posed by otherwise passive investments that may provide investors with meaningful economic leverage or informal influence over access to a company's assets (like sensitive personal data) even when the investors do not obtain formal rights, control, or access beyond standard minority shareholder protections. The proposed rule would tentatively set this threshold number at 10 percent to exclude truly passive investments while also capturing investments that informally may provide covered persons with influence that presents unacceptable national security risks. The Department is also considering de minimis thresholds that are significantly lower and higher than this percentage, such as the 5 percent threshold above which investors must publicly report their direct or indirect beneficial ownership of certain covered securities under the Securities Exchange Act of 1934, 15 U.S.C. 78m(d). As a result, the final figure in the proposed rule could potentially cover passive investments that provide less (or more) than 10-percent voting and equity interests in a U.S. person. The Department invites public comment on the specific de minimis threshold that should be used in this exception for passive investments.

C. Subpart E—Exempt Transactions

As previewed in the ANPRM, the proposed rule exempts several classes of data transactions from the scope of the proposed rule's prohibitions.

1. Section 202.501—Personal Communications; Section 202.502—Information or Informational Materials; and Section 402.503—Travel

The proposed rule exempts three classes of data transactions to the extent that they involve data that is statutorily exempt from regulation under IEEPA: personal communications, information or informational materials, and data that is ordinarily incident to travel to or from another country.

One comment suggested clarifying that the exemption for personal communications that do “not involve a transfer of anything of value” under 50 U.S.C. 1702(b)(1) is “inclusive of business and commercial transactions.” The proposed rule makes no change in response to this comment, as the clarification does not seem necessary at this time, given the scope of the statutory exemption and the proposed rule. Section 1702(b)(1) applies to any “personal communication,” so it would be inappropriate to rely on that statutory language to exempt, as this comment suggests, “business and commercial transactions.” Further, the categories of sensitive personal data encompassed by the proposed rule do not include any personal communications. For example, fingerprints and other biometric identifiers, human genetic testing results, and data about financial assets and liabilities are not “communications” from one person to another. Any clarification of the phrase “a transfer of anything of value,” therefore, does not appear necessary. To the extent the commenters, a group of trade associations representing telecommunications providers, are concerned that personal communications between individuals that do not involve a transfer of anything of value are business transactions from their perspective, as purveyors of telecommunications services, the Department refers the commenters to the qualified exemption for telecommunications services in proposed § 202.509.

The Department discusses the exemption for information or informational materials in part VI of this preamble.

Although not raised by commenters, the proposed rule also adds a separate exemption for data transactions that are ordinarily incident to travel to or from another country, such as arranging travel or importing baggage for personal use. This exemption implements and tracks the statutory exemption in 50 U.S.C. 1702(b)(4).

2. Section 202.504—Official Business of the United States Government

Adopting the approach contemplated in the ANPRM without change, the proposed rule exempts data transactions to the extent that they are for (1) the conduct of the official business of the United States Government by its employees, grantees, or contractors; (2) any authorized activity of any United States Government department or agency (including an activity that is performed by a Federal depository institution or credit union supervisory agency in the capacity of receiver or conservator); or (3) transactions conducted pursuant to a grant, contract, or other agreement entered into with the United States Government. Most notably, this exemption would exempt grantees and contractors of Federal departments and agencies, including the Department of Health and Human Services, the Department of Veterans Affairs, the National Science Foundation, and the Department of Defense, so that those agencies can pursue grant-based and contract-based conditions to address risks that countries of concern can access sensitive personal data in transactions related to their agencies' own grants and contracts, as laid out in section 3(b) of the Order—without subjecting those grantees and contractors to dual regulation.

3. Section 202.505—Financial Services

Section 2(a)(v) of the Order exempts any transaction that is “ordinarily incident to and part of the provision of financial services, including banking, capital markets, and financial insurance services, or required for compliance with any Federal statutory or regulatory requirements, including any regulations, guidance, or orders implementing those requirements.” The proposed rule defines these exempt transactions in further detail. Notably, the proposed rule exempts the transfer of personal financial data or covered personal identifiers incidental to the purchase and sale of goods and services (such as the purchase, sale, or transfer of consumer products and services through online shopping or e-commerce marketplaces, while still prohibiting these marketplaces from conducting data transactions that involve data brokerage), as well as exempting the transfer of personal financial data or covered personal identifiers for the provision or processing of payments or funds transfers.

Numerous commenters expressed support for the financial-services exemption. Commenters expressed appreciation for the exemption's careful scoping to enable business and commercial transactions. Commenters sought specific edits to the payment-processing part of the exemption to ensure that it covers operations involving payment dispute resolution, payor authentication, tokenization, payment gateway, payment fraud detection, payment resiliency, mitigation and prevention, and payment-related loyalty point program administration. The Department appreciates these suggested clarifications, and the proposed rule incorporates these proposed edits by explicitly adding the provision of services ancillary to processing payments and funds transfers, with the suggested examples, to the list of exempt financial services transactions. The financial-services exemption aims to identify the low-risk business and commercial transactions that should continue unimpeded while also ensuring that the Order and its implementing regulations do not serve as a broader economic decoupling from countries of concern. These edits are consistent with that purpose.

Another commenter also suggested that investment-management services be included in the financial-services exemption. The Department does not intend to impede activities that are ordinarily incident to and part of the provision of investment-management services that manage or provide advice on investment portfolios or individual assets for compensation (such as devising strategies and handling financial assets and other investments for clients) or provide services ancillary to investment-management services (such as broker-dealers executing trades within a securities portfolio based upon instructions from an investment advisor). For further clarity, the proposed rule explicitly adds investment-management services to the financial-services exemption set out in §§ 202.505(a)(1) and 202.505(a)(6).

One commenter requested an exemption for cargo-related information containing listed identifiers. The Department believes this comment is focused on scenarios in which bulk personal identifiers are transferred as part of shipping purchased goods internationally. The Department declines to adopt a separate exemption, or an expansion of the scope of the exemption for transfers of data required by or authorized by Federal law or international agreement, for cargo-related information because the proposed rule already exempts the transfer of personal financial data or covered personal identifiers incidental to the purchase and sale of goods and services. This existing exemption appears to adequately address the scenario raised by the commenter. Thus, the proposed rule adopts the approach described in the ANPRM.

Although not raised by any commenters, the Department is also considering whether and how the financial-services exemption should apply to employment and vendor agreements between U.S. financial-services firms and covered persons where the underlying financial services provided do not involve a country of concern. Under this exemption, U.S. persons would be required to evaluate whether a particular data transaction (such as a transaction involving data brokerage or a vendor, employment, or investment agreement) is “ordinarily incident to and part of” the provision of financial services such that it is treated as an exempt transaction. At one end of the spectrum, and as previewed by Example 53 in the ANPRM, if a U.S. financial institution or financial-services company uses a data center operated by a covered person in a country of concern to facilitate payments to U.S. persons in that country of concern, the proposed rule would treat that vendor agreement as “ordinarily incident to and part of” the facilitation of those payments—and thus exempt.See § 202.505(b)(3). On the other end of the spectrum, and as previewed by Example 27 in the ANPRM, if a U.S. financial institution or financial-services company hires a covered person as a data scientist with access to its U.S. customers' bulk personal financial data to develop a new app that could be sold as a standalone product to the company's customers, the proposed rule would treat this employment agreement as not “ordinarily incident to and part of” the financial services provided by the U.S. company—and thus not exempt.See § 202.217(b)(4).

Between those two ends of the spectrum, the Department is considering whether the transactions in the following new examples should be treated as exempt transactions or as restricted transactions:

• New example in § 202.505(b)(4). Same as Example 3 ( see § 202.505(b)(3)), but the underlying payments are between U.S. persons in the United States and do not involve a country of concern: A U.S. bank or other financial institution, to facilitate payments that do not involve a covered person or country of concern ( e.g., between U.S. persons in the United States), stores and processes the customers' bulk financial data using a data center operated by a third-party service provider in a country of concern, which is a covered person. Should the vendor agreement with the covered person, which is otherwise a restricted transaction, be treated as “ordinarily incident to and part of” the U.S. financial institution's facilitation of payments that do not involve a covered person or country of concern?
• New example in § 202.505(b)(12). A U.S. company provides wealth-management services and collects bulk personal financial data on its U.S. clients. The U.S. company appoints a citizen of a country of concern, who is located in a country of concern, to its board of directors. In connection with the board's data security and cybersecurity responsibilities, the director could access the bulk personal financial data. Should the employment agreement with the covered person as a board director, which is otherwise a restricted transaction, be treated as “ordinarily incident to and part of” the U.S. company's provision of wealth-management services to its U.S. clients?

The Department is tentatively considering treating the transactions in both examples as restricted transactions because it does not believe that an employment agreement (including the hiring of board members) or a vendor agreement that gives a covered person access to U.S. persons' bulk sensitive personal data is a reasonable and typical practice in providing the underlying financial services that do not otherwise involve covered persons or a country of concern. These transactions therefore appear to pose the same unacceptable national security risk regardless of the kinds of underlying services provided by the U.S. person. The Department welcomes public comment to inform its resolution of this issue, including the extent to which it is reasonable, necessary, and typical practice for U.S. financial-services firms to hire covered persons as employees or vendors with access to U.S. persons' bulk sensitive personal data as part of providing financial services that do not involve a country of concern; why U.S. financial-services firms hire covered persons instead of non-covered persons in those circumstances; and any additional compliance costs that would be incurred if the transactions in these examples were treated as restricted transactions. In addition, after issuance of the final rule, the Department intends to consult the Department of the Treasury and Federal financial regulatory agencies as part of issuing any guidance or advisory opinions regarding the application of the financial-services exemption.

4. Section 202.506—Corporate Group Transactions

As previewed in the ANPRM, the proposed rule exempts covered data transactions to the extent that they are (1) between a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern; and (2) ordinarily incident to and part of administrative or ancillary business operations (such as sharing employees' covered personal identifiers for human-resources purposes; payroll transactions like the payment of salaries and pensions to overseas employees or contractors; paying business taxes or fees; purchasing business permits or licenses; sharing data with auditors and law firms for regulatory compliance; and risk management). The ANPRM called this exemption “intra-entity transactions.” For greater clarity and accuracy, the proposed rule revises the name of this exemption to “corporate group transactions.”

Some commenters requested that the Department broaden the corporate group transactions exemption to include routine business activities performed by third-party service providers. Similarly, commenters proposed augmenting the same exemption to include suppliers and other third-party vendors who are contractually bound to maintain privacy requirements and who engage in product and services development, research, and improvement activities for U.S. companies. The Department declines to incorporate these suggestions because they would not adequately mitigate the threats posed by access to government-related data or bulk U.S. sensitive personal data by a country of concern or covered person. Thus, the proposed rule adopts the approach described in the ANPRM without change, permitting restricted transactions involving vendor agreements to proceed as long as they comply with the proposed rule's security requirements designed to mitigate access to the sensitive personal data by countries of concern and covered persons.

One commenter requested clarification that it would not be a prohibited transaction for a U.S. company to provide access to a global company staff directory to its business office and employees located in a country of concern. Consistent with the approach contemplated in the ANPRM, this scenario would not be a prohibited or restricted transaction under the proposed rule for two independent reasons. First, a company directory containing only contact or demographic data linked to other contact or demographic data would not fall within the definition of “covered personal identifiers” and thus would not constitute government-related data or bulk U.S. sensitive personal data. As a result, there would be no covered data transaction in providing such a directory. Second, the U.S. company's sharing of the directory would not be a prohibited or restricted transaction, regardless of whether the business office is a foreign branch or a subsidiary or affiliate: if the business office in the country of concern is a branch of the U.S. company, the branch is part of the same “U.S. person” as the U.S. company, and the U.S. company has not engaged in any transaction with a foreign person in the first place. If, by contrast, the business office is a subsidiary or affiliate of the U.S. company, the sharing is an exempt corporate group transaction because a transaction within a corporate group granting its employees access to a company directory is ordinarily incident to ancillary or administrative business operations. (In different circumstances where that exemption is not applicable, a transaction within a corporate group that gives an employee who is a covered person access to government-related data or bulk U.S. sensitive personal data would generally be a restricted employment agreement.)

5. Section 202.507—Transactions Required or Authorized by Federal Law or International Agreements, or Necessary for Compliance With Federal Law

As previewed in the ANPRM, the proposed rule exempts covered data transactions to the extent that they are required or authorized by Federal law, international agreements or specified global health and pandemic preparedness measures, or necessary for compliance with Federal law.

Some commenters requested clarity about whether the exemption for regulatory compliance (which the ANPRM contemplated as part of the financial-services exemption) applies to compliance with all Federal law, not just financial laws. The Department acknowledges that this is a correct understanding of this exemption. To improve clarity and reflect this understanding, the proposed rule moves the exemption for compliance with Federal law from the financial-services exemption to a standalone subpart of the exemption for transactions required or authorized by Federal law or international agreements.

The proposed rule clarifies that, with respect to international agreements authorizing or requiring data transactions, the exemption applies only to international agreements to which the United States is a party. Some commenters requested a non-exhaustive list of international agreements to which this exemption applies. The proposed rule adds an illustrative list of specific international agreements to which this exemption applies.

One commenter sought clarification on whether transactions required or authorized by international agreements include transactions in accordance with arrangements that facilitate international commercial data flows, such as the Global Cross-Border Privacy Rules (“G-CBPR”) and Global Privacy Recognition for Processors (“G-PRP”) Systems of the Global Cross-Border Privacy Rules Forum (“Global CBPR Forum”) and the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“APEC CBPR”) and APEC Privacy Recognition for Processors Systems. These arrangements are outside the scope of the exemption for international agreements. These arrangements consist of frameworks for coordinating national regulatory measures, and they do not facilitate the sharing of data between the U.S. and a country of concern. Thus, data transactions covered by this proposed rule would not be “pursuant to these arrangements as necessary to meet the definitional requirements of the exemption. The Department further declines to expand the scope of the exemption to incorporate these arrangements, which are designed to address general privacy concerns and other issues rather than the national security risks detailed in the Order. The same commenter also sought clarity as to whether the EU-U.S. Data Privacy Framework (“DPF”) would be such an international agreement. The EU-U.S. DPF is similarly an arrangement that falls outside the scope of the exemption. The EU-U.S. DPF fulfills different objectives than the proposed rule and does not facilitate the sharing of information between a U.S. person and a country of concern or covered person. For example, under the EU-U.S. DPF and pursuant to Executive Order 14086 of October 7, 2022 (Enhancing Safeguards for United States Signals Intelligence Activities), the Attorney General determined that the laws of EU/European Economic Area countries require appropriate safeguards for signals intelligence activities affecting U.S. persons' personal data. ⁷⁷ Furthermore, while DPF- and APEC CBPR-certified companies are subject to domestic law, including the Order, no DPF or APEC CBPR countries or jurisdictions are currently designated as countries of concern under this Executive Order. As such, the provisions of the Order would not apply to transfers conducted in reliance on the DPF or APEC CBPR, and any data transactions that the proposed rule does cover would not be “pursuant to” such arrangements as required for this exemption. Therefore, the proposed rule adopts the approach contemplated by the ANPRM without change.

6. Section 202.508—Investment Agreements Subject to a CFIUS Action

Adopting the approach contemplated by the ANPRM, the proposed rule exempts investment agreements to the extent that they are the subject of a “CFIUS action” as defined in section 202.207 ( i.e., CFIUS has suspended a proposed or pending transaction, or entered into or imposed mitigation measures to address a national security risk involving access to sensitive personal data by countries of concern or covered persons). The rationale for this approach is discussed separately in part IV.K of this preamble.

7. Section 202.509—Telecommunications Services

The proposed rule exempts transactions that are ordinarily incident to and part of telecommunications services.

Multiple commenters requested that the proposed rule include an additional exemption for data that is incidental to the provision and delivery of communications services. They asked that this kind of data be carved out from the scope of any restrictions on sensitive personal data for consumers, enterprises, and governments, including but not limited to international calling, mobile voice, and data roaming. Commenters also requested that communications service providers be able to use, disclose, or permit access to covered data obtained from their customers, either directly or indirectly through agents, to initiate, render, bill, and collect for communications services. These commenters assert that global commerce relies on effective and efficient global communications, that restrictions on such bulk U.S. sensitive personal data could hinder the ability of Americans to communicate globally, and that the United States Government has long held a policy of ensuring that communications are enabled even with countries subject to U.S. sanctions.

The Department appreciates the need to ensure Americans' ability to communicate globally, including with and in countries of concern, and does not intend for these regulations to impede the ability of U.S. telecommunications service providers to operate. Accordingly, the Department has included in the proposed rule an exemption that seeks to address this concern. The proposed exemption is intended to be narrowly tailored to ensure that U.S. telecommunications service providers retain the ability to operate unimpeded while also continuing to mitigate the national security risk associated with data brokerage ( i.e., the sale of or leasing of access to customer data) to countries of concern and covered persons.

8. Section 202.510—Drug, Biological Product, and Medical Device Authorizations

Under the proposed rule, certain data transactions necessary to obtain and maintain regulatory approval to market a drug, biological product, medical device, or combination product in a country of concern would be exempt from the prohibitions in the proposed rule. This exemption balances the need to mitigate the risks to U.S. national security from the unrestricted transfer of bulk U.S. sensitive personal data to countries of concern against the scientific, humanitarian, and economic interests in enabling the sale of medicines in those countries. The proposed rule includes reporting requirements that will allow the Department to maintain visibility on the type and amount of data that is being transmitted to countries of concern under this exemption.

This exemption is limited to data that is de-identified; required by a regulatory entity to obtain or maintain authorization or approval to research or market a drug, biological product, device, or combination product ( i.e., covered product); and reasonably necessary to evaluate the safety and effectiveness of the covered product. For example, de-identified data that is gathered in the course of a clinical investigation and would typically be required for Food and Drug Administration (“FDA”) approval of a covered product would generally fall within the exemption. Conversely, clinical participants' precise geolocation data, even if required by a country of concern's regulations, would fall outside the scope of the exemption because such data is not reasonably necessary to evaluate safety or effectiveness.

The Department recognizes that data collection and submission continue beyond the initial regulatory approval process, and it intends the term “regulatory approval data” to include data from post-market clinical investigations (conducted under applicable FDA regulations, including 21 CFR parts 50 and 56), clinical care data, and post-marketing surveillance, including data on adverse events. For example, where continued approval to market a drug in a country of concern is contingent on submission of data from ongoing product vigilance or other post-market requirements, the exemption applies.

The exemption applies even where FDA authorization for a product has not been sought or obtained. The Department does not, in these regulations, intend to require U.S. companies to first seek authorization to market a product in the United States before seeking regulatory approval from a country of concern.

The exemption is limited to transactions that are necessary to obtain or maintain regulatory approval in the country of concern. The Department specifically invites comments on the types of transactions that are necessary to that end. By way of illustration, Example 3 of § 202.510, as proposed, would not exempt a vendor or employment agreement with a covered person to prepare data for submission to a country of concern's regulatory entity because the Department does not currently believe that such transactions are necessary to obtain regulatory approval. The Department seeks comments on whether, and why, such a vendor or employment agreement with a covered person to prepare data for submission is necessary and should be exempt.

As Example 3 reflects, the Department does not currently believe that it is reasonably necessary to use a covered person—as opposed to services provided by the U.S. company itself or by a non-covered person—to prepare data for regulatory submission. Although the marginal risk to national security from granting additional covered persons access to the submission data may be low, given that the submission data is ultimately being transferred directly to the government of a country of concern, the Department believes that a third-party vendor in this scenario may require access to a broader set of data than the regulatory body itself. At the same time, the Department recognizes that regulatory and legal expertise relevant to a country of concern is likely to be concentrated in the country of concern. Employment and vendor transactions in this context would be restricted, not prohibited, transactions, and generally could proceed if the requirements applicable to restricted transactions were followed. The Department welcomes comments that address this scenario and other similar transactions, including the potential impacts to clinical research, medical product development and authorizations, and companies' business practices and operations, as well as the feasibility of obtaining regulatory approval without engaging covered persons to access bulk U.S. sensitive personal data or if such engagements are subject to the security, recordkeeping, and reporting requirements applicable to restricted transactions.

The exemption requires that parties engaged in transactions involving regulatory approval data with countries of concern nonetheless comply with the recordkeeping and reporting requirements otherwise applicable to U.S. persons engaged in restricted transactions, because of the heightened national security risk that arises from transmitting U.S. sensitive personal data or government-related data directly to a government entity in a country of concern.

The Department seeks comment on the proposed scope of this exemption, including on the definition of regulatory approval data and the extent to which data submissions to regulatory entities in countries of concern may involve personally identifiable data.

9. Section 202.511—Other Clinical Investigations and Post-Marketing Surveillance Data

A few commenters expressed concerns that the proposed rule's inclusion of aggregated and anonymized data would prohibit companies from launching clinical investigations in countries of concern. Commenters also noted the possibility that overly restrictive prohibitions might harm biopharmaceutical innovation. The Department has considered these comments and agrees that some exemption or accommodation for clinical research may be appropriate. The Department proposed the exemption in § 202.511 for that purpose. To help inform the appropriate contours of the proposed provision, the Department invites additional comments that illustrate the scope of transactions that might be subject to the proposed rule's restrictions and prohibitions and the consequences for clinical research if the proposed prohibitions and restrictions were applied to that context.

The United States has a national security interest in the development, authorization, and availability of medical products, including medical countermeasures to diagnose, treat, or prevent serious or life-threatening diseases or conditions that may be attributable to biological, chemical, radiological, or nuclear agents. The Department seeks to mitigate the national security risk described in the Order without unduly burdening the biomedical innovation that benefits U.S. persons. The Department is considering how to effectively strike that balance and how to scope an exemption for transactions related to or supporting FDA-regulated research to meet that goal.

The Department is considering the scope of a possible exemption along three axes. First, in terms of the types of data that would be within the exemption; second, in terms of the types of transactions involving that data that would be exempted; and third, in terms of the duration of any exemption.

On the first axis, the Department anticipates that any exemption would concern data obtained in the course of clinical investigations related to drugs, biological products, devices, and combination products, as those terms are defined in the Federal Food, Drug, and Cosmetic Act (“FD&C Act”) and FDA regulations. The Department believes that these products raise the most significant countervailing economic, health, and scientific concerns that might outweigh the national security interests otherwise at stake. The Department seeks comment on whether the exemption should exempt clinical investigations data related to other products, such as foods (including dietary supplements) that bear a nutrient content claim or a health claim, food and color additives, and electronic products, as those terms are defined in the FD&C Act.

The Department also recognizes the existing regulatory framework in these contexts and is evaluating whether these provisions adequately reduce the national security risk associated with the transfer of bulk U.S. sensitive personal data to a country of concern or covered person. The FD&C Act and FDA regulations provide a robust framework to protect the confidentiality and privacy of data collected from subjects in clinical investigations. This current framework of statutory and regulatory requirements protects the rights and safety of human subjects, ensuring that their private information is handled securely. For example, section 505(i) (21 U.S.C. 355(i)) and section 520(g) (21 U.S.C. 360j(g)) of the FD&C Act address the use of investigational new drugs and investigational devices, respectively, in clinical investigations and require that informed consent be obtained from subjects, with certain exceptions.

The implementing regulations established by the FDA in 21 CFR parts 50, 56, 312, and 812 include various requirements, including related to informed consent of human subjects and Institutional Review Boards (“IRBs”). For example, 21 CFR part 56 details requirements for IRB review, approval, and ethical oversight of FDA-regulated clinical investigations. Information about the confidentiality of records must be given to prospective subjects as part of informed consent (21 CFR 50.25(a)(5)), and to approve research, an IRB must determine that, where appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data (21 CFR 56.111(a)(7)). In addition, FDA regulations in 21 CFR part 11 establish requirements to ensure the authenticity, integrity, and, when appropriate, confidentiality of certain electronic records (21 CFR 11.10, 11.30). The FDA further issued a proposed rule in September 2022 proposing to require that certain information about future secondary use of subjects' information or biospecimens be provided to prospective subjects.

These regulations are principally focused on patient privacy, however, and do not directly address the national security concerns that animate the Order. As the Department has explained elsewhere in this preamble, privacy protections, in general, focus on addressing individual rights and preventing individual harm by protecting individuals' right to control the use of their own data and reducing the potential harm to individuals by minimizing the collection of data on the front end and limiting the permissible uses of that data on the back end. National security measures, by contrast, focus on collective risks and externalities that may result from how individuals and businesses choose to sell and use their data, including in lawful and legitimate ways. But the Department is evaluating whether these existing regulations—for example, the requirements for informed consent under 21 CFR part 50—could offer sufficiently robust protection to also mitigate national security concerns.

The exemption would also apply to clinical care data indicating real-world performance or safety of products, or post-marketing surveillance data (including pharmacovigilance and post-marketing safety monitoring), where necessary to support or maintain authorization by the FDA. These submissions to FDA involve deidentified data and the exemption arising under proposed § 202.511(a)(2) would apply only to deidentified data.

On the second axis, the Department is considering what kinds of transactions to exempt when they involve data that implicates the exemption—such as, hypothetically, bulk U.S. sensitive personal data collected in the course of an FDA-regulated clinical investigation to develop a drug. One possibility would be to exempt all transactions that are part of the conduct of the investigation. Another possibility would be to limit an exemption to only certain types of transactions that are especially important to the conduct of a clinical investigation and that cannot feasibly be avoided without jeopardizing the clinical investigation.

The Department does not intend to categorically preclude clinical investigations from being conducted in a country of concern and does not believe that the proposed rule, even without a clinical investigation-focused exemption, does so. The proposed rule generally does not prohibit or restrict the flow of data from a country of concern to the United States and does not apply to data unrelated to U.S. persons. The Department seeks additional comments on whether, why, and to what extent it would be necessary for U.S. persons to transmit bulk U.S. sensitive personal data to a covered person in order to support a clinical investigation taking place in a country of concern.

For example, the Department has considered the following hypothetical:

• A U.S. sponsor conducts a clinical investigation to determine the safety and effectiveness of an investigational drug product. The clinical investigation involves a multinational trial with both U.S. citizens and non-U.S. citizens enrolled in the trial at different sites across the world, including in a country of concern, to support authorization of the product in the intended use populations. As part of the investigation, and pursuant to an employment or vendor agreement, the sponsor transmits bulk U.S. sensitive personal data to covered persons in the country of concern to conduct a data analysis of the product's safety and effectiveness across different population groups. This clinical investigation supports an application for a marketing permit for a product regulated by the FDA (i.e., a drug for human use). The trial in this example is subject to the FDA's regulatory framework for clinical investigations.

The Department believes that, absent an exemption, the employment or vendor agreement described in this hypothetical would be a restricted transaction (or a prohibited transaction, if it involves the transfer of bulk human genomic data or biospecimens from which such data could be derived). The Department seeks comments on whether such a vendor agreement should be considered to be “ordinarily incident to and part of” a clinical investigation; how prevalent and important the practice of sending bulk U.S. sensitive personal data to a covered person in a country of concern is; and the potential impacts to clinical research, medical product development and authorization, and industry if such transactions were restricted or prohibited.

The Department also seeks comments on how these concerns apply in post-marketing scenarios, such as pharmacovigilance and post-marketing safety monitoring necessary to support or maintain authorization. For example, the Department has considered the following hypothetical:

• A U.S. pharmaceutical company is required to submit reports to the FDA of adverse events related to its FDA-approved drug for human use, consistent with the requirements under21 CFR 314.80. The firm markets many other drug products; has a wide global distribution, including in a country of concern; and receives thousands of reports per year for its various marketed products. Under a vendor agreement, the firm may outsource processing of these reports to entities outside of the United States, including in a country of concern. The firm may also need to exchange adverse event information about its FDA-approved drug product with its distributors in a country of concern to pool the data and identify any adverse events trends across different population groups or conditions of use and submit those data to the FDA.

As in the context of the clinical investigation, the Department believes that, absent an exemption, the vendor agreements described in this hypothetical would be restricted or prohibited. The Department seeks comments on how pervasive and important the practice of outsourcing the processing of adverse event reports to a covered person is, as well as on how pervasive and important it is to share adverse event information concerning U.S. persons with drug distributors in a country of concern. The Department seeks comments on the potential impacts to patient safety, industry, and the feasibility of obtaining or maintaining regulatory authorizations if such transactions were to be prohibited.

The Department is also aware that, as appropriate and required, certain data related to post-marketing surveillance are made available to global public health authorities, such as the World Health Organization Vigibase. Submissions by the United States Government itself, such as FDA submissions to Vigibase, would be exempt under proposed § 202.504. The Department expects that similar data transactions by U.S. persons, even if such data transactions were considered to be with a country of concern or a covered person so as to fall within the scope of the restrictions and prohibitions, would nonetheless be exempt under proposed § 202.507. The Department seeks specific comments on the nature and type of such submissions and a list of such global health authorities. The Department also notes that, if it is lawfully available to the public from a Federal, State, or local government record or in widely distributed media, such data would not meet the definition of sensitive personal data under § 202.249(b)(2).

FDA regulations include recordkeeping provisions such that FDA investigators can gather information about any data transactions, including to countries of concern. See21 CFR part 312.62. However, in general, FDA's regulations related to clinical investigations do not require sponsors to report data transactions to the FDA in the manner proposed in the recordkeeping and reporting requirements set forth in §§ 202.1101(a) and 202.1102. The Department is considering requiring reporting even for transactions within any exemption to better evaluate the national security risks going forward and seeks comments on the cost and feasibility for industry of also complying with the recordkeeping and reporting requirements set forth in §§ 202.1101(a) and 202.1102 with respect to transactions related to clinical investigations.

The Department recognizes that U.S. companies employing covered persons—such as foreign persons primarily resident in a country of concern to support a clinical investigation there—may have to adjust data access policies or protocols to limit covered persons' access to bulk U.S. sensitive personal data. The Department seeks comment on this issue, including the costs and feasibility of adopting such policies or protocols and the likely effect of such policies on medical product research and development, as well as obtaining or maintaining regulatory authorization.

The Department also notes that, under § 202.504, covered data transactions that occur as part of federally funded research would be exempt from the proposed rule's prohibitions (although possibly subject to separate restrictions applicable to a Federal grantee, to include requirements established pursuant to section 3(b)(i) of the Order). The Department invites comment on the proportion of pharmaceutical research that would not be exempt under that exemption, the cost and feasibility of complying with different regulatory requirements depending on the source of funding, and the impact on medical product research and development.

If the Department were to implement an exemption for clinical investigations, clinical data, and post-marketing surveillance as described in this section, it could potentially do so through one or more general licenses as opposed to including the exemption in the final rule. General licenses may be a more flexible regulatory tool that can be adjusted to varying circumstances. Preliminarily, however, the Department believes that a codified exemption would provide more clarity and certainty for relevant entities. The Department also invites comments on the best mechanism to implement an exemption for such data transactions.

Finally, on the third axis, the Department is considering whether any exemption, or parts of it, could feasibly be time-limited to allow industry to shift existing processes and operations out of countries of concern over a transition period. The Department is cognizant of the long planning times and high costs associated with clinical research. If the Department does not broadly exempt clinical research from the scope of the prohibitions, it may consider delaying the effective date of the proposed rule with respect to such research to enable affected entities to complete ongoing or imminent trials without disruption or delay, while transitioning planning and policies for future trials. The Department could potentially implement such a delay by general or specific licenses, and could use a set period of time or could limit the exemption to studies already past a certain stage, such as submission of an Investigational New Drug application to the FDA by a set date. The Department seeks comment—taking into account other exemptions, such as for federally funded research—on the number of clinical investigations that would be disrupted, and the extent of such disruption, if the prohibitions were immediately applicable; how long and how to structure any delay to minimize disruption without inviting misplaced reliance; and the best mechanism for implementing such a delay.

10. Other Exemptions

The Department is considering whether it is necessary or appropriate to adopt a tailored exemption that would permit covered data transactions involving the export to countries of concern or transfer or sale to covered persons of certain human biospecimens, like blood plasma, intended for direct medical use that the proposed rule would otherwise prohibit. The Department welcomes views about the specific types of biospecimens exported to countries of concern, or transferred or sold to covered persons for direct medical use that the Department should consider exempting from the prohibition on bulk transfers of human genomic data or biospecimens from which bulk human genomic data could be derived. Important considerations could include the importance of the biospecimens for direct medical use; the relative ease with which a country of concern or covered person could derive bulk human genomic data from the biospecimens; the economic and humanitarian value of permitting such transactions; and any other national security concerns the Department should consider.

A few commenters requested that the Department create a new exemption for data processed by a covered person on behalf of a U.S. person for product research, development, or improvement where the U.S. person directs the manner of data processing and contractually binds the covered person to maintain the privacy and security of the data. These comments were too vague to be addressed or implemented. For example, they did not identify the kinds of products that the U.S. person would seek to develop or the kinds of data that would be required for that development. In any case, as the Department discusses in part IV.D.1 of this preamble, countries of concern have the legal authority and political systems to force, coerce, and influence entities in their jurisdictions to share their data and access with the government. Entities operating in these jurisdictions may be legally compelled to comply with these requests, regardless of their trustworthiness or contractual commitments. The Department assesses that the kind of contractual provisions contemplated by these commenters would not adequately mitigate the risk that countries of concern could compel these covered persons to provide them access to government-related data or Americans' bulk U.S. sensitive personal data. Further, other commenters expressed concern about relying on private parties to monitor and enforce contractual provisions on their own, as discussed in part IV.A.16 of this preamble.

