At the time of the completion of this article, the U.S. Department of Justice's National Security Division (NSD) announced the implementation rules (unofficial version) of the Executive Order, and we will continue to follow up and interpret them.
On February 28, 2024, Eastern time, Biden issued an Executive Order entitled "Preventing Concerned Countries from Accessing Americans' Massive Sensitive Personal Data and U.S.**Related Data" (hereinafter referred to as the "Executive Order") in accordance with the International Emergency Economic Powers Act (IEEPA) to protect Americans' sensitive personal data from countries of concern of concern). In a press release[2], the U.S. Department of Justice called the move a groundbreaking** executive order.
The Executive Order, together with the U.S. Department of Justice's Fact Sheet: Justice Department Will Issue Advance Notice of Proposed Rule ("ANPRM"[3][3], builds on the existing foundations of CFIUS, Team Telecom[4], the Department of Commerce's ICTS program, and export controls. It additionally complements existing controls to provide additional protection for Americans' sensitive personal data and close the gap between U.S.'s goals and reality.
1) CFIUS and Team Telecom review discrete types of transactions only on a transaction-by-transaction basis, and their rules do not provide forward-looking, explicit rules to address the risks posed by business activities involving direct data to countries of concern, or business or employment relationships that facilitate access to sensitive personal data of U.S. persons in countries of concern.
2) The Department of Commerce's ICTS program regulates transactions and types of transactions involving information and communications technology and services produced by foreign-adversaries for use in the United States. In contrast, the Executive Order and implementing regulations developed by the U.S. Department of Justice (collectively, the "Data Security Program") will regulate data transactions involving the potential transfer of sensitive personal data of U.S. persons to a country of concern.
and 3) the export control system is used to address the transfer of sensitive U.S. products and technologies and to prevent countries of concern from acquiring and using them for malicious purposes. However, the export control system does not address the movement of sensitive personal data itself or the counterintelligence and associated risks posed by such data.
1. Current assessment.
We understand, however, that the impact of this executive order is limited as far as the executive order itself is concerned:
First, the executive order is only a framework structure, and its content is subject to the implementation regulations issued by the Ministry of Justice. Therefore, we recommend that Chinese companies focus on the "Fact Sheet: Justice Department Will Issue Advance Notice of Proposed Rule*** ("ANPRM)"[5]" issued by the US Department of Justice, and follow up on the subsequent implementation rules issued by the US Department of Justice.
Second, the Executive Order restricts U.S. persons from transferring only Americans' most personal and sensitive information, including genomic data, biometric data, personal health data, Geolocation data, financial data, and certain types of personally identifiable information. Not all data is prohibited from being transferred, even the most personal and sensitive information of an American person (except for information related to the United States**) is only triggered when the specified threshold is reached (see Section II, Item 8 of this article for details), and even if the ban is triggered, only two types of data transactions are prohibited and three types are restricted (see Section II, Item 10 of this article for details), and it is not some ** "U.S. interrupts data transmission", "no U.S. data can be exported", and "so alarmist" situations. In addition, exceptions are granted to certain types of data, such as data that forms part of the provision of financial services (including banking, capital distribution and financial and insurance services) and that is necessary to comply with any federal statutory or regulatory requirements, including any regulations, guidance or orders implementing those requirements.
In addition, the current E.O. injunction and the DOJ's ANPRM Fact Sheet Rule, which is currently in a 45-day public comment period (with two rounds of comment), are not effective and do not immediately create any new legal obligations, and will not be subject to the rules until the final rule is issued and becomes effective.
2. U.S. Department of Justice (DOJ) ANPRM Fact Sheet.
The Executive Order was accompanied by the U.S. Department of Justice's ANPRM Fact Sheet. The U.S. Department of Justice expressed the following opinion in the ANPRM:
First, the legislation will aim to close the gap between the current reality and the goal. It is currently legal to purchase personal data and access it through other commercial relationships in the United States. Existing U.S. agencies, such as the Committee on Foreign Investment in the United States (CFIUS) and Team Telecom[6], are able to review and address these data security risks on a case-by-case basis for different types of activities. However, existing laws do not comprehensively and proactively address the risks posed by the country of concern or covered persons under its jurisdiction or control who may access sensitive personal data through business transactions.
Second, the U.S. Department of Justice will work closely with other U.S. agencies. The Executive Order requires the U.S. Department of Justice (DOJ) to act as the lead implementing agency, to conduct interagency consultations with other U.S. agencies and departments, and to give the U.S. Departments of Commerce, Treasury, Homeland Security, and others important mandates in rulemaking, licensing decisions, designation of countries of concern, and designation of covered individuals.
