On February 28, 2024, President Biden issued Executive Order 14117 (“EO”) that directs Department of Justice (“DOJ”) and other related federal agencies to issue regulations on the prohibition or restriction of access to bulk sensitive personal data transfer. This EO was issued under the authority granted by the International Emergency Economic Powers Act and National Emergencies Act and aims to limit transfer of bulk sensitive personal data and government related data to designated countries of concern. Concurrently, DOJ released an Advance Notice of Proposed Rulemaking (“ANPRM”, the EO and ANPRM together are referred to as the “Proposal”), which outlines a proposed regulatory regime to implement the EO. The final proposed regulations are due within 180 days of the publication of EO and compliance will not be required until a final rule is issued.
2024年2月28日, 美国颁布总统行政令来加强对批量个人敏感数据和美国政府相关数据的监管。 该总统令是基于国际紧急经济权力法案授予总统的权力所颁布。 同时司法部发布了对行政令的执行实施通知, 该通知中列举出了对于行政令应该怎样执行并且征集公共意见。 在接受后司法部才会发布最终的规则以及进一步的操作指南, 未发布最终规则前不产生效力。
The EO seeks to prohibits and restrict “covered data transactions” between “U.S. persons” and “covered countries of concern” or “covered persons” that involved the transfer of “bulk U.S. sensitive personal data” or “government related data.” This article will be concentrating on addressing the restriction and prohibition on the transfer of bulk sensitive personal data.
该总统令寻求限制和禁止“美国主体“和”受关注国家“/”受监管个体“之间涉及”批量个人敏感信息“和“政府相关信息“的”数据交易“。 本文将着重介绍其中对涉及批量个人敏感信息部分的限制和禁止。
Country of Concern and Covered Persons 受关注国家和被监管主体
According to the Proposal, Country of Concern include countries such as China (including Hong Kong and Macau), Iran, Russia, North Korea, Cuba and Venezuela.
其中受关注国家包括中国(包括香港和澳门), 古巴,伊朗, 朝鲜, 俄罗斯和委内瑞拉.
Covered Persons means an entity owned by, controlled by, or subject to the jurisdiction or direction of a Country of Concern; a foreign person who is an employee or contractor of such an entity; an foreign person who is an employee or contractor of a Country of Concern; a foreign person who is primarily resident in the territorial jurisdiction of a country of concern; or any person designated by the DOJ as being owned or controlled by or subject to the jurisdiction or direction of a Country of Concern, as acting on behalf of or purporting to act on behalf of a Country of Concern or other covered person, or as knowingly causing or directing, directly or indirectly, a violation of the EO or any regulations implementing the EO.
受监管主体包括: 受关注国家直接或者间接拥有50%以上股权的实体—第一类受限制主体; 由第一类、第三类、或者第五类受限制主体直接或者间接拥有50%以上股权的实体—第二类受限制实体; 作为受关注国家, 第一类、第二类或第五类受限制主体的雇员或者合同工的外国主体控制其管辖或者指示的实体—第三类受限制主体; 以及被司法部指定为由受关注国家拥有或者控制, 或受关注国家管辖或指导的主体,或是代表受关注国家及相关人员的主体, 或者是故意导致或者引起违反相关规定行为的主体。司法部会定期公布名单。
The EO seeks to exempt US persons from the restrictions, U.S. persons will include U.S. citizens, national or lawful permanent residents; any individual admitted to the United States as a refugee or granted asylum; any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person in the United States.
但是以下实体和个人不属于上述受监管对象的范围:美国公民, 国民或者拥有永久居住权的居民; 任何以难民身份进入美国或者获得庇护的人; 根据美国法律或司法管辖区组建的任何实体(或外国分支机构) 位于美国境内的主体。
Sensitive Personal Data 敏感个人信息
The Proposal defines sensitive personal data to include:
批量个人敏感数据包括:
· Genomic data
· 涉及人类基因组数据
· Biometric data: The DOJ proposes defining “biometric identifier” as measurable physical characteristics or behaviors used to recognize or verify the identity of an individual.
· 生物特征数据:是指用于识别或验证个人身份的可测量的身体特征或行为,包括面部图像、声纹和图案、视网膜和虹膜扫描、掌纹和指纹、步态和键盘使用模式等。
· Personal health data: The DOJ proposes defining “personal health data” as individually identifiable health