
DOJ Issues NPRM Regarding Sensitive Data Transfers WilmerHale

The National Security Division (NSD) is a part of the Department of Justice (DOJ) and is responsible for enforcing federal laws related to national security. The NSD has been working on a new rule that will require companies to obtain approval from the government before transferring sensitive data to foreign entities.

The Background of the Rule

The new rule is part of a broader effort by the U.S. government to strengthen national security and protect sensitive data from falling into the wrong hands. The NSD has been working on this rule for several years, and it is expected to be finalized soon. The rule will require companies to obtain approval from the government before transferring sensitive data to foreign entities, including data related to national security, defense, and foreign policy.

The Department of Justice will review all comments received during this period and respond to them in a final rule.

The Department of Justice’s New Rule: A Shift in Investigative and Enforcement Powers

The Department of Justice (DOJ) has recently proposed a new rule that significantly expands its investigative and enforcement authorities. This development has sparked significant interest and debate among legal professionals, policymakers, and the general public. In this article, we will delve into the details of the proposed rule, its implications, and what it means for the future of law enforcement and justice in the United States.

Understanding the Proposed Rule

The proposed rule, which is expected to be published in the Federal Register, will introduce substantial new investigative and enforcement authorities for the DOJ.

The Department of Justice has issued a Notice of Proposed Rulemaking (NPRM) related to disclosure of certain categories of data. This follows President Biden’s Executive Order 14117, which was issued on February 28, 2024. The proposed rule aims to establish a new regulatory regime for the disclosure of sensitive data.

Understanding the Executive Order and its Implications

The Executive Order 14117, signed by President Biden on February 28, 2024, sets the stage for the Department of Justice’s proposed rule. The order emphasizes the importance of protecting sensitive data and promoting transparency in government operations. It requires federal agencies to develop and implement policies and procedures for the disclosure of certain categories of data. The order also establishes a new framework for the disclosure of sensitive information, which will be implemented through the proposed rule.

Key Provisions of the Executive Order

  • Requires federal agencies to develop and implement policies and procedures for the disclosure of certain categories of data
  • Establishes a new framework for the disclosure of sensitive information
  • Promotes transparency in government operations
  • Protects sensitive data

    The Proposed Rule and Its Objectives

    The Department of Justice’s proposed rule aims to establish a new regulatory regime for the disclosure of sensitive data.

    The categories include:

  • Personally identifiable information (PII) such as names, addresses, and Social Security numbers.
  • Biometric data, such as fingerprints, facial recognition data, and iris scans.
  • Financial information, such as bank account numbers and credit card details.
  • Healthcare information, such as medical records and insurance details.
  • Employment and education history.
  • Other sensitive data, such as citizenship status and family relationships.

    Understanding the Proposed Rule

    The proposed rule aims to protect sensitive personal data from being exploited by foreign adversaries. It builds on the Executive Order (EO) issued by the President in 2020, which established a framework for protecting sensitive personal data.

    Key Components of the Proposed Rule

    The proposed rule defines six categories of sensitive personal data that could be exploited by a country of concern to harm U.S. national security. These categories include:

  • Personally identifiable information (PII) such as names, addresses, and Social Security numbers.
  • Biometric data, such as fingerprints, facial recognition data, and iris scans.
  • Financial information, such as bank account numbers and credit card details.
  • Healthcare information, such as medical records and insurance details.
  • Employment and education history.
  • Other sensitive data, such as citizenship status and family relationships.

    These countries are subject to enhanced scrutiny and monitoring by the U.S. government due to their alleged human rights abuses, authoritarian governance, and support for terrorism.

    The Countries of Concern

    The six countries identified by the NPRM are not new to the U.S. government’s attention. However, the proposed rule increases the level of scrutiny and monitoring on these countries, imposing stricter requirements on U.S. persons and entities that engage with them.