D. Subpart F—Determination of Countries of Concern

1. Section 202.601—Determination of Countries of Concern

As explained in the ANPRM and above in part II of this preamble, countries of concern could exploit government-related data or bulk U.S. sensitive personal data for a range of activities detrimental to U.S. national security, including coercion, blackmail, surveillance, espionage, malicious cyber-enabled activities, malign foreign influence, curbing political dissent and opposition, and tracking and building profiles on potential targets.

The Order instructs the Attorney General to “identify, with the concurrence of the Secretary of State and the Secretary of Commerce, countries of concern.” In the proposed rule, the Attorney General has determined, with the concurrence of the Secretaries of State and Commerce, that the governments of six countries—the People's Republic of China (“China” or “PRC”), along with the Special Administrative Region of Hong Kong and the Special Administrative Region of Macau; the Russian Federation (“Russia”); the Islamic Republic of Iran (“Iran”); the Democratic People's Republic of Korea (“North Korea”); the Republic of Cuba (“Cuba”); and the Bolivarian Republic of Venezuela (“Venezuela”)—have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of U.S. persons, and pose a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or the security and safety of U.S. persons.

In determining that a country has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of U.S. persons, the proposed rule accounts for a range of conduct, including transnational repression; malicious cyber activities; sanctions evasion; theft of intellectual property, trade secrets, and technology; foreign malign influence; and human-rights abuses. Even where human-rights abuses do not directly involve U.S. persons, the Department considers human-rights abuses to be significantly adverse to national security because of their indirect effects. For example, by developing, testing, and using sophisticated surveillance technology on their own populations or conducting surveillance on their own populations, countries can expand the use of those methods and potentially deploy them directly against U.S. persons or U.S. interests in the future. Furthermore, a country that commits human-rights violations shows its disregard for international norms and its intention to use the coercive power of the state to accomplish its policy goals. For example, countries that commit human-rights violations may also attempt to surveil or coerce their citizens in the United States, including through transnational repression. Based on its experience, the Department believes that such factors demonstrate that a country presents a risk that, if provided access, it would exploit government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or the security and safety of U.S. persons.

During the ANPRM's comment period, commenters requested that the proposed rule include criteria and a transparent process for the Department of Justice to designate countries of concern, including by conducting robust interagency discussion and soliciting public comment. The proposed rule makes no change in response to this comment. The Order already requires that prior to amending the list of countries of concern, the Department must obtain concurrence by the Secretary of State and the Secretary of Commerce and undertake a rulemaking that is subject to the ordinary process of robust interagency review and notice and public comment. In addition to the opportunity for notice and public comment on this proposed rule's identification of countries of concern, the Department took the optional step of issuing an ANPRM to permit an additional opportunity for public comment on the contemplated countries of concern.

One commenter supported aligning the list of countries of concern with the list established by the Department of Commerce in 15 CFR 791.4, which was adopted pursuant to Executive Order 13873. The ANPRM already contemplated identifying the same countries as countries of concern under the Order as the Department of Commerce identified as foreign adversaries under Executive Order 13873. The proposed rule adopts that approach and identifies those same countries for reasons explained further in this part.

Other commenters expressed concerns that the list of six countries of concern contemplated in the ANPRM is too narrow and does not adequately address entities based in third countries that engage in or facilitate surveillance on U.S. citizens. The proposed rule makes no change in response to this comment. As the ANPRM described, the Department intends to establish this program by issuing proposed rulemakings in tranches based on priority and effective administration of the program. The Department intends to continue working closely with the Department of State, Department of Commerce, and other agencies to monitor the effectiveness of the regulations and the need for any changes. Similarly, one commenter suggested that the Department consider designating a larger group of countries as countries of concern based upon those countries' lack of privacy laws or lack of enforcement of their privacy laws. The Department declines to adopt this approach at this time. The Order's focus is addressing the national security risk posed by country of concern access to government-related data or Americans' bulk U.S. sensitive personal data. The Order does not establish a general data privacy regime. The proposed rule thus maintains the country of concern framework described in the ANPRM without change.

Informed by the ANPRM comments and the Department's independent research and analysis, which are summarized in part IV.D of this preamble, the Department proposes identifying the same countries of concern as those identified by the Department of Commerce in implementing Executive Order 13873. The proposed rule's definition of each of these countries includes political subdivisions, agencies, or instrumentalities of those countries. In addition, the Order specifically defines a “country of concern,” and the Department has determined that every country included on the list of countries of concern meets that definition.

The Department seeks comment from the public on the proposed countries of concern. The proposed rule identifies these six countries as countries of concern for the following reasons.

a. China

The Department has determined, with the concurrence of the Secretaries of State and Commerce, that China has engaged in a long-term pattern of conduct significantly adverse to the national security of the United States and the security and safety of U.S. persons. Among other conduct significantly adverse to the national security of the United States and the security and safety of U.S. persons, China engages in transnational repression; steals trade secrets and intellectual property; conducts foreign malign influence; commits human rights abuses that could help it develop the capability to surveil, manipulate, or extort U.S. persons; and conducts extensive malicious cyber activities.

According to the Office of the Director of National Intelligence (“ODNI”), China is “the most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.” China's cyber espionage operations have included “compromising telecommunications firms, providers of managed services and broadly used software, and other targets potentially rich in follow-on opportunities for intelligence collection, attack, or influence operations.” China “conducts cyber intrusions that are targeted to affect U.S. and non-U.S. citizens beyond its borders—including journalists, dissidents, and individuals it views as threats—to counter views it considers critical of [Chinese Communist Party] narratives, policies and actions.” It also conducts malign influence operations to “sow doubts about U.S. leadership, undermine democracy, and extend [China's] influence.”

Because China aggressively obtains and exploits data on U.S. persons through both commercial means and theft, and has growing artificial intelligence capabilities, it poses a significant risk of exploiting government-related data or Americans' bulk U.S. sensitive personal data to the detriment of the national security of the United States and the security and safety of U.S. persons.

China aggressively obtains and exploits data on U.S. persons via commercial and illicit means. The National Counterintelligence and Security Center (“NCSC”) has warned that China “views bulk personal data, including healthcare and genomic data, as a strategic commodity to be collected and used for its economic and national security priorities.” As ODNI has also explained, China “has engaged in extensive and years-long efforts to accumulate structured datasets, in particular on U.S. persons, to support its intelligence and counterintelligence operations,” and is “rapidly expanding and improving its artificial intelligence and big data analytics capabilities for intelligence operations.” China “uses a number of methods to obtain data.” For example, China engages in the “wholesale theft” of sensitive personal data of U.S. persons. The following are some examples of the PRC's aggressive campaign to steal and exploit government-related data or bulk U.S. sensitive personal data:

• In 2024, a Federal grand jury returned an indictment against hackers working for Chinese intelligence services for, among other things, targeting high-ranking United States Government officials and staffers for a presidential campaign by sending thousands of malicious emails. The hackers potentially compromised the email and cloud storage accounts and telephone records belonging to millions of Americans.

• In 2020, a Federal grand jury returned an indictment against four members of the PRC's People's Liberation Army for hacking U.S. credit-reporting agency Equifax in 2017. The hackers stole the data of approximately 145 million victims, obtaining, “in a single breach, . . . the sensitive personally identifiable information for nearly half of all American citizens.”

• In 2015, PRC hackers stole the health records of 78.8 million persons from U.S. health insurance provider Anthem, Inc., and stole the background investigation records of 21.5 million prospective, current, and former Federal employees and contractors from the Office of Personnel Management.

• In 2021, a Federal grand jury returned an indictment against four Chinese nationals working for PRC intelligence services for hacking into the computer systems of dozens of companies, universities, and government entities between 2011 and 2018 to steal sensitive technical technology and data, including material related to genetic sequencing.

• In 2021, cyber actors linked to China's intelligence services exploited previously undisclosed vulnerabilities in Microsoft Exchange Server, compromising tens of thousands of computers and networks, including those in the United States, in a massive operation.

• In 2018, a Federal grand jury returned an indictment against two PRC intelligence-affiliated officials for conducting a campaign targeting the computer networks and systems of technology and cloud-service companies in at least a dozen U.S. States, as well as United States Government agencies, to access their customers' data. At least eight major managed service providers were compromised, as well as the National Aeronautics and Space Administration and the Department of Energy. Over 12 years, hackers stole hundreds of gigabytes of data, including the personally identifiable information of over 100,000 U.S. Navy personnel.

As ODNI has explained, China “also tries to leverage access through its relationships with Chinese companies, strategic investments in foreign companies, and by purchasing large data sets.” China and Chinese companies “have sought to acquire sensitive health and genomic data on U.S. persons through, for example, investment in U.S. firms that handle such data or by partnering with healthcare or research organizations in the United States to provide genomic sequencing services.” China also strategically acquires sensitive personal data on U.S. persons through commercial means, such as by investing in U.S. firms through Chinese companies and engaging in partnerships with hospitals, universities, and research organizations. China employs a wide array of means to ensure that the Chinese government benefits from Chinese companies' relationships with U.S. companies. Not only do direct investments by Chinese companies facilitate China's strategic objectives, but those direct investments also promote a strategy of “military-civil fusion” that ensures that China's military can “acquire advanced technologies and expertise developed by [Chinese] companies, universities, and research programs that appear to be civilian entities.”

These commercial means of obtaining sensitive personal data on U.S. persons are paired with China's national-security laws that compel companies to share data they have collected on U.S. persons with the Chinese government. As the Department has explained, “China has enacted the world's most comprehensive set of laws, regulations, and national plans to broadly define its national and public security interests in data and to govern data collection, sales, sharing, and storage.” Given “the authoritarian structures and laws of the PRC regime, Chinese companies lack meaningful independence from the PRC's agenda and objectives,” and “even putatively `private' companies based in China do not operate with independence from the government and cannot be analogized to private companies in the United States.” This regime includes “several laws that, in concert, allow the Chinese government to access sensitive personal data possessed by Chinese companies,” such as the following:

• The National Security Law of the People's Republic of China (promulgated by the Standing Committee of the National People's Congress, July 1, 2015, effective July 1, 2015), which “imposes broad obligations on corporations as well as citizens to assist and cooperate with the Chinese government in protecting what it defines as national security” and to “assist military agencies and relevant departments with national security efforts.”

• The Cybersecurity Law of the People's Republic of China (promulgated by the Standing Committee of the National People's Congress, Nov. 7, 2016, effective June 1, 2017), which “requires Chinese companies to store their data within China, to cooperate with crime and security investigations, and to allow full access to data to Chinese authorities.”

• The Anti-Terrorism Law of the People's Republic of China (promulgated by the Standing Committee of the National People's Congress, Dec. 27, 2015, effective Jan. 1, 2016, amended Apr. 27, 2018), which authorizes the Chinese government to conduct “electronic monitoring,” “irregular inspections,” and “`terrorism' investigations and requires individuals and organizations to comply, in secret, with such investigations”; broadly “defines `terrorism' as “propositions and actions that . . . create social panic, endanger public safety, infringe on personal and property rights, or coerce state organs or international organizations to achieve their political, ideological, and other objectives”; and imposes on all organizations and individuals “the obligation to assist and cooperate with relevant departments in anti-terrorism work.”

• The Counter-Espionage Law of the People's Republic of China (promulgated by the Standing Committee of the National People's Congress, Nov. 1, 2014, amended Apr. 26, 2023, effective July 1, 2023), which authorizes “national security agency staff” to “enter restricted areas, locations, and units” and to “inspect the electronic devices, facilities, and relevant procedures and tools of concerned individuals and organizations,” and also requires “citizens and organizations” to “support and assist” such efforts.

These laws all “contain provisions that prohibit individuals and organizations from revealing when and if the Chinese government has requested any assistance or information from them.” As a result, China can covertly obtain data on U.S. persons in the possession of Chinese companies without meaningful due process and independent judicial oversight. China's commercial acquisitions of data also contribute to the government's growing repository of data on U.S. persons.

China's access to bulk U.S. sensitive personal data—whether via commercial means or outright theft—fuels its development of artificial intelligence capabilities, which China believes will drive the next revolution in military affairs. The Office of the Director of National Intelligence assesses that China is “rapidly expanding and improving its AI and big data analytics capabilities for intelligence operations” and “increasing [its] ability to analyze and manipulate large quantities of personal information in ways that will allow [it] to more effectively target and influence, or coerce, individuals and groups in the United States.” In turn, China's advances in artificial intelligence “deepen[] the threats posed by cyberattacks and disinformation campaigns” that China is using “to infiltrate [U.S.] society, steal [U.S.] data and interfere in [U.S.] democracy.”

b. Cuba

The Department has determined, with the concurrence of the Secretaries of State and Commerce, that Cuba has engaged in a long-term pattern of conduct significantly adverse to the national security of the United States and the security and safety of U.S. persons. The United States has long recognized that the Cuban government presents a national security threat to the United States. Among other conduct significantly adverse to the national security of the United States and the security and safety of U.S. persons, Cuba conducts intelligence operations against the United States; commits human-rights abuses that, among other effects, contribute to a significant increase in migration into the United States and its neighbors; and sponsors terrorism. Because of the Cuban government's actions, the United States has imposed some form of economic sanctions on Cuba since the early 1960s, including under the Trading with the Enemy Act of 1917. The United States currently maintains a comprehensive economic embargo on Cuba.

Because Cuba has engaged in long-standing efforts to target the United States Government and United States Government personnel for intelligence purposes, Cuba poses a significant risk of exploiting government-related data or Americans' bulk U.S. sensitive personal data to the detriment of the national security of the United States and the security and safety of U.S. persons. According to ODNI, Cuba's intelligence capabilities pose a “significant threat[ ]” to the United States. For decades, Cuban intelligence services have sought to obtain information about the United States Government and to target U.S. persons to pursue Cuba's interests, including espionage. For example, in 2024, a former U.S. Department of State employee who served as U.S. Ambassador to Bolivia admitted to secretly acting as an agent of Cuba for decades and received a 15-year prison sentence. In another example, in 2010, a U.S. Department of State official and his wife were sentenced to lengthy prison sentences for participating in a “nearly 30-year conspiracy to provide highly classified U.S. national defense information” to Cuba. In 2004, a Federal grand jury returned an indictment against an individual for conspiring to share information related to U.S. national defense with Cuba, including helping Cuban intelligence services “spot, assess, and recruit U.S. citizens who occupied sensitive national security positions or had the potential of occupying such positions in the future to serve as Cuban agents.” In 2002, an employee at the Defense Intelligence Agency was sentenced to 25 years in prison for spying on behalf of Cuba, including sharing the identities of American undercover intelligence officers working in Cuba with the Cuban government. In 2022, Team Telecom recommended that the Federal Communications Commission (“FCC”) deny an application for a license for a subsea telecommunications cable that would have directly connected the United States to Cuba. Team Telecom highlighted Cuba's history of espionage and intelligence activities targeting the United States. Because Cuba's state-owned telecommunications monopoly would control the cable, Team Telecom concluded that the cable would give the Cuban government the ability and opportunity to access U.S. persons' internet traffic, data, and communications transiting the cable, and make the Cuban government an even greater counterintelligence threat to the United States.

Cuba also has strong ties to both China and Russia and might share any information it obtains on U.S. persons with either of those countries. For example, in 2018, The Diplomat noted that the Cuban government “has been reported to sell its intercept data from U.S. communications to third-party buyers, particularly military adversaries of the [United States],” including China. Team Telecom has also found that Cuba's relationships with China and Russia—which include extensive economic, military and intelligence cooperation—heighten the risk that Cuba could share U.S. sensitive personal data that it obtains with China or Russia.

c. Iran

The Department has determined, with the concurrence of the Secretaries of State and Commerce, that Iran has engaged in a long-term pattern of conduct significantly adverse to the national security of the United States and the security and safety of U.S. persons. Iran engages in transnational repression; commits human-rights abuses, including against U.S. persons; smuggles U.S. technology; evades U.S. sanctions; sponsors terrorism; and conducts malicious cyber activities, among other conduct.

Because Iran has growing cyber expertise and aggressively seeks to obtain and exploit data on U.S. persons, it poses a significant risk of exploiting government-related data or Americans' bulk U.S. sensitive personal data to the detriment of the national security of the United States and the security and safety of U.S. persons. According to ODNI, “Iran's growing expertise and willingness to conduct aggressive cyber operations make it a major threat to the security of U.S. and allied . . . networks and data.” Individuals linked to the Iranian government engage in advanced cyber activities that target U.S. infrastructure, conduct cyber espionage, and steal data from U.S. persons, companies, and government agencies. For example, in 2018, a Federal grand jury returned an indictment against nine Iranians for stealing “more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, [and] five American government agencies,” in part at the behest of the Iranian government.

In particular, Iranian hackers “have engaged in widespread theft of personal information . . . to track targets of interest to the Iranian regime” and influence U.S. persons. During the 2020 U.S. elections, “Iranian cyber actors obtained or attempted to obtain U.S. voter information, sent threatening emails to voters, and disseminated disinformation about the election.” According to ODNI, those same Iranian actors have developed new cyber and influence techniques that Iran could deploy during the 2024 election cycle. Iran-associated individuals also target U.S. persons for assassinations. For example, in 2023, a Federal grand jury returned an indictment against three individuals for plotting the murder of a U.S. citizen targeted by Iran for speaking out against the regime's human-rights abuses. In another example of Iran's exploitation of sensitive personal data, Iranian cyber threat actors engaged in “widespread theft” of personal information, “probably to support surveillance operations that enable Iran's human-rights abuses.” Iranian threat actors also “employed a years-long malware campaign” that targeted Iranian citizens, dissidents, journalists, and foreign organizations, including U.S.-based travel services companies that possess personal information on millions of travelers.

d. North Korea

The Department has determined, with the concurrence of the Secretaries of State and Commerce, that North Korea has engaged in a long-term pattern of conduct significantly adverse to the national security of the United States and the security and safety of U.S. persons. Among other conduct significantly adverse to the national security of the United States and the security and safety of U.S. persons, it develops weapons of mass destruction; commits human-rights abuses, including against U.S. persons; evades U.S. sanctions; and conducts malicious cyber activities.

Regarding North Korea's malicious cyber activities, ODNI has concluded that North Korea's cyber program poses a “sophisticated and agile espionage, cybercrime, and attack threat,” and that North Korea's cyber forces are “fully capable of achieving a variety of strategic objectives against diverse targets” in the United States.

Because North Korea has sophisticated cyber capabilities and attempts to obtain and exploit data on U.S. persons, it poses a significant risk of exploiting government-related data or Americans' bulk U.S. sensitive personal data to the detriment of the national security of the United States and the security and safety of U.S. persons. North Korea conducts cyber-enabled attacks and steals personal information to influence and target U.S. persons. For example, in 2014, North Korea-affiliated hackers attacked U.S. company Sony Pictures Entertainment in retaliation for an American film depicting the North Korean leader. They stole proprietary information, personally identifiable information, and confidential communications; rendered Sony Pictures Entertainment's computers inoperable; and threatened the company's executives and employees. North Korea and North Korea-affiliated hacker groups have repeatedly targeted military networks, critical infrastructure, and other corporate networks to “steal data and conduct disruptive and destructive cyber activities.” For example, in 2017, North Korea was responsible for a massive ransomware attack that infected hundreds of thousands of computers in more than 150 countries. North Korea also “uses cyber capabilities to steal from financial institutions” and “generate revenue for its weapons of mass destruction and ballistic missile programs.” North Korea's cyber actors use a range of tactics “to further their larger espionage and financial goals,” including conducting spear phishing, abusing privileged access to networks while working as information technology contractors, exploiting software vulnerabilities, and attacking supply chains. North Korea is also trying to use AI to further its offensive cyber capabilities.

e. Russia

The Department has determined, with the concurrence of the Secretaries of State and Commerce, that Russia has engaged in a long-term pattern of conduct significantly adverse to the national security of the United States and the security and safety of U.S. persons. According to ODNI, Russia poses “an enduring global cyber threat” and views “cyber disruptions as a foreign policy lever to shape other countries' decisions.” Russia has launched a “full-scale war against Ukraine;” commits human-rights abuses, including against U.S. persons; conducts malign influence campaigns; evades U.S. sanctions; and conducts malicious cyber activities. Russia “continuously refines and employs its espionage, influence, and attack capabilities” against a variety of targets, including critical infrastructure in the United States. For example, in 2019, Russian intelligence services perpetrated a “broad-scope cyber espionage campaign” that exploited the SolarWinds Orion platform and compromised both United States Government agencies and private-sector organizations. The campaign gave Russian intelligence “the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide.” Russian intelligence ultimately used the attack to target United States Government agencies and employees for espionage.

Because Russia has advanced cyber capabilities and aggressively seeks to obtain and exploit data on U.S. persons, including to conduct influence campaigns in the United States, it poses a significant risk of exploiting government-related data or Americans' bulk U.S. sensitive personal data to the detriment of the national security of the United States and the security and safety of U.S. persons. Russia engages in the large-scale theft of sensitive personal data and is “increasing [its] ability to analyze and manipulate large quantities of personal information,” enabling it “to more effectively target and influence, or coerce, individuals and groups in the United States.” For example, in 2013, Russian intelligence services sponsored the theft of information associated with at least 500 million accounts from U.S. web services company Yahoo! and used some of that stolen information to obtain unauthorized access to the email accounts of United States Government officials, among others. In 2020, Russian cyber operations targeted and compromised U.S. State and local government networks and exfiltrated some voter data. In another example, in 2023, a Federal grand jury returned an indictment against two Russian individuals for obtaining unauthorized access to the computers and email accounts of current and former United States Government employees and stealing intelligence related to defense, security policies, and nuclear energy technology from the victims' accounts. In 2024, Russian intelligence services used compromised routers to conduct “spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations.”

Russia also has a legal regime that gives it the capability to covertly access and exploit data through companies subject to its jurisdiction. As the Department of Commerce has explained, “Russian laws compel companies subject to Russian jurisdiction to cooperate with Russian intelligence and law enforcement efforts, to include requests from the Russian Federal Security Service (“FSB”).” These laws include the following:

• Federal Law No. 40-FZ of April 3, 1995, “On the Federal Security Service,” “requires FSB bodies to carry out their activities in collaboration with various entities in Russia” and places private enterprises “under a legal obligation to assist FSB bodies in the execution of the duties assigned to FSB bodies,” including intelligence and counterintelligence activities.

• Federal Law No. 144-EZ of August 12, 1995 (as amended), “On Operational-Investigative Activity,” requires persons subject to Russian jurisdiction to “assist the FSB with operational-investigative activities undertaken in the performance of FSB duties, such as by installing equipment supplied by the FSB for use in obtaining information stored on computers.” This law “makes it clear that, as a general rule, operational-investigative activities may be carried out against anyone anywhere” and “makes it clear that operational-search activities include obtaining computer information.”

• Federal Law No. 149-FZ of July 27, 2006, “On Information, Information Technologies, and Protection of Information,” imposes several “obligations on any entity that qualifies as `an organizer of the dissemination of information on the internet,' ” which is broadly defined to include any “person who carries out activities to ensure the operation of information systems and/or programs for electronic computers that are designed and/or used to receive, transmit, deliver and/or process electronic messages of users of the internet.” These obligations include giving the FSB and other Russian agencies in the field of security “the information necessary to decode” encrypted data.

In short, persons subject to Russia's jurisdiction must “assist the FSB in its counterintelligence and intelligence functions,” which “includes a duty to assist the FSB in operational-investigative activity, in support of FSB counterintelligence and intelligence functions” such as “collecting information from U.S. computers,” “with no need for the FSB to have obtained a court order.”

Finally, Russia also poses a “serious foreign influence threat because of its wide-ranging efforts to . . . sow domestic discord, including among voters inside the United States.” In July 2018, a Federal grand jury returned an indictment against Russian intelligence officers after they conducted a spear phishing campaign against volunteers and employees of a presidential campaign and political committees. The actors hacked into computers, stole emails, covertly monitored the computer activity of campaign employees, and released the hacked information to the public in an attempt to interfere with the 2016 U.S. presidential election.

f. Venezuela

The Department has determined, with the concurrence of the Secretaries of State and Commerce, that Venezuela has engaged in a long-term pattern of conduct significantly adverse to the national security of the United States and the security and safety of U.S. persons. Among other conduct significantly adverse to the national security of the United States and the security and safety of U.S. persons, Venezuela commits human-rights abuses, including against U.S. persons; evades U.S. sanctions; has concerning relationships with other countries of concern; and fosters widespread corruption.

Because Venezuela exploits its demonstrated and systematic relationships with other countries of concern to degrade U.S. national security; aggressively surveils its own population to target perceived government critiques, including with the help of other countries of concern; and, according to credible reports, commits human-rights abuses, including against U.S. citizens, Venezuela's access to government-related data or Americans' bulk U.S. sensitive personal data poses a significant risk to the national security of the United States and the security and safety of U.S. persons. Regarding Venezuela's human-rights abuses, Venezuela surveils its domestic population through telecommunications providers to target perceived opponents, including with the help of other countries of concern. Venezuela's misuse of private telecommunications capabilities for expansive surveillance poses risks to U.S. persons, as the regime has the capability to access data on U.S. persons in Venezuela. For example, in 2021, a report by Spanish telecommunications company Telefonica revealed that Venezuela monitored the communications of nearly 1.5 million of its users, which represents over 20 percent of Telefonica's Venezuela-based customers. In addition to surveillance, there are credible reports that Venezuela perpetrates extensive human-rights abuses, such as torture, extrajudicial killings, and enforced disappearances. Venezuelan security forces detain individuals, including U.S. citizens, for long periods without due process. According to the State Department, the United States Government is not generally notified of the detention of U.S. citizens in Venezuela or granted access to U.S. citizen prisoners in Venezuela.

Venezuela maintains close relationships with other countries of concern that, as described in part IV.D of this preamble, possess sophisticated surveillance capabilities and pose a significant risk of exploiting government-related data or Americans' bulk U.S. sensitive personal data. Given the nature of these relationships, Venezuela might use technology provided by these countries of concern to obtain access to government-related data or bulk U.S. sensitive personal data, or share any access to government-related data or bulk U.S. sensitive personal data with these countries of concern. For example, Venezuela uses equipment provided by Chinese technology company Zhongxing Telecommunication Equipment (“ZTE”) Corporation, which the FCC has designated a national security threat to the U.S. communications network and supply chain, to monitor Venezuelan citizens' social, political, and economic activities. The company has provided Venezuela with identity cards, referred to as “carnet de la patria” or “fatherland cards,” that the regime can use to track citizen behavior. Additionally, Venezuelan and Russian state-owned companies jointly own Evrofinance Mosnarbank, a bank that has financed Venezuela's efforts to use digital currencies to circumvent U.S. financial sanctions. Evrofinance Mosnarbank also provides financial support to Petroleos de Venezuela, a Venezuelan state-owned oil company that has been used to embezzle and launder billions of dollars. Venezuela also has concerning military and intelligence ties with other countries of concern. For example, Russia provides military support to Venezuela. Cuba provides training to Venezuelan intelligence and military personnel, and the two nations support each other's intelligence operations.

E. Subpart G—Covered Persons

1. Section 202.211—Covered Person

The proposed rule identifies a “covered person” as an individual or entity that falls into one of the classes of covered persons or that the Attorney General has designated as a covered person. An entity is a covered person if it is a foreign person that: (1) is 50 percent or more owned, directly or indirectly, by a country of concern; (2) is organized or chartered under the laws of a country of concern; or (3) has its principal place of business in a country of concern. An entity is also a covered person if it is a foreign person that is 50-percent or more owned, directly or indirectly, by a covered person. Any foreign individual who is an employee or a contractor of such an entity or of the country of concern itself is also a covered person. Any foreign person who is primarily a resident in the territorial jurisdiction of a country of concern is also a covered person.

The proposed rule would not categorically treat citizens of countries of concern located in third countries ( i.e., not located in the United States and not primarily resident in a country of concern) as covered persons. Instead, it treats only a subset of country of concern citizens in third countries categorically as covered persons: those working for the government of a country of concern or for an entity that is a covered person. All other country of concern citizens located in third countries would not qualify as covered persons except to the extent that the Attorney General designates them.

Some commenters believed that it would be difficult for U.S. persons subject to the proposed rule to determine whether entities are 50 percent or more owned by countries of concern, particularly where the foreign companies are publicly traded companies. However, this provision is not unique to the proposed rule. It is similar to sanctions regulations issued by the Office of Foreign Assets Control (“OFAC”) within the Department of the Treasury. Such regulations treat any entity owned in the aggregate, directly or indirectly, 50-percent or more by one or more blocked persons as itself a blocked person, regardless of whether the entity itself is designated pursuant to an Executive Order or otherwise identified on OFAC's Specially Designated Nationals and Blocked Persons List. The proposed rule also uses higher ownership thresholds than some regulatory regimes, such as those related to anti-money laundering, which generally require certain companies to identify beneficial owners with 25 percent or more (and, in some cases, 10 percent or more) direct or indirect legal interest in an entity and to collect, verify, and report specific information about them. As other commenters pointed out, businesses and third-party service providers have developed tools and services to assist with screening and due diligence based on corporate ownership in the sanctions, anti-money laundering, and other regulatory contexts. Consequently, the proposed rule adopts the approach described in the ANPRM without change.

One commenter recommended that the Department clarify how the proposed rule would apply to companies headquartered outside a country of concern but with business operations in a country of concern. The proposed rule maintains the framework described in the ANPRM without change, and the Department has provided some additional examples in the proposed rule to demonstrate how the proposed rule treats foreign branches and subsidiaries located in countries of concern. See § 202.256(b)(5)(8). The proposed rule also exempts corporate group transactions that are ordinarily incident to and part of administrative or ancillary business operations, such as human resources, including between U.S. entities and their foreign subsidiaries or affiliates.

Several commenters suggested that the Department rely solely on designations and adopt an exclusively list-based approach to the identification of covered persons (similar to OFAC's Specially Designated Nationals and Blocked Persons List or the Bureau of Industry and Security's (“BIS”) Entity List) rather than applying the prohibitions and restrictions to categories of covered persons supplemented by a non-exhaustive list. The Department declines to adopt the exclusively list-based approach. Such an approach would be inconsistent with the Order, as well as with the national security risk associated with country of concern access to government-related data or bulk U.S. sensitive personal data. Specifically, the national security risk identified in the Order exists with respect to any entity that is subject to the ownership, direction, jurisdiction, or control of a country of concern due to the fact that each of the listed countries of concern in the proposed rule have legal or political systems that allow the countries to obtain sensitive personal data (and access to such data) from persons subject to their ownership, direction, jurisdiction, or control without due process or judicial redress. That risk exists with respect to any person that is meaningfully subject to their ownership, direction, jurisdiction, or control—not only to specific entities designated on a case-by-case basis. Entities that are meaningfully subject to the ownership, direction, jurisdiction, or control of a country of concern are, as the FBI has described, hybrid commercial threats. As the FBI has explained, “[h]ybrid [c]ommercial [t]hreats are businesses whose legitimate commercial activity can facilitate foreign government access to U.S. data, critical infrastructure, and emerging technologies that enable adversaries to conduct espionage, technology transfer, data collection, and other disruptive activities under the disguise of an otherwise legitimate commercial activity.”

As such, trying to apply a list-based approach would be insufficient to mitigate the national security risk identified in the Order and the proposed rule. The categories of covered persons defined in the Order and defined further in the proposed rule identify categories of persons that are meaningfully subject to the ownership, direction, jurisdiction of a country of concern, or control of a country of concern or covered person, and thus present this risk. Processes like those used by OFAC to add blocked persons to the Specially Designated Nationals and Blocked Persons List or by BIS to add entities to the Entity List, which are generally based on a particularized inquiry into whether the target meets the applicable legal criteria for designation, would thus be insufficient by themselves to address the national security risk identified in the Order. An exclusively list-based approach could present considerable compliance and enforcement challenges. It also poses potential evasion risks, similar to those encountered by OFAC, and circumvention threats that could compromise national security. The Department has determined not to exclusively implement a list-based program to mitigate the risk that listed entities, such as corporations, would rename or reorganize themselves in a manner that avoids being subject to the framework. Therefore, the proposed rule adopts the approach described in the ANPRM without change.

One commenter suggested that the Department should not treat trustworthy entities located in countries of concern as covered persons. The Department declines to do so, and the proposed rule retains the framework described in the ANPRM without change. Regardless of the trustworthiness of entities, as explained in part IV.E.1 of this preamble, countries of concern have the legal authority or political systems to force, coerce, or influence entities in their jurisdictions to share their data and access with the government.

One commenter urged the Department to narrow the definition of “covered persons” to exclude individuals who are temporarily in the United States but are otherwise residents of a country of concern. The proposed rule adopts the approach described in the ANPRM without change. As described in the ANPRM, including its Example 33, anyone in the United States (including temporarily in the United States) would be considered a U.S. person, and no U.S. persons (including those temporarily in the United States) would be categorically treated as covered persons. A U.S. person (including a temporary traveler to the United States) would be a covered person only if they had been designated by the Department. The proposed rule adopts this proposal unchanged from the ANPRM.