Third, there will be no case-by-case review of specific data transactions with countries of interest. The U.S. Department of Justice will review specific data transactions with countries of concern by establishing rules that are generally applicable and transparent.
Fourth, the DOJ is considering listing China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela as countries of concern, which is the same as high-risk countries in the area of export controls and economic sanctions.
Fifth, compared with the relatively abstract definition of the Executive Order[7], the DOJ has clarified the key points of the identification of a covered person from the perspective of legal practice, and also provides an idea for our operational practice - whether providing sensitive personal data to an entity or individual will lead to access to such data by a country of concern, and if so, it belongs to a covered person, and vice versa. The DOJ defines covered persons as those that include certain categories of entities and individuals that are under jurisdiction, direction, ownership, or control of the country of concern.
Sixth, the DOJ will issue and regularly update a list of covered persons to assist businesses in gaining a clearer understanding of these specific individuals and entities and complying with compliance requirements. Note that this list is non-exhaustive and not being included in the list does not mean that you are not a person who is covered.
Seventh, the DOJ will refine the definition of sensitive personal data[8] to better regulate it:
1) Categories and combinations of covered personal identifiers (not all personally identifiable information) that are specifically listed. Covered Personal Identifiers are the categories of personally identifiable data that are reasonably associated with an individual, as determined by the Attorney General in the regulations issued pursuant to Section 2 of this Executive Order, which, when combined with each other, with other sensitive personal data, or with other data disclosed by a party pursuant to a transaction, would result in the Personal Data being subject to a country of concern concern) is used to identify an individual from a dataset or to link (point to) data from multiple datasets. "Covered Personal Identifiers" does not include:
a.Demographic or contact data that is only linked to another demographic or contact data, such as name, date of birth, place of birth, zip code, residential street or postal address, ** number and email address, and similar publicly available information, account identifiers; Or.
b.A network-based identifier, account authentication data, or call detail data is only linked to another network-based identifier, account authentication data, or call detail data to provide a telecommunications, network, or similar service.
2) precise geolocation data;
3) biometric identifiers;
4) human genome data [9];
5) personal health data; And.
6) Personal Financial Information.
DOJ further clarified that "sensitive personal data" does not include: 1) public record data lawfully obtained by the public, such as court records or other records; 2)50 u.s.c.Personal communications under 1702(b)(1); 3)50 u.s.c.Expressive information under 1702(b)(3), such as **, artwork, or publications.
Eighth, the DOJ will regulate data transactions in the specified categories of the six categories of sensitive personal data described above only if the transaction exceeds a specified threshold (i.e., the threshold number of U.S. persons or U.S. devices). However, with the exception of transactions involving certain United States government-related data[10], data transactions involving sensitive personal data of persons or locations in the United States**, regardless of the volume of such data, will be regulated.
Ninth, for U.S.**-related personnel data (u.ss.government-related data on personnel), the U.S. Department of Justice will consider focusing on sensitive personal data sold by transacting parties, such as data brokers, that are or can be associated with current or recent former employees or contractors or former seniors of the Commonwealth** (including the intelligence community and military). For location data related to the United States** (us.government-related data on locations), the DOJ will consider focusing on geolocation data that is associated with or linkable to certain sensitive locations within the geofenced area, which the DOJ designates in a public list.
Tenth, the U.S. Department of Justice plans to divide covered data transactions into prohibited and restricted transactions to reduce access risk for countries of concern and covered persons.
The prohibited types of data transactions fall into the category of highly sensitive data transactions including: 1) data brokerage transactions, and 2) genomic data transactions, which involve the transmission of large amounts of human genomic data or biological samples from which such data is derived.
The types of data transactions that are restricted include: 1) merchant agreements (including cloud service agreements) involving the provision of goods and services; 2) Labor contract; 3) Investment agreements. Note that the Statement of Restricted Data Transactions imposes security requirements, including the adoption of cybersecurity measures such as basic organizational cybersecurity posture requirements, physical and logical access controls, data masking and minimization, and the use of privacy-preserving technologies. These security requirements will be developed by the Department of Homeland Security's Cybersecurity and Infrastructure Bureau.
Eleventh, the Department of Justice is considering the following transactions as exempt transaction types that are not subject to this Data Security Program:
1) typically related to and part of financial services, payment processing, and regulatory compliance, such as banking, capital markets, or financial and insurance activities; financial activities within the jurisdiction of other regulatory bodies; The provision or processing of payments involves the transfer of personal financial data or covered personal identifiers[11] for the purchase and sale of goods and services; and legal and regulatory compliance.
2) Typically related to and part of ancillary business operations within a U.S. multinational corporation, such as payroll or human resources.
