One of my favorite features of the English language is the collective noun. This is the word for a group of a particular type. For example, for a group of swans, the collective noun is a “prestige” of swans. For the wildebeest, it is a “confusion.” Companies doing business in the United States face a herd of potential data security and privacy regulators, including state attorneys general, the Securities and Exchange Commission and the Federal Trade Commission. I submit that we should consider calling a group of regulators a “confusion.” Well, it is time to add to the privacy regulatory “confusion.”

Last month, the U.S. Department of Justice (DOJ) issued a Notice of Proposed Rulemaking (NPRM) to implement President Biden’s Executive Order 14117 (the E.O.) of Feb. 28, 2024, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” In the E.O., the Justice Department received the responsibility to establish and implement a new national security regulatory program to address these privacy risks. 

Publishing this NPRM gave the world notice that the DOJ’s National Security Division (NSD) has the newly minted regulatory authority to prohibit or impose stringent restrictions on the transfer of what is classified as “bulk sensitive personal data” and “government-related data” to designated “countries of concern” and “covered persons.” These quoted terms are necessarily vague, which gives the potential for broad NSD authority. 

With other federal regulators facing major changes to their approach to data regulation under the forthcoming new U.S. president in 2025, the NSD stands ready to become a major federal data regulator. The new rules seek to enhance national security by ensuring that sensitive data does not fall into the hands of entities associated with nations deemed a security risk. NSD is empowered to require adherence to certain cybersecurity requirements or that companies obtain a license from the DOJ that permits the transaction. These requirements echo the requirements under other regulators, such as the Defense Contractor Auditing Agency (DCAA) and the Committee on Foreign Investment in the United States (CFIUS), but have far greater subject matter scope. However, there are certain exemptions to these rules that allow for specific types of transactions to proceed without NSD regulatory oversight. Let’s take a brief look at the limits of these rules by asking a few key questions. 

What Is a Country of "Concern”?

The rule identifies six “countries of concern”: China (which encompasses Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela. However, it is important to note that the U.S. attorney general has the authority to amend this list, which means that additional countries can be added or removed based upon evolving national security assessments.

What Is a “Covered Person”?

The rules define a “covered person” as one of four classes of entities or individuals that maintain some connection to the countries of concern. This classification can also include those added to a “Covered Persons List” by the U.S. attorney general. This broad definition is crucial for determining which parties are subject to the regulations imposed by the rule.

What Constitutes Covered “Bulk” Data and “Government-Related” Data?

The rules define “bulk” data broadly to encompass sensitive personal data related to U.S. individuals. Notably, this covered data includes anonymized, pseudonymized, de-identified or encrypted personal data, as long as the “bulk data” surpasses specific aggregate quantity thresholds within the 12 months leading up to a covered transaction. 

The rules define “government-related” data as sensitive location data and sensitive personal information pertaining to current or recently former government employees, officials or contractors—regardless of the quantity of that data.

What Are “Prohibited Transactions”?

Certain transactions are outright prohibited under this rule. For example, the rules strictly prohibit any transactions with a country of concern or a covered person that involve “data brokerage” or provide access to bulk human genomic data or biospecimens.

What Are Restricted Transactions and the Related Cybersecurity Requirements?

Transactions involving vendor agreements, employment contracts and non-passive investment deals with countries of concern or covered persons are allowed to proceed, but only if the U.S. entity involved complies with specific cybersecurity requirements established by the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA). 

What Are Exempt Transactions?

The proposed rule outlines 11 categories of transactions that are exempt from its purview. These exemptions include personal communications, specific telecommunications services, certain financial service transactions, particular FDA-regulated data and various investment agreements that fall under CFIUS scrutiny.

What Are the NSD License Requirements?

The NSD will have the authority to issue both “general” and “specific” licenses. General licenses will allow entities to engage in repeated transactions, while specific licenses will be granted for singular transactions that would otherwise be prohibited or restricted under the rule. Navigating this licensing framework will be critical to any companies doing business with countries or persons of “concern.”

What Are the Civil and Criminal Enforcement Mechanisms?

The enforcement of this rule is empowered by the International Economic Emergency Powers Act (IEEPA). Under this framework, the government is authorized to conduct investigations into potential violations and to impose civil penalties up to double the transaction amount. In cases of willful violations, criminal prosecutions can be pursued, which may result in imprisonment for up to 20 years. Notably, the statute of limitations for civil and criminal violations under IEEPA has recently been extended from five years to 10 years, providing a longer window for enforcement actions.

What Does This All Mean?

The rules feature a multitude of defined terms and are composed of over dozens of sections and subparts. Despite the outlined exemptions, the rule possesses the potential to encompass a wide range of transactions that may not have previously been considered under such stringent oversight. Unlike the Committee on Foreign Investment in the United States (CFIUS), which has limited authority to review specific foreign investments in the U.S., this proposed rule would apply universally to any transfer of bulk sensitive data or government-related data that aligns with the provided definitions. Companies will need to add a new layer of due diligence and planning to all international transactions. The starting point for that process will be to scrutinize transactions involving countries and persons of “concern.” However, the process has just begun and the data “confusion” has expanded again.