Two related commenters expressed identical concerns that the definition of “covered persons” would require companies to discriminate based on nationality or race, particularly with respect to employees who are primarily resident in countries of concern. No change was made in response to these comments. As the Order makes clear, status as a covered person does not depend on the nationality or race of an individual, and the Order and proposed rule are directed at persons of any nationality or race who are subject to the ownership, direction, jurisdiction, or control of a country of concern. The definition of “covered person” categorically includes any foreign person that is primarily resident in a country of concern, regardless of their nationality or race. Likewise, the definition of “covered person” categorically includes any foreign person abroad who is an employee or contractor of a country of concern or a covered person that is an entity, regardless of their nationality or race. Similarly, the Department's authority to designate a specific individual as a “covered person” turns on a determination that the individual is subject to the control, jurisdiction, or direction of a country of concern, or is acting on behalf of or purporting to act on behalf of a country of concern or covered person, or has knowingly caused or directed a violation of the proposed rule. The definition of “U.S. person” is also not dependent on a person's nationality or race; it includes, for example, any person in the United States and any U.S. citizen or lawful permanent resident. For example, under the proposed rule, a country of concern citizen located in the United States is a U.S. person (unless individually designated). As a result, a U.S. person of any particular race or nationality would not be categorically treated as a covered person, and the only circumstance in which a U.S. person would be treated as a covered person is by individual designation. Consequently, the proposed rule adopts the approach described in the ANPRM without change.

Several commenters sought clarification that any U.S. subsidiary of a covered person is considered a U.S. person for purposes of these regulations. The proposed rule would not treat any U.S. person, including a U.S. subsidiary of a covered person, as a covered person unless the Department has designated the U.S. subsidiary as a covered person pursuant to the process described in the proposed rule. No U.S. person, including the U.S. subsidiary of a covered person, would be categorically treated as a covered person under the proposed rule. The proposed rule includes additional examples highlighting the differences in treatment between a U.S. subsidiary and its foreign owner, as well as between U.S. companies and their foreign branches.

2. Section 202.701—Designation of Covered Persons

The proposed rule provides for the Attorney General to publicly designate a person, whether an individual or entity, as a covered person with whom U.S. persons may not knowingly engage in a prohibited transaction, or a restricted transaction that fails to comply with the requirements of subpart D of the proposed rule, except as otherwise authorized under the proposed rule. The Department intends generally to model this process on the processes for designation under the various sanctions lists maintained by OFAC. Inclusion on the Department's Covered Persons List would have no effect on a person's inclusion on other United States Government designation lists, including lists maintained by OFAC.

The Department expects that, in many cases, designation will be unnecessary because a person will be automatically deemed a covered person by operation of the definition of “covered person” discussed in part IV.E.1 of this preamble. For example, an entity that is majority-owned by a country of concern would be a covered person by definition, regardless of whether the entity itself is designated by the Attorney General and included on the Department's Covered Persons List. Designation is not necessary in that circumstance and, except as otherwise authorized under the proposed rule, a U.S. person would be prohibited from knowingly engaging in a prohibited transaction, or a restricted transaction that fails to comply with the requirements of subpart D, with such an entity.

Even in these circumstances, however, the Attorney General may nonetheless designate such an entity and identify that entity as a covered person in the Federal Register and on a Department website. Such designation may serve to provide broader notice to U.S. persons that the entity is a covered person under the Order and the regulations. For example, the definition of “covered person” includes entities that are majority-owned directly or indirectly by a country of concern. In some circumstances, indirect ownership may not be readily apparent, and Attorney General designation, published in the Federal Register , will provide notice that the entity is a covered person. Even in the case of instances in which the covered person status of an entity is clear—such as companies that are openly organized or chartered under the laws of a country of concern or that have their principal place of business in a country of concern—designation and publication in the Federal Register may facilitate compliance with the prohibitions and restrictions under the Order and the regulations. Importantly, however, the public list would not exhaustively include all covered persons, as any person that satisfies the criteria of the relevant definitions will be considered a covered person under the proposed rule, regardless of whether the person is also specifically identified on the public list. Under the proposed rule, for example, every company with its principal place of business in any country of concern is a “covered person”; the Department does not intend to individually designate all such companies.

The proposed rule also authorizes the Department to designate as covered persons other individuals or entities that are not already captured by other elements of the definition. This process is modeled after other IEEPA-related designation processes and contemplates designation based on interagency consultation and consideration of any relevant sources of information (which may include classified information). Under the proposed rule, and consistent with the Order, the Department could designate as a covered person any person that is owned or controlled by or subject to the jurisdiction or direction of a country of concern, is acting on behalf of or purporting to act on behalf of a country of concern or other covered person, or is knowingly causing or directing a violation of these regulations. For example, individual citizens of a country of concern primarily residing in a third country are not generally considered to be covered persons. In specific cases, however, covered data transactions with such individuals may present an unacceptable national security risk because, for example, the individual may be subject to the direction of a country of concern. The proposed rule provides for the Attorney General to designate such an individual—or any other individual or entity that satisfies the substantive criteria in the proposed rule—as a covered person.

Under the proposed rule, designation as a covered person is effective upon the Department's announcement; a U.S. person with actual knowledge of the designated person's status would be prohibited from knowingly engaging in a covered data transaction with that person (except as otherwise authorized under the proposed rule). After publication in the Federal Register , the Department would infer knowledge of the designated person's status on the part of any U.S. person engaging in a covered data transaction with that person. As in the context of asset flight, designations must be immediately effective to prohibit the irreversible transfer of regulated data—and the attendant risk to national security—once a designation is announced. If there were delay, unscrupulous actors could rush to complete transactions that would soon become prohibited, thus inviting precisely the national security risk that the Order, and the designation, is intended to mitigate. Like the OFAC processes on which it is modeled, the proposed rule includes a mechanism for a person designated as a covered person to seek administrative reconsideration of the designation or removal from the list of designated covered persons on the basis of changed circumstances.

Designation as a covered person reflects the risk to national security that attaches to the designated person's relationship—whether voluntary or involuntary—with a country of concern. The definition of “covered person,” for example, includes any foreign person who is primarily resident in the territorial jurisdiction of a country of concern or any person who is an employee or contractor of an entity with its principal place of business in a country of concern. As a general matter, the national security risk from concluding a covered data transaction with such persons arises primarily from the potential actions of the government of the country of concern in relation to that person, not from the intent or personal characteristics of the individual.

A few commenters expressed concern that it will be difficult for businesses subject to the proposed rule to identify entities controlled by or subject to the jurisdiction of countries of concern. However, neither the ANPRM nor the proposed rule would require companies to determine whether entities are subject to the control or jurisdiction of a country of concern. Whether an entity is controlled by or subject to the jurisdiction or direction of a country of concern is part of the criteria applied by the Attorney General in designating individuals and entities as covered persons; it is not a standard to be applied by the private sector. If the Attorney General determines that an individual or entity meets the criteria for designation, the Attorney General will specifically and publicly designate that person, as addressed in the foregoing discussion, and the private sector can screen counterparties against that public list. For entities not so designated, the private sector need only consult the four other categories of covered persons discussed in part IV.E.1 of this preamble; the private sector need not conduct any inquiry into whether such an entity is controlled by or subject to the jurisdiction or direction of a country of concern. Therefore, the proposed rule adopts the approach described in the ANPRM without change.

F. Subpart H—Licensing

The Order authorizes the Attorney General, in concurrence with the Departments of State, Commerce, and Homeland Security and in consultation with other relevant agencies, to issue (including to modify or rescind) licenses authorizing a transaction that would otherwise be a prohibited transaction or a restricted transaction. The proposed rule implements this provision of the Order by providing processes for regulated parties to seek, and for the Attorney General to issue, general and specific licenses. The Department anticipates that licenses will be issued only in rare circumstances as the Attorney General deems appropriate.

1. Section 202.801—General Licenses

General licenses would be published in the Federal Register and could be relied upon by all relevant parties affected by a particular element of these regulations. As deemed appropriate, the Attorney General, in concurrence and consultation with other departments as required by the Order, may issue a general license permitting otherwise prohibited transactions, including pursuant to conditions specified in the license. In those instances, otherwise prohibited transactions that satisfy any applicable conditions would be permitted; there would be no requirement for a party to seek further authorization prior to concluding a transaction covered by such a license. General licenses could be issued to ease industry's transition once the proposed rules become effective by potentially, for example, authorizing orderly wind-down conditions for covered data transactions that would otherwise be prohibited by the proposed rules.

2. Section 202.802—Specific Licenses

Specific licenses, on the other hand, would cover only parties who apply to the Department for such a license and disclose the facts and circumstances of the covered data transaction they seek to engage in. Specific licenses would authorize only the transactions described in the license; a specific license might authorize one or more transactions that would otherwise be prohibited.

3. Conditions on General and Specific Licenses

Both general licenses and specific licenses could include a range of requirements or obligations as the Department deems appropriate. For example, a license might be conditioned on additional disclosure requirements, ongoing reporting obligations, recordkeeping obligations, due diligence requirements, certification requirements, cybersecurity requirements, or inclusion of certain contractual terms. The Department believes, as a general matter, that imposing uniform requirements across licenses to the greatest extent possible will encourage adoption of those practices as a matter of course and will facilitate compliance for parties operating under more than one license. For example, recordkeeping requirements for one license might be identical to those of another license. Nonetheless, the Department believes that it is important to retain flexibility in crafting applicable requirements—especially in the context of specific licenses—to account for varying contexts of the contemplated transactions and other aspects of the license at issue. The proposed rule reflects that flexibility.

The authorization provided by a license is contingent on satisfying all conditions of the license. Transactions not conducted in compliance with a license's conditions would be subject to the regulation's restrictions and prohibitions and may result in violations of the proposed rule and subject the transacting parties to enforcement action. Misrepresentations in the application process may render the license void from the date of issuance and may subject parties to enforcement action. The proposed rule contains provisions authorizing the Department to require applicants for specific licenses to use specific forms and procedures published by the Department. The proposed rule also establishes a process to allow applicants and other parties-in-interest to request reconsideration of the denial of a license based on new facts or changed circumstances.

Under subpart D of the proposed rule, governing restricted transactions, parties may engage in certain otherwise-prohibited transactions if they satisfy the specified security requirements. These provisions operate functionally as a general license to engage in certain prohibited transactions when specific conditions—the security requirements—are met. The Department does not anticipate issuing licenses in the ordinary course to relieve parties from complying with the security requirements for restricted transactions but may do so in unusual or unique circumstances as necessary or appropriate. The Department retains the discretion, however, to issue general or specific licenses that would apply to otherwise restricted transactions.

G. Subpart I—Advisory Opinions

1. Section 202.901—Inquiries Concerning Application of This Part

The proposed rule creates a system for the Attorney General to provide guidance on this part in the form of official guidance or written advisory opinions. The Department may issue official guidance at any time, including to address recurring or novel issues. The Department may also issue guidance in response to specific inquiries received through advisory opinion procedures.

Under the proposed rule, the Department may publish general forms of interpretive guidance, such as Frequently Asked Questions posted online. The Department plans to make any official guidance publicly available to help potentially regulated parties better understand the regulations and the Department's interpretation of the regulations and the Order.

The proposed rule also creates a mechanism for potentially regulated parties to seek opinions about the application of the regulations or the Order to specific transactions. The proposed rule would permit a U.S. person engaging in a transaction potentially regulated by the program to request an interpretation of any provision of this part. Advisory opinions could cover, for example: (1) whether a particular transaction is a prohibited transaction or restricted transaction; and (2) whether a person is a U.S. person, foreign person, or covered person. The proposed rule requires that advisory opinions only be requested regarding actual—not hypothetical—transactions.

The proposed rule sets out procedural and administrative requirements for submitting a request for any advisory opinion, including: (1) that the request be made in writing, see § 202.1201; (2) that the request identify all participants in the transaction for which the opinion is being sought ( i.e., anonymous requests will not be accepted); and (3) that the request describe the actual, not hypothetical, conduct giving rise to the request for an advisory opinion. Advisory opinions issued in response to a party's request may be published as appropriate. A determination regarding whether an advisory opinion or portions of that opinion are appropriate for publication will include consideration of whether publication complies with applicable laws and regulations ( e.g., regarding the protection of confidential business information). In addition, the proposed rule makes clear that each advisory opinion can be relied upon only to the extent that the disclosures made in obtaining the advisory opinion were accurate and complete, and to the extent that those disclosures continue to accurately and completely reflect the circumstances after the advisory opinion is issued. Advisory opinions will reflect the view of the Department of Justice and will not bind any other agency; an advisory opinion does not affect obligations under provisions not specifically discussed in the opinion.

Commenters supported the Department's proposal to provide interpretive guidance to the public. They also requested that the Department publish the decisions for the public's benefit. As stated above, advisory opinions may be published as appropriate in compliance with applicable laws and regulations. One commenter requested that trade associations be allowed to request interpretive guidance on behalf of their members. The proposed rule would allow trade associations to seek guidance on behalf of their members, so long as the guidance sought relates to a specific transaction and identifies the parties to the transaction. Although one commenter requested the ability to seek guidance related to hypothetical transactions, the Department declines to extend the interpretive guidance provision to such transactions to ensure that any such guidance is based on specific, factual circumstances so that it is as helpful to the public as possible. Consequently, the proposed rule adopts the approach described in the ANPRM without change.

H. Subpart J—Due Diligence and Audit Requirements

The Order delegates to the Attorney General, in consultation with relevant agencies, the full extent of the authority granted to the President by IEEPA as may be necessary or appropriate to carry out the purposes of the Order, and it expressly states that the proposed rules will “address the need for, as appropriate, recordkeeping and reporting of transactions to inform investigative, enforcement, and regulatory efforts.” The Department of Justice wishes to achieve widespread compliance with the proposed rule, and to gather the information necessary to administer and enforce the program, without unduly burdening U.S. persons or discouraging data transactions that the program is not intended to address.

The Department will encourage U.S. persons subject to the proposed rule to develop, implement, and update compliance programs as appropriate. The compliance program suitable for a particular U.S. person would be based on that person's individualized risk profile and would vary depending on a variety of factors, including the U.S. person's size and sophistication, products and services, customers and counterparties, and geographic locations. The Department may issue guidance on this topic to assist U.S. persons to develop and implement compliance programs. The Department may also consider the adequacy of a compliance program in any enforcement action.

The proposed rule does not impose affirmative due diligence and recordkeeping requirements on every U.S. person engaging in a covered data transaction with a covered person or country of concern. As discussed in part IV.H.1 of this preamble, the proposed rule only imposes affirmative due diligence and recordkeeping requirements as a condition of engaging in a restricted transaction.

Two related commenters expressed concerns that the proposed rule would require U.S. companies to surveil their employees' communications to comply with the prohibitions and restrictions. No changes have been made in response to this comment. The proposed rule does not, on its face or in practice, require surveillance of employees to achieve compliance. Any U.S. person engaging in activities relevant to the proposed rule should take a risk-based approach to their compliance program and ensure that it aligns with their business profile. Like sanctions, export controls, and other national security regulations, any compliance program may include a mix of policies, processes, resources, and technologies to ensure compliance. Important aspects of an effective compliance program may include, for example, senior management support and buy-in (including adequate resources); a routine and ongoing assessment of the business' risk profile to identify potential issues under the regulations that the business is likely to encounter; internal controls informed by that risk assessment, including policies and procedures to identify and address data transactions that may trigger obligations under the regulations, appointing and empowering responsible compliance personnel, integrating these controls into the company's daily operations, and ensuring that employees have adequate training and job-specific knowledge regarding the proposed rule and internal controls; and testing these controls and remediating any weaknesses or gaps. The Department is considering providing separate guidance on implementing effective risk-based compliance programs.

1. Section 202.1001—Due Diligence for Restricted Transactions

As discussed in part IV.H of this preamble, the Order delegates to the Attorney General, in consultation with relevant agencies, the full extent of the authority granted to the President by IEEPA as may be necessary or appropriate to carry out the purposes of the Order. In accordance with that delegation, and adopting the approach contemplated in the ANPRM, the proposed rule imposes and details affirmative due diligence requirements as a condition of engaging in a restricted transaction. The proposed rule imposes know-your-data requirements, which specifically require that U.S. persons engaging in restricted transactions develop and implement data compliance programs with risk-based procedures for verifying data flows, including the types and volumes of data involved in the transactions, the identity of the transaction parties, and the end-use of the data. The Order also requires that the proposed rule address the need for recordkeeping, as appropriate. The proposed rule imposes affirmative recordkeeping requirements as a condition of engaging in a restricted transaction, and requires U.S. persons subject to these affirmative requirements to maintain documentation of their due diligence to assist in inspections and enforcement, and to maintain the results of annual audits that verify their compliance with the security requirements and, where relevant, the license conditions to which the U.S. persons may be subject.

2. Section 202.1002—Audits for Restricted Transactions

Adopting the approach contemplated in the ANPRM, the proposed rule would impose and details an annual audit requirement as a condition of engaging in a restricted transaction to verify and improve compliance with the security requirements.

I. Subpart K—Reporting and Recordkeeping Requirements

1. Section 202.1101—Records and Recordkeeping Requirements

Adopting the approach contemplated in the ANPRM, the proposed rule would require any U.S. person engaging in a restricted transaction to keep full and accurate records of each restricted transaction and to keep the records available for examination for at least 10 years after the date of such transaction (the length of the statute of limitations for violations of IEEPA). The proposed rule describes the required records in detail, which include a written policy describing the compliance program, a written policy documenting implementation of the security measures for restricted transactions, the results of any audits to evaluate compliance with the security measures, documentation of the due diligence conducted to verify the data flow involved in any restricted transaction, and other pertinent information regarding each transaction.

2. Section 202.1102—Reports To Be Furnished on Demand

Adopting the approach contemplated in the ANPRM, the proposed rule includes provisions to assist the Department in investigating potential noncompliance with the proposed rules of this program. These include requiring any U.S. person to furnish under oath, from time to time and at any time as may be required by the Attorney General, complete information relative to any covered data transaction subject to a prohibition or restriction.

3. Section 202.1103—Annual Reports

Adopting the approach contemplated in the ANPRM, the proposed rule would require reporting by U.S. persons who engage in certain restricted transactions or, in certain narrow circumstances, to identify attempts to engage in prohibited transactions. Specifically, the proposed rule requires annual reports from U.S. persons engaged in restricted transactions involving cloud-computing services where 25 percent or more of that U.S. person's equity interests are owned (directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise) by a country of concern or covered person.

The Department may impose similar reporting requirements on U.S. persons engaging in licensed transactions as conditions of specific or general licenses. Those requirements may vary depending on the nature of the licenses, will be set forth in the licenses themselves, and are not part of the proposed rule.

4. Section 202.1104—Reports on Rejected Prohibited Transactions

Adopting the approach contemplated in the ANPRM, the proposed rule also requires that any U.S. person that has received and affirmatively rejected an offer from another person to engage in a prohibited transaction must submit a report to the Department within 14 business days of rejecting it. These reports will help the Department identify instances in which potential countries of concern or covered persons seek to enter into prohibited transactions with U.S. persons in contravention of the proposed rule, including through evasion. The information submitted by these reports will thus assist the Department in monitoring U.S. persons' compliance with the proposed rule, identifying matters for potential investigation, undertaking enforcement actions, and identifying ways in which to refine the proposed rule in the future.

J. Subpart M—Penalties and Finding of Violation

1. Section 202.1301—Penalties for Violations

Adopting the approach contemplated in the ANPRM, the proposed rule also includes a process for imposing civil monetary penalties similar to those used in other IEEPA-based regimes. See31 CFR part 501, Appendix A; 15 CFR part 764. The proposed rule includes mechanisms for pre-penalty notice, an opportunity to respond, and a final decision. Under the proposed rule, penalties may be based on noncompliance with the proposed rules of this program, material misstatements or omissions in connection with this program, false certifications or submissions pursuant to the proposed rules of this program, or other actions and factors. The proposed rule stipulates that, consistent with due process requirements, the Department of Justice will give the alleged violator any relevant non-classified information that forms the basis of any enforcement action and a meaningful opportunity to respond.

As part of this proposed rulemaking, the Department is adjusting for inflation the civil monetary penalty that can be imposed under IEEPA in accordance with section four of the Federal Civil Penalties Inflation Adjustment Act of 1990 (Pub. L. 101-410, 104 Stat. 890; 28 U.S.C. 2461 note), as amended by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (Pub. L. 114-74, tit. VII, sec. 701, 129 Stat. 584, 599, 28 U.S.C. 2461 note) (“FCPIA Act”), for penalties assessed after the effective date of this proposed part with respect to violations occurring after November 2, 2015.

For consistency with the civil monetary penalties imposed in other, more widely known IEEPA-based regimes administered by the Department of the Treasury's OFAC, the Department of Justice proposes incorporating OFAC's prior annual adjustments to IEEPA's maximum civil monetary penalty as an initial catch-up adjustment applicable to this part. Those adjustments by OFAC occurred on August 1, 2016 (Implementation of the Federal Civil Penalties Inflation Adjustment Act, 81 FR 43070 (July 1, 2016)), February 10, 2017 (Inflation Adjustment of Civil Monetary Penalties, 82 FR 10434 (Feb. 10, 2017)); March 19, 2018 (Inflation Adjustment of Civil Monetary Penalties, 83 FR 11876 (Mar. 19, 2018)); June 14, 2019 (Inflation Adjustment of Civil Monetary Penalties, 84 FR 27714 (June 14, 2019)); April 9, 2020 (Inflation Adjustment of Civil Monetary Penalties, 85 FR 19884 (Apr. 9, 2020)); March 17, 2021 (Inflation Adjustment of Civil Monetary Penalties, 86 FR 14534 (Mar. 17, 2021)); February 9, 2022 (Inflation Adjustment of Civil Monetary Penalties, 87 FR 7369 (Feb. 9, 2022)); January 13, 2023 (Inflation Adjustment of Civil Monetary Penalties, 88 FR 2229 (Jan. 13, 2023)); and January 12, 2024 (Inflation Adjustment of Civil Monetary Penalties, 89 FR 2139 (Jan. 12, 2024)).

The proposed maximum civil monetary penalty for violations of this part after its effective date would therefore be the greater of $368,136 or an amount that is twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed. The Department of Justice proposes making annual adjustments to the civil monetary penalty on an annual basis after the effective date of this part consistent with the FCPIA Act.

2. Section 202.1305—Finding of Violation

The proposed rule also provides a process in which the Department might issue a finding of violation where the Department determines that a party has violated the regulations and that an administrative response short of a civil monetary penalty is warranted. As with civil penalties, the proposed rule also provides that, consistent with due process requirements, the Department will give the alleged violator any relevant non-classified information that forms the basis of any finding of violation and a meaningful opportunity to respond.

K. Coordination With Other Regulatory Regimes

The Order requires the Department of Justice to address, as appropriate, coordination with other United States Government entities, such as CFIUS, OFAC, agencies that operate export-control programs, and other entities implementing relevant programs, including those implementing Executive Order 13873; Executive Order 14034 of June 9, 2021 (Protecting Americans' Sensitive Data from Foreign Adversaries); and Executive Order 13913 of April 4, 2020 (Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector). The Department does not currently intend or anticipate that this new program will significantly overlap with existing programs. As explained in the ANPRM, existing programs do not provide prospective, categorical rules to address the national security risks posed by transactions between U.S. persons and countries of concern (or persons subject to their ownership, direction, jurisdiction, or control) that pose an unacceptable risk of providing those countries with access to government-related data or bulk U.S. sensitive personal data.

The Department has identified and considered three potential areas of overlap between this proposed rule and existing regulatory regimes.

First, the Department has considered the potential interaction between this proposed rule's application to investment agreements and CFIUS's authority to review “covered transactions,” see generally50 U.S.C. 4565. Some “investment agreements,” as defined in the proposed rule, would also be covered transactions or covered real estate transactions subject to CFIUS's jurisdiction. See § 202.228; 50 U.S.C. 4565(a)(4). The ANPRM contemplated an approach in which the proposed rule would independently regulate, as a restricted transaction, an investment agreement that is also a covered transaction or covered real estate transaction subject to review by CFIUS unless and until a “CFIUS action” occurs in which CFIUS imposes an order or condition or enters into a mitigation agreement to resolve the national security risk arising from the transaction. As explained in the ANPRM, this approach would preserve CFIUS's authority to develop bespoke protections to mitigate risks arising from covered transactions or covered real estate transactions—or recommend that the President prohibit a transaction—where CFIUS concludes that such action is necessary to address the national security risk arising from the transaction. To implement this approach, the ANPRM contemplated an exemption in the proposed rule that would apply categorically for all covered transactions that are subject to CFIUS actions, rather than requiring the Department to issue a specific license for each investment agreement subject to a CFIUS action.

The proposed rule adopts the approach described in the ANPRM and implements that approach by adding a corresponding exemption for any investment agreement that is subject to a “CFIUS action,” defining that term, and providing examples. See § 202.508. Under the proposed rule, if a CFIUS action occurs with respect to an investment agreement, that investment agreement would become exempt from the proposed rule and would be subject only to CFIUS's authority going forward. The Department, in close coordination with the Department of the Treasury, as chair of CFIUS, would retain enforcement authority with respect to any violations of the proposed rule before the effective date of the CFIUS action. Alternatively, in some instances, CFIUS may not review a particular transaction at all or may conclude its review or assessment of a transaction without taking a CFIUS action. Because CFIUS's authority to mitigate transactions is limited to risks that “arise[s] as a result” of the particular transaction, see50 U.S.C. 4565(l)(3)(A)(i), the fact that CFIUS takes no action does not mean that the transaction poses no national security risk. For example, the transaction may implicate pre-existing national security risks that do not arise from the particular transaction CFIUS can review.” In those scenarios, any obligations under the proposed rule would continue to apply with respect to the transaction. Similarly, if CFIUS requests information from parties about a transaction for which no filing has been submitted to CFIUS under 31 CFR 800.504(b) or 31 CFR 802.501(b), the Department will closely coordinate with the Department of the Treasury with respect to any enforcement action under the proposed rule with respect to that investment agreement. CFIUS may also refer a covered transaction or covered real estate transaction to the President, in which case any obligations under the proposed rule would continue to apply and the Department would closely coordinate with the Department of the Treasury on any enforcement actions under the proposed rule. The same would be true after any Presidential order under 50 U.S.C. 4565(d) following a referral from CFIUS, absent any accompanying CFIUS action. The Department, in consultation with CFIUS member agencies, continues to evaluate alternative approaches, such as regulating investment agreements as restricted transactions regardless of whether they are “covered transactions” subject to a CFIUS action. The Department welcomes comments on this potential alternative approach, as well as any other proposed alternatives.

Second, the Department has considered, in consultation with the Federal Trade Commission (“FTC”) and other agencies, the potential interaction between this proposed rule's application to data-brokerage transactions and the Protecting Americans' Data from Foreign Adversaries Act of 2024 (“PADFAA”). SeePublic Law 118-50, div. I 138 Stat. 895, 960 (2024). The PADFAA generally makes it unlawful for a “data broker to sell” or “otherwise make available personally identifiable sensitive data of a United States individual” to any foreign adversary country or any entity that is controlled by a foreign adversary and authorizes the FTC to bring civil enforcement actions for any violations. The proposed rule would generally prohibit U.S. persons from engaging in covered data transactions involving data brokerage with countries of concern or covered persons.

Following consultation with the FTC, the Department does not believe that it would be appropriate to alter the proposed rule's scope in light of the PADFAA for several reasons. There are significant differences in scope between the PADFAA and the proposed rule. The PADFAA's prohibition applies to entities that meet the statutory definition of “data broker.” By contrast, the proposed rule would regulate certain transactions involving “data brokerage,” a term that is broader and covers activities that present the national security risk of allowing countries of concern access to sensitive personal data, regardless of the kinds of entities that engage in that activity. In addition, the proposed rule would reach any U.S. persons—including individuals, not just entities—who engage in the regulated categories of activities. Similarly, the PADFAA applies to a narrower category of activities than the proposed rule. Unlike the PADFAA, the proposed rule expressly addresses the re-export or resale of data by third parties and indirect sales through intermediaries. The PADFAA excludes from the definition of “data broker” any entity that transmits a U.S. individual's data at that individual's request or direction, whereas the proposed rule would not contain any such exception in light of the national security threat posed even in such instances. In addition, the PADFAA does not provide any mechanisms for affected parties to seek clarification or redress, such as the advisory opinions, general licenses, and specific licenses available to parties under the proposed rule. Similarly, the PADFAA provides general contours for entities and businesses to determine whether a counterparty is “subject to the direction or control” of either: (1) a person that is domiciled in, headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country; or (2) an entity that is 20-percent or more owned by such a person. The proposed rule provides different criteria for determining whether a person is “covered” under the regulatory program, and it contemplates a designation process, which the PADFAA lacks.

Given the PADFAA's structure and the significant differences in scope, the Department declines to alter the proposed rule's scope in light of the PADFAA. The Department and the FTC intend to coordinate closely to ensure that these authorities are exercised in a harmonized way to minimize any conflicting obligations or duplicative enforcement. For example, the Department and the FTC intend to coordinate, as appropriate, on licensing decisions and on any potential enforcement actions under the PADFAA with respect to activities that may be authorized, exempt, or licensed under the proposed rule. Thus, the proposed rule adopts the approach described in the ANPRM without change.

Third, the Department has considered the potential interaction between this proposed rule's application to vendor agreements and any actions taken by the Secretary of Commerce under Executive Orders 13873 and 14034. Some vendor agreements, as defined in this proposed rule, could also be the subject of an action by the Secretary of Commerce regarding an information and communications technology and services (“ICTS”) transaction that involves ICTS that is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary and presents the types of unacceptable national security risks described in Executive Orders 13873 and 14034. Even so, the Department does not believe that it would be appropriate to alter the scope of this proposed rule for several reasons. While these two authorities could potentially address some of the same national security risks related to vendor agreements, they would do so in different ways and by focusing on different vectors of risk. Executive Order 14117 and this proposed rule seek to address this risk by addressing transactions involving the export of U.S. sensitive personal data, such as restricting a U.S. person's ability to enter into a vendor agreement that grants access to government-related data or bulk U.S. sensitive personal data to a country of concern or covered person. Executive Orders 13873 and 14034, on the other hand, seek to address transactions involving the acquisition, import, or use, among other actions, of technology or services developed or otherwise sourced from a foreign adversary by U.S. persons or in the United States. For that reason, the ICTS authority addresses a broader range of potential national security risks than access to Americans' bulk sensitive personal data.

In addition, this proposed rule (through the incorporation by reference of the CISA security requirements for restricted transactions, including vendor agreements) creates a floor for the security of all government-related data or Americans' bulk U.S. sensitive personal data involved in a restricted transaction. Only by complying with these requirements (or operating under an applicable license) could a U.S. person engage in a proposed restricted transaction. Executive Order 13873 and its implementing regulations do not establish a baseline set of mitigation measures to protect this data across all of types of vendors that could be subject to prohibition or restriction. Rather, the Department of Commerce will exercise that authority by taking an action with respect to transactions involving a specific vendor or proposing regulation of a sector-specific set of ICTS. Nothing in this proposed rule would prevent the Department of Commerce from exercising its ICTS authorities to take vendor-specific actions or promulgate sector-specific rules. At this time, any overlap between these two authorities is hypothetical, and the Department does not believe that there will be any substantial impact. The Department is, however, considering approaches to address any potential overlap that might arise between the requirements of this proposed rule and any ICTS actions undertaken by the Department of Commerce, whether through an understanding between the Department of Commerce and Department of Justice or a more formal licensing process that could apply where the Department of Commerce has taken action under its ICTS authorities. The Department welcomes comments on the identified approaches, or any others, to address any potential overlap that might arise.

L. Severability

The Department intends for the provisions of this proposed rule to be severable from each other. In short, if a court holds that any provision in a final 28 CFR part 202 is invalid or unenforceable, the Department intends that the remaining provisions of a final 28 CFR part 202, as relevant, would continue in effect to the greatest extent possible. In addition, if a court holds that any such provision is invalid or unenforceable as to a particular person or circumstance, the Department intends that the provision would remain in effect as to any other person or circumstance. Depending on the circumstances and the scope of the court's order, remaining provisions of a final rule likely could continue to function sensibly independent of any provision or application held invalid or unenforceable. For example, the prohibitions and restrictions related to transactions involving access to personal health data could continue to apply even if a court finds that the restrictions or prohibitions on transactions involving access to biometric data are invalid. Similarly, the proposed rule could be applied with respect to North Korea even if a court finds its application with respect to Russia is invalid.

V. Analysis for Proposed Bulk Thresholds

The Department of Justice proposes volume-based thresholds for each category of sensitive personal data and for combined datasets. The bulk thresholds are based on a risk-based assessment that accounts for the characteristics of datasets that affect the data's vulnerability to exploitation by countries of concern and that affect the consequences of exploitation. In conducting this assessment, the Department considered numerous ways that a country of concern might exploit each category of sensitive personal data. In general, bulk U.S. sensitive personal data is useful for deriving additional information about individuals or subpopulations, such as demography, geography, and interests, that can be used to identify vulnerabilities. The advertising industry has long recognized that such data is useful for predicting and influencing behavior. Influencing behavior is similarly at the root of intelligence recruitment. The Department assessed how a foreign intelligence service might use bulk U.S. sensitive personal data as part of the agent recruitment cycle—a “systematic method for finding agents who will meet national intelligence information needs”—among other potential malign uses. While the categories of sensitive personal data may have a variety of applications for foreign intelligence services or foreign governments, they may be especially useful to parts of the first three steps of agent recruitment:

• “spotting (or identifying) individuals who can meet intelligence needs”;
• “assessing whether the spotted individuals have the placement and access to provide desired information”; and
• “developing a relationship with the individual to . . . explore whether they will be responsive to . . . tasking for intelligence information.”

