View Rule


DOJ/NSD RIN: 1124-AA01
Publication ID: Fall 2024
Title: Provisions Regarding Access to Americans' Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern 
Abstract:

On February 28, 2024, the President issued the "Executive Order Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern" (EO 14117). The Order directs the Attorney General to issue regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign person has any interest, where the transaction: (a) involves U.S. Government-related data or bulk U.S. sensitive personal data, as defined by final rules implementing the Order; (b) falls within a category of transactions that the Attorney General has determined pose an unacceptable national security risk of access by countries of concern or covered persons to Americans’ bulk sensitive personal data or U.S. Government-related data; or (c) meets other criteria specified by the Order.


On March 5, 2024, the Department published an Advance Notice of Proposed Rulemaking (ANPRM) seeking public comment on various topics related to the implementation of the Order, including designating countries of concern and covered persons, identifying prohibited and restricted data transactions, defining U.S. Government-related data and bulk U.S. sensitive personal data, and other provisions relating to the Order’s interpretation, enforcement, and compliance therewith.

The Department plans to publish a Notice of Proposed Rulemaking (NPRM) later this year.

 
Agency: Department of Justice (DOJ)
Priority: Section 3(f)(1) Significant
RIN Status: Previously published in the Unified Agenda
Agenda Stage of Rulemaking: Final Rule Stage
Major: Yes
Unfunded Mandates: No
CFR Citation: Not Yet Determined
Legal Authority: EO 14117 - Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern   
Legal Deadline:  None

Statement of Need:

Regulatory action is necessary to meet the Executive Order 14117 requirement that the Attorney General issue regulations that prohibit or otherwise restrict United States (U.S.) persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest, where the transaction: (1) involves U.S. Government-related data or bulk sensitive personal data, as defined by final rules implementing the Order; (2) falls within a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to the national security of the United States because it may enable access by countries of concern or covered persons to bulk sensitive personal data or government-related data; and (3) meets other criteria specified by the Executive Order. This new regulatory authority would fill a significant gap in national security laws, one that allows China, Russia, and other countries of concern to obtain unrestricted access to Americans’ bulk sensitive personal data and government-related data through legitimate commercial transactions, including transactions involving data brokerage, and employment, investment, and vendor agreements, in a manner that threatens U.S. national security.

Summary of the Legal Basis:

The President issued the Executive Order pursuant to the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.) (NEA), and section 301 of title 3, United States Code.  Section 2 of the Executive Order authorizes these regulations.

Alternatives:

The Department also considered prohibiting or restricting the transfer of all U.S. sensitive personal data to countries of concern. This alternative would go further than directed by the Executive Order, the provisions of which were directed at bulk U.S. sensitive personal data, and would entail more complicated and costly enforcement efforts than the proposed rule. Since this alternative would prohibit or restrict transfers of smaller quantities of sensitive personal data that may not substantially threaten U.S. national defense or foreign policy, the marginal benefits of regulating such transactions are not likely to justify the larger value of forgone transactions and compliance costs compared to the proposed rule’s estimated cost. The Department also considered taking no actions to prohibit or restrict transactions involving U.S. sensitive personal data or government-related data, an alternative that would yield no costs relating to forgone transactions or compliance, but that would not mitigate the national security risks associated with country of concern access to Americans’ bulk sensitive personal data and U.S. Government-related data, except in narrow circumstances through other existing national security authorities or processes that operate on a case-by-case basis.

Anticipated Costs and Benefits:

The Department believes the rule is significant under section 3(f)(1) of Executive Order 12866 (governing regulatory review), and estimates the discounted annualized cost of the proposed rule to be approximately $502 million annually.  This rule, when finalized, is estimated to afford protection to well over 100 million American individuals who are potential targets of countries of concern exploiting their bulk U.S. sensitive personal data. The annual cost estimate reflects the cost of complying with certain security requirements for restricted transactions, recordkeeping and reporting costs, auditing costs, and the costs associated with seeking a license or advisory opinion from the Department. The cost also accounts for some marginal lost transaction cost.

 

Risks:

If the Department does not issue the rule, the national security risk associated with countries of concern accessing Americans’ bulk sensitive personal data and U.S. Government-related data through data brokerage, transfers of genomic data, and vendor, employment, and investment agreements would remain largely unmitigated, and the President’s Executive Order 14117 would remain unfulfilled.

Timetable:
Action                      Date         FR Cite
ANPRM                       03/05/2024   89 FR 15780
ANPRM Comment Period End    04/19/2024
NPRM                        10/29/2024   89 FR 86116
NPRM Comment Period End     11/29/2024
Final Rule                  01/00/2025
Additional Information: Previously reported as RIN 1105-AB72.
Regulatory Flexibility Analysis Required: Undetermined
Government Levels Affected: None
Federalism: No 
Included in the Regulatory Plan: Yes 
International Impacts: This regulatory action will be likely to have international trade and investment effects, or otherwise be of international interest.
RIN Data Printed in the FR: No 
Agency Contact:
Lee Licata
Deputy Chief for National Security Data Risks, Foreign Investment Review Section
Department of Justice
National Security Division
175 N Street, NE,
Washington, DC 20002
Phone: 202 514-8648
Email: nsd.firs.datasecurity@usdoj.gov