    Key Features of the Proposed Rule

  • The proposed rule requires U.S. persons and entities to report on their interactions with the Countries of Concern, including any transactions, investments, or other business dealings.
  • The rule also imposes stricter requirements on U.S. persons and entities that engage in transactions with the Countries of Concern, including the need to obtain licenses and permits.
  • The proposed rule aims to prevent U.S. persons and entities from inadvertently supporting terrorism or human rights abuses in these countries.

    The Impact on U.S. Persons and Entities

    The proposed rule will have significant implications for U.S. persons and entities that engage with the Countries of Concern. These individuals and organizations will need to comply with the new reporting and licensing requirements, which may involve significant changes to their business practices and operations.

    Compliance Challenges

  • The proposed rule requires U.S.

    “covered persons” are also: a foreign person that is an entity (“foreign entity”) 50% or more owned, directly or indirectly, by a country of concern and is a member of a covered group.

    The Concept of Covered Persons

    Definition and Scope

    The concept of covered persons is a critical component of various international agreements and regulations, particularly in the context of sanctions and export controls. Covered persons refer to individuals or entities that are subject to specific restrictions and prohibitions due to their association with a country of concern.

    Exemptions for Citizens of Countries of Concern

    The proposed rule aims to address the concerns of citizens of countries of concern, who are often subjected to unfair or unjust treatment by the US government. The exemption would apply to citizens of countries that are deemed to be of concern by the US government, such as North Korea, Iran, and Syria. Key aspects of the exemption:

  • Exemption from the definition of covered persons
  • Applies to citizens of countries of concern
  • May be subject to additional requirements or conditions

    Impact on Covered Persons

    The exemption would have a significant impact on covered persons, who are currently subject to certain restrictions and limitations on their activities in the US. The exemption would allow these individuals to engage in activities in the US without being considered covered persons, which could have far-reaching consequences for their personal and professional lives. Potential benefits:

  • Increased freedom to engage in activities in the US
  • Potential for greater access to education, employment, and other opportunities
  • Reduced stress and anxiety related to being considered a covered person

    Potential drawbacks:

  • May create new challenges and complexities for covered persons
  • Could lead to increased scrutiny and monitoring by US authorities
  • May raise concerns about national security and public safety

    Implementation and Enforcement

    The proposed rule would require careful consideration and implementation to ensure that it is effective and fair.

    This is because the IRS considers them non-resident aliens for tax purposes.

    The Impact of the Foreign Account Tax Compliance Act (FATCA) on Non-U.S. Citizens

    The Foreign Account Tax Compliance Act (FATCA) is a U.S. law that has significant implications for non-U.S. citizens residing in the United States. The law, enacted in 2010, aims to combat tax evasion by U.S. taxpayers who have hidden assets abroad. However, its impact extends beyond U.S. citizens, affecting non-U.S. citizens who are also residents of the United States.

    Who is Covered by FATCA?

    FATCA applies to non-U.S. This includes individuals who have obtained a green card, are in the process of obtaining a green card, or are married to a U.S. citizen. The law also covers non-U.S. citizens who are employed by a U.S. employer or have a U.S. source of income. Key characteristics of covered individuals:

  • Non-U.S. citizens
  • Residents of the United States
  • Green card holders or in the process of obtaining a green card
  • Married to a U.S.

    This data can be obtained through various means, including GPS, Wi-Fi, and cellular network triangulation.

    Understanding the Importance of Precise Geolocation Data

    The Rise of Location-Based Services

    In recent years, the demand for precise geolocation data has skyrocketed, driven by the proliferation of location-based services (LBS). LBS has become an essential component of modern life, with applications ranging from navigation and mapping to social media and advertising. The accuracy of geolocation data is crucial in providing users with relevant and personalized experiences. Key features of LBS include:

  • Real-time location tracking
  • Location-based recommendations
  • Personalized advertising
  • Navigation and mapping

    The Impact of Precise Geolocation Data on Society

    Precise geolocation data has far-reaching implications for various aspects of society, including:

  • Public Safety: Precise geolocation data can be used to quickly locate individuals in emergency situations, such as natural disasters or crimes.
  • Healthcare: Geolocation data can be used to track patient locations, monitor disease outbreaks, and provide personalized health recommendations.
  • Environmental Monitoring: Precise geolocation data can be used to monitor and track environmental changes, such as deforestation or climate change.