The Department's subject-matter experts identified seven characteristics relevant to the exploitability and national security harm posed by any particular type of data: purpose ( i.e., how the data can be used), changeability ( i.e., how easy it would be for an individual to deliberately change or falsify the data in question), control ( i.e., who tracks and manages the data), availability ( i.e., how easily the data can be obtained), volume ( i.e., the number of data points in a dataset), velocity ( i.e., how quickly the dataset evolves), and quality ( i.e., how much processing is required to use the data). These characteristics help describe the national security risk of each type of sensitive personal data by providing a methodology for analyzing their value to an adversary. For example, availability and control focuses on the ease with which an adversary may be able to acquire this data using licit or illicit means. Quality and changeability examine the ease and speed with which an adversary can use the data. Volume, velocity, and purpose are other important attributes of these datasets that focus on how valuable a particular data may be to an adversary and how long it is likely to remain valuable.

Using this framework of characteristics, the Department evaluated the relative sensitivity of each of the seven categories of bulk U.S. sensitive personal data and ranked them based on their potential value to enable foreign governments and foreign intelligence services engaged in agent recruitment to: (1) identify or spot individuals within bulk datasets for intelligence needs; (2) group individuals into specific categories to assess their value for intelligence purposes; and (3) characterize the behaviors and vulnerabilities of individuals to identify ways to develop and exploit relationships. The Department then considered how close in sensitivity each category was to the other, grouped them into tiers of similar sensitivity (resulting in four tiers), and then set proposed numerical thresholds for each tier.

To conduct the analysis, the Department considered use cases from each category of bulk U.S. sensitive personal data based on widely available information about commercial practices around data, news reports of past incidents involving data with national security implications, and a survey of covered transactions reviewed by CFIUS that implicated sensitive personal data. The Department also considered how future changes in technology could affect the utility and value of each category of data.

A. Analysis of Sensitivity of Each Category of Sensitive Personal Data

1. Human Genomic Data

The Department of Justice assesses that human genomic data is the most sensitive category of sensitive personal data. To conduct the analysis, the Department considered human genetic testing data, which sequences only specific portions of the human genome for a specific purpose ( e.g., identifying ancestry, diagnosing a specific disease); and sequencing of a complete human genome, a still-emerging capability with a wide variety of potential applications. Based on the multiple characteristics that were considered of high sensitivity, and especially noting that the velocity of this data has very high sensitivity, human genomic data is highly sensitive:

• Purpose: High sensitivity. Human genomic data has unique purposes among the categories of bulk U.S. sensitive personal data. It is not only useful for identifying traits such as health, emotional stability, mental capacity, appearance, and physical abilities that might be useful in intelligence recruitment; countries of concern may also use this data to develop military capabilities such as bioweapons. Because human genomic data includes the unique genetic code of an individual, it is exceptionally useful in identifying individuals. For example, an adversary with access to an individual's genomic data may be able to predict physical features, such as eye, hair, and skin color, and vocal and facial characteristics. As technology develops further, analysts may also be able to use such genomic data to determine an individual's propensity toward certain behaviors, such as aggression or risky activities. Finally, foreign adversaries could potentially use human genomic data to conduct or support surveillance, oppression, extortion, and influence operations; and could potentially use this data to inform biological weapons development.

• Changeability: High sensitivity. Human genomic data is difficult to deliberately alter. While certain technologies, such as Clustered Regularly Interspaced Short Palindromic Repeats (“CRISPR”), can alter or edit the human genome in extremely targeted, localized ways, larger-scale alterations remain technologically impossible. As a result, human genomic data is largely immutable over an individual's lifetime.

• Control: High sensitivity. Corporate entities such as healthcare laboratories usually process and control human genomic data. Because human genomic data is tied to an individual at a biological level, it is basically immutable. Additionally, biological residue such as saliva, blood, and hair can contain human genomic data, and this residue is difficult for an individual to completely control.

• Availability: High sensitivity. Bulk human genomic data is difficult to obtain in the commercial marketplace, as it remains an emerging capability. For example, the crucial technologies that formed the foundation for scaled commercial applications of genomic sequencing are still less than 20 years old. In addition, medical systems tightly control access to and distribution of this information through privacy regulations and general scientific ethics. Because this data is currently hard to acquire but has myriad potential applications, it is highly valued.

• Volume: Varied sensitivity. A complete human nuclear genome contains about 3.2 billion base pairs, with each base pair representing a unique data point. This human genome can be divided into codons of three base pairs each, each of which codes for a unique amino acid. This human genome can also be divided into tens of thousands of genes, each of which code for the production of specific proteins and other cellular activity and each of which can have multiple variants. Data sets containing human genomic data will be of different sizes—for example, a data set including the complete genome of an individual will be much larger than the data set just identifying specific genes present that may affect the chances of a specific cancer. A larger data set is more sensitive. Thus, the volume sensitivity of genomic information may vary because the datasets containing human genomic data are likely to vary widely in size.

• Velocity: Very high sensitivity. Human genomic data remains largely stable over an individual's lifetime, and while the ability to interpret that data may evolve over time, the underlying information will not change. Furthermore, the value of human genomic data will likely increase significantly in the future as technology develops. It requires protection now to prevent future exploitation.

• Quality: Varied sensitivity. Processing a single sample of human genomic data can take as long as 48 hours. As a result, computing power continues to limit analysts' ability to use fully sequenced but unevaluated human genomic data. However, analysts will be increasingly able to take advantage of public databases and open-source tools to evaluate sequenced and analyzed data, reducing the computational power required to evaluate such processed datasets.

2. Biometric Identifiers

The Department of Justice assesses that biometric identifiers are the second most sensitive category of sensitive personal data. To conduct the analysis, the Department considered physical biometrics measurements ( e.g., eye patterns, fingerprints, facial features) as well as behavioral biometrics measurements ( e.g., gait, keystroke recognition, signature). Biometric data is moderately to highly sensitive overall based primarily on the purpose, changeability, and control characteristics below:

• Purpose: High sensitivity. Biometric data is specifically intended to identify specific individuals based on distinguishing biological or behavioral characteristics. In addition, analysts can identify certain categorizing characteristics from this data—for example, inferring gender from facial features. Finally, biometric information can be used to authenticate users, either alone or as part of a multi-factor authentication protocol. Fingerprints, voiceprints, and facial scans provide useful reference points for identifying individuals for intelligence recruitment, espionage, and influence based on their patterns of life. Searches through video footage, police records, and intelligence databases using biometrics could provide points of leverage for coercion, blackmail, and influence.

• Changeability: Moderate-to-high sensitivity. Biometric data is generally difficult to deliberately change or falsify because it is linked to the physical characteristics of an individual. However, it can evolve as individuals age or be altered through activities such as limb loss or amputation, long-term manual labor, or physical retraining.

• Control: Moderate-to-high sensitivity. Physical biometric information is largely beyond the ability of an individual to control or conceal. If an individual's fingerprint or other physiological biometric measurement is compromised, it can be impossible to change. Additionally, covert or passive measures such as surveillance cameras or latent fingerprints can capture biometric data without the targeted individual's knowledge. However, certain types of behavioral biometric information, such as gait and voice, may be possible to change, though it may be difficult.

• Availability: Moderate sensitivity. Certain types of biometric data could be widely available in certain records, such as facial features derived from photographs on the internet. Others, such as gait, are not widely available. Reliable bulk biometric databases remain difficult enough to assemble that they are seen as important national security assets.

• Volume: Varied sensitivity. Video surveillance footage, which could be used to derive biometric information from tens or hundreds of individuals walking by the camera, collects up to 30 frames of potentially high-definition photo images per second. In contrast, a single human face can be represented by approximately 80 distinct nodal points, each of which could be represented as a single number.

• Velocity: Moderate sensitivity. Certain types of biometric information can change, for example as individuals age or change weight. However, because biometrics are physical, many will remain substantially the same over a person's lifetime. For example, fingerprints are constant over a lifetime, and iris patterns remain largely stable even as children grow.

• Quality: Varied sensitivity. Factors including the quality of sensors and environmental conditions can affect the reliability of readings stored in databases. The complex nature of most biometric data systems means data quality can be further affected by obscured or degraded characteristics, subject behavior, data collection, compression and sampling efforts, feature extraction issues, matching errors, and administrative and database problems. As a result, the value of a bulk biometric data source to an analyst will depend on the quality of the underlying dataset.

3. Precise Geolocation Data

The Department of Justice assesses that precise geolocation data is the third most sensitive category of sensitive personal data. To conduct the analysis, the Department considered geolocation measurements obtained by a variety of means, including Global Positioning Systems (“GPS”), cell tower proximity, Wi-Fi networks, Bluetooth signals, and IP geolocation. It considered use cases where sets of geolocation points were linked to a specific device and included timestamps; were linked to a specific device but did not include timestamps; and were not linked to either specific devices or timestamps but instead represented an aggregate picture of where individuals were taking devices. In many—but not all—instances across these use cases, precise geolocation data is moderately to highly sensitive based primarily on the purpose, changeability, volume, and quality characteristics below:

• Purpose: High sensitivity. Analysts can use geolocation data to derive detailed information about patterns of life, as well as other types of sensitive personal data such as home address and place of work. They may use it to identify influential individuals for blackmail and coercion, physically map and target sensitive sites and high-risk personnel, create near-real-time situational awareness, and target offensive cyber operations. They may also use it to identify a specific person, such as who goes to a residence, as well as large numbers of people, such as everyone who goes to the Pentagon.

• Changeability: Moderate sensitivity. Geolocation data is technically collected ( i.e., derived from signals and electronic devices). As a result, individuals can spoof or alter this data with some effort. One common way to affect the apparent location of a device is through a Virtual Private Network (“VPN”), which can affect the apparent location of a device based on its IP address, while connected applications that can spoof a GPS location on a cellphone are readily available online. More complicated spoofing techniques require transmission of a false radio signal to override a legitimate GPS signal.

• Control: Moderate sensitivity. Precise geolocation data is collected from electronic devices, which an individual can typically leave behind or be separated from. However, these devices usually collect geolocation data in the background, often beyond the control or visibility of the individual, using software services built into device operating systems. These sensors are present in an increasing number of devices, including phones, cars, and smartwatches.

• Availability: Moderate sensitivity. Commercial companies collect geolocation data in large volumes and consider it valuable for identifying consumers and evaluating their behavior. It is subject to increasing regulatory protection, with laws passed in California and Virginia to regulate precise geolocation data, and Massachusetts considering a law that would ban the sale of user location data as of the date of the proposed rule. These restrictions make the date more sensitive because it is less generally available.

• Volum e: High sensitivity. Technically, geolocation is often a combination of latitude and longitude, along with related fields such as timestamps, accuracy measurements, device identifiers, and IP addresses. This string of information requires relatively little space to store and is simple, and geolocation information is often collected in very large quantities to be meaningful for commercial or research purposes at scale. For example, one provider of geolocation data advertised a dataset covering 1 year with 214 million daily data points, suggesting the relatively small amount of information contained in each data point. In general, geolocation data is sold in many differently sized sets and different ways, ranging from small, precisely targeted geofenced areas using ads to global datasets containing records on billions of devices.

• Velocity: Low sensitivity. Commercially available geolocation datasets typically offer 1 to 5 years of data. This indicates a relatively limited lifespan and may vary. Compared to other types of data under consideration, this data is less valuable and useful over long time periods due to other factors such as volume.

• Quality: Moderate sensitivity. Analysts can purchase geolocation data in a variety of formats, including real-time and historical data, over a variety of geographic locations. Analysts can determine valuable information about patterns of life from this information. However, this data is generally provided as raw, unprocessed “pings,” which require machine analysis to derive useful insights.

4. Personal Health Data

The Department of Justice assesses that personal health data is the fourth most sensitive category of sensitive personal data. In conducting the analysis, the Department considered personal health records as well as claims and billing information. Unlike the three categories discussed in parts V.A.1, V.A.2, and V.A.3 of this preamble, personal health data contains a much more heterogeneous set of data, with sensitivity varying across the evaluated characteristics. Based primarily on the purpose, control, and availability characteristics described below, the Department assesses personal health data to be moderately sensitive overall:

• Purpose: Moderate sensitivity. Personal health records contain a variety of information, including information on medical history, medications, treatments, tests, immunizations, implanted devices, and associated data. They may also contain financial information (where related to billing), and covered personal identifiers. As a result, analysts could use them for a variety of identifying, characterizing, and categorizing activities, including identifying vulnerabilities in an individual's background that could be leveraged to coerce that individual into recruitment by a foreign intelligence service. For example, healthcare records can reveal healthcare providers and embarrassing or expensive medical conditions that help our adversaries target individuals and groups for intelligence recruitment, espionage, and influence. Severe injuries, chronic medical conditions, and mental health information provide points of leverage for coercion, blackmail, and influence. In extreme circumstances, countries of concern could even exploit information gathered from personal health records to target individuals using certain medical devices or taking certain prescriptions.

• Changeability: Moderate sensitivity. Many medical records contain objective information, such as laboratory test results and physical measurements. They also contain information that an individual could falsify by providing an inaccurate medical history, describing false symptoms, and hiding certain behaviors or habits to avoid negative consequences, get access to medication or insurance, or for simple emotional reasons such as guilt or shame.

• Control: Moderate sensitivity. Personal health records are often based on information provided by an individual and subject to strict privacy laws that help ensure individual control of this data. As a result, this data may not be available without an individual's permission. However, it is typically maintained by third parties, such as doctors, hospitals, and insurance systems, placing it in record systems outside an individual's direct control.

• Availability: High sensitivity. Personal health data is considered highly private and is well protected by privacy legislation. Data is shared as part of clinical trials, but access to such data is recognized as a continuing challenge within the healthcare community. Furthermore, health data remains highly valuable to cyber criminals on the dark web, as compared to data such as credit card numbers and Social Security numbers, pointing to the general difficulty in obtaining this information in bulk quantities.

• Volume: Varied sensitivity. As discussed, personal health data generally contains large amounts of data of varying formats and structures, ranging from the highly structured and technical information in lab results, to the more unstructured data, such as x-ray images and magnetic resonance imaging scans. Such variation means the amount of information may range from very small, such as the results of a single test, to very voluminous, such as a complete medical history. The volume of elements such as progress notes is also increasing, further expanding variability.

• Velocity: Moderate-to-low sensitivity. As discussed, personal health data contains a variety of different types of information, but many of these records are lab tests, diagnostics, and other treatment information that may be less useful to analysts. However, certain pieces of information of enduring value—such as information on chronic disease and hereditary conditions—may be mixed in with other pieces of information, somewhat raising the overall sensitivity.
• Quality: Low sensitivity. Personal health records vary widely in terms of data type, quantity, precision, and consistency, making personal health data less suitable for automated machine analysis than other types of data. Analysts or automated systems may not be able to draw useful conclusions without a great deal of context surrounding highly technical diagnostic data. “Note bloat”—unnecessarily lengthy information—is a recognized issue within the medical community, indicating the ongoing challenge of obtaining quality, valuable information. Much of the useful information may be contained in generalized diagnostics, particularized forms, and images that analysts may not be able to easily transform into useful conclusions, particularly if patients are not being truthful.

5. Personal Financial Data

The Department of Justice assesses that personal financial data is the fifth most sensitive category of sensitive personal data. To conduct the analysis, the Department considered data linked directly with personal financial accounts ( e.g., records with account numbers and names), data included in financial applications such as data used to apply for mortgages or loans ( e.g., credit history), and related data routinely exchanged during a transaction ( e.g., account numbers, routing numbers). Personal financial data includes records that are confidential ( e.g., complete bank account information, including name). Personal financial data includes a variety of data types with varying sensitivity and moderate sensitivity overall based primarily on the purpose, changeability, availability, and quality characteristics below:

• Purpose: Moderate sensitivity. Financial institutions must uniquely identify and verify the identity of individuals both to track financial flows and to comply with regulations such as anti-money laundering. In order to do this, they store a mix of data that is useful for identifying individuals. Other categories of financial data, such as credit or consumer reports, provide data that can be useful for characterizing behavior or grouping individuals into categories. Today, most individuals leave a digital trail through their purchases and other financial activities, revealing behaviors, activities, and patterns of life. They provide insight into their financial condition, personal preferences, habits, and concerns through brokerage activity, savings account information, and insurance records. Foreign intelligence services could derive other sensitive personal data, such as workplace and daily life habits, including vulnerabilities in an individual's personal life that may be leveraged to coerce that individual into recruitment by a foreign intelligence service, from financial transaction data. Use of a financial instrument to purchase products or services reveals spending habits and patterns of life that help our adversaries target individuals and groups for intelligence recruitment, espionage, and influence. Debt, creditworthiness, and financial troubles provide points of leverage for coercion, blackmail, and influence.

• Changeability: Moderate-to-high sensitivity. Financial information on an individual is recorded and maintained by financial institutions, which depend on possessing reliable and accurate information. However, individuals do have some ability to change their financial identifiers by, for example, closing one account and opening another. Additionally, the continued existence of money laundering as a law enforcement issue demonstrates that financial information can be, to some extent, controlled or manipulated by an individual.

• Control: Moderate sensitivity. Financial information and records are managed and maintained by centralized financial institutions. Credit cards and checks leave a history with the financial institution, but individuals have the power to pay in cash or other anonymized methods and not reveal transactions to these financial institutions. Ultimately, this information reflects the activity of individuals, leaving it partly in their control.

• Availability: Moderate sensitivity. The sharing of certain types of information maintained by financial institutions is controlled by privacy regulations. However, credit card, debit card, and bank account numbers, and other financial identifiers and information, are routinely exchanged as a matter of course in commercial transactions; credit reports are regularly used by financial institutions and businesses as part of background checks; and transaction data is provided to marketing and third-party data analytics organizations. Credit cards and online financial account credentials can command between $15 and $200 on the dark web, as compared with Social Security numbers, which command less than $10.

• Volume: Moderate-to-low sensitivity. Over 100 million credit card transactions occur in the United States each day. While each transaction contains a small amount of information, this total transaction volume represents a massive dataset that analysts must mine to achieve useful results. Other types of information, such as data in credit reports, can contain information in a wide variety of formats that may be bulkier to manage and store.

• Velocity: Varied sensitivity. Analysts can use certain pieces of data, such as long-term loans, for a very long time. However, other pieces of information, such as information on individual transactions, may lose their value to an analyst over a short period of time.
• Quality: Moderate sensitivity. Analysts usually value personal financial data not for the information itself, but for what it can reveal about an individual's behavior. As a result, some analysis is usually required to make it useful. Additionally, financial records such as credit reports can contain inaccurate information or make erroneous connections between individuals and assets.

6. Covered Personal Identifiers

The Department of Justice assesses that covered personal identifiers are the sixth most sensitive category of sensitive personal data. Covered personal identifiers come from a variety of contexts and are of varying quality. For example, people have used certain types of covered personal identifiers ( e.g., Social Security numbers) for decades, and numerous entities collect them, making them more available than other categories of data. Other types of covered personal identifiers ( e.g., advertising IDs) are distributed widely and only useful when collected in very large volumes and linked to other pieces of data. The variety and variability of this category makes it inherently more difficult to characterize across the board than other categories. Based primarily on the purpose, changeability, and velocity characteristics below, the Department assesses covered personal identifiers to have low sensitivity relative to the other categories of sensitive personal data:

• Purpose: Moderate sensitivity. As stated in the proposed rule, covered personal identifiers are pieces of data that can be useful for identifying individuals, making them inherently sensitive. However, covered personal identifiers include pieces of information that are uniquely identifying ( e.g., Social Security numbers) as well as those that are deliberately designed to be anonymous ( e.g., advertising identifiers). Covered personal identifiers and unique IDs can be used to link other datasets containing more directly exploitable information. For example, they can help link databases of habitual visitors to gambling sites with debt collection records or a database of government records. They could link advertising IDs, IP addresses, and SIM card numbers to personal mobile devices, home addresses, and government mobile devices. However, in general, covered personal identifiers are primarily useful as identifiers, reducing their overall sensitivity because they themselves reveal little information.

• Changeability: Moderate-to-low sensitivity. As a category, they cover a range of data points that differ in terms of ease of change. For example, Social Security numbers are difficult to change, requiring evidence that an individual is in danger from domestic violence, other abuse, or identity theft. In contrast, account identifiers and passwords can be changed at a user's discretion. Many covered personal identifiers, including passport numbers, device IMEIs, and addresses, do change on a semi-regular basis as passports are reissued, devices are replaced, and individuals move.

• Control: Moderate-to-low sensitivity. Some covered personal identifiers—particularly government-issued identifiers such as Alien Registration Numbers and Social Security numbers or financial identifiers such as account information—are fully outside the control of an individual. Others are fully controlled by an individual, including email addresses and account identifiers. Still other covered personal identifiers such as phone numbers may be issued by a third party, but an individual can change them at will.
• Availability: Low sensitivity. Covered personal identifiers such as phone numbers and home addresses have been used as unique identifiers in a variety of systems, ranging from customer loyalty trackers to tax records. Many are available as part of the public record. Technical covered personal identifiers such as IP addresses are necessarily widely available as a matter of technical necessity.

• Volume: Low sensitivity. Online data-brokerage firms advertise datasets of mobile advertising IDs containing hundreds of millions to billions of records. Tens of millions of Social Security numbers are routinely found on the dark web, suggesting the large volumes in which these data points are stored and shared by companies. Companies such as Twitter (now X) hold the phone numbers and email addresses of more than 100 million individuals. As these examples demonstrate, covered personal identifiers are routinely held and used in massive volumes. At such large volumes, this type of data tends to be less sensitive because it reduces the ability of an adversary to identify a specific individual (such as distinguishing between people who have the same name, have lived at the same address, etc.), absent other data that can be used to narrow down and link the identifiers to individuals.

• Velocity: Moderate-to-low sensitivity. Covered personal identifiers such as Social Security numbers and names can be quite persistent, changing infrequently or not at all over an individual's lifetime. Covered personal identifiers like mobile advertising IDs cease to be useful in as little as 7 to 8 months. In general, the useful lifespan of many covered personal identifiers is limited. Only a few covered personal identifiers follow an individual over a lifetime, while many have lifespans measured in weeks to months, reducing the overall sensitivity of the category.

• Quality: Low sensitivity. For example, an individual user may have multiple mobile advertising IDs across multiple devices. Advertising specialists assert that 91 percent of companies have data quality issues, including from outdated data and user-error mistakes. Individuals may also make and use throwaway email accounts to avoid spam. Major technology companies, such as Apple, offer the ability to create relay emails specifically to obfuscate certain underlying covered personal identifiers.

B. Grouping the Categories Into Tiers by Similar Sensitivity

Based on this ranking, the Department grouped the categories of sensitive personal data into four tiers based on how similar or dissimilar, in terms of sensitivity, each category is compared to the other. Human genomic data, the most sensitive category, is unique and substantially more sensitive than biometric data due to its lower changeability and velocity. As a result, the Department placed human genomic data on its own in the first tier. While not as sensitive as human genomic data, biometric identifiers and precise geolocation data are generally more sensitive than either personal health or personal financial data because the data is more structured, making it more useful for machine-based analysis. Biometric identifiers and precise geolocation data also identify individuals with more precision than personal health data or personal financial data, making the results of machine-based analysis more valuable to human analysts. As a result, the Department grouped biometric identifiers and precise geolocation data together into the second tier and grouped personal financial data and personal health data together into the third tier. Finally, compared to personal financial data or personal health data, covered personal identifiers are more varied in terms of use, making them less useful to foreign intelligence services. As a result, the Department grouped covered personal identifiers into the fourth tier.

To help verify the relative sensitivities and tiered groupings yielded by the seven-factor analysis, the Department compared the results of this analysis to other circumstances in which the Federal Government or state governments have treated these categories of data as sensitive. To start, the Department examined over 50 transactions reviewed by CFIUS in which the government identified, and took action to address, a risk to national security posed by access to data by countries of concern or persons subject to their ownership, direction, jurisdiction, or control. The Department examined the types and volumes of data involved in each CFIUS transaction to identify the lowest volumes of data that the government identified as a risk to national security posed by each of these transactions, which served as proxy for how sensitive CFIUS has generally considered each category of data with respect to identified national security risks relating to that data.

In the case of personal financial data, personal health data, and covered personal identifiers, the Department was able to identify enough CFIUS transactions to present a reasonable sample. It identified the following approximate numbers as the lowest volumes identified by CFIUS as presenting a national security risk warranting action in the context of the specific transactions involving sensitive personal data that CFIUS reviewed:

• Personal financial data: 16,000 individuals
• Personal health data: 85,000 individuals
• Covered personal identifiers: 100,000 individuals

Based on these data points, the Department confirmed that its sensitivity analysis of these three categories was consistent with previous CFIUS national security assessments, at least in the specific contexts of those case-by-case CFIUS reviews.

Because there was not a sufficiently large sample of CFIUS matters for human genomic data, biometric data, or precise geolocation data, and because there does not appear to be another national security program with relevant quantitative or qualitative data on this topic, the Department examined how the Federal Government and States treat these three remaining categories under privacy laws to help verify the results of its seven-factor assessment. While privacy laws and national security laws generally address different challenges associated with sensitive personal data, as explained in part IV of this preamble, there is some overlap in the ultimate harms that both seek to address. These privacy-based analogues thus help provide some indication of the relative capability of each category of sensitive personal data to be exploited and used to cause harm.

In the case of human genomic data, the Department confirmed its assessment that this category of data is more sensitive than the three previously mentioned categories of data (covered personal identifiers, personal financial data, and personal health data) by evaluating comparative data from the FTC. The FTC has taken action against companies making deceptive privacy claims on cases involving the human genetic data of as few as 2,600 individuals. In doing so, the FTC's complaint alleged that the company's “disregard for the basic security” of this data caused it to be “publicly exposed online,” revealing, among other things, “the level of risk for having or developing certain health conditions.” The FTC also explained that this kind of “DNA data is sensitive because it's about who” a person is and is “so sensitive there's a law to protect you from discrimination based on genetic information when you're trying to get work or health insurance.” In contrast, eight other FTC cases between 2021 and 2023 involving only covered personal identifiers, personal financial data, or personal health data involved data on one million or more individuals. The fact that the FTC took action in a case involving a significantly lower amount of compromised human genomic data supports the Department's assessment that human genomic data is substantially more sensitive than other data types.

In the case of biometric data, the Department confirmed its assessment with reference to State legislation. Three States—Washington, Texas, and Illinois —have prohibited the sale, lease, or disclosure of biometric identifiers for purposes other than the provision of a specific commercial service, such as confirming a consumer-requested financial transaction. Massachusetts is also contemplating such a law at the time of this proposed rule. The legislative action in these cases supports the Department's assessment that the transfer of even very small amounts of biometric data could prove highly damaging and thus that this data should be subject to a lower threshold.

In the case of geolocation data, the Department confirmed its assessment with reference to other government actions and reporting suggesting that even small amounts of geolocation data could be sensitive. The FTC charged two companies with causing injury to consumers by selling geolocation data that did not exclude information on sensitive locations, such as reproductive health clinics, places of worship, and addiction recovery facilities, and issued an order banning one of those companies from selling data without consumer consent. It also noted a data breach that involved 2,200 customers as part of its action against a company that harvested and shared data on people's physical movements. The FCC has also levied fines for selling location data without customer consent. The National Security Agency has noted the importance of limiting location data exposure. Congressional testimony has highlighted how commercial datasets can be used to precisely identify individuals in sensitive national security roles. The Massachusetts State legislature is considering a bill at the time of this proposed rule that would ban the sale of phone location data. These comparisons all support the Department's assessment that this type of data is relatively more sensitive than other types of data, such as personal identifiers.

C. Proposed Bulk Thresholds for Each Tier

The Department of Justice developed numerical thresholds using the four tiers of sensitivity based on the number of individuals included in a dataset. In the ANPRM, the Department set the overall upper limit for these thresholds at one million individuals. As explained in the ANPRM, within each group, the Department set a potential upper and lower limit for each of the bulk thresholds, relying on orders-of-magnitude differences to develop preliminary judgments.

The Department sought input on the thresholds from the public in response to the ANPRM. Commenters expressed a wide variety of general concerns regarding the ranges of the potential bulk thresholds. Some commenters stated that the potential thresholds were too high, some that they were too low, some that the thresholds should be zero, and some that relying on thresholds was objectionable for other reasons. None of the comments, however, provided any actionable data points, use cases, or evidence that would support an alternative analytical framework or support adopting one particular threshold over another. Given that lack of specificity, the Department (along with the Department of Commerce) followed up individually with each commenter on this topic to seek any additional information available that informed their comments, as described in part III of this preamble. Those engagements did not yield any substantially new qualitative or quantitative information to reliably inform the selection of the proposed bulk thresholds.

Based on this analysis and public comment, the proposed rule would set the following bulk thresholds:

• Human genomic data: More than 100 U.S. persons.
• Biometric identifiers and precise geolocation data: More than 1,000 U.S. persons.
• Personal health data and personal financial data: More than 10,000 U.S. persons.
• Covered personal identifiers: More than 100,000 U.S. persons.

The proposed bulk thresholds for all the categories of sensitive personal data except human genomic data are approximately the middle order of magnitude of the preliminary ranges identified in the ANPRM ( e.g., the proposed threshold of 1,000 U.S. persons for biometric identifiers is the middle order of magnitude in the ANPRM's range of 100 to 10,000). Given the high sensitivity of human genomic data and the significant additional national security risks posed by human genomic data beyond counterintelligence risks, the proposed bulk threshold for human genomic data is the lowest order of magnitude in the preliminary range identified in the ANPRM. These proposed bulk thresholds are generally consistent with the order of magnitude of the minimum number of individuals in a dataset that the United States Government and other actors have treated as presenting a national security risk or as otherwise sensitive in the use cases and comparisons described in part V.B of this preamble.

The Department has considered whether the potential economic impact should affect our choice of thresholds for the purpose of defining “bulk” in these regulations and has determined it should not. First, the Department expects that the proposed rule will likely have some economic impact with respect to the prohibitions and restrictions on covered data transactions that have been determined to pose an unacceptable national security risk. The Department seeks to avoid and minimize unintended economic impacts on activities that do not present such national security risk. Neither the Department nor commenters have identified any actionable data or analysis suggesting that the choice of thresholds above zero is reasonably likely to result in unintended downstream impacts, as explained further in part VII.A of this preamble.

Second, based on the information provided to the Department and the Department's own analysis to date, it seems unlikely that the data or analysis would be detailed and representative enough to reasonably affect the choice of any specific thresholds within the ranges identified in the ANPRM. While it is theoretically possible that choosing a higher (or lower) threshold would correspondingly affect both the numbers of captured transactions and the resultant costs, it is also possible that a meaningfully significant sample size of U.S. persons conducting prohibited and restricted transactions at volumes that generally exceed the upper end of the ranges in the ANPRM. There is no known, reliable qualitative or quantitative data that objectively favors adopting one of those likely possibilities at this time. For example, the average volume and distribution of volumes of human genomic data in covered data transactions between U.S. persons and countries of concern (or covered persons) is unknown. Because there is no data available to determine how often, for example, U.S. persons engage in such transactions at volumes above 1,000 U.S. persons as compared to 100, there is insufficient data to support a conclusion that the choice between 100 and 1,000 will meaningfully impact the number of transactions subject to the proposed rule. Accordingly, the Department declines to deviate from the risk-based analysis at this time.

VI. Interpretation of “Information or Informational Materials” in IEEPA

The Department proposes exercising its delegated statutory authority to define “information or informational materials” in 50 U.S.C. 1702(b)(3). Under IEEPA, “[t]he President may issue such regulations, including regulations prescribing definitions, as may be necessary for the exercise of the authorities granted by this chapter.” As courts have held, this provision explicitly “authorize[s] the Executive Branch to define the statutory terms of IEEPA,” and definitions promulgated by an agency that has been delegated this authority thus “carry the force of law” subject to judicial deference. Section 2(b) of the Order delegated this statutory authority to the Attorney General, and the Department proposes to exercise this authority to define “information or informational materials” as follows.

To implement 50 U.S.C. 1702(b)(3), the Department proposes defining “information or informational materials” as limited to expressive material and including publications, films, posters, phonograph records, photographs, microfilms, microfiche, tapes, compact disks, CD ROMs, artworks, and news wire feeds.

The proposed rule would adopt two exclusions to this definition from existing OFAC regulations and clarify the definition's application to non-expressive materials. First, as previewed in the ANPRM and explained in detail below, the Department's proposed rule would clarify that the phrase “information or informational materials” is limited to expressive material, consistent with the purpose of 50 U.S.C. 1702(b)(3) to protect materials involving the free exchange of ideas from regulation under IEEPA. See § 202.226. The definition of “information or informational materials” does not include non-expressive data— i.e., data that is not intended to communicate any idea. The statute therefore permits the President, and the Attorney General as his delegee under the Order, to regulate transactions involving the export of sensitive personal data or government-related data because this data is not expressive and therefore falls outside the scope of 50 U.S.C. 1702(b)(3) (“the Berman Amendment”). Second, the proposed definition would, consistent with OFAC regulations, exclude information or informational materials that are not fully created and in existence at the date of the data transaction, or the substantive or artistic alteration or enhancement of information or informational materials, or the provision of marketing and business consulting services, including to market, produce or co-produce, or assist in the creation of information or informational materials. Third, the proposed definition incorporates the statutory exemption for items controlled for export to the extent that such controls promote the nonproliferation or antiterrorism policies of the United States, or with respect to which acts are prohibited by 18 U.S.C. chapter 37. The definition's application to non-expressive material and exclusion for materials not fully created and in existence are discussed in further detail below.