3) activities of the United States** and its contractors, employees, and grantees, such as federally funded health and research activities (which the funding agency will self-regulate); Or.
4) Transactions required or authorized by federal law or international agreements, such as passenger manifest information exchange, INTERPOL requests, and public health surveillance.
5) Certain investments that do not have rights or influence. The DOJ believes that investments with power or influence generally pose an unacceptable risk of access to sensitive personal data by countries of concern or covered persons. For China's private enterprises, this may be an applicable breakthrough.
Twelfth, the Ministry of Justice is considering establishing a process for the issuance of general and specific licenses and advisory opinions by the Department:
1) General licenses will give the DOJ the flexibility to exempt certain categories of transactions, change their conditions, or allow grace periods for certain categories of transactions.
2) Specific licenses will give companies and individuals the opportunity to apply for rule exceptions to engage in specific data transactions, and the DOJ will make licensing decisions in agreement with the Department of Commerce and the Department of Homeland Security.
3) Companies and individuals may also seek advice on the application of the regulations (subsequently enacted) to specific transactions.
Thirteenth, for U.S. telecommunications infrastructure, it will be Team Telecom (chaired by the Attorney General):
1) Priority review of existing licenses for entities in countries of concern to own, operate or log in submarine cable systems;
2) publicly publish policy guidelines on license application review, including assessment of third-party data security risks;
3) Take further measures to continuously address data security risks.
Fourteenth, for the U.S. health care market, it will be up to the Department of Defense, the Department of Health and Human Services, the Department of Veterans Affairs, and the National Science** to consider measures to leverage their existing funding and contracting powers, including taking steps that prohibit federal funding to support or otherwise reduce the risk of diversion of sensitive health data and human genome data to countries of concern and covered individuals.
Fifteenth, for U.S. consumer protection, it will be up to the Consumer Financial Protection Bureau to consider measures to address the role of data brokers in creating these risks.
Sixteenth, this DSP does not prohibit apps or social networking platforms from countries of concern from operating in the U.S. (although this may be a privacy challenge), nor does it prohibit any single application or technology.
One of the goals of this data security program is to address the most serious data security risks posed by countries of concern to access a subset of data collected and used by apps and social platforms, but not all data.
Involved 50 us.c.Expressive information (e.g., **, artwork, and publications) under 1702(b)(3) is excluded from regulation.
Seventeenth, this Data Security Program does not regulate purely domestic transactions between U.S. persons, such as the collection, maintenance, processing, or use of data by U.S. persons within the U.S., except for Covered Persons who are specifically and publicly designated as acting on behalf of a country of concern.
Eighteenth, the Data Security Program does not regulate data transactions between the U.S. and non-countries of concern. However, the following cases are excepted:
1) evading or circumventing regulation;
2) Before entering into a data transaction, the non-concerned country procuring entity refuses to promise or agree to "not resell or allow access to [12] data from the country of concern or the covered person". Note that access includes access to data through information technology systems, cloud computing platforms, networks, security systems, devices, or software.
Nineteenth, the ANPRM only considers the implementation of aggressive record-keeping and reporting requirements under discrete circumstances[13] as a condition of engaging in restricted transactions or under general or specific licensing. In addition to this, this data security program does not establish uniform general due diligence requirements, affirmative record-keeping requirements, or affirmative reporting requirements. Instead, the data security program will use a déjà vu approach to compliance, modeled after the IEEPA-based economic sanctions program administered by the U.S. Treasury Department's OFAC: U.S. companies and individuals will be expected to develop and implement an IEEPA-based compliance program. U.S. companies and individuals should develop and implement a compliance program based on their individualized risk profile, which can vary based on a range of factors such as size and complexity, products and services, customers and counterparties, and geographic location. In the event of a violation, the DOJ will consider the adequacy of that compliance program in its enforcement actions.
Twentieth, the Department of Justice is responsible for investigating violations, including seeking civil and criminal remedies under the IEEPA. The Department of Justice is considering the creation of civil penalties for violations, and the specific penalties for any particular violation will depend on the facts and circumstances of the violation, including the adequacy of any compliance program.
3. Suggestions for Chinese enterprises to respond.
1) Complete the outstanding transaction as soon as possible.
The DOJ's statement on the ANPRM does not mention whether the implementing regulations are retroactive, and in light of the DOJ's statement in the ANPRM fact sheet[14], "the current prohibition in the Executive Order and the DOJ's ANPRM fact sheet do not immediately create any new legal obligations." Rules and restrictions must only be complied with after the final rule is issued and takes effect", we prefer to interpret it as a non-retroactive implementation rule. Therefore, we recommend that data transactions that are prohibited or restricted should be considered to expedite the transaction process and complete the data transaction as soon as possible.