    The Challenges of Collecting and Using Precise Geolocation Data

    Data Collection Methods

    Precise geolocation data can be obtained through various means, including:

  • GPS: Global Positioning System (GPS) technology provides accurate location data, but it can be affected by satellite signal strength and interference.

    Unlocking the Power of Personal Health Data to Transform Healthcare Outcomes

    This includes data about an individual’s medical history, symptoms, diagnoses, treatments, and outcomes. Personal health data is a valuable resource for healthcare providers, researchers, and patients themselves, as it can be used to improve healthcare outcomes, develop new treatments, and inform patient-centered care.

    The Importance of Personal Health Data

    Personal health data is a vital component of modern healthcare, and its importance cannot be overstated. Here are some key reasons why personal health data is essential:

  • Improved healthcare outcomes: Personal health data can help healthcare providers identify patterns and trends in patient data, allowing them to develop targeted interventions and improve patient outcomes.
  • Development of new treatments: By analyzing large amounts of personal health data, researchers can identify new patterns and correlations that may lead to the development of new treatments and therapies.

  • The worksite or duty station of Federal Government employees or contractors who are involved in the development, production, or testing of weapons or other military equipment.
  • The worksite or duty station of Federal Government employees or contractors who are involved in the development, production, or testing of nuclear reactors or nuclear weapons.
  • The worksite or duty station of Federal Government employees or contractors who are involved in the development, production, or testing of space launch vehicles or space-related equipment.

    Prohibited Transactions are defined as any transaction involving the sale, lease, or transfer of any covered data. Prohibited Transactions include data brokerage, vendor agreement, employment agreement, investment agreement, and data sharing agreements. Restricted “Covered Data Transactions” include data brokerage, vendor agreement, employment agreement, investment agreement, and data sharing agreements.

    The Proposed Rule: A Comprehensive Overview

    The proposed rule, aimed at protecting sensitive personal data, defines a “covered data transaction” as any transaction involving access to government-related data or bulk U.S. sensitive personal data. This comprehensive rule aims to regulate the handling and sharing of sensitive information, ensuring that it is protected from unauthorized access and misuse.

    Key Components of the Proposed Rule

  • Covered Data Transactions: The proposed rule defines a “covered data transaction” as any transaction involving access to government-related data or bulk U.S.
  • Prohibited Transactions: Prohibited transactions include the sale, lease, or transfer of any covered data, as well as data brokerage, vendor agreement, employment agreement, investment agreement, and data sharing agreements.
  • Restricted “Covered Data Transactions”: Restricted “covered data transactions” include data brokerage, vendor agreement, employment agreement, investment agreement, and data sharing agreements.

    Implications of the Proposed Rule

    The proposed rule has significant implications for organizations that handle sensitive personal data. Some of the key implications include:

  • Increased Regulatory Compliance: The proposed rule requires organizations to implement robust security measures to protect covered data, ensuring compliance with regulatory requirements.
  • Enhanced Data Protection: The proposed rule aims to enhance data protection by regulating the handling and sharing of sensitive information, reducing the risk of data breaches and unauthorized access.

    More than 500 U.S. persons.

    The Proposed Rule: Bulk Data Collection and Analysis

    Background

    The proposed rule, announced by the U.S. Department of Health and Human Services (HHS), aims to regulate the collection, use, and analysis of bulk data. This move is part of a broader effort to address concerns around data privacy and security in the digital age.

    Key Provisions

    The proposed rule sets the following bulk thresholds for the collection, use, and analysis of different types of data:

  • Human Genomic Data: More than 100 U.S. persons
  • Biometric Identifiers and Precise Geolocation Data: More than 1,000 U.S. persons
  • Personal Health Data and Personal Financial Data: More than 500 U.S. persons

    These thresholds are designed to ensure that the collection and analysis of bulk data are subject to robust safeguards and oversight.