A. The Berman Amendment Is Intended To Protect the Free Exchange of Ideas

As noted above, § 202.226(a) of the proposed rule clarifies that “information or informational materials” is limited to expressive material rather than including every piece of data that might be characterized technically or colloquially as “information or informational materials.” This interpretation is consistent with the statute's text and purpose, as demonstrated by legislative history and context, as well as judicial interpretations.

The text indicates that the Berman Amendment's scope is properly limited to expressive materials. The provision restricts authority under IEEPA to regulate imports and exports “regardless of format or medium of transmission, of any information or informational materials, including but not limited to, publications, films, posters, phonograph records, photographs, microfilms, microfiche, tapes, compact disks, CD ROMs, artworks, and news wire feeds.” The specific examples accompanying the phrase “information and informational materials”—publications, films, posters, phonograph records, photographs, microfilms, microfiche, tapes, compact disks, CD ROMs, artworks, and news wire feeds—reflect Congress' intent to protect the import or export of expressive speech and communicative works and mediums that may be carrying such expressive content. Although the statute provides that it is “not limited to” the articulated categories of information or specified mediums, the general term “information or informational materials” must be read in the context of those examples and should not be read to extend to dissimilar categories of information to those specifically articulated. Because those examples overwhelmingly relate to expressive materials, the term “information or informational materials” is similarly limited under the established interpretive doctrine of noscitur a sociis.

Congress enacted the Berman Amendment in 1988 and expanded it in 1994, and the initial version of the Berman Amendment passed in 1988 further supports this argument. It amended IEEPA to state that the President's authority under the statute did not include the authority “to regulate or prohibit, directly or indirectly . . . the importation from any country, or the exportation to any country, whether commercial or otherwise, of publications, films, posters, phonograph records, photographs, microfilms, microfiche, tapes, or other informational materials. The specified items shared the common attribute of having the primary or exclusive purpose of conveying expressive information, and the catch-all term “other informational materials” therefore carried that same limitation under the canon of ejusdem generis. This interpretation is further reinforced by the statute's use of “other” before “informational materials,” indicating a commonality with the enumerated items. As further discussed below, there is no indication that, in amending the 1988 text, Congress sought to deviate from that understanding. The 1994 amendment that enacted the current version of the Berman Amendment was titled “Free Trade in Ideas,” indicating the provision's reach and orientation toward expressive and communicative materials. The statute includes an accompanying provision providing “the sense of the Congress that the President should not restrict travel or exchanges for informational, education, religious, cultural, or humanitarian purposes or for public performances or exhibitions.” Together, these features confirm that the “information or informational materials” covered by the Berman Amendment are limited to the kind of expressive information that is central to the free exchange of ideas; the Berman Amendment is not intended to broadly encompass every piece of data that might technically or colloquially be described as “information.”

The proposed interpretation is consistent with Congress' purpose in enacting the Berman Amendment. As one court explained shortly after the Berman Amendment's initial enactment in 1988, there is an “obvious First Amendment orientation of the words `informational materials.' ” Other courts have reached similar conclusions about the Berman Amendment's purpose. And courts have consistently upheld the Executive Branch's interpretations that distinguish between the types of informational materials that are covered or not covered, explaining that these reflect “permissible interpretation[s]” of the Berman Amendment “in light of IEEPA's competing imperatives ( i.e., restricting material support for hostile regimes while encouraging the robust interchange of information).”

These courts' interpretations are grounded in the relevant historical and legislative context, which reflects Congress' intent to protect the free exchange of ideas. Before the Berman Amendment's enactment in 1988, the President's broad authority to regulate commerce with foreign countries under IEEPA and its predecessor and wartime sibling, the Trading with the Enemy Act of 1917 (“TWEA”), did not contain any statutory exception for “information or informational materials,” and the implementing regulations and licenses generally did not exempt information or informational materials from trade embargoes. Before and during the Cold War, the Executive Branch exercised these authorities to prohibit the importation of and dealing in certain merchandise. These general regulations applied to books, newspapers, and magazines originating in countries designated as enemy nations, such as Cuba, Vietnam, China, North Korea, and Cambodia. Absent a license granted by the Department of the Treasury, Americans could not import these materials into the United States or otherwise deal in them. To obtain such a license, an applicant had to show either that the books, magazines, and other materials were small-value “bona fide gift[s]” that did not provide “any direct or indirect financial or commercial benefit” to the enemy country or its nationals, or that payment for the commercial import of the materials was made into a blocked account. These prohibitions resulted in, for example, customs officials in the 1960s seizing “packages containing English language books and newspapers produced in North Vietnam and China” and refusing their entry until licenses were granted.

Prior to the Berman Amendment's enactment, the United States Government took varying approaches to imports of expressive materials. The Executive Branch initially required licenses for U.S. imports of thousands of Cuban publications destined for Americans' personal use, and then later “nominally allowed the importation of informational materials from Cuba but in reality, banned such importation by requiring that the importers make payment into blocked U.S. accounts.” Plaintiffs challenged these prohibitions and seizures under the First Amendment, but courts upheld them as constitutional on the grounds that the specific restrictions were merely “incidental” to the purpose of the regulations in restricting the flow of capital to enemy nations. In contrast, the 1985 Nicaraguan embargo and 1986 Libyan embargo explicitly authorized the import of “books, newspapers, magazines, films, phonograph records, tape recordings, photographs, microfilm, microfiche, posters, and similar materials” and thus preserved Americans' ability to receive news, ideas, and other expressive content from those nations.

Congress enacted the Berman Amendment against this regulatory and judicial backdrop and as an explicit “reaction” to the continued, and continually upheld, import restrictions on and seizures of “shipments of magazines and books” from most embargoed countries. The Berman Amendment thus “codif[ied] current practice . . . in the recent embargoes of trade with Nicaragua and Libya of exempting information materials and publications from import restrictions,” and used the same terms to do so (“publications,” “films,” “posters,” and so on).

The legislative history confirms what context makes clear: The Berman Amendment was designed to reach expressive information protected by the First Amendment. The relevant House committee report explains that Congress intended the Berman Amendment to protect the import and export of expressive materials; the report favorably cited and quoted from an American Bar Association House of Delegates statement that “no prohibitions should exist on imports to the United States of ideas and information if their circulation is protected by the First Amendment.” “Accordingly,” the report continued, “these sections also exempt informational materials and publications from the export restrictions that may be imposed under these acts.” Senator Charles Mathias, the sponsor of an earlier bill that contained identical language removing restrictions on the import and export of information and that was the predecessor to the 1988 bill that enacted the Berman Amendment, explained that “[t]he thread that ties all of these changes together” is “an ideal embodied in the first amendment [sic]: The removal of barriers that inhibit the free exchange of ideas across international frontiers.” Mathias emphasized not the specific doctrine of the First Amendment but rather its “philosophy” and “ideal[s],” including an “open and robust debate in the marketplace of ideas.” As he further explained, “this liberty, secured by the first amendment [sic], is thwarted by a number of laws which permit the Government to restrict the flow of information and the travel of individuals into and out of the United States,” including “restrict[ing] the import and export of information on the basis of the political doctrines contained in the information”—restrictions that the Berman Amendment was designed to address.

In 1994, Congress updated the Berman Amendment in ways that reinforced the expressive focus of the term “information or informational materials.” Between the enactment of the Berman Amendment in 1988 and Congress' update in 1994, the Executive Branch had taken “a narrow view of what constituted `informational materials.' ” Some of these restrictive Executive Branch interpretations were successfully challenged in court, and others were not. For example, the Department of the Treasury had interpreted the term “informational materials” as excluding “intangible items, such as telecommunications transmissions” (an interpretation that the courts approved), and original art in the form of paintings (an interpretation that the courts rejected).

Congress responded to these regulatory and judicial decisions by “clarify[ing]” the text of the Berman Amendment through the passage of the Free Trade in Ideas Act. As with the original 1988 version, the 1994 version of the Berman Amendment, as reflected in its text and legislative history, focuses on excluding expressive materials from regulation. In its 1994 changes, Congress added new examples of expressive materials to the Berman Amendment but did not otherwise expand its scope to include, for example, even non-expressive materials. First, Congress changed the term “other informational materials” to “any information or informational materials.” Second, Congress moved the new term from the end of the list to the beginning and expanded the list of materials, so that it now reads “any information or informational materials, including but not limited to, publications, films, posters, phonograph records, photographs, microfilms, microfiche, tapes, compact disks, CD ROMs, artworks, and news wire feeds.” Third, Congress made explicit that the Berman Amendment applied to information or informational materials “regardless of format or medium of transmission.”

The legislative history of these changes confirms that Congress intended to maintain the Berman Amendment's exclusive focus on protecting expressive materials from regulation under IEEPA and did not intend to exclude from the President's regulatory power the full scope of what colloquially might be understood to be information or informational materials. Among other things, the effect of these changes was, as the 1994 House report explained, to “clarify” the Berman Amendment by “eliminating some of the unintended restrictive administrative interpretations of it.” For example, by adding the words “regardless of format or medium of transmission,” the 1994 amendment overrode the interpretation excluding intangible materials that was unsuccessfully challenged in Capital Cities/ABC, Inc. v. Brady, 740 F. Supp. 1007, 1015 (S.D.N.Y. 1990). Similarly, the 1994 amendment codified the decision in Cernuda v. Heavey, 720 F. Supp. 1544, 1548 (S.D. Fla. 1989), by adding “artworks” to the illustrative list of informational materials and otherwise took the opportunity to “expand[ ] the exemption's non-exclusive list of informational materials to include new media, such as compact discs and CD ROMs,” on which expressive information may exist. But the House conference report makes clear that the 1994 amendment “only intended to address some of those restrictive interpretations” while leaving other interpretations in place. For example, Congress “did not disabuse OFAC of its belief that it could permissibly regulate `informational materials not fully created and in existence at the date of the transaction' ” and “did not counteract” that interpretation, which is discussed in more detail below. By explicitly acknowledging that the bill was intended to overrule some but not all narrow interpretations of “information or informational materials,” Congress rejected a meaning that would include anything that, in a colloquial sense, could potentially be “information or informational materials.”

Similarly, Rep. Howard Berman, the sponsor of the original Berman Amendment in 1988, described the 1994 amendment as designed to protect the right “to impart and receive information and ideas.” “Even at the height of the Cold War,” he recounted, the United States “positively promoted the exchange of literary and artistic work in an attempt to liberalize and open up the cultural and political climate in those countries,” and the then-recent fall of the Soviet Union “suggest[ed] that contact with Americans and the exposure to American ideas were crucial to the momentous changes which are taking place there, to our great national advantage.” The legislative history underscores what is apparent in the statutory text and context: The term is not meant to encompass everything that might technically or colloquially be described as “information.”

Congress' purpose in enacting the Berman Amendment was to protect the free exchange of ideas, and the Berman Amendment does not exempt from regulation all types of conduct, information, or communications. Although the message need not be particularized or articulable, as in the case of many pieces of art, it must still “communicate . . . ideas.” The types of “information or informational materials” listed in the Berman Amendment, such as “publications,” “news wire feeds,” and “artworks,” are mediums for expressing and conveying an idea to others.

B. Regulated Transactions Involving Sensitive Personal Data Under This Proposed Rule Do Not Implicate the Berman Amendment's Restrictions on Regulating Expressive Material

The proposed rule would regulate transactions involving sensitive personal data that is non-expressive and thus is fully consistent with the Berman Amendment. It would regulate commercial transactions involving the export of government-related data or bulk U.S. sensitive personal data that lacks expressive content.

The specific types of sensitive personal data proposed here for regulation are not expressive in nature because the data itself, whether in bulk or in isolation, does not convey an idea. For example, a person's fingerprints (biometric identifiers); DNA sequence (genomic data); financial account numbers or their browser's IP address (covered personal identifiers); debts and income (personal financial data); weight, blood type, test results, and treatments (personal health data); and their telephone's location history (precise geolocation data) do not convey expressive messages or ideas to the recipient. Sensitive personal data instead serves functional purposes, and the regulations proposed here are designed to prevent the export of this data based on its functionality to create and facilitate national security harms, not regulate the expression of ideas.

For example, human genomic data is the biological code of human functioning and growth. It is primarily used (along with personal health data) to understand and address vulnerabilities in human functioning, health, and disease. The same human genomic data that can be used to design disease therapy can also be used to identify genetic variability in a population, which can potentially be used for nefarious purposes such as identifying and exploiting susceptibility to disease. Large human genetic datasets used for ancestry, solving crimes, and research can also be misused for counterintelligence purposes, including targeting, surveillance, coercion, blackmail, intimidation, and influence. Datasets containing human genomic data do not communicate any idea; they simply contain functionally useful data.

Biometric identifiers (like a fingerprint, palm print, iris pattern, or facial feature) are “the measurement of physiological characteristics” of an individual that are primarily used for security and identity verification—for example, by comparing the measurements of an identifier against those of previously enrolled identifiers permitted to access a system. Similarly, precise geolocation data measures geographic location, ordinarily defined by its longitude and latitude coordinates, that is used to identify the physical location of a device (and thus persons associated with the device). Geolocation data is primarily used to enable and facilitate, for example, navigation, tracking, the implementation of security measures through geofencing, anti-fraud measures, targeted advertising, and the provision of certain services like roadside assistance. Biometric identifiers and precise geolocation data do not communicate any idea; they simply contain functionally useful data.

At their core, and as defined in these proposed regulations, personal financial data and personal health data also contain only functionally useful data that does not convey any idea or message. The former typically identifies and measures an individual's financial accounts, assets, debts, and liabilities, primarily to enable, facilitate, and track commercial activity (for example, by exchanging account and routing numbers, balances, and amounts to enable payments, or by identifying assets, debts, and liabilities associated with a particular individual to determine creditworthiness for loan applications). The latter typically identifies and measures an individual's medical conditions and history, primarily to assess and track an individual's health condition and determine a medical course of action.

Finally, covered personal identifiers are specifically listed classes and combinations of data that are “reasonably linked to an individual.” This data (such as Social Security numbers, financial account numbers, hardware-based identifiers, advertising identifiers, and network-based identifiers) is primarily used to identify devices and individuals, and to distinguish them from each other. They are not typically used to express and communicate ideas or messages.

In sum, the regulations contained in this proposed rule appropriately “balance[ ] IEEPA's competing purposes” in “restricting material support for hostile regimes while encouraging the robust interchange of information.” The export of non-expressive data (including the sensitive personal data that the proposed rule would regulate) does not implicate the exchange of ideas and expression that the Berman Amendment protects. At the same time, allowing sensitive personal data to fall into the hands of countries of concern would directly support and enable their attempts to undermine national security, including through traditional and economic espionage, surveillance, sabotage, blackmail, and other nefarious activities. Moreover, these categories of sensitive personal data are already subject to some existing government regulation in the context of domestic commercial transactions. It would be unreasonable to interpret IEEPA—a statute that is specifically designed to address foreign threats to national security, foreign policy, and the economy—as disallowing regulation of the same commercial transactions when they involve transferring such data to a country of concern.

This proposed interpretation aligns with the suggestions of several commenters to clarify the extent to which the transmission of expressive content and associated metadata, including through internet traffic, to entities and individuals in countries of concern would be exempt from the proposed regulations. Under this interpretation, expressive content and associated metadata that is not sensitive personal data would be categorically outside the scope of the proposed definition of “sensitive personal data” and thus outside the scope of the proposed regulations, regardless of the type of activity (or transaction) involved. The Department believes that other aspects of the proposed rule (such as bulk thresholds or the definition of “covered data transaction”) would also protect the dissemination of expressive content and its associated metadata. The Department welcomes further comments on this issue.

To the extent that any parties believe that the sensitive personal data involved in their covered data transactions may nevertheless qualify as “information or informational materials” that is exempt under 50 U.S.C. 1702(b)(3), they can seek clarification using the proposed administrative processes for seeking an advisory opinion or applying for a specific license before engaging in the transaction.

C. Exclusion for Materials Already Created and in Existence

Finally, consistent with longstanding OFAC practice, the proposed rule would exclude “information or informational materials not fully created and in existence at the date of the data transaction, or the substantive or artistic alteration or enhancement of information or informational materials, or the provision of marketing and business consulting services, including to market, produce or co-produce, or assist in the creation of information or informational materials” from the definition of “information or informational materials.” § 202.206(b)(1). Many commercial services and transactions may result in the creation of information or informational materials. This exclusion balances “IEEPA's competing imperatives ( i.e., restricting material support for hostile regimes while encouraging the robust interchange of information)” and reflects a “reasoned determination” that 50 U.S.C. 1702(b)(3) is not meant to exempt “information or informational materials” that “would not be produced but for” commercial transactions that could be otherwise prohibited or regulated. In the sanctions context, for example, a prohibition on providing consulting services would preclude provision of a consulting report even though such a report might otherwise be characterized as “informational materials.” In the context of this proposed rulemaking, a U.S. company's customization and sale of bulk U.S. sensitive personal data in response to a customer's particular criteria would fall within this independent exclusion and would not constitute information or informational materials (in addition to falling outside the definition of “information or informational material” because it is non-expressive material).

The legislative history of the Berman Amendment indicates that Congress was aware of this same interpretation in sanctions programs under IEEPA administered by OFAC and chose not to change it. The Department of the Treasury construed the Berman Amendment not to apply to “informational materials not fully created and in existence at the date of the transaction, or to the substantive or artistic alteration or enhancement of informational materials, or to the provision of marketing and business consulting services” shortly after it was enacted. As discussed above, when Congress amended the statute in 1994, it overrode other government interpretations of the Berman Amendment but it “did not disabuse OFAC of its belief that it could permissibly regulate `informational materials not fully created and in existence at the date of the transaction' ” and “did not counteract” that interpretation. Courts, relying in part on this legislative history, have affirmed this interpretation of the Berman Amendment, and the Department accordingly incorporates it into the definition of “information or informational materials” in proposed § 202.226.

VII. Regulatory Requirements

The Department designated the proposed rule as significant under Executive Order 12866, as amended, and the Office of Information and Regulatory Affairs in the Office of Management and Budget (“OMB”) reviewed the proposed rule. In addition, this section includes the required assessments of the reporting and recordkeeping burdens under the Paperwork Reduction Act of 1995, and the potential impact on small entities pursuant to the Regulatory Flexibility Act.

A. Executive Orders 12866 (Regulatory Planning and Review) as Amended by Executive Orders 13563 (Improving Regulation and Regulatory Review) and 14094 (Modernizing Regulatory Review)

1. Executive Summary

The Department of Justice estimates the discounted annualized cost of the proposed regulation to be approximately $502 million annually. The extremely high potential net benefits ( i.e., expected benefits less estimated costs) justify moving forward with the proposed rule. The approximately $502 million estimated annual cost would afford protection to well over 100 million American individuals who are potential targets of adversaries using bulk U.S. sensitive personal data. Also, the approximately $502 million estimated annual cost of the regulation is about one-third of 1 percent (0.3 percent) of the $176 billion revenues generated in the U.S. Computing, Infrastructure, Data Processing Services, and Web Hosting Services industry sector.

2. Introduction.

The review that accompanies an NPRM is known as a Preliminary Regulatory Impact Analysis (“RIA”). The Office of Management and Budget's Circular A-4 provides guidance to Executive agencies on how to conduct effective regulatory analyses. Circular A-4 recognizes that good regulatory analyses cannot be conducted according to a formula; that conducting high-quality analysis requires competent professional judgment; and that different regulations may call for different emphases in the analysis, depending on the nature and complexity of the regulatory issue and the sensitivity of the benefit and cost estimates of the key assumptions.

Circular A-4 states that RIA analysts “should aim for transparency about the key methods, data, and other analytical choices you make in your analysis.” It also encourages consultation with key stakeholders, which can “be useful in ensuring that your analysis addresses all of the relevant issues and that you have access to all pertinent data,” noting that “[e]arly consultation can be especially helpful.” At the outset of this research, the Department reached out to the private sector and other government agencies regarding data that would be useful to the analysis. The response has, in general, been that the information and data available to and known by other agencies and the private sector that would potentially be relevant to conducting such an analysis are incomplete, irrelevant, and unreliable. The Department's own search found that there are enough information sources available to make a reasonable estimate of the impact of the proposed rule based on a cost analysis that considers the value of transactions lost due to the prohibitions, the security and due diligence costs associated with the pursuit of restricted transactions, and adequate data to approximate the number of firms likely to be affected by the regulation. Regarding the estimated value of transactions lost to the prohibitions, impacts could vary by the bulk thresholds for each of the data categories outlined in the proposed rule. However, due to data limitations, this analysis does not attempt to estimate cost sensitivities based upon alternatives to the proposed bulk thresholds. We welcome comments on addressing this analytical issue.

Given the limitations on available information, the resulting uncertainty, and the qualifications surrounding the analysis, the Department has been unable to assess that any secondary impacts, such as how the prohibition on bulk U.S. sensitive personal data transfers to the countries of concern would influence international trade, are reasonably likely. Based on the available information, such secondary impacts are too speculative and hypothetical to be quantified in this analysis. Although the scope of the proposed rule is limited, indirect trade impacts could run into the hundreds of millions of dollars; nevertheless, such costs would be impossible to calculate at this juncture, and such analysis is outside the scope of this assessment.

This analysis considers the direct costs of the proposed regulation. Although it does not devote a section to indirect costs, Circular A-4 advises analysts to look beyond the obvious costs and benefits of a regulation for additional costs and benefits, which are sometimes referred to as “indirect” effects or “downstream” effects. Beyond the direct costs, there will be other market repercussions associated with the proposed regulation. Foreign firms will have less revenue from selling bulk U.S. sensitive personal data purchased from U.S. firms; new businesses may arise to provide vetting information to firms seeking entrance into the restricted transactions market; misunderstandings of the proposed regulation may result in firms spending more than necessary to comply; overall increased data security may result in more secure data and systems; transactions that are not prohibited may be reduced by firms not understanding nuances of the prohibitions; and, in retaliation, foreign countries may enact their own prohibitions and restrictions that may adversely affect U.S. businesses.

Additionally, staff of the Department of Commerce Office of Undersecretary for Economic Affairs note that there will be indirect costs from the loss of database imports from countries of concern, forgone productivity gains associated with potential innovation resulting from access to restricted data by individuals in countries of concern, and firms' reduced access to employees from countries of concern. At this point, the Department is not aware of any data with which to assess these costs, and the assessment of such costs is outside the scope of this RIA.

The regulatory review faces significant challenges in developing quantitative estimates of the monetary costs and benefits of the proposed regulation. Among these challenges to a reliable comparison of quantified cost and benefits, is the nature of the benefits that are expected from the regulation. These benefits include the security of the American people, economic prosperity and opportunity, and democratic values, all of which are beyond a reasonable, reliable, and acceptable estimate of quantified monetary value. In contrast, although precise, reliable, and relevant data to estimate the regulation's cost impacts are not publicly available, the Department has made a preliminary estimate of those costs using knowledge of the entities affected by the proposed rule; the transactions likely to be involved; and previous estimates of the costs of compliance with similar activities, such as due diligence, audits, recordkeeping, and reporting. Policy decisions will be informed by whether the benefits expected from the regulation justify the estimated costs.

3. Market Sectors Impacted by the Proposed Regulation

The firms that are currently active in the collection, processing, sale, or other types of transfers of bulk U.S. sensitive personal data and that are likely to be impacted by the proposed regulation include those that collect sensitive personal data (often referred to as “first parties”) and those that aggregate, assemble, analyze, and sell sensitive personal data (“third parties”). Sensitive personal data passes through a long supply chain of third-party vendors, such as data brokers, that obtain the data from first-party sources such as doctors, hospitals, pharmacies, banks and other financial companies, insurance companies, internet service providers, online and brick-and-mortar retail chains, schools, “smart product” sellers, rental agencies, ancestry agencies, software vendors, geolocation firms, and gaming firms. Another sector that may be impacted consists of those firms that export bulk biospecimens such as blood plasma and other medical products, laboratory supplies, and cosmetic products made with human hair. The United States supplies 70 percent of the world's supply of blood plasma, for example, making it the largest exporter of blood plasma. Additionally, blood plasma has become the United States' 11th most valuable export. In 2022, China imported more U.S. exports of “immunological medicines, plasma and other blood fractions” than any other country had in a given year. When it comes to the biospecimen segment, the proposed rule exempts items related to clinical trials, and official United States Government business and transactions required or authorized by international agreements, including United States Government business and international agreements related to pandemic preparedness and surveillance.

Bulk personal data that is extracted from different sources and then combined and analyzed can provide comprehensive profiles of individuals. Comprehensive profiles typically include a wide range of personal data, including contact information such as address, phone number, and email address; demographic data, including age, family ties, and ethnic and religious affiliations; data on general interests, such as charitable giving, gambling, pets, preferred celebrities, movies and music genres, and reading preferences; data about a person's home and neighborhood, including home equity, home size ( e.g., number of rooms and baths), and rent or loan amount and interest rate; criminal and civil actions background data, such as arrests and convictions, and judgments in civil cases; social media and technology data, including home internet provider, social media usage, and computer operating systems; financial data, including credit card usage, loans, and net worth; health data, including alcohol or tobacco usage, medical conditions ( e.g., allergies), medicine preferences, and mental health issues; and other data, such as travel, vehicle, and behavior data.

a. Sensitive Personal Data and Government-Related Data

i. Personal Financial Data

The universe of financial institutions that create bulk U.S. sensitive personal data is all firms that provide financial services. The smallest, narrowest set is the financial firms subject to a primary financial regulator. These include banks, credit unions, large financial utilities, securities firms, investment companies, and insurance companies. The total number of government-regulated and -supervised financial-services firms in this category is around 35,000. The total number of large financial-services firms is about 17,000. The Department arrived at this number by consulting the North American Industry Classification System (“NAICS”), which, in its category for Finance and Insurance companies, contains the broadest potential set of firms that could be found in the NAICS category for Finance and Insurance companies. This category contains more than 240,000 firms in total, with around 17,000 of these firms having over 20 employees, making them potentially more likely to have in-house data management and control systems.

ii. Personal Health Data

As with human genomic data, many doctors, hospitals, medical facilities, consumer human genetic testing labs, insurance companies, businesses, healthcare providers, and research institutions sell sensitive health-related data ( e.g., Electronic Medical Records (“EMRs”), prescriptions, laboratory tests, insurance claims). There is a large market for such data, which generates significant profits for companies with the capabilities to collect, anonymize, collate, and sell the data to third parties and data brokers. The market for these sales is at least in the billions of dollars. With the EMR market expected to grow at a compound annual growth rate of 6.5 percent to $46.96 billion in 2028, it is expected that the keepers of this data will take advantage of the increasing demand and massive economic benefits that these data sales can achieve.

At the forefront of data sales are the hospitals, medical facilities, pharmaceutical companies, insurers, and pharmacies that have direct access and involvement in the creation and maintenance of patient health data. HIPAA and other privacy laws help protect patients from having their personal health information shared, but nearly every State either recognizes medical providers as the owners of medical data or does not have any laws conferring patients specific ownership or property rights to their medical records. The situation with clinical trial data is similar, as any data generated by a trial participant becomes the property of the sponsor company.

Furthermore, some companies in the health sector may be able to legally sell Americans' health-related information, depending on the legal requirements applicable to their context. For example, although healthcare providers that conduct certain standard transactions electronically may be HIPAA-covered entities that are generally prohibited from selling protected health information by the HIPAA Privacy Rule, many companies that collect healthcare information are not covered by HIPAA and are not subject to its restrictions. Pairing Americans' health-related information with publicly available health record databases, healthcare directories and clearinghouses, academic or government databases ( e.g., data.gov ), and basic internet searches makes it increasingly simple to re-identify or link information. Data brokers have flourished by selling packaged datasets on the sensitive health conditions of millions of Americans in the open market. As the volume and demand for this data increase, we may see continued growth in the market share.

We also note that the Department of Health & Human Services (“HHS”) is supporting the secure sharing of clinical information via the development of the voluntary Trusted Exchange Framework and Common Agreement.

iii. Precise Geolocation Data

The proposed rule defines “precise geolocation data” as “data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within one kilometer.” The parameters to be determined are (1) the level at which to set this precision, (2) the level of precision necessary to support common commercial applications of geolocation data, and (3) the effectiveness of applying location fuzzing to geolocation data (decreasing its accuracy) in some commercial applications to reduce potential privacy impacts. These parameters are necessary to provide clear guidance to acquirers and sellers of precise geolocation data.

Mobile applications (“apps”) from smartphones are the primary sources that directly gather location data from consumers, although other technologies are also collecting and transmitting data, such as “Internet of Things” wearable devices and connected vehicles. Once they collect it, many apps share location data with third parties, whether by selling it to data brokers, to advertisers who then sell it to data brokers, or directly to buyers who intend to use the geolocation data. Data brokers can “pay a mobile app developer to use the broker's software development kit . . . in the developer's app. The broker can then sit within the app and gather data directly on users.” Alternatively, many app developers will sell location data “directly to a data broker through a server-to-server transfer.” As one example, the family safety app Life360 sold location data to nearly a dozen location data brokers in 2021—and in fact, it had agreements to directly transfer location data about its users to data brokers through its own servers. Such practices create opportunities for countries of concern to exert malign influence over U.S. persons relevant to national security.

The market for location data is large, and many companies operate as data brokers. Significantly, three major data brokers—Acxiom, LexisNexis, and Nielsen—sell data on current or former U.S. military personnel, some of which is specifically marketed as such. All three firms collect and advertise information on individuals, ranging from their family members and friends to their spending habits, mental health conditions, and geolocation. Both Acxiom and LexisNexis also provide users with the ability to verify whether someone is active duty.

iv. Human Genomic and Human 'Omic Data

There is value in both human genomic and 'omic data, and there is a large global ecosystem for buying and selling this data for a variety of purposes. The 'omic data market is growing exponentially due to the use of such data for drug discovery. There is little current regulation that restricts the buying and selling of this data, but there are real risks and potential harms associated with the misuse of such data, ranging from the individual to the population level.

The human genomic data ecosystem is large and has both public and private actors, including healthcare entities, law enforcement, international security agencies, and recreational personal human genomics/biospecimen companies. The global human genomics market was valued at $28 billion in 2022 and is projected to grow to over $164 billion by 2032, with North America accounting for approximately 45 percent of the market's current size.

Personal human genomics companies ( e.g., 23andMe, Ancestry, Ariosa Diagnostics, Color Genomics, FamilyTreeDNA, Ionis, GenScript, Illumina, Genentech, My Heritage, Navigenics, Orig3n, and Prenetics) and human biospecimen ( e.g., BioChain Institute, BioIVT, Boca Biologistics, Creative Bioarray, Cureline, Discovery Life Sciences, Infinity BiologiX, Precision for Medicine) companies collect human genomic and related data or human biospecimens, such as tissue and blood samples, that can be used to extract human genomic information for a variety of healthcare and recreational purposes. It is common for companies in these spaces, especially direct-to-consumer firms, to be owned by pharmaceutical companies or to sell the human genomic data they obtain to pharmaceutical companies. It is also common for them to conduct health research in collaboration with healthcare systems and to enter into partnerships with other industries.

There is little readily available information on who is purchasing or reselling human genomic data beyond pharmaceutical companies. Similarly, there is little readily available information on which entities (such as multinational pharmaceutical companies) are transferring human genomic data to their subsidiaries or vendors in countries of concern.

While many of the uses of human genomic data are for the development of new health technologies and pharmaceuticals, and the health and drug discovery environment are highly regulated, the sale of the data appears common and is currently virtually unregulated. As a result, there are few records of current transactions, and any company that collects human genomic data could potentially broker its sale to other companies or interested parties. For example, the States of Vermont and California have data broker registration laws, but even in those States, there is not specific information regarding genomic information sales.

v. Biometric Identifiers

The proposed rule defines biometric identifiers” as “measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.” In recent years, such identifiers have become increasingly ubiquitous in our security and verification systems. A wide variety of companies and agencies collect this information, amassing large datasets on everything from face shape, eye scans, and fingerprints to voice recordings and even heartbeats.