2) Investigate ongoing data transactions that may trigger review.
Through interviews, questionnaires, and other means, determine whether the ongoing data transactions involving the United States trigger the security review of the data transactions, such as collecting sensitive personal data of U.S. persons and transferring them across borders. If the transaction review may be triggered, it will further investigate whether the relevant transaction involves the situation of the Chinese** military, and whether it may be identified as a risk to the covered person.
3) Formulate a plan for responding to the security review of data transactions.
We recommend that your company formulate a plan to deal with the security review of data transactions in advance based on the results of the above-mentioned investigation and analysis, and conduct internal deduction, so as to respond to the review in a timely manner in the first time.
For data transactions that may trigger review after investigation, 1) if there are risks such as China's leading military, determine whether such risks can be reduced by changing shareholders, equity, product and service functions, etc.; 2) If it involves the remote transmission and/or storage of user data in the United States, it should be determined whether it can be stored locally in the United States; 3) Conduct thorough and reliable third-party audits, focusing on the inability of China** and the military to access sensitive personal data of Americans, and keep audit reports on file and backed up.
Before subsequently responding to the U.S. Department of Justice's review, it should also assess whether approval should be obtained from the competent Chinese authorities in accordance with Article 36 of the Data Security Law of the People's Republic of China on the provision of data to foreign law enforcement agencies; and, if necessary, prepare the appropriate application materials in advance.
If, after judgment, the data transaction triggering the review is likely to be banned by the U.S. Department of Justice, relevant contingency measures should be studied and deployed, including but not limited to: 1) reviewing the terms and conditions of existing data transaction contracts, formulating a timetable for closing the data transaction program, and limiting the scope of U.S. data transactions to the scope of commercially feasible transactions; 2) Centralized management of external communication, situation explanation, and information release; 3) The return of overseas related funds to China, etc.
4) Make full use of the space for purely domestic transactions between Americans that are not subject to security scrutiny of data transactions.
In the ANPRM fact sheet, the U.S. Department of Justice noted that the Executive Order and subsequent implementing regulations enacted by the DOJ do not regulate purely domestic transactions between U.S. persons, such as the collection, maintenance, processing, or use of data by U.S. persons in the U.S., will not be affected by this security review of data transactions, unless the U.S. person is explicitly and publicly designated as a covered person acting on behalf of a country of concern.
Therefore, we suggest that Chinese companies that cannot avoid the use of sensitive personal data of U.S. persons should consider splitting their domestic and foreign entity structures and adjusting their equity structures, and consider the structure model of dual headquarters in China and the United States. In general, Chinese companies should place all business lines that purchase and use sensitive personal data of U.S. subsidiaries (including the holding, controlling entities and branches of U.S. subsidiaries in the United States) for independent operation, and at the same time take risk isolation measures to ensure that U.S. subsidiaries independently set up directors, supervisors and senior executives, make independent decisions on their own business and operation management, and independently carry out R&D, procurement, manufacturing, sales, and after-sales work to integrate the personnel, business, and after-sales work of U.S. subsidiaries. The operation management path is isolated from the Chinese headquarters and other subsidiaries, so that the U.S. subsidiary has no authority to interfere with the specific business operations of the company and other subsidiaries, and other subsidiaries of the group have no authority to interfere with the specific business operations of the U.S. subsidiary.
5) Make full use of the window period and actively lobby the relevant competent authorities.
Judging from the previous statements of all parties in the United States, although it is necessary to establish a security review of data transactions, there is still a lot of room for discussion on the specific implementation details. Currently, the U.S. Department of Justice is soliciting public comments on the implementing regulations, broadly understanding the interests and needs of all parties, and evaluating the impact of the implementing regulations. Chinese enterprises should fully assess the impact of this legislation on their own businesses, and use the window period to jointly invest companies, partner chambers of commerce and other relevant interest groups to strive to limit the scope of security review of data transactions and increase the number of exceptions applicable to their own businesses. Chinese enterprises can also actively submit their specific circumstances and business impact assessments to the competent departments of commerce and industry associations in China, and fully demonstrate the economic impact of such data transaction security reviews on the company and the industry.
Special statement: Dentons strictly abides by the obligation to protect the client's information, and the content of the client's project involved in this article is taken from public information or obtained the client's consent. The content and opinions expressed in this article are for reference only and do not represent any position of Dentons, nor should they be regarded as issuing any form of legal advice or recommendation. If you need to ** or quote any content of the article, please send a private message to communicate the authorization and indicate ** at the beginning of the article**. You may not ** or use any of the content in such articles without authorization.