    Implications

    The proposed rule has significant implications for various sectors, including healthcare, finance, and technology. For instance:

  • Healthcare: The rule could impact the use of genomic data for research and treatment purposes.
  • Finance: The rule could affect the use of personal financial data for credit scoring and other purposes.

    The chatbot is designed to assist with customer service inquiries and is hosted on servers located in the United States. The chatbot is not connected to any servers outside of the United States, and all data is stored locally on the servers in the United States. This setup ensures that the data is not transmitted to any servers outside of the United States, and the company can comply with U.S. data protection regulations.”

    The Benefits of Data Localization

    Data localization is a growing trend in the tech industry, where companies are choosing to store and process their data within a specific geographic region.

    Hiring a covered person poses significant risks to a U.S.

    The appointee has access to sensitive financial information and is authorized to make decisions on behalf of the company.

    The Risks of Hiring a Covered Person

    Hiring a covered person can pose significant risks to a U.S. company, particularly when it comes to prohibited transactions. A covered person is defined as an individual who has access to bulk personal financial data, such as a citizen of a country of concern or a foreign national with a high level of access to sensitive financial information.

    Key Risks

  • Data Breach: A covered person with access to bulk personal financial data may inadvertently or intentionally compromise the security of the company’s financial information.

    For life sciences companies, the NPRM provides the following illustrative example: “[a] U.S. company that conducts consumer human genomic testing collects and maintains bulk human genomic data from U.S. consumers. The U.S. company has global IT operations, including employing a team of individuals who are citizens of and primarily resident in a country of concern to provide back-end services. The agreements related to employing these individuals are employment agreements. Employment as part of the global IT operations team includes access to the U.S. company’s systems containing the bulk human genomic data. These employment agreements would be prohibited transactions (because they involve access to bulk human genomic data).”

    Digital transformation is crucial for financial services companies to remain competitive and relevant in the market.

    company, X, has a strong brand and a large customer base, but its financial performance is not as strong as its competitors. This is because X has not invested enough in digital transformation and has not leveraged its brand and customer base to drive revenue growth.”

    The Challenges of Digital Transformation in Financial Services

    The financial services industry is undergoing a significant transformation, driven by technological advancements and changing consumer behaviors. However, this transformation is not without its challenges. In this article, we will explore the challenges of digital transformation in financial services and provide examples of companies that have successfully navigated these challenges.

    Understanding the Importance of Digital Transformation

    Digital transformation is the process of integrating digital technology into all areas of a business, fundamentally changing how it operates and delivers value to customers.

    The proposed rule is designed to enhance the security of the nation’s critical infrastructure, including the nation’s transportation systems, energy systems, and other critical infrastructure sectors.

    Preparing for the Proposed Rule

    Understanding the Proposed Rule

    The proposed rule, which is expected to go into effect in 2024, aims to enhance the security of the nation’s critical infrastructure. The rule requires companies to implement security controls to protect against cyber threats and to report any security incidents to CISA. The proposed rule also includes provisions for the use of artificial intelligence and machine learning to enhance security. Key aspects of the proposed rule:

  • Implement security controls to protect against cyber threats
  • Report security incidents to CISA
  • Use artificial intelligence and machine learning to enhance security

    Assessing Your Company’s Readiness

    To prepare for the proposed rule, companies should assess their current security posture and identify areas for improvement.

    Ensuring HIPAA Compliance through Authorization of Restricted Transactions

    However, if the vendor has a written agreement with the company that outlines the security measures to be taken, the company is authorized to engage the vendor.

    Authorization to Conduct Restricted Transactions

    Overview

    Authorization to conduct restricted transactions is a critical aspect of complying with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The law sets forth specific requirements for the handling of protected health information (PHI), and companies must ensure they have the necessary authorization to engage vendors to store and process this sensitive data.

    Types of Authorized Transactions

  • Business Associate Agreements (BAAs): Companies can engage vendors to store and process PHI, but they must have a written agreement with the vendor that outlines the security measures to be taken.
  • De-identified PHI: Companies can engage vendors to store and process de-identified PHI, which is PHI that has been stripped of personally identifiable information.
  • Research and Public Health Activities: Companies can engage vendors to store and process PHI for research and public health activities, as long as the vendor has a written agreement with the company that outlines the security measures to be taken.

    Examples of Authorized Transactions

  • Vendor-Client Agreements: A company can engage a vendor to store and process PHI, as long as the vendor has a written agreement with the company that outlines the security measures to be taken.
  • Data Storage Services: A company can engage a vendor to store PHI, as long as the vendor has a written agreement with the company that outlines the security measures to be taken.
  • Research Studies: A company can engage a vendor to store and process PHI for research studies, as long as the vendor has a written agreement with the company that outlines the security measures to be taken.

    Exemptions for critical transactions and personal communications

    Exemptions from the proposed rule

    The proposed rule aims to exempt certain types of data transactions from its prohibitions and restrictions. These exemptions are designed to ensure that the rule’s requirements do not unduly burden certain types of transactions that are critical to the functioning of the economy or that are subject to existing laws and regulations. Here are some examples of exemptions that are included in the proposed rule:

  • Personal communications: The proposed rule exempts personal communications, such as emails, letters, and phone calls, from its prohibitions and restrictions. This exemption is intended to protect the privacy of individuals and ensure that personal communications are not subject to the rule’s requirements.
  • Financial services: The proposed rule exempts financial services, such as banking and securities transactions, from its prohibitions and restrictions.

    Enforcement of Export Control Laws to be Enhanced with Civil Monetary Penalties and Criminal Penalties

    The proposed rule also includes provisions for the imposition of civil monetary penalties for violations of the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR).

    Proposed Rule: Civil Monetary Penalties for Violations of Export Control Laws

    Overview of the Proposed Rule

    The proposed rule aims to enhance the enforcement of export control laws, including the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR). The rule would impose civil monetary penalties for violations of these regulations, as well as establish a criminal penalty in line with the International Emergency Economic Powers Act (IEEPA).

    Civil Monetary Penalties

    The proposed rule includes a process for imposing civil monetary penalties similar to those used in contexts implicating the IEEPA. The maximum civil monetary penalty for violations would be the greater of $368,136. This penalty would apply to violations of the EAR and ITAR. The proposed rule would also establish a tiered penalty structure, with penalties increasing for more severe violations, and would provide for penalties for violations of specific regulations, such as the EAR and ITAR, including penalties for failure to comply with licensing requirements.

    Criminal Penalty

    The proposed rule establishes a criminal penalty in line with IEEPA requirements.

    The proposed rule, however, is not as narrow as it appears.

    The Proposed Rule: A Closer Look

    The proposed rule, which was announced by the U.S. Department of Commerce in June 2020, aims to regulate the flow of personal data across international borders. The rule, which is part of the U.S. government’s efforts to protect the privacy and security of U.S. citizens’ data, is intended to ensure that U.S. companies comply with data protection regulations when transferring data to foreign companies.

    Key Provisions of the Proposed Rule

  • The rule requires U.S. companies to obtain explicit consent from individuals before transferring their personal data to foreign companies.
  • The rule also requires U.S. companies to implement data protection measures to ensure the security and integrity of personal data.
  • The rule establishes a framework for the transfer of personal data between U.S. companies and foreign companies, including requirements for data protection agreements and data transfer protocols.

    The Impact of the Proposed Rule on U.S. Companies

    The proposed rule has significant implications for U.S. companies that operate globally. This may require significant changes to their business practices and may result in increased costs and complexity.

    The Impact of the Proposed Rule on Foreign Companies

    The proposed rule also has implications for foreign companies that receive personal data from U.S. companies.