There is also limited information regarding the biometric data broker community. Because of the highly sensitive nature of the data ( i.e., fingerprints cannot be changed), brokers are not forthcoming in their advertising or collection of available information.

vi. Covered Personal Identifiers

An individual can have personal identifiers both assigned to them and collected from them in a wide variety of contexts and through a wide variety of entities—including governments, advertisers, and providers of technology and communications services. This, combined with the fact that personal identifiers have been used in some form for many years, means that they are a widely available form of sensitive personal data. The proposed rule specifies two subcategories of covered personal identifiers that could be used, when combined with each other or combined with other types of sensitive personal data, to “identify an individual from a data set or link data across multiple data sets to an individual.” These subcategories of covered personal identifiers in the proposed rule are listed identifiers: (1) In combination with any other listed identifier; or (2) In combination with other data that is disclosed by a transacting party pursuant to the transaction such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data.See § 202.212.

b. The Data-Brokerage Market

Much of the economic impact of the proposed rule's restrictions on the transfer or sale of data types described in part VII.A.3.a of this preamble will be borne by firms involved in the data-brokerage market. The United States is widely perceived to be the largest data-brokerage market in the world, as described below in this section. While the proposed rule regulates data-brokerage activities ( i.e., transactions), there does not appear to be any direct measure of data-brokerage activities. This analysis therefore uses and examines information regarding first-party data brokers and third-party data brokers as a reasonable measure of data-brokerage activities.

i. Companies That May Meet the Definition of Data Brokers for the Purposes of the Proposed Rule

Data brokers collect, aggregate, and sell personal data. First-party or primary data brokers collect and sell information from their own customers. Third-party data brokers purchase and resell data. On the global scale, an estimated 5,000 data-brokerage firms operate worldwide. There may be as many as 11,000 firms that fall under the 518210 NAICS code, which covers firms that provide data processing, hosting, and related services.

ii. Market Size

Estimates of the size of the data broker market vary widely, from $50 billion to $300 billion, with one popular estimate claiming that over $200 billion in revenue is generated globally each year. For the United States, which maintains approximately 60 percent of the global market, a likely range is between $30 billion and $180 billion.

Based on total revenue (U.S. and foreign) and the number of employees at these firms, the Department estimates the market size as shown in Table VII-1 of this preamble.

iii. Products Sold by Data Brokers

Data brokers often collect data regarding, for example, where the average person goes, where they shop, and what they search for online. Notably, researchers from Duke University who used a secret shopper approach were offered access to thousands of records of military personnel and military veterans' data containing names, addresses, emails, phone numbers, military agency or branch, medical ailments, political affiliations, religion, gender, age, income, credit rating, and even details on children in the household. Not all brokers sell the same data, with many targeting niche industries or markets to help them gain a competitive advantage. Brokers also trade and combine their data with primary collectors to create detailed profiles they can package and commercialize.

iv. Price Information

Depending on its type and volume, personal data can be purchased for prices ranging from less than $1 for one personal record to millions of dollars for a large dataset. In a secret shopper study, Duke University researchers found that they could purchase a single record for as little as $0.12 and spend upwards of $10,000 for approximately 50,000 records of service members and military veterans. The price did not noticeably vary based on the data subjects' IP location (United States vs. Singapore). The Duke University researchers found that if one broker could not sell the information to them, another one could. There are estimates that mental health datasets could range between $15,000 and $100,000 and may be sold for even higher prices if the datasets include more detailed demographic data.

v. Customers of Data-Brokerage Products

It is known that data brokers sell datasets both domestically and internationally; however, specific transaction activities with these parties are difficult to ascertain from available financial reports. The U.S. Bureau of Economic Analysis (“BEA”) faces significant limitations for estimating the size of the domestic and international markets because BEA data does not break out data brokerage separately as an industry. Furthermore, based on sample financial data of the data-brokerage firms listed in Table VII-1 of this preamble, the Department estimates that the U.S. market produces over 60 percent of data broker revenue.

c. Agreements Affected by the Proposed Regulation

It is difficult to determine an approximate number of affected vendor agreements, employment agreements, and investment agreements that are entered in any given year by a U.S. person due to the scope and nature of these agreements. Each of these three types of agreements are considered restricted transactions if they involve access to government-related data or bulk U.S. sensitive personal data. The Department welcomes comments that provide a source for the annual number of vendor agreements, employment agreements, and investment agreements that might be affected by the regulation.

i. Vendor Agreements

According to the proposed rule, a vendor agreement is defined as “any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.” See § 202.258(a). A potential example of a vendor agreement covered by the proposed rule is a medical facility in the United States that contracts with a company headquartered in a country of concern to provide information technology (“IT”) related services. The medical facility has bulk personal health data on its U.S. patients, and the IT services provided under the contract involve access to the medical facility's systems containing that bulk personal health data. ( See Example 2 in § 202.258(b)). The NPRM also discusses additional examples of vendor agreements pertaining to technology services and data storage. ( See Examples 3 and 4 in § 202.258(b)).

The costs of compliance with the security requirements will vary. Covered persons who have vendor agreements within the scope of the proposed rule may face costs associated with either replacing a vendor located in a country of concern or spending more on compliance ( e.g., implementing the security requirements) to maintain those vendor agreements. Furthermore, some U.S. companies may choose to remove vendor agreements altogether rather than bear the cost of complying with the security requirements. In contrast, most Fortune 500 companies or companies in sectors subject to cybersecurity regulations already have cybersecurity controls in place and might only need minor modifications to their existing vendor agreements and data security controls, while companies with less mature cybersecurity programs may require more significant changes.

ii. Employment Agreements

This NPRM defines an employment agreement as “any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.” See § 202.217(a). A potential example of an employment agreement is a U.S. company that employs a team of individuals who are citizens of and primarily reside in a country of concern and have access to back-end IT services and company systems that contain bulk human genomic data ( see Example 1 in § 202.217(b)). Similarly, the employment of a lead project manager or a CEO of a U.S. company who primarily resides in a country of concern and who has access to bulk U.S. sensitive personal data would be considered a restricted transaction ( see Examples 2 and 3 in § 202.217(b)).

Any employment agreements involving government-related data or bulk U.S. sensitive personal data between U.S. persons and countries of concern or covered persons would need to comply with security requirements. The cost of security and due diligence requirements may drive some companies to cease employment agreements with these covered persons, while other companies may incur costs to ensure compliance or even implement job transfers to eliminate the potential cost of compliance with the proposed regulation. Ultimately, employment agreements may incur larger upfront costs once the proposed regulation comes into effect that may be minimized over time as the initial market disruptions due to the proposed rule settle, the costs associated with job transfers are minimized, and firms learn how to operate in the changed environment.

iii. Investment Agreements

This NPRM defines an investment agreement as “an agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to (1) real estate located in the United States or (2) a U.S. legal entity.” See § 202.228(a). An example is when a U.S. company intends to build a data center located in a U.S. territory to store bulk personal health data on U.S. persons, and a foreign private equity fund located in a country of concern agrees to provide capital for the construction of the data center in exchange for acquiring a majority ownership stake in the data center ( see Example 1 in § 202.227(c)). Ultimately, investment agreements may incur larger upfront costs once the proposed regulation comes into effect that may be minimized over time.

iv. Security Requirements

The proposed rule authorizes three classes of otherwise prohibited transactions (vendor agreements, employment agreements, and investment agreements) if they meet the security requirements proposed by CISA. The goal of the proposed security requirements is to address national security and foreign-policy threats that arise when countries of concern and covered persons access government-related data or bulk U.S. sensitive personal data that may be implicated by the categories of restricted transactions. The proposed security requirements (incorporated by reference in § 202.402 of this NPRM) have been developed by DHS through CISA, which has published the proposed requirements on its website, as announced via a Federal Register request for comments on the proposed security requirements, issued concurrently with this proposed rule. After CISA receives and considers public input, it will revise as appropriate and publish the security requirements.

Regarding investment agreements, as described in § 202.228 and § 202.508, the proposed rule would treat investment agreements entered into by U.S. persons with countries of concern or covered persons as restricted transactions even if they are also covered transactions subject to CFIUS review, unless and until CFIUS issues an interim order, enters into a mitigation agreement, or imposes a condition with respect to a particular covered transaction. As a result, any investment agreement that is both a restricted transaction under the proposed rule and a covered transaction subject to CFIUS review would be subject to the security requirements under the proposed rule unless and until the transaction is filed with CFIUS and CFIUS takes a “CFIUS action,” as defined in the proposed rule, by entering into a mitigation agreement or imposing mitigation measures. Because the security requirements are likely at least similar to and potentially less burdensome than any bespoke mitigation measures that CFIUS would enter into or impose, the parties to such a covered transaction would likely face, as a result of the proposed rule, only the marginal cost of complying with the security requirements before CFIUS takes action. Because this cost of compliance is marginal, and because it appears likely, based on the Department's experience, that many investment agreements by countries of concern or covered persons that involve access to sensitive personal data would also be covered transactions subject to CFIUS review, it appears likely that there will not be a meaningful cost for investment agreements to comply with the security requirements.

v. Due Diligence and Recordkeeping

Due diligence and recordkeeping requirements will be important considerations when engaging in a restricted transaction or as a condition of a license (general or specific) and may be similar to certain requirements of an IEEPA-based sanctions program administered by OFAC. Section 202.1101 of the proposed rule requires U.S. persons subject to these affirmative requirements to maintain documentation of their due diligence to assist in inspections and enforcement, and to maintain the results of annual audits that verify their compliance with the security requirements, as applicable, and the conditions of any licenses, where relevant, that the U.S. persons may also have. Entities may be required to collect, maintain, and analyze readily available information to make appropriate judgments regarding their transactions and potential requirements under the proposed regulation. They may also be required to make available to the Department any annual audits that verify the U.S. person's compliance with the security requirements and any conditions on a license.

vi. Audits

The proposed rule imposes certain audit requirements on restricted transactions to ensure compliance with the security requirements for covered data transactions, such as appointing a qualified auditor to annually assess compliance. Such audits would address the nature of the U.S. person's covered data transaction and whether it is in accordance with applicable security requirements, the terms of any license issued by the Attorney General, or any other aspect of the regulations.

vii. Licenses

General and specific licenses would be available under the proposed regulation. Such licenses would permit transactions that are otherwise prohibited by the proposed regulation. Both general and specific licenses could include a range of requirements or obligations as the Department deems appropriate. The benefits of this type of regime include giving regulated parties the ability to bring specific concerns to the Department and seek appropriate regulatory relief and affording the Department the flexibility to resolve varied cases either generally or individually.

4. Need for Regulatory Action

There are many statutes, regulations, and programs that aim to keep America secure by monitoring, restricting, prohibiting, or otherwise regulating the flow of goods, services, investments, and information to foreign countries and foreign nationals, especially countries considered to be adversaries. For example, CFIUS has the authority to take action to mitigate any national security risk arising from certain foreign investments in U.S. businesses or involving U.S. real estate, or to recommend that the President suspend or prohibit a transaction on national security grounds. In addition, OFAC “administers and enforces economic and trade sanctions based on U.S. foreign-policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy, or economy of the United States.”

In Executive Order 13873, the President authorized the Department of Commerce to prohibit transactions in the information and communications technology and services supply chain or to impose mitigation measures to address an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. The Secretary of Commerce exercises this authority through the Bureau of Industry and Security. Executive Order 14034 takes various steps to protect sensitive personal data from foreign adversaries.

While existing legislation provides the Department of Justice with authority to promulgate this proposed rule, no existing statute replicates the measures undertaken here. Neither do any of the previous executive actions set forth in Executive Order 14117 broadly empower the government to prohibit or otherwise restrict the sale or transfer of government-related data or bulk U.S. sensitive personal data to countries of concern. Therefore, the proposed regulation will not be duplicative of any existing regulatory regime.

As relevant here, the regulatory philosophy of Executive Order 12866 provides that agencies should issue regulations when there is a compelling public need, such as a market failure. Executive Order 12866 further directs agencies issuing new regulations to identify, where applicable, the specific market failure that warrants new agency action and to assess its significance. In perfect, unregulated markets, supply and demand lead to transactions that allocate resources efficiently, fully supply the market at prices that buyers are willing to pay, and do not harm third parties. However, some transactions result in market failures known as “negative externalities;” that is, harms to parties not directly involved in the transactions. The sale of government-related data or bulk U.S. sensitive personal data to adversaries is an example. Such transactions are mutually beneficial to the parties: U.S. data brokers obtain monetary benefits, and adversaries obtain possession of a potentially strategic asset of sensitive data that they can put to malicious use. However, when the data can be used to harm U.S. nationals who are not directly involved in the transactions by presenting a risk to national security or foreign policy, then the transaction creates negative externalities. These market failures demonstrate a need for the regulation being proposed, which will eliminate or reduce the risk to national security and foreign policy from such transactions. Circular A-4 also recognizes a common need for regulation to protect civil rights, civil liberties, or advancing democratic values, all of which are threatened if government-related data or bulk U.S. sensitive personal data end up in the hands of adversaries.

5. Baseline (Without the Proposed Rule)

The baseline refers to what the world would look like without the regulatory changes being proposed here, which is closely related to the need for the regulation described above. To inform the public of the rationale behind the agency's proposed regulations, the Department must analyze the quantifiable and qualitative costs and benefits of the proposed action. The baseline for the proposal under consideration is the state of the world without the regulation, often referred to as the “no-action alternative,” which here includes the current regulatory regime.

a. Baseline National Security and Foreign-Policy Risks by Category of Data

i. Human Genomic and Human ’Omic Data

Human genomic data presents characteristics that, under certain circumstances, allow for misuse. Although humans share more than 99 percent of their DNA, the remaining differences play a significant role in physical and mental health. In addition to genomic data, which describes a person's DNA sequence, if combined with other data, data characterizing other human systems, known as ’omic data, can also uniquely identify individuals. For example, transcriptomic data describes RNA transcripts, or the expression of genes as impacted by environmental factors; proteomic data describes the complete set of proteins expressed by a cell, tissue, or organism; and metabolomic data describes the small molecule metabolites found within a biological sample.

Human genomic data and human `omic data are therefore highly personal, and there are both person- and population-level risks to national security associated with the potential sale of such data to foreign adversaries. Genomic data has been widely acknowledged in scientific, policy, and ethics literature to have the potential to be used to track an individual; breach their privacy; and expose individuals to discrimination, exclusion, or social embarrassment when paired with other personally identifiable information, such as by coloring public perception of a person's competence or health. Genomic data that is de-identified by standard healthcare practices ( i.e., removal of name, date of birth) can, in some cases, be potentially re-identified by methods that combine genomic data with other privately and publicly available information. There are also other potential risks related to such data. For instance, the 2023 Annual Threat Assessment of the U.S. Intelligence Community explains that generally, “[r]apid advances in dual-use technology, including bioinformatics, synthetic biology, nanotechnology, and genomic editing, could enable development of novel biological weapons that complicate detection, attribution, and treatment.” Additionally, as the National Counterproliferation and Biosecurity Center has stated, “[r]esearch in genome editing by countries with different regulatory or ethical standards than those of Western countries probably increases the risk of the creation of potentially harmful biological agents or products.” Furthermore, because biological relatives share some genetic traits, the misuse of genomic and related information can potentially harm not only the individual but also their current and future biological relatives, to some degree.

For example, Huntington's Disease is neurodegenerative, is frequently highly incapacitating, has no cure, and is tied to specific genetic variants. Revealing that an individual carries the variants for Huntington's Disease could therefore be used to claim that a political candidate for office may soon become incapacitated or to harm that person's family members mentally or emotionally.

At a population level, there are multiple examples of the risks posed by harmful use of genomic data. For example, the PRC has collected and used genetic data from minority groups and potential political dissidents to carry out human-rights abuses against those groups and to support state surveillance. The PRC's collection of healthcare data from the United States poses equally serious risks, not only to the privacy of Americans, but also to the economic and national security of the United States.

It is conceivable that bulk genomic data in the wrong hands could be used to identify or track ethnic or racial subgroups in the United States and to target them for physical, mental, or emotional harm. As the NCSC has publicly explained, for example, “[c]oncerns over the exploitation of healthcare and genomic data by the [People's Republic of China] are not hypothetical,” as China “has a documented history of exploiting DNA for genetic surveillance and societal control of minority populations in Xinjiang, China.” Specifically, China “has established a high-tech surveillance system across Xinjiang, as part of a province-wide apparatus of oppression aimed primarily against traditionally Muslim minority groups.” This apparatus includes an “initiative launched by the PRC government in 2014” that “has been used to justify the collection of biometric data from all Xinjiang residents ages 12 to 65.” Chinese authorities have “collected DNA samples, fingerprints, iris scans, and blood types” and linked the biometric data “to individuals' identification numbers and centralized [it] in a searchable database used by PRC authorities.” As NCSC has further explained, “[s]pecific abuses by the PRC government as part of this effort include mass arbitrary detentions, severe physical and psychological abuse, forced labor, oppressive surveillance used arbitrarily or unlawfully, religious persecution, political indoctrination, and forced sterilization of members of minority groups in Xinjiang.” In 2020, the Department of Commerce “sanctioned two subsidiaries of China's BGI for their role in conducting genetic analysis used to further the PRC government's repression of Uyghurs and other Muslim minority groups in Xinjiang.” As this example shows, “[t]he combination of stolen PII, personal health information, and large genomic data sets collected from abroad affords the PRC”—and other countries of concern—“vast opportunities to precisely target individuals in foreign governments, private industries, or other sectors for potential surveillance, manipulation, or extortion.” The potential exploitation of this kind of data is not limited to targeting and repression within the borders of a country of concern, as this data could help “not only recruit individuals abroad, but also act against foreign dissidents.”

There are additional risks to national security associated with the sale of bulk genomic data to countries of concern. For example, BGI Group, a Chinese company, grew exponentially during the COVID-19 pandemic by selling COVID-19 test kits in 180 countries around the world, which enabled it to collect biospecimens and DNA sequences from the individuals tested. The company also built laboratories in 18 countries, widely distributing its genetic sequencing/gathering technology across the globe, and the government of China helped to coordinate some of BGI's arrangements with other countries. The human genetic samples that BGI collected may be shared publicly on China's government-funded National GeneBank, creating individual privacy risks, and the Chinese government has indicated that its backing of BGI is intended to support China in commanding a significant position in the international biotechnology industry.

ii. Biometric Identifiers

As previously discussed, the gathering and aggregating of biometric data can be a complex process, and much about the market for biometric data is still unknown. The legitimate use of biometrics across many areas of technology is increasing rapidly, and the exposure of biometric data to countries of concern could prove to be especially damaging since the physical characteristics linked to biometrics are often difficult or impossible to change.

The PRC already has a demonstrated ability to collect and exploit the biometric data of its citizens, an effort that has been especially targeted at oppressed groups within its population. This has included gathering data such as “DNA samples, fingerprints, iris scans, and blood types” and creating a database where such data is linked with an individual's personal identifier. These capabilities will likely continue to be developed as the technology improves and could easily be used to undermine U.S. national security.

iii. Precise Geolocation Data

Precise geolocation data in the hands of foreign adversaries poses national security risks with respect to two areas: (1) operations, including missions, deployments, exercises, and activities of national security personnel; and (2) personnel, including those in the military and their families, as well as nonmilitary persons with the potential to obtain or hold information vital to national security.

Potentially sensitive information can be gleaned outside direct conflict zones. Precise geolocation data can be readily used to identify the location and purpose of important national security-related infrastructure, facilities, and equipment, all of which could lead to immense harm to national security.

Precise geolocation data can also be used to coerce military personnel, State Department officials, and anyone else with access to sensitive national security information, including through the use of such data on their family members or other close associates. Compromising information gleaned from geolocation data can be used by adversaries for surveillance and intelligence gathering as well as to extort, blackmail, dox, and manipulate behavior to obtain sensitive national security information. With all the information that is readily available from data brokers, it is quite feasible to develop effective strategies to identify national security personnel and diplomatic/foreign-policy personnel working with specific sensitive information and to track their movements and behavior.

Adversaries could use these datasets to identify where national security personnel work, then use the personnel's health or financial information to bribe or blackmail them into providing the adversaries with access to restricted systems, sensitive information, or critical programs or infrastructure. Precise geolocation data could also allow these countries to track service members' and other national security personnel's movements, impersonate personnel online or in email, and identify personnel working on specific tasks within the national security community.

Countries of concern can also exploit access to government-related data, regardless of its volume. As one report has explained, for example, location-tracking data on individuals ( e.g., military members, government employees and contractors, or senior government officials) can “reveal sensitive locations—such as visits to a place of worship, a gambling venue, a health clinic, or a gay bar[,]” or “reputationally damaging lifestyle characteristics, such as infidelity[,]” which “could be used for profiling, coercion, blackmail, or other purposes[.]”

In addition, these geolocation capabilities, combined with photography, “can expose personal information, locations, routines and numbers of [Department of Defense (DOD)] personnel, and potentially create unintended security consequences and increased risk to the joint force and mission.”

iv. Personal Health Data

Personal health data also presents threats in the hands of foreign adversaries. There are a few documented cases of data brokers selling sensitive health information to foreign governments, including those in part IV.D.1.a of this preamble. Purchasers may have direct, indirect, or undisclosed ties to foreign officials that provide these entities with access to otherwise prohibited data. The presence of foreign adversaries in the U.S. health data market makes the variety and amount of American health data available in the data-brokerage ecosystem risky. Notably, the types of sensitive personal data ( e.g., mental health or HIV/AIDS diagnoses) available, paired with the increasing speed and ease with which artificial intelligence and other technologies can re-identify individuals using as few as 15 demographic attributes ( e.g., ZIP code, date of birth, gender, citizenship, race, occupation) from another dataset, have the potential to produce harmful outcomes for the American public if placed in the wrong hands.

Currently, health data brokers collect and sell a wealth of information encompassing everything from general health conditions to addiction and prescription drug use. Additional discussion of these risks associated with personal health data can be found in part V.A.4 of this preamble.

v. Personal Financial Data

Financial data tied to individuals can pose associated national security threats in the hands of foreign adversaries. There is also an associated threat to national security to U.S. persons who might be targeted for recruitment by a foreign adversary through the use of financial data as leverage over such U.S. persons. Data about an individual's credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities and debts, and transactions; or data in a credit or “consumer report” expose that individual to more than monetary losses. The threat of exposing an individual's spending habits, particularly spending that may be embarrassing, can render that person open to extortion or blackmail. In instances where a threatened individual has access to especially sensitive information, national security may be at risk.

vi. Covered Personal Identifiers

Covered personal identifiers are a form of sensitive personal data that are both widely available and highly variable in nature. For example, covered personal identifiers may include demographic or contact data ( e.g., first and last name, birthplace, ZIP code, residential street or postal address, phone number, and email address and similar public account identifiers) that is linked to financial account numbers. Many types of covered personal identifiers can be used effectively in combination with other typers of sensitive personal data. The versatility of this data could make covered personal identifiers a valuable target for foreign adversaries attempting to increase the effectiveness of the bulk sensitive personal data in their possession by linking together separate datasets. For example, the PRC has both stolen data on U.S. persons that has included covered personal identifiers ( e.g., names and Social Security numbers, as evidenced in the 2015 hack of the health insurer Anthem, Inc.) and has effectively used personal identifiers within internal datasets on their citizens as a way to more effectively surveil marginalized groups.

vii. Government-Related Data

It has become increasingly evident in recent years that government-related location data is at risk of being exploited by countries of concern through location information collected from electronic devices, including cell phones and fitness apps. Such data can be used to not only track the movements of targeted government associates but also to link them with sensitive activities and vices, such as gambling or prostitution. This information can then be used to pressure these persons to reveal sensitive information, thereby compromising U.S. national security. Methods include malicious cyber-enabled activities, espionage, and blackmail.

b. Baseline: Total Potential U.S. Population Affected by Risks

Part IV.A.1 of this preamble explains how adversaries can use their access to Americans' bulk sensitive personal data to engage in malicious cyber-enabled activities and malign foreign influence and to track and build profiles on U.S. individuals, including members of the military and government employees and contractors, for illicit purposes such as blackmail and espionage. As of July 2021, one of the largest data brokers, Acxiom, sold products that purported to cover 45.5 million current and former U.S. military personnel and 21.3 million current and former government employees. The proposed rule also observes that countries of concern can exploit their access to Americans' bulk sensitive personal data to collect information on activists, academics, journalists, dissidents, political figures, and members of nongovernmental organizations or marginalized communities to intimidate them; curb political opposition; limit the freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties. Even family members of primary targets can be ensnared in such malicious activity. Finally, individuals with access to advanced intellectual property, such as semiconductor designs, could be high-value targets of countries of concern.

Tables VII-2 and VII-3 of this preamble provide estimates of the size of these targeted populations, but these figures should not be added together to calculate a single population figure, since a single individual could be a member of more than one of the communities.

Several of the estimates presented in Table VII-2 of this preamble required calculations based on certain assumptions. Because data on the number of current Federal employees provided by the Office of Personnel Management does not include employees of the U.S. Postal Service, Office of the Director of National Intelligence, or Central Intelligence Agency, data on those groups was obtained from other sources and added in separate lines. The estimated number of former Federal Government contractors was calculated by applying the economy-wide labor turnover rate from 2001 to 2023 to the number of current Federal Government contractors; the Department assumed that half of the labor turnover involved workers staying in Federal Government contracting, and half involved workers leaving the industry. The estimated number of family members of military veterans was calculated by applying the current average number of family members for current military members to the military veteran population.

The proposed rule highlights data associated with “activists, academics, journalists, dissidents, political figures, or members of nongovernmental organizations or marginalized communities” that could be used to “intimidate such persons; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties.” Table VII-3 of this preamble describes the size of these populations.

Table VII-3 of this preamble also contains several figures that required calculations based on certain assumptions. The estimated number of activists was calculated using a survey from the Washington Post and Kaiser Family Foundation that asked respondents whether they considered themselves activists; the percentage that answered “yes” was then applied to the current adult population. No data was available on the number of people residing in the United States who would be considered dissidents, so an estimate is provided for the size of this group. For this analysis, marginalized communities were assumed to include members of the lesbian, gay, bisexual, or transgender (“LGBT”) community; religious minorities; and racial minorities. The number of religious minorities was calculated using the percentage of the population that identified as Jewish, Muslim, Buddhist, Hindu, or another religion.

As noted earlier in this section, the populations affected by risks have substantial overlap, so the Department is unable to provide a single estimate of the affected population. Nonetheless, these estimates show that a substantial portion of the U.S. population is currently affected by the risks resulting from adversaries' access to bulk sensitive personal data.

c. Summary of Baseline (Without the Proposed Rule)

As stated in part IV.A.1 of this preamble, the government-related data or bulk U.S. sensitive personal data discussed here may, under certain conditions, be used against individuals—such as members of the military, government employees, and government contractors—for illicit purposes, including blackmail and espionage. The risks of any particular individual or group being targeted may vary depending on the circumstances, and these data illustrate the range of such activities. Countries of concern can also use access to government-related data or Americans' bulk U.S. sensitive personal data to collect information on activists, academics, journalists, dissidents, political figures, and members of nongovernmental organizations or marginalized communities to intimidate such persons; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties.

The individuals within the subgroups most at risk of having their sensitive personal data exploited by countries of concern not only play important roles in American society, but also make up a large portion of the population. When we consider that threats to the spouses and children of targeted individuals could also be made, the Department estimates that the total population of individuals who could potentially be targeted is well over 100 million individuals. Thus, the total number of those who are at risk of being targeted by foreign adversaries could exceed one-third of the entire American population. Failing to prevent the current and future sale or transfer of government-related data or bulk U.S. sensitive personal data to countries of concern effectively forgoes all the benefits that may be realized from such an action. Given the nature of the benefits to be gained from protecting national security and foreign policy from malicious actors, these benefits are unable to be monetized or quantified but will be contrasted with the estimated costs of the proposed regulation.

6. Alternative Approaches

In addition to the proposed action, the Department considered two alternatives. The first alternative, the No Action alternative, would take no regulatory action and allow the unrestricted transfer of bulk U.S. sensitive personal data to any foreign company, person, or country, including the countries of concern. The No Action alternative would not achieve the benefits of reducing the risks to the targeted populations or to U.S. national security and foreign policy. The growing threats related to foreign adversaries' use of bulk U.S. sensitive personal data, enhanced by advancing technologies such as artificial intelligence, for purposes of subjecting American citizens to exposure to blackmail and other malicious actions would continue. In addition to the sale of bulk U.S. sensitive personal data, the vendor, employment, and investment agreements would also continue without restrictions, as would the risks that the proposed rule is intended to reduce. Of course, the No Action alternative would also result in no additional costs to industry. As explained in part VII.A.7 of this preamble, however, the Department considers the expected benefits of the proposed regulation to greatly exceed the estimated costs, resulting in net benefits that are not realized by the No Action alternative. Therefore, the Department rejects the No Action alternative.

The second alternative considered was a prohibition of the transfer to countries of concern of all data that would fall within the scope of the proposed rule. This alternative would go further than directed by the Order, the provisions of which were directed at bulk U.S. sensitive personal data and would entail more complicated and costly enforcement efforts than the proposed rule. Since this alternative would prohibit not only bulk U.S. sensitive personal data but also small transfers of sensitive personal data that may not present any marginal substantial risk to national defense or foreign policy, the small additional benefits are not likely to justify the much larger value of lost transactions and compliance costs than the proposed rule's estimated cost of $502 million. Since the marginal costs of this alternative over the costs of the proposed regulation are expected to be larger than the marginal benefits—if there are any—associated with it, this alternative would necessarily have lower net benefits, as measured by total benefits less total costs.

More generally, in addressing proposals from commenters, the Department also considered alternatives that could broaden the scope of the rule (and thus potentially be more costly) or narrow its scope (and thus potentially be less costly). These alternatives include, for example, lowering or increasing the proposed bulk thresholds, prohibiting or restricting (instead of exempting) additional categories of transactions such as those involving telecommunications or clinical-trial data, expanding the list of countries of concern, and expanding the categories of covered persons. The Department declined to adopt them because they would appear not to appropriately tailor the proposed rule to the national security risks and could cause unintended economic effects, for the reasons more fully discussed with respect to those proposals.

7. Benefits of the Proposed Rule

As mentioned in part VII.A.2 of this preamble, the benefits of the proposed rule associated with reducing threats to national security and foreign policy are difficult to measure. While these benefits are difficult to measure, there is a liberal opportunity for foreign adversaries to access and exploit Americans' sensitive data without the proposed rule. This situation and the best-available information indicate that there is a high likelihood of harm to national security and that the harm to national security could be high, suggesting that the expected benefits of the proposed rule exceed its expected costs. Alternatively, even if the likelihood of harm to national security is low in some circumstances, the potential damage to national security remains high, suggesting that even modest risk reductions are justified.

The proposed rule focuses on the risk of access to government-related data or bulk U.S. sensitive personal data by countries of concern and covered persons. Countries of concern can use their access to Americans' bulk sensitive personal data to engage in malicious cyber-enabled activities and malign foreign influence as well as to track and build profiles of U.S. individuals, including members of the military and Federal employees and contractors, for illicit purposes such as blackmail and espionage. Countries of concern can also exploit their access to Americans' bulk sensitive personal data to collect information on activists, academics, journalists, dissidents, political figures, and members of nongovernmental organizations or marginalized communities to intimidate them; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties. Nongovernmental experts have underscored these risks.

Reducing these threats may produce many qualitative benefits, such as improving the security of the American people and safeguarding democratic values, all of which are beyond a reasonable, reliable, and acceptable estimate of quantified monetary value. Other benefits may also arise, such as the creation of new businesses to provide vetting information to firms seeking entrance into the restricted transactions market, or advancements in overall industry cybersecurity technology that result in more secure systems. We make no attempt to quantify these potential benefits, but we welcome comments that may allow us to do so.

8. Costs of the Proposed Rule

The economic costs of the proposed rule are the lost economic value of the covered transactions that are prohibited or forgone, referred to as “direct costs,” and the costs of compliance (for restricted transactions, the cost of complying with the security requirements established by DHS/CISA, affirmative due diligence requirements, audit requirements, and affirmative reporting requirements).

Other provisions included in the regulations—including regulations of investment, employment, and vendor agreements through the imposition of security requirements—will have a mixture of economic impacts, such as one-time costs of switching to approaches that will comply with new regulations, and economic benefits, such as improved cybersecurity controls.

The challenge of estimating the economic impact with any degree of precision is that, because there are no regulations prohibiting cross-border bulk U.S. sensitive personal data transactions, currently available data provides incomplete, unreliable, or irrelevant estimates of the types, volume, and value of the bulk U.S. sensitive personal data transfer activity and thus creates uncertainty in estimates of lost value due to the proposed rule.

Similarly, the estimates of the costs of requirements for affirmative due diligence, security, recordkeeping, affirmative reporting, and audits are very preliminary in this analysis because the size of the industry, per-company costs, and per-transaction costs are very difficult to estimate precisely. Furthermore, based on its experience with similar regulations related to economic sanctions and export controls, the Department expects the costs of compliance with this proposed rule to vary significantly across companies.

Our estimates reflect costs for firms that currently engage in transactions involving bulk U.S. sensitive personal data. The universe of firms that engage in transactions involving bulk U.S. sensitive personal data is larger than the subset of such firms that knowingly transfer such data to countries of concern or covered persons; this larger universe of firms will need to undertake some due diligence measures to ensure that their typical data transfers are not in fact going to countries of concern or covered persons. Comments are solicited and welcome on the estimates that follow.

a. Value of Lost and Forgone Transactions

The costs of the proposed rule would include the economic value of lost or forgone transactions related to the sale, transfer, and licensing of bulk U.S. sensitive personal data, as well as biospecimens, to the six countries of concern. These lost or forgone transactions would include transactions that are prohibited as well as covered data transactions that are forgone because an entity decides not to bear the costs of complying with the due diligence and security requirements necessary to engage in a restricted transaction.

The total economic value of lost and forgone transactions should not exceed the total economic value of such exports to these countries of concern, as, all else equal, an entity would forgo a transaction if its expected compliance costs exceed the expected economic value of the transaction. The anticipated value of potentially regulated transactions with all countries of concern except China is negligible, given the lack of general cross-border transactions involving bulk sensitive personal data and the existing impediments to trade, such as economic sanctions. More specifically, in recent years, the proportions of U.S. bidirectional trade and investment represented by trade with Iran, North Korea, and Cuba, respectively, have been negligible or unknown. Trade with Venezuela represents 0.1 percent of U.S. totals.

Trade with Russia averaged about 0.5 percent of all U.S. trade from 2014 to 2023, dropping to 0.1 percent in 2023. U.S. cross-investment ( i.e., two-way foreign direct investment) with Russia averaged about 0.2 percent of total U.S. foreign cross-investment from 2013 to 2022. In contrast, the respective shares of U.S. imports/exports and cross-investment that are conducted with China have averaged about 12 percent and 1.3 percent, respectively, during the same periods. Given this, the estimation of the economic costs of lost or forgone transactions here focuses primarily on China, although Russia is also considered.

Similarly, foreign direct investment into the United States from countries of concern in the information industry is a relatively small portion of the total level of foreign direct investment in this sector. Chinese investment, which has been the highest among countries of concern, has been steadily falling over the past several years. Foreign direct investment figures, based on the country of the ultimate beneficial owner and the country of direct foreign ownership, are presented in Tables VII-4 and VII-5 of this preamble.

Note that some fraction of the lost or forgone data transactions may be for beneficial uses. Beneficial uses of bulk U.S. sensitive personal data in the countries of concern may include consumer-choice improvements and the use of artificial intelligence to expedite innovation in drug discovery and increase knowledge of patterns of, for example, consumption, commerce, transportation, traffic, information/news transmission, nutrition, and health.

The following analysis relies in part on data available from the BEA on U.S. exports of telecommunications, computer, and information services, both in total and for each of the three sub-categories, to China and Russia. Tables VII-6 and VII-7 of this preamble rely on an analysis of the BEA data to approximate the value of lost transactions.

i. Global Market Value of Genomic, Biometric, and Location Data

Genomic data includes data that is used in drug discovery and development, specifically in developing products such as systems, software, and reagents, and in developing processes such as cell isolation, sample preparation, and genomic analysis. Biometric data is used in consumer electronics and automotive applications for safety, surveillance, and identification methods, including facial, posture, voice, fingerprint, and iris recognition technologies. Location data is used in smart devices, network services for improved connectivity, systems integration, monitoring, and satellite location technology, as well as to produce timely, relevant and personalized offers/information for customers.

According to market research data from one company, the global genomics market's value is estimated at $27.58 billion in 2021, $32.56 billion in 2022, and, given an estimated compound annual growth rate of 18.2 percent, $38.49 billion in 2023 and $45.49 billion in 2024. One estimate of the global biometric technology market values it at $34.27 billion in 2022 and, given an estimated 20.4 percent compound annual growth rate, $41.26 billion in 2023 and $49.68 billion in 2024. Finally, one estimate values the global location data market at $18.52 billion in 2023 and, given an estimated 15.6 percent compound annual growth rate, $21.41 billion in 2024. Table VII-6 of this preamble presents these global totals for genomic, biometric, and location data estimates.

ii. U.S. Exports to Relevant Specific Categories and to Countries of Concern

Data is available on U.S. exports in the category of telecommunications, computer, and information services, both in total and for each of these three service subcategories, to China and Russia. Data on exports in a relevant sub-category of information services—database and other information services—is available globally and for both China and Russia individually.

Telecommunications, Computer, and Information Services is one of the eleven service categories BEA presents in the U.S. international transactions accounts. The Telecommunications Services sub-category includes basic services ( e.g., transmitting messages between destinations) as well as value-added and support services. The Computer Services sub-category includes software, computing and data-storage services, hardware and software consultancy, and licensing agreements tied to downloading applications. The category of information services includes database services and web search portals, which belong to one subcategory, and news agency services, which belong to the other. This Database Services sub-category includes data brokers.

Table VII-7 of this preamble presents the value of U.S. exports of telecommunications services, computer services, information services, and the database and other information services component of information services. The table also reports exports to China for the three components combined and the exports to China and Russia individually for database and other information services.

The $10.768 billion Database and Other Information Services sub-category comprises most (98.1 percent) of the $10.972 billion Information Services category, with the other $0.275 billion (2.6 percent) in the News-Agency Services category. For the Database and Other Information Services sub-category, U.S. exports to China are $0.318 billion ($318 million) for 2023, which is 2.94 percent of the U.S. export total. U.S. exports to Russia are $0.32 billion ($32 million), which is 0.30 percent of the U.S. export total.

These U.S. export estimates are significantly over-inclusive, as they include many kinds of data that are explicitly excluded from regulation under the proposed rule, such as web browser history and other expressive data, in addition to services that do not involve data transfer at all. Consequently, the estimates of the costs due to lost or foregone transactions resulting from the proposed rule are probably overstated.

Tables VII-6 and VII-7 of this preamble comprise the “raw” data on U.S. exports to countries of concern that provide upper-bound estimates of the value of lost or forgone transactions. Given the available data that informs the following analysis, the Department welcomes comments on the use of this data and on any alternative or additional data that could also be employed.

iii. Estimates of U.S. Exports of Genomic, Biometric, and Location Data

This section provides estimates of U.S. revenue from sales for three categories of data covered under the proposed rule for which data on the global market are available: genomic, biometric, and location data.

Given the lack of available published estimates of the value of U.S. exports of such data to China, Russia, and other countries of concern, the Department developed a multi-step method for estimating the value of lost transactions in genomic, biometric, and location data to the countries of concern. To summarize, we began with market research companies' estimates of the size of the global markets in geometric, biometric, and location data shown in Table VII-6 of this preamble. Then we derived estimates of the value of lost transactions through a three-step process that involved estimating the U.S. share (domestic plus export) of the global market, estimating the percentage of U.S. global sales that are domestic, and finally making some data-informed assumptions about the share of global sales in those industries that were to the countries of concern.

In 2022, the total value of the U.S. location data market was $4.20 billion, with a projected compound annual growth rate of 13.6 percent. Based on these estimates, it can be projected that the U.S. portion in 2023 would be $4.77 billion ($4.20 * 1.136 = $4.77). As shown in Table VII-6 of this preamble, the market research company estimated that the global market value of location data in 2023 was $18.52 billion, so the estimated U.S. portion in 2023 would constitute 25.76 percent of that estimated global value ($4.77/$18.52 = 0.2576). Because the market research company estimated the U.S. compound annual growth rate for location data to be 13.6 percent and the global compound annual growth rate to be 15.6 percent, it can be projected that the U.S. portion of the global market in 2024 would fall slightly, from 25.76 percent to 25.31 percent (($4.77 * 1.136)/($18.52 * 1.156) = 0.2531).

The market research company estimated that the North American revenue share of the global biometric technology market in 2022 was 30.7 percent. If Canada and Mexico were responsible for 5 percent of global market value, then the U.S. share of the global biometric data market in 2022 would be 25.7 percent, nearly the same as the portion for location data in 2023. Given the alignment in our estimates of the U.S. market share for location and biometric data markets, we assume that the estimated U.S. location data market in 2024 (25.31 percent) also applies to the U.S. portion of global genomic and biometric data. With that assumption, we estimate that the U.S. genomic data market is worth $12.57 billion in 2024 (25.31 percent of $49.68 billion (from Table VII-6 of this preamble)), and the U.S. market is worth $5.42 billion (25.31 percent of $21.41 billion). Table VII-8 of this preamble provides 2024 estimates of U.S. revenue (foreign plus domestic) for those three industries.

Next, the Department assumes that U.S. exports in genomic, biometric, and location data constitute 30 percent of total U.S. revenue (domestic sales plus exports). This assumption is based on market research from a U.S.-based company, which estimated that in 2017, 30 percent of revenue for data brokerage companies came from international sales. When applying this assumption to revenue from sales of genomic, biometric, and location data, we estimate that exports of U.S. genomic data in 2023 were worth $3.454 billion for genomic data (30 percent of $11.513 billion); exports of biometric data were worth $3.772 billion (30 percent of $12.574 billion); and exports of location data were worth $1.626 billion (30 percent of $5.419 billion). Table VII-8 of this preamble presents estimated revenue from U.S. exports (Step 2) alongside the other estimates from which it was derived.

To reiterate, the Department assumes that U.S. exports in genomic, biometric, and location data constitute 30 percent of total U.S. revenue (domestic sales plus exports). The Department uses this assumption to inform the analysis throughout part VII of this preamble.

iv. Estimates of U.S. Exports of Genomic, Biometric, and Location Data to the Six Countries of Concern

As delineated above in this section, the current value of potentially regulated transactions with all countries of concern except China and, to a lesser degree, Russia is negligible, given the lack of general cross-border trade in data and data-driven services and the general impediments to trade with these countries of concern, such as economic sanctions. We therefore focus this part of the analysis on China, and to a lesser degree on Russia due to the $32 million in U.S. exports of database and other information services to Russia. The Department lacks data on cross-border transfers of genomic, biometric, and location data other than sales. An example of such cross-border transfers may include transfer of data within multinational companies.

As set forth in Table VII-7 of this preamble and the subsequent discussion in part VII.A.8.a.ii of this preamble, 3 percent (0.032 = $0.318 of $10.768 billion) of U.S. exports of database and other information services are currently to China and 1 percent are to Russia (0.0106 = $0.111 of $10.768 billion). Applying these percentages to the value of U.S. exports of genomic, biometric, and location data set forth in Table VII-8 of this preamble yields estimates for the value of U.S. exports of genomic, biometric, and location data to China and Russia. The estimates for U.S. exports of genomic, biometric and location data to China total $267 million and to Russia total $94 million.

v. Total Estimated Value of Lost and Forgone Transactions

To reiterate, U.S. exports of genomic, biometric, and location data to China and Russia totaled approximately $361 million in 2022. Some of these exports may have been for beneficial uses, such as consumer-choice improvement; effective medical responses; and increased knowledge of patterns of consumption, commerce, transportation, traffic, information/news transmission, nutrition, and health. The Department's estimates of the value of lost transactions do not include the potential value of any lost positive externalities to U.S. residents. The estimated annual value of lost or forgone transactions is presented in Table VII-10 of this preamble.

The Department welcomes comments on the use of this data and on any alternative or additional data that could also be employed. The Department reiterates the following limitations on these estimates, described in further detail in the analysis above:

1. The estimate assumes that the U.S. share of the global market value for location data is the same as the U.S. share of the global market value for genomic and biometric technology.

2. The export share of each of these respective U.S. markets is assumed to be the same as the share of revenue of U.S. data-brokerage companies that comes from international sales, which is 30 percent.

3. The estimate assumes that the database (and other information) services category of BEA's data includes most data brokers.

4. The estimate uses the share of U.S. exports of database and other information services that go to China and Russia to estimate the share of U.S. exports of genomic, biometric, and location data that go to China and Russia.

5. The Department assumes that the annual economic value of lost and forgone transactions would be equal to the value of all U.S. exports of biometric, location, and genomic data to China and Russia.

vi. Alternative Methodology for Estimating the Value of Lost and Forgone Transactions

An alternative estimate of the value of U.S. exports to China and Russia for this analysis can be derived from BEA data on the value of U.S. exports of database and other information services. As shown in the bottom of Table VII-7 of this preamble, BEA's estimates for 2023 were $318 million for China and $32 million for Russia.

Given the rapid growth of Chinese exports, the Department projected the 2023 BEA estimate forward to 2024. Based on the growth rates of U.S. exports of information services to China between 2006 and 2023, using an annual growth rate of 5 percent for China would increase BEA's $318 million estimate for 2023 to $334 million for 2024.

The Department's alternative estimates for the value of lost transactions are $334 million in forgone exports of information services to China and $32 million in foregone exports of information services to Russia, as shown in Table VII-11 of this preamble.

Under this alternative methodology, the Department's estimate of the economic value of transactions lost due to the proposed rule is $366 million per year (Table VII-11 of this preamble), compared with the $361 million estimate reached in the main analysis (Table VII-10 of this preamble).

The alternative methodology may overestimate the annual value of lost transactions, since the BEA category for the Database and Other Information Services may include many kinds of data that are explicitly excluded from regulation under the proposed rule (such as web-browser history and other expressive data). The comparability of the main and alternative methodologies suggests that the main estimate of $361 million may underestimate the annual value of lost transactions because it does not include personal financial data or health records. With these disparities in mind, we are estimating the value of lost transactions at the midpoint of these estimates, $364 million, and solicit comments on this total.

The Department estimates that the economic value of lost or forgone transactions would be minimal for firms not engaged in data brokerage ( i.e., for restricted transactions). In other words, the Department assumes that firms not engaged in data brokerage would bear minimal economic costs beyond those that may be associated with implementing and maintaining a risk-based compliance program (as described in § 202.302 of the proposed rule). For example, the Department assumes that the small number of U.S.-based firms currently using Chinese cloud-service providers to store prohibited or restricted data would be able to switch to another cloud service provider at low or no cost, given that Chinese cloud-service providers constitute only a tiny fraction of the cloud market for U.S.-based firms. The Department assumes that the other five countries of interest do not sell cloud services of any significant value to the United States.

b. Security Costs

Data security is an important aspect of protecting government-related data or bulk U.S. sensitive personal data from being improperly accessed by foreign adversaries or in ways that could pose a threat to national security. The proposed rule incorporates by reference proposed security requirements that have been developed by DHS through CISA, which represent conditions that businesses must meet to engage in restricted transactions. These security requirements are intended to address national security and foreign-policy threats that arise when countries of concern and covered persons access government-related data or bulk U.S. sensitive personal data that may be implicated by the categories of restricted transactions. Specifically, the proposed rule would prohibit U.S. persons from engaging in transactions unless they comply with three categories of requirements, the first two of which are addressed in the proposed security requirements, which are proposed to be incorporated by reference:

1. Organizational and system-level requirements for instituting cybersecurity policies, practices, and requirements for any covered system (which CISA proposes to define as a specific type of information system that is used to conduct a number of activities related to covered data as part of a restricted transaction).

2. Data-level requirements using any combination of the following capabilities necessary to prevent access to covered data by covered persons or countries of concern:

a. Data minimization and data masking;

b. Encryption;

c. Privacy-enhancing technologies; and

d. Denial of access.

3. Compliance-Related Requirements for Independent Testing and Auditing

These requirements would impose new costs on firms to the extent that they are not already voluntarily meeting such requirements. Any additional costs may be offset by reducing cyber incidents and their associated costs. The Department estimates the new cybersecurity-related costs imposed on affected firms by analyzing the costs that companies at different sizes and levels of technological maturity face when implementing existing security standards and frameworks of similar scope.

i. Similar Security Standards and Frameworks

The proposed rule would create cybersecurity standards that are based on, and thus overlap with, several similar, widely used cybersecurity standards or frameworks. Currently, firms engaged in transactions that are proposed to be restricted transactions are encouraged—but generally not explicitly required—to comply with existing Federal cybersecurity standards or frameworks. Given the similarities between the proposed rule's security requirements and existing cybersecurity standards and frameworks, the costs of complying with one of the existing, commonly implemented sets of cybersecurity standards or frameworks are likely similar to the costs that would be incurred by businesses to comply with the proposed rule. Furthermore, such costs will be offset because, as commenters generally agreed, most companies will already have foundational baseline security requirements in place.

As required by the Order, the security requirements for firms engaged in restricted transactions are based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the NIST Privacy Framework (“PF”). CISA has also leveraged existing performance goals, guidance, practices, and controls, including the CISA Cross-Sector Cybersecurity Performance Goals (“CPGs”), which are themselves based on the NIST CSF and PF.

The CPGs, NIST CSF, and NIST PF are sets of recommendations, based on current best practices, that companies can voluntarily follow. The CPGs are themselves mapped to the CSF. In its proposed security requirements, CISA has included mapping to the CPGs and NIST CSF and PF, as applicable. Furthermore, the CSF aligns its requirements with other similar standards that are commonly used in industry, including NIST SP 800-53 and International Organization for Standardization/International Electrotechnical Commission (“ISO”)/(“IEC”) 27001:2013. The ISO/IEC 27001:2013 standard, unlike the CISA and NIST frameworks, has a more formal certification process and has granted certificates to 48,671 companies globally and 1,898 companies in the United States. Finally, NIST SP 800-171 rev.3, a common security framework, lays out security standards for firms handling controlled unclassified information, while the Department of Defense's Cybersecurity Maturity Model Certification (“CMMC”) program includes the NIST SP 800-171 requirements but with a more formal auditing and certification process.

ii. Current Industry Compliance Level

The majority of firms affected by the proposed rule likely already comply with some portion of the security requirements in the proposed rule. The level of existing adherence to the proposed security requirements for the average U.S. company would vary significantly based on each firm's size, industry, existing regulatory landscape, technological maturity, and internalized priorities. Given the high degree of overlap between the DHS draft security requirements and existing standards and frameworks discussed below, it is possible that the level of existing compliance among affected firms will be high.

One survey of business expenditures on cybersecurity conducted by IANS Research indicates that such spending can vary depending on industry and business size. According to this survey, the average firm spent nearly 10 percent of its IT budget on cybersecurity, with firms in industries like technology, healthcare, and business services spending the highest proportion at over 13 percent. Furthermore, in the same report, an analysis of firm size found that smaller businesses spend the highest proportion of their IT budgets on cybersecurity. While it is possible that companies with larger expenditures on cybersecurity would be closer to compliance with the proposed rule, it is difficult to determine with the available data the extent to which companies are using their cybersecurity budgets to keep up with evolving best practices and maintain the capabilities required by the proposed security requirements.

The level of technological and cybersecurity maturity also varies significantly, even among larger firms. Recent data indicates that there is great variability in cybersecurity practice sophistication and maturity. In 2023, Deloitte conducted a survey of cyber decision makers at firms around the world with at least 1,000 employees and $500 million in annual revenue. The Deloitte study determined that of these organizations, 38 percent had low cyber maturity (as defined in the study), 41 percent had medium cyber maturity, and 21 percent had high cyber maturity. Another survey of IT professionals found that 45 percent of firms did not have a designated Chief Information Security Officer, which would make them noncompliant with the proposed security requirements.

Furthermore, research suggests that the cost of cybersecurity activities can vary based on factors such as the size of the company, the cybersecurity capabilities required, and whether those capabilities are developed in house or by contracting with third parties. Additionally, the Center for internet Security provided high and low estimates of cybersecurity budgets based on company size, with an average estimate of $22,000 for a small firm (1 to 10 employees) and about $800,000 for a large firm (100 to 999 employees).

iii. Costs of Compliance

Regarding the cost of compliance, the Department assumes that most affected companies will not have to build cybersecurity capabilities from the ground up to meet the requirements of the proposed rule. Given that most firms will have existing cybersecurity protections in place, a more realistic approach to calculating the potential cost of the proposed rule would be to consider the additional expenditures that a company would have to make to increase its cybersecurity standards. The Department assumes, based on the design of the proposed rule, that added cybersecurity compliance costs will closely mirror the costs that companies face when complying with similar or more onerous/prescriptive standards, such as NIST 800-171, NIST 800-53, ISO/IEC 27001, and the CMMC program, providing a helpful tool to estimate the added compliance costs associated with the data security requirements, though such estimates may be conservative. Furthermore, since some firms may already clearly be in voluntary compliance with more stringent standards than the proposed security standards, which would allow them to forgo some of the following steps, some of the costs may not be incurred by all firms.

The first step that most firms engaging in restricted transactions will take toward compliance is completing an assessment of their current capabilities and shortcomings. For example, it would cost a small to medium-sized firm that is working toward compliance with NIST 800-171 and NIST 800-53 around $30,000 to $35,000 to build in-house assessment capabilities. Along the same lines, another source estimates that an assessment for a CMMC certification for a firm with 250 employees could cost up to $35,000. For the initial assessment stage of the ISO/IEC 27001 certification process, a small business would expect to spend $25,000 to $40,000 to complete the process internally and around $30,000 to hire a consultant. However, a company with more complicated compliance issues could expect to pay as much as $130,000 for the consulting and assessment. Thus, the Department finds that an assessment will cost between $25,000 and $130,000 for most firms, depending on the scale of the compliance needs involved.

The next step in the compliance process is remediating the issues found in the initial assessment. It is likely that remediation would involve a combination of fixed and recurring costs. One-time remediation costs could involve revising security policies or patching vulnerabilities in covered systems, while recurring costs could include subscriptions to services that provide data encryption, multifactor authentication, or password management services, as well as costs associated with maintaining access controls or required documentation. Estimates for remediation costs for NIST 800-171 compliance range between $35,000 and $115,000. Another estimate suggests that midsized companies with lower levels of technological maturity can expect to pay approximately $100,000 to correct any compliance issues.

In accordance with the security requirements with which U.S. persons engaged in restricted transactions must comply under the proposed rule, every firm, regardless of its initial compliance level, will need to annually verify its compliance through audits and testing. This is a common cost that firms incur to comply with existing frameworks or standards. For a small company with 50 employees, the annual recertification audit for ISO/IEC 27001 compliance costs an estimated $6,000 to $7,500. The continuous monitoring costs associated with NIST 800-171 compliance for small businesses are estimated to be around $6,500 to $13,000. However, annual surveillance audits to ensure compliance with ISO/IEC 27001 standards can cost as much as $40,000.

Table VII-12 of this preamble summarizes the high and low estimates for the costs—both one-time and ongoing—that an average U.S. company engaged in restricted transactions may face under the proposed rule. A firm may find itself in the higher-cost category based on either greater size and complexity or a lower level of technological maturity. For this analysis, it is assumed that even firms in the low-cost scenario will have added costs in each category. Furthermore, based on the Department's experience, half of the added one-time remediation costs in both the high and low estimates are assumed to recur annually. Finally, for the added training costs, the low estimate was taken from the small business low-cost figure in a report by the Center for internet Security, and the high estimate was taken from the midsized business high-cost figure in the same report.

c. Costs Associated With Compliance Program: Due Diligence, Recordkeeping, and Auditing

In addition to security requirements, the proposed rule also introduces affirmative due diligence, recordkeeping, affirmative reporting, and auditing requirements as conditions of a license or for U.S. persons engaged in restricted transactions, each of which would likely impose added costs. In this section, the Department estimates costs for affirmative due diligence, recordkeeping, and auditing for firms engaged in licensed or restricted transactions.

The compliance program for affirmative due diligence, recordkeeping, and auditing would consist partly of risk-based procedures for verifying the data flows involved in any restricted transaction. Further requirements would include a policy describing the compliance program and process, a policy describing the implementation of any applicable security requirements or other conditions, annual certification of such compliance policies, maintenance records documenting the due diligence performed in implementing the compliance policy with respect to data transactions, and an annual certification of the completeness and accuracy of the records documenting due diligence as supported by an audit.

With regard to due diligence, recordkeeping, and auditing costs for U.S. companies, precise numbers on the number of affected firms, their sizes, and per-company or per-transaction costs are very difficult to estimate. Further, the compliance costs for firms that have established programs relative to existing Federal and State regulations may be minimal, as their compliance approach can be modified at low or no cost to address the proposed security requirements, whereas firms without such compliance programs would likely incur higher costs.

In particular, many firms may have existing compliance programs targeted at three notable provisions that were passed and implemented in recent years: the California Consumer Privacy Act of 2018 (“CCPA”) the EU's General Data Protection Regulation (“GDPR”), and the APEC CBPR. More than 10 other U.S. States have also recently passed data privacy legislation, and many others are considering such laws. Due to these laws and existing Federal export-related regulations, it is possible that some expected due diligence costs imposed by the proposed rule may have already been incurred by affected businesses. However, given that the definitions under the proposed rule do not fully align with the definitions used in these frameworks, there are likely to be separate due diligence costs.

The Department has estimated upper- and lower-bound costs to firms from the proposed rule related to due diligence, recordkeeping, and auditing based on our analysis of the literature regarding the CCPA, GDPR, and other data privacy rules and related research. These upper- and lower-bound estimates and the supporting literature are discussed in this part VII.A.8.c of this preamble. In summary, part VII.A.8.c.i of this preamble estimates that Know Your Customer/Know Your Vendor (“KYC”/“KYV”) costs for verifying one's business and its executives are between $150 (lower bound) and $4,230 (upper bound). In addition, parts VII.A.8.c.ii through VII.A.8.c.iv of this preamble estimate that the combined annual recordkeeping and auditing costs per firm are between a lower bound of $1,260 ($300 for auditing + $960 for recordkeeping) and an upper bound of $232,500 ($7,500 for auditing + $225,000 for recordkeeping). These estimates are based on the Department's analysis, but could be different depending on industry and context. The Department welcomes additional input from stakeholders on this point.

i. Due Diligence Costs

The proposed rule requires entities engaged in restricted transactions to perform due diligence that includes KYC/KYV activities, which may involve verifications to confirm the legitimacy and eligibility of customers and vendors. Costs would generally be incurred one time per customer or vendor, but they could be repetitive if there is reason to believe that a customer or vendor's legitimacy or eligibility has changed. The Department estimates the due diligence ( i.e., KYC/KYV) costs for verifying one business and its executives at between $150 (lower bound) and $4,230 (upper bound).

The upper-bound estimate assumes that the background check costs for one customer or vendor business would include a background check for the business and three background checks for executives residing outside the United States. The Department estimates an upper-bound cost of $1,200 per business background check based on a study showing an upper-bound range of more than $1,000 for a due diligence background check of a business. The Department estimates an upper-bound cost of $1,010 per executive background check based on the highest cost for a background check of an executive residing in a country of concern (which is associated with Venezuela) from Table VII-13 of this preamble. Therefore, the upper-bound background check costs for one customer business with three executives could be as high as $4,230 ($1,200 per business + ($1,010 per executive * 3)).

One company, Global Background Screening, charges $150 to $250 for business background checks, with the higher end for businesses headquartered outside the United States. These business background checks include documentation on directorship, financials, registration, judgments, liens, bankruptcies, and credit risk. Screenings for firm executives appear to be separate costs, which vary by country of residence and type of background check, as summarized in Table VII-13 of this preamble. Countries identified in the proposed rule as countries of concern ( see § 202.209) are included in Table VII-13 of this preamble where sufficient data is available. Santoni also advertises due diligence business background checks, which appear to include foreign firms and officers, ranging from $395 to more than $1,000.

The remainder of this section summarizes additional research on background check costs for foreign firms and for individuals residing outside the United States, which is broadly consistent with the Department's upper- and lower-bound estimates discussed so far in this section.

The U.S. International Trade Administration (“ITA”) provides basic background check and in-depth data on foreign firms to help U.S. companies determine the suitability of possible business partners. To be eligible for the service, companies must be export-ready and endeavoring to export goods or services of U.S. origin with at least 51-percent U.S. content. The ITA provides partial profiles that include general business information, background and product data, pertinent executives, reputation information, brief analysis of information collected, and identities of the references used. Fees for these partial profiles range from $150 to $450 depending on the size of the inquiring firm. Full business profiles add onsite visits and interviews of company executives, with costs ranging from $700 to $2,000. Costs could increase if ITA staff are required to travel more than 80 kilometers or 2 hours from an ITA office.

Diligentia, Inc. categorizes background checks on individuals based on the thoroughness of the investigation. An individual or red flag investigation is designed to identify adverse issues predominantly via online searches, at a cost of $500 to $1,500. A professional background investigation is a more thorough review that adds onsite records depository visits and analysis of documents there, at a cost of $1,500 to $2,500. A comprehensive background investigation goes even further, with additional analyses, reviews of business interests, the use of other intelligence sources, financial investigation, and a credit history, at a cost of more than $2,500. This provider does not advertise a price difference between domestic and foreign background investigations.

Checkr states that international background checks can range from $30 to $500, with their fees varying from $32 to $300 and covering more than 200 countries. Checkr asserts that a global background check may include searches for criminal history, watchlist posting, education/employment verification, and media checks.

An ITA partial or full profile of foreign businesses would likely be preferable for U.S. companies due to the real or perceived credibility of a government agency and the comparatively reasonable costs. Accordingly, for verifying one business and its executives, the Department relied on ITA's pricing for the estimated lower-bound cost of $150.

The sources supporting our cost estimates do not discuss whether the costs include extensive investigations that involve foreign travel or contracting with third parties in foreign locations to perform onsite visits, inquiries, interviews, and other in-depth activities. The Department estimates that it is unlikely that firms would allocate resources for these kinds of investigations, particularly when the ITA service is available. However, some firms may not meet the ITA's eligibility criteria for their services. Thus, it is possible that KYC/KYV activities may need to be performed via a private vendor, such as one of the vendors just described. Again, based on the analysis, the Department estimates the due diligence costs for verifying one business and its executives at between $150 (lower bound) and $4,230 (upper bound).

These estimates are based on Department analysis but could be different depending on the industry and context. The DOJ welcomes additional input from stakeholders on this point.

ii. Recordkeeping Costs

The proposed rule's recordkeeping requirements would include generating or maintaining documents pertinent to various data transactions details, verifications of transaction partners, transactions agreements, licenses, exemptions, advisory opinions, annual due diligence certifications, and supporting documentation, as applicable. Data brokers incorporated in the United States market and sell data on individuals not only domestically but from many other countries; for example, Acxiom markets data coverage for more than 62 countries. Assuming that this data on foreign persons includes individuals protected by EU law, these data brokers are subject to the GDPR.

Since 2018, the GDPR has required all organizations that target or collect data relative to persons in the EU to abide by privacy and security standards outlined in that law. One of the seven data protection principles in the GDPR is accountability or due diligence. Accordingly, data controllers ( i.e., holders of data) must be able to demonstrate compliance relative to accountability by (1) designating data protection responsibilities as appropriate; (2) maintaining comprehensive records of collected data, its use, and those responsible for it; (3) training staff and executing technical and organizational security measures; (4) implementing contracts with third parties that process data on their behalf; and (5) appointing a data protection officer (if a public authority or regularly processing personal data on a large scale). Thus, a portion of covered persons subject to the proposed rule are already complying with GDPR recordkeeping requirements and would arguably not incur the full magnitude of these new costs.

iii. Executive Order on Modernizing Regulatory Review Recordkeeping and Related Costs

As shown in the following analysis, the annual recordkeeping and related costs per firm are estimated to be between $960 (lower bound) and $225,000 (upper bound).

The Department calculates a lower-bound estimate of annual recordkeeping costs per firm by starting with the average annual incremental compliance costs/administrative burdens from the EU impact assessment of GDPR. According to the EU's impact assessment of the GDPR, average annual incremental compliance costs/administrative burdens for small and medium-sized enterprises (“SMEs”) are approximately $9,624 (in 2024 dollars). The Department assumes that the incremental recordkeeping costs of the proposed rule would only be about 10 percent of the estimated incremental annual costs for GDPR compliance. This assumption is based on the facts that the GDPR includes extensive recordkeeping requirements and that many of the proposed rule's recordkeeping requirements are similar in scope to the obligations of existing data protection regulations. Furthermore, the EU's impact assessment of the GDPR includes costs of compliance beyond recordkeeping costs. Based on these considerations and input from SMEs, the Department estimates that 1,400 small to medium-sized firms will incur recordkeeping costs of $960 per firm per year.

An upper-bound estimate of annual recordkeeping costs per firm is also based on estimates of company privacy protection annual costs, which for large firms were estimated at $4.5 million per firm. The Department further estimates that the incremental recordkeeping costs of the proposed rule for large firms would be approximately 5 percent of the estimated annual costs for privacy protections. This assumption is based on the same factors as those described for the lower-bound annual recordkeeping cost estimate as well as the fact that the prior study included additional necessary costs ( e.g., IT upgrades) beyond recordkeeping alone. Further, the Department believes that larger firms predominantly have the added benefit of possessing additional sophistication in complying with existing data privacy and security regimes and already have significant compliance programs and mechanisms in place. Thus, based on this analysis and subject-matter expert input, the Department estimates that 100 firms will incur the higher recordkeeping costs of $225,000 per firm.

To provide context on these upper- and lower-bound recordkeeping costs, this section summarizes additional studies.

The CCPA mandated that businesses in California update privacy policies, develop mechanisms for providing notice to consumers when collecting personal information (“PI”), and adequately respond to consumer wishes regarding the handling of such data. The State of California Department of Justice, Office of the Attorney General's (“CDOJAG”) standardized regulatory impact assessment for the CCPA regulations estimated the following rule-imposed costs per firm: $959 in one-time operational costs ( e.g., establishing workflows/plans), $7,500 for technological systems development (assumed one-time), $615 per year for training, $984 per year to abide by record-keeping requirements (one data privacy professional at $61.50 per hour * 16 hours), and $492 (assumed per year) to provide financial incentives or differential services/prices to promote non-discriminatory practices in their treatment of consumers exercising their CCPA rights. Apart from the $984 in compliance-related costs, the CDOJAG assumed that there were no incremental costs for collecting the information subject to the CCPA's recordkeeping requirement, as affected businesses likely already had mature mechanisms for identifying, processing, and analyzing PI from their data-mapping and consumer response practices. The CDOJAG's total estimated costs per firm to comply with the CCPA were about $29,000 ($2,900 annually) for the period from 2020 to 2030.

Christensen et al. estimated GDPR compliance costs at between $5,065 and $12,157 (2024 dollars) per year per SME, which represents a 16- to 40-percent increase in annual IT budgets. These presumably would align with the aforementioned GDPR accountability elements identified by Wolford, which are generally consistent with those of the proposed rule.

A 2018 International Association of Privacy Professionals and Ernst & Young (“IAPP”/“EY”) study/survey identified much higher average expected spending of about $3 million per firm on GDPR compliance, or $300,000 annually if assumed over 10 years. This included $1,276,000 already spent, another $822,000 expected for adaptation of products and services, and $989,000 for other adaptation activities. However, the average annual costs per firm due to GDPR were unclear based on the IAPP/EY 2018 and 2019 surveys. Company annual mean and median privacy-related spending ranged from $128 to $147 on a per-employee basis. Survey respondents were a mix of company sizes ranging from under 100 employees to more than 75,000.

A 2021 Cisco annual global survey of all major industries found that annual privacy budgets doubled from the previous year to an average of $2.4 million (with smaller firms at a lower end of $1.6 million and larger firms at an upper end of $3.7 million, as reported in 2020). This average figure of $2.4 million is comparable to a high-end estimate found in another study that aimed to project the costs to businesses incurred by possible Florida consumer privacy legislation; that study had a lower-bound estimate of about $733,000 in one-time costs per firm and subsequent ongoing annual costs ranging from about $542,000 to $1.5 million. Organizations may spend an average of about $1,406 per subject rights request by consumers pursuant to privacy regulations. According to one estimate, data processing agreements may have an average cost of $785. Though privacy budgets, including some of their underlying elements, are different in scope and detail from the proposed rule they nonetheless have relevance for estimating the costs of the proposed rule as these budgets often serve similar objectives and require companies to undertake similar processes to protect sensitive data.

The relatively new APEC CBPR is a voluntary accountability framework regulating data transfers between member nations that is somewhat similar to the EU's GDPR, but based on Organisation for Economic Co-operation and Development (“OECD”) privacy principles. In the United States, APEC CBPR annual certification costs range from $15,000 to $40,000. The APEC CBPR's data security due diligence mechanism is another requirement with which firms may already be complying and thus could reduce incremental costs of the proposed rule due to comparable or related requirements.

In summary, available sources show variations regarding the compliance costs for data privacy and cybersecurity regulations specific to recordkeeping. The Department estimates that it is very likely that incremental recordkeeping costs for at least some firms impacted by the proposed rule are zero, as the CDOJAG discussed in its cost estimates for the CCPA. Conversely, the possibility exists that larger firms have not been subject to the EU's GDPR and would be impacted by the proposed rule, resulting in their incurring some portion of the $4.5 million in 2024 in estimated annual recordkeeping costs documented by Cisco for such firms. These ranges, along with the other data and analysis discussed throughout this subpart, were taken into consideration for the calculations of the proposed rule's average annual lower- and upper-bound costs per firm of $960 and $225,000. Part VII.F of this preamble estimates that costs due to the proposed annual reporting requirements for certain categories of U.S. persons engaged in certain subsets of restricted transactions would range from $821,100 (lower bound) to $1,642,200 (upper bound).

iv. Auditing Costs

As shown in the following analysis, annual auditing costs per firm are estimated to be between $300 (lower bound) and $7,500 (upper bound).

Auditing costs for restricted transactions would be incurred in the form of independent examinations to support the due diligence certifications. TrustNet offers services to help firms determine their compliance with the CCPA. One such service is a CCPA gap assessment, which covers scope, project management, risk assessment, controls identification, testing/analysis, remediation roadmap, and reporting. The cost of this service starts at $10,000. TrustNet also offers a CCPA compliance assessment with costs starting at $15,000, which covers similar elements.

According to Neumetric, a cybersecurity products and services company, GDPR accreditation or certification is not offered by the EU or any of its member states. Firms do not need to certify that they are GDPR compliant; however, there are third-party certification bodies/consultants that offer GDPR certification services for consultant fees ranging from $3,000 to $11,000, on average. This does not include internal costs to prepare for certification or other prerequisites for obtaining ISO/IEC 27001 and ISO 27701 certification, which could cost between $1,000 and $4,000. Another source estimated that costs for GDPR certification range from about $5,000 to $20,000 or more (excluding ISO/IEC 27001 and ISO 27701 certification).

The American Institute of Certified Public Accountants has developed a cybersecurity compliance framework known as Service Organization Control 2 (“SOC 2”). Cybersecurity audit costs can be divided into SOC 2 Type 1 audits and SOC 2 Type 2 audits. Type 1 audits evaluate the suitability of controls at a specific point in time and can cost between $5,000 and $25,000. Type 2 audits gauge the effectiveness of controls over a more extended timeframe and can range in costs from $30,000 to $100,000. The latter is more appropriate for firms processing highly sensitive personal data on a regular basis. “Dunkelberger provides a slightly different range for SOC 2 Type 1 audits, estimating that they can cost $15,000 to $50,000 for small to medium-sized businesses and between $50,000 to $100,000 for large businesses; and for SOC 2 Type 2 Audits, estimating that they can cost $30,000 to $75,000 for small to medium-sized businesses and $75,000 to $150,000 for large businesses. These costs include the price of a readiness assessment, audit, remediation, and consultant fees.

As these estimates show, the costs of annual audits for compliance with CCPA, GDPR, and SOC 2 range from $3,000 to $150,000, depending on audit type and firm size. The Department expects that such examiners may not always charge these full rates separately just to certify compliance with the proposed rule, due to redundancies with existing legislation and efficiencies of conducting simultaneous audits pursuant to multiple rules. Nevertheless, there would be increased costs, as there are likely to be variations in addition to the redundancies. For purposes of this analysis, the Department assumes that for all small firms, the proposed rule would result in audit costs that are 10 percent of the estimated cost of an audit from the reviewed literature, or $300 ($3,000 * 10 percent incremental cost). The Department assumes that for all large firms, the proposed rule would result in audit costs that are 5 percent of the estimated cost of an audit from the reviewed literature, or $7,500 ($150,000 * 5 percent incremental cost).

v. Estimated Recordkeeping Costs From the Reviewed Literature

The wide-ranging estimates of recordkeeping costs in the studies reviewed, and the entwinement of the former with other costs, demonstrate the difficulty in determining specific costs for each due to the proposed rule. Further, the literature is not specific to compliance with this proposed rule. Rather, the literature relates to the business costs of protecting personal information from unauthorized dissemination while establishing procedures for its processing and transfer, in addition to protocols for responding to consumer preferences regarding handling of their own personal information. In recent years, privacy and protection laws affecting the entities that will likely be impacted by the proposed rule have proliferated. Thus, the recordkeeping costs contemplated under the proposed rule have already been incurred to some extent.

vi. Summary of a Compliance Program: Due Diligence, Recordkeeping, and Auditing

From this examination of the available literature, the due diligence, recordkeeping, and auditing requirements are likely to unevenly impact firms that must comply with the proposed rule, depending on the size of each firm and how much it currently spends on the components of due diligence. Although the means by which firms will comply is uncertain, the Department has relied on a variety of research in the topic areas to make preliminary estimates of costs due to the proposed rule.

Uncertainty is prevalent in these restricted transactions and data-brokerage market cost estimates for several reasons. In particular, the estimates of recordkeeping costs based on the percentage of the costs of compliance with GDPR and other data protection regimes reported in various studies are highly speculative. Estimates of the proposed rule-imposed incremental costs above and beyond similar compliance activities already taking place are also speculative. Consequently, the Department welcomes comments on these cost calculations from affected industries and stakeholders to better inform decision making relative to the proposed rule.

Beyond the cost impacts of the proposed regulation, there could possibly be adjustments and market movements in reaction to changes in the threshold levels that are being proposed. This analysis assumes that all the current bulk U.S. sensitive personal data transactions are above the lower threshold levels as defined by the proposed rule. If the threshold levels are set at the higher level in the final rule, it is possible that there may be less immediate market disruption but also a greater risk of more data falling into malicious hands, including through evasion techniques such as structuring and smurfing ( i.e., conducting smaller and more frequent transactions using additional individuals). Since there is no available data on the number of transactions by volume of personal data being transferred, the impacts of selecting one bulk threshold over another within the ranges in the NPRM are uncertain at the time of the proposal, and the Department welcomes comments on this subject.

Note that the recordkeeping costs discussed here (part VII.A of this preamble) are also included in part VII.F of this preamble (Paperwork Reduction Act), which presents cost estimates for the six new information collection requests introduced by the proposed rule. The costs of affirmative annual reporting are also discussed above. In addition to recordkeeping costs and the cost of affirmative annual reporting, part VII.F of this preamble presents estimates for the applications for specific licenses, reports of rejected prohibited transactions, requests for advisory opinions, petitions for removal from the Covered Persons List, and reports of known or suspected violations of onward transfers prohibition. All of those information collections affect a relatively small number of firms. Additional detail on those annual costs is available in the Information Collection Request submitted for Office of Management and Budget review under the Paperwork Reduction Act and publicly available on reginfo.gov.

9. Summary of Regulatory Analysis

Regulatory analysis in the areas of national security and foreign policy is often not easily quantifiable or monetizable due to an array of factors, such as inadequate information, inaccessibility of sensitive or proprietary data; and the absence of a good measure of the effectiveness of the regulations.

The purpose of the Preliminary RIA is to gather and analyze enough adequate information to inform agency decision makers about whether a proposed rulemaking is in the public's interest. The analysis should describe the impacts on firms in the market and in the supply chain, remembering that the intermediate firms in the chain are customers of the suppliers. To the extent possible, the impacts on the general public should be considered, as well as—in the case of this proposed rulemaking—the impact on national security and foreign policy and the impact of data-brokerage restrictions on the positive uses of bulk data. The precision of estimates depends on the availability of data, the confidence in the accuracy of the data, and the degree of understanding of the impacted markets.

These economic impact estimates lack precision due to significant gaps in the available data on the number of firms and data transactions that would be affected by the proposed rule and by the lack of confidence in much of the available data. Due to relatively recent and emerging developments in studying the market for data, relevant, reliable, and representative size, sales, employment, and other descriptive information on the data-brokerage market and other entities that will be subject to the proposed rule does not appear to be currently available. The Department is not aware of reliable data on the exact number of firms that currently engage in prohibited data-brokerage transactions, the size distribution of these firms, or the numbers of firms that sell above or below the threshold levels that would bring them under the proposed rule's umbrella. The Department welcomes additional input on this point. The low and high threshold levels for the different categories of sensitive personal data or government-related data vary by factors of 10 to 1 for human genomic data and 1,000 to 1 for personal health data and personal financial data. Furthermore, the Department lacks data on the broader universe of firms that transact in government-related data or bulk U.S. sensitive personal data in the context of restricted transactions. As noted in the NPRM, firms that transact in bulk U.S. sensitive personal data above the proposed thresholds, as laid out in part V.C of this preamble, will need to ensure that their typical data transfers are not in fact going to countries of concern or covered persons (for prohibited transactions) and to comply with the security and due diligence requirements for restricted transactions.

This analysis leverages the limited available data on the number of data-brokerage firms and the volume of data-brokerage exports, along with estimates of security and due diligence costs from studies of similar policies and guidelines. The Department finds that, based on certain assumptions, the proposed rule will have at least some measurable economic impacts. From Table VII-10 of this preamble, the Department estimates that the total annual value of lost transactions is $361 million, or an estimated $80,222 per firm for 4,500 firms (3,000 data brokers + 1,500 firms engaged in restricted transactions).

Table VII-14 of this preamble presents estimates of security compliance costs derived from data shown in part VII.B.2 of this preamble and estimates of due diligence, recordkeeping, and auditing costs derived from data shown in part VII.A.8.c of this preamble. The variations in costs are due to firm size and other factors. As explained in part VII.A.8.c of this preamble, the Department estimates the KYC/KYV ( i.e., due diligence) costs for verifying one business and its executives to be between a lower bound of $150 and an upper bound of $4,230. There is no information on how many verifications a firm will do, but the Department assumes for purposes of this analysis 10 verifications per firm per year, for a total cost of between $1,500 and $42,300. Adding the lower bounds of due diligence costs ($1,500), auditing costs ($300), and recordkeeping costs ($960) per firm, the resulting costs at a lower bound are $2,760 per firm for other compliance costs. Adding the upper bound of due diligence costs ($42,300), audit costs ($7,500), and recordkeeping costs ($225,000) per firm, the resulting costs are $274,800 for total compliance annual costs per large firm. Table VII-14 of this preamble shows annual compliance costs per firm. The Department welcomes additional input on this point.

When the proposed rule is finalized and becomes effective, market dynamics will set in, and firms will exit and enter the market as they adjust to the new regulatory environment. As noted in part VII.A.3.b of this preamble, the U.S. data-brokerage market ranges from around $30 billion to $180 billion per year, suggesting average revenues per firm at around $10 million to $60 million per year, assuming an estimated 3,000 firms. The compliance costs per firm will determine whether firms pursue restricted transactions.

For the purposes of this estimate, the Department assumes that 1,500 firms will engage in restricted transactions, the largest 100 will incur the high costs, and the remaining 1,400 will incur the lower costs. Although it is estimated that there are a relatively few U.S.-based firms conducting business with Chinese cloud-service providers that may continue these activities under the restrictions, it is expected that a large—but unknown—number of other firms will pursue the restricted transaction opportunities involving employment and investment agreements. Under these conditions, the Department assumes that about 1,500 firms beyond the 3,000 data brokers will be active in pursuing vendor, employment, and investment agreement opportunities in the restricted transactions market, the 100 largest of which will be at the high cost and 1,400 of which will incur the lower costs.

The annualized costs of the proposed rule are determined by deriving the 10-year projections for three cost components: the economic value of lost transactions, security costs, and other compliance costs (due diligence, auditing, and recordkeeping). Our analysis assumes that 4,500 firms, including 3,000 data brokers and 1,500 other firms engaged in restricted transactions, will incur economic costs. The analyses also assume that 4,300 of those firms are small firms (including 2,900 data brokers and 1,400 firms engaged in restricted transactions) and 200 of those firms are large firms (100 data brokers and 100 firms engaged in restricted transactions). The analysis also assumes that the data-brokerage industry affected by the proposed rule is growing at a 5-percent annual rate.

Turning to compliance costs, our analyses assume that 1,500 firms will incur compliance costs as a result of the proposed rule. The Department assumes that security costs have one-time components—initial assessment and remediation—that are only realized in the first year, as well as recurring components—ongoing remediation, compliance audits, and training—that are present for all 10 years. In addition, it is assumed that the other compliance costs, including affirmative due diligence, auditing, and recordkeeping costs, will decline as firms become more efficient and learn to pursue lower-cost compliance options. These due diligence, auditing, and recordkeeping costs are presented as annually decreasing, but at a decreasing rate. As companies move away from reliance on employees in countries of concern or vendors in countries of concern, the Department assumes that these costs will decrease over time. Further, since the security measures are all reliant on existing NIST standards and CISA performance goals to which many companies already align their security posture, the Department assumes that due diligence, auditing, and recordkeeping costs will decrease 15 percent in the second year, 12 percent in the third year, 9 percent in the fourth year, 7 percent in the fifth year, and then 5 percent, 4 percent, 3 percent, 2 percent, and 1 percent in each of the sixth through tenth years. The costs are presented undiscounted (0-percent rate) and at discounted by 2 percent.

In sum, the parameter assumptions of the 10-year projections are:

1. The annual growth rate of the economic value of lost transactions is 5 percent, compounded annually.

2. Due diligence, auditing, and recordkeeping costs in Year 1 are taken from Table VII-14 of this preamble. Costs in Years 2 through 10 decrease, but at a decreasing rate of 15 percent, 12 percent, 9 percent, 7 percent, 5 percent, 4 percent, 3 percent, 2 percent, and 1 percent.

3. Security costs have both one-time and recurring components in Year 1 and only recurring components in Years 2 through 10 (as shown in Table VII-14 of this preamble).

4. The analysis assumes either undiscounted costs or a 2-percent annual discount rate.

5. The value of lost transactions is from Table VII-10 of this preamble.

6. Small firms will bear “low” costs shown in the security cost and lost transaction totals, and large firms will bear the “high” costs shown in the security cost and lost transaction totals in Tables VII-15 and VII-16 of this preamble.

7. One thousand five hundred (1,500) firms will incur compliance costs as a result of the proposed rule, and a broader group of 4,500 firms will incur costs due to lost transactions.

The 10-year annualized cost analysis (undiscounted and for a 2-percent discount rate) for security and other compliance costs (due diligence, auditing, and recordkeeping costs) is presented in Table VII-15 of this preamble for the 1,400 small firms and in Table VII-16 of this preamble for the 100 large firms. These estimates for security, due diligence, auditing, and recordkeeping costs for both small and large firms engaged in restricted transactions are combined with the industry-wide estimates for the economic value of lost transactions to obtain total costs for all firms, which are presented in Table VII-17 of this preamble.

These year-to-year changes are the same in percentage terms for the analysis of large firms in Table VII-16 of this preamble.

The total annualized costs of the proposed rule for small and large firms are combined and presented in Table VII-17 of this preamble, estimated at $549 million undiscounted and $502 million discounted at 2 percent (any differences are due to rounding). Tables VII-15 and VII-16 of this preamble only include the costs of the security, due diligence, and recordkeeping requirements of the proposed rule, while Table VII-17 of this preamble also includes the costs associated with the value of lost transactions.

Table VII-18 of this preamble summarizes the 10-year annualized cost analysis (presented in Tables VII-15, VII-16, and VII-17 of this preamble) for small and large firms separately and in total, both undiscounted and with a discount rate of 2 percent.

This cost estimate reflects the likelihood that a number of smaller firms will drop out of the market if the costs of compliance are greater than expected revenues ( i.e., if marginal costs exceed marginal revenues). Of course, this could also be true of larger firms that lack the infrastructure or financial resources to comply with the proposed rules and therefore choose to forgo certain transactions or business operations in that market altogether.

In addition to the potential decrease in the number of firms in the industry, another related effect is that the proposed rule may create a barrier to entry for potential data brokers. That is, the same compliance burdens that affect marginal current brokers will also affect potential ones.

These preliminary estimated costs of the proposed rule appear to be reasonable when balanced against the expected benefits of preventing the potential risk and harms to national security and foreign policy that are possible when government-related data or bulk U.S. sensitive personal data is transferred to foreign adversaries. These benefits are beyond monetary calculation but suggest that the proposed rule will have very large net benefits, including protections to well over 100 million American individuals who are potential targets of adversaries using government-related data or bulk U.S. sensitive personal data. A wide range of benefits of the regulation will also be realized by firms, including the savings associated with potentially reducing the likelihood of data breaches thanks to improved security, which are estimated to cost an average of $4.88 million per breach. And firms that sell data to, or buy data from, brokers will have increased confidence in the security and due diligence arrangements associated with the regulation.

Both the benefits to be realized and the costs to the economy and government will be determined, to some extent, by the effectiveness of compliance and enforcement activities and by the methods that market participants use to attempt to avoid detection of prohibited or restricted activities. For example, “back doors” are used to circumvent economic sanctions, and digital assets are used to hide sanctioned transactions themselves. The countries of concern are known to conduct commercial and military operations through proxies. As shown in parts IV.D.1.b and IV.D.1.f of this preamble, Cuba and Venezuela have acted as third parties to promote malicious acts by other countries of concern. Unless the due diligence requirements are fully complied with and the due diligence procedures and inquiries provide accurate information, the effectiveness of the proposed rule may be weakened, leading to reduced expected benefits.

One commenter suggested that the Department conduct a retrospective review of the impact after the final rule becomes effective. The Order already requires such a review. Under section 5 of the Order, within 1 year after the final rule becomes effective, the Department must submit a report to the President that addresses, to the extent practicable, the effectiveness of the measures imposed under the Order in addressing threats to the national security of the United States described in the Order and the economic impact of the implementation of the Order, including on the international competitiveness of U.S. industry. The Order requires the Department to solicit public comment in evaluating the economic impact. The Department also intends to regularly monitor the effectiveness and impact of the regulations once they become effective.

B. Regulatory Flexibility Act

The Department is proposing this rule to address the growing threat posed by the efforts of foreign adversaries to access and exploit the government-related data or Americans' bulk U.S. sensitive personal data. On February 28, 2024, the President issued Executive Order 14117 on “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This Order directs the Attorney General to, among other things, determine which classes of data transactions ought to be prohibited due to the unacceptable risk they pose by allowing countries of concern or covered persons to access government-related data or bulk U.S. sensitive personal data. The Order also directs the Attorney General to work with relevant agencies to identify countries of concern and classes of covered persons, establish a process to issue licenses authorizing transactions that would otherwise be prohibited or restricted transactions, address the need for requirements for recordkeeping and reporting transactions, and determine which classes of transactions will be required to comply with separate security requirements.

The need for the proposed rule stems from the increased efforts that countries of concern are making to obtain sensitive personal data of Americans and to utilize it in a way that undermines national security and foreign policy. Advances in computing technology, artificial intelligence, and methods for processing large datasets allow countries of concern to more effectively leverage collected data for malicious purposes. The capability currently exists to allow those who government-related data or Americans' bulk U.S. sensitive personal data to combine and manipulate it in ways that could identify sensitive personal data, including personal identifiers and precise geolocation information.

1. Succinct Statement of the Objectives of, and Legal Basis for, the Proposed Rule

Through the Order, the President used his authority under IEEPA and the National Emergencies Act to declare national emergencies and regulate certain types of economic transactions in order to protect the country against foreign threats. The Order expands upon the national emergency previously declared by Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), which was modified by Executive Order 14034 of June 9, 2021 (Protecting Americans' Sensitive Data from Foreign Adversaries). Furthermore, the President, under title 3, section 301 of the U.S. Code, authorized the Attorney General, in consultation with the heads of relevant executive agencies, to employ the President's powers granted by IEEPA as may be necessary or appropriate to carry out the purposes of the Order.

IEEPA empowers the President to “investigate, regulate, or prohibit” foreign exchanges in cases where there is a threat coming from outside the United States that threatens the country's “national security, foreign policy, or economy.” Existing IEEPA-based programs include those administered by OFAC, which enforces economic and trade sanctions, and the Department of Commerce's Bureau of Industry and Security, which is responsible for information and communications technology and services supply chain security.

2. Description of and, Where Feasible, an Estimate of the Number of Small Entities to Which the Proposed Rule Will Apply

The proposed rule would affect data-brokerage firms and other firms engaged in covered data transactions that pose a risk of exposing government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons. The Department has estimated that about 4,500 firms, just over 90 percent of which are small businesses (hereafter referred to as “small entities”), would be impacted by the proposed rule. Therefore, the Department estimates that this proposed rule would impact approximately 4,050 small entities and approximately 450 firms that would not be classified as small entities.

Small entities, as defined by the Regulatory Flexibility Act, include small businesses, small nonprofit organizations, and small governmental jurisdictions. The definition of “small entities” includes the definition of “small businesses” pursuant to section 3 of the Small Business Act of 1953, as amended: “A small business concern . . . shall be deemed to be one which is independently owned and operated, and which is not dominant in its field of operation.” The definition of “small business” varies from industry to industry (as specified by NAICS code and found in 13 CFR 121.201) to reflect the typical company size in each industry.

NAICS code 518210, “Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services,” contains all the affected data brokers as well as some of the other entities engaged in one or more of the classes of restricted data transactions. The number of small entities affected by the proposed rule was estimated by using the Small Business Administration (“SBA”) small business size standard for the NAICS code to calculate the proportion of firms that are considered small entities. Data brokers are only a subset of the total firms contained in the identified NAICS code; however, for this analysis, it was assumed that the proportion of small entities was the same for both the broader NAICS industry and the specific data broker industry. Because more than 90 percent of impacted firms across all relevant industries can be considered small entities, the proposed rule would have an impact on a substantial number of small entities.

This analysis assumes that the small entities affected by the proposed rule will incur compliance costs of around $32,380 per firm per year, compared with an annual compliance cost of $400,460 for the largest affected firms.

The Department is not aware of reliable revenue data by firm size for the data broker industry, but a reasonable assumption is that if a firm's revenues from data sales are not sufficient to cover the compliance costs, then that firm will have an incentive to exit that market. Furthermore, calculating the proportion of the costs associated with the proposed rule that falls on small firms is complicated by the fact that several of the proposed rule's provisions—specifically the requirements related to cybersecurity, due diligence, recordkeeping, and reporting—likely involve high fixed costs. Even if small entities have less complex business operations, leading to fewer complications related to compliance, they may still face a higher cost burden from the proposed rule than larger firms. Large entities will likely already have a greater portion of the fixed costs associated with the proposed rule covered by existing capabilities. Therefore, while the costs associated with the security and due diligence requirements will be smaller in absolute terms for smaller entities, such entities will likely need to pay a higher proportion of their overall budgets to comply. Due to the unknowns and the large number of small entities, it is possible that a substantial number of small firms will experience a significant impact. The Department welcomes comments on this topic.

3. Description of the Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Proposed Rule

The proposed rule would require firms engaged in restricted transactions to adhere to certain standards for data security, due diligence, recordkeeping, and reporting. See § 202.401. To mitigate the risk of sharing government-related data or bulk U.S. sensitive personal data with countries of concern or covered persons through restricted transactions, organizations engaged in restricted transactions would be required to institute organizational and system-level cybersecurity policies, practices, and requirements and data-level requirements developed by DHS through CISA in coordination with the Department. See § 202.402. Those requirements, which CISA will release through a separate Request For Information, overlap with several similar, widely used cybersecurity standards or frameworks. In addition, the security requirements developed by CISA would require firms to protect the data associated with restricted transactions using combinations of the following capabilities necessary to prevent access to covered data by covered persons or countries of concern:

1. data minimization and data masking;

2. encryption;

3. privacy-enhancing technologies; and

4. denial of access.

Firms will also be required to undergo annual independent testing and auditing to ensure their continuing compliance with the security requirements.

Additionally, in order to ensure that government-related data or Americans' bulk U.S. sensitive personal data are not accessible by countries of concern or covered persons, firms will be required to engage in due diligence before pursuing restricted transactions, which involves utilizing KYC/KYV programs to complete background checks on potential partners. Furthermore, firms will be required to keep records that contain extensive details of their restricted transactions as well as the details of the other parties involved. They will also be required to undergo annual audits of their records to ensure compliance and assess potential risks.

4. Identification of All Relevant Federal Rules That May Duplicate, Overlap, or Conflict With the Proposed Rule

As discussed in part IV.K of this preamble, while the PADFAA seeks to address some of the same national security risks of the proposed rule, there are clear differences between the PADFAA, the Order, and this proposed rule, including the scope of regulated data brokerage activities, the types of bulk sensitive personal data that are covered, and the relevant countries of concern. Further, while the PADFAA allows the FTC to investigate certain data-brokerage activities involving countries of concern as unfair trade practices consistent with the FTC's existing jurisdiction, the proposed rule establishes a new set of consistent regulatory requirements that apply across multiple types of commercial transactions and sectors. Finally, as stated in part IV.K of this preamble, the Department will coordinate closely with the FTC to ensure consistency in how both authorities are implemented.

Some restricted transactions under the proposed rule could also end up being subject to review and action by CFIUS. The Foreign Investment Risk Review Modernization Act of 2018 gave CFIUS the authority to review certain non-controlling foreign investments that may pose a risk to national security by allowing the sensitive personal data of U.S. citizens to be exploited. However, while CFIUS acts on a transaction-by-transaction basis, the proposed rule would create restrictions and prohibitions on covered data transactions that would apply to categories of data transactions involving the six countries of concern. In a situation where a covered data transaction regulated by the proposed rule was later subject to a CFIUS review, it would be exempt from the proposed rule to the extent that CFIUS takes any of the actions identified in the proposed rule. See §§ 202.207; 202.508.

Furthermore, the categories of covered data transactions covered by the proposed rule extend beyond the scope of CFIUS, including the provision of government-related data or bulk U.S. sensitive personal data through data brokerage, vendor agreements, and employment agreements. The proposed rule also covers investment agreements that may not be covered by CFIUS as well as cases where the relevant risks do not result from the covered transaction or may occur before a CFIUS action takes place.

C. Executive Order 13132 (Federalism)

The proposed rule would not have federalism implications warranting the application of Executive Order 13132. The proposed rule does not have substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government.

D. Executive Order 13175 (Consultation and Coordination With Indian Tribal Governments)

The proposed rule would not have Tribal implications warranting the application of Executive Order 13175. It does not have substantial direct effects on one or more Indian Tribes, on the relationship between the Federal Government and Indian Tribes, or on the distribution of power and responsibilities between the Federal Government and Indian Tribes.

E. Executive Order 12988 (Civil Justice Reform)

This proposed rule meets the applicable standards set forth in sections 3(a) and 3(b)(2) of Executive Order 12988.

F. Paperwork Reduction Act

The collections of information contained in this notice of proposed rulemaking have been submitted to the Office of Management and Budget for review in accordance with the Paperwork Reduction Act of 1995, 44 U.S.C. 3507(d), under control number 1124-AA01.

Written comments on this collection can be submitted by visiting www.reginfo.gov/public/do/PRAMain. Find this document by selecting “Currently Under Review—Open for Public Comments” or by using the search function. Comments on the collection of information should be received by November 29, 2024.

The Department of Justice is soliciting comments from members of the public concerning this collection of information to:

• Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;
• Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information;
• Enhance the quality, utility, and clarity of the information to be collected; and
• Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated collection techniques or other forms of information technology.

The proposed rule includes seven new collections of information: annual reports; applications for specific licenses; reports on rejected prohibited transactions; requests for advisory opinions; petitions for removal from the designated Covered Persons List; reports of known or suspected violations of the onward transfers prohibition; and recordkeeping requirements for restricted transactions.

Based on wage rates from the Bureau of Labor Statistics and lower- and upper-bound estimates (used because this is a new program and there is uncertainty in the estimated number of potential respondents for each of the forms), the following are the estimated burdens of the proposed collections:

• Annual reports. The Department estimates that 375 to 750 filers will send an average of one annual report per year, spending an estimated average of 40 hours to prepare and submit each annual report. The Department estimates the aggregated costs for all filers at $821,100 to $1,642,200 annually for annual reports.
• Applications for specific licenses. The Department estimates that 15 to 25 filers will send an average of one application for a specific license per year, spending an estimated average of 10 hours to prepare and submit each application for a specific license. The Department estimates the aggregated costs for all filers at $8,211 to $13,685 annually for applications for specific licenses.
• Reports on rejected prohibited transactions. The Department estimates that 15 to 25 filers will send an average of one report on a rejected prohibited transaction per year, spending an estimated average of 2 hours to prepare and submit each application for a specific license. The Department estimates the aggregated costs for all filers at $1,642 to $2,737 annually for reports on rejected prohibited transactions.
• Requests for advisory opinions. The Department estimates that 50 to 100 filers will send an average of one request for an advisory opinion per year, spending an estimated average of 2 hours to prepare and submit each request for an advisory opinion. The Department estimates the aggregated costs for all filers at $5,474 to $10,948 annually for requests for advisory opinions.
• Petitions for removal from covered persons list. The Department estimates that 15 to 25 filers will send an average of one petition for removal from the Covered Persons List per year, spending an estimated average of 5 hours to prepare and submit each petition for removal from the Covered Persons List. The Department estimates the aggregated costs for all filers at $4,106 to $6,843 annually for petitions for removal from the Covered Persons List.
• Reports of known or suspected violations of onward transfers prohibition. The Department estimates that 300 to 450 filers will send an average of one report of known or suspected violations of the onward transfers prohibition per year, spending an estimated average of 2 hours to prepare and submit each report of known or suspected violations of the onward transfers prohibition. The Department estimates the aggregated costs for all filers at $32,844 to $49,266 annually for reports of known or suspected violations of the onward transfers prohibition.
• Recordkeeping requirements for restricted transactions. The Department estimates that 1,400 small to medium-sized firms will incur a total of $1,344,000 in recordkeeping costs per year. Also, the Department estimates that 100 large firms will incur a total of $84,844,000 in recordkeeping costs per year.

Under the Paperwork Reduction Act, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid control number assigned by the Office of Management and Budget.

G. Unfunded Mandates Reform Act

The Unfunded Mandates Reform Act requires that Federal agencies prepare a written statement assessing the effects of any Federal mandate in a proposed or final agency rule that may directly result in the expenditure of $100 million or more in 1995 dollars (adjusted annually for inflation) in any 1 year by State, local, and Tribal governments, in the aggregate, or by the private sector (2 U.S.C. 1532(a)). However, the Unfunded Mandates Reform Act does not apply to “any provision” in a proposed or final rule that is “necessary for the national security” (2 U.S.C. 1503(5)).

In the Order, the President explained that “[t]he continuing effort of certain countries of concern to access Americans' sensitive personal data and United States Government-related data constitutes an unusual and extraordinary threat, which has its source in whole or substantial part outside the United States, to the national security and foreign policy of the United States.” The Order expanded the scope of the national emergency declared in Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and further addressed with additional measures in Executive Order 14034 of June 9, 2021 (Protecting Americans' Sensitive Data From Foreign Adversaries). Section 2(a) of the Order thus requires the Attorney General to issue the regulations in this part, subject to public notice and comment, “[t]o assist in addressing the national security emergency described” in the Order. Because the entirety of this proposed rule and every provision in it addresses the national emergency described by the President in the Order, the Department has concluded that the Unfunded Mandates Reform Act does not apply to this proposed rule.

Under the rulemaking authority vested in the Attorney General in 5 U.S.C. 301; 28 U.S.C. 509, 510 and delegated to the Assistant Attorney General for National Security by A.G. Order No. 6067-2024, and for the reasons set forth in the preamble, the Department of Justice proposes to add part 202 to chapter I of title 28 of the Code of Federal Regulations to read as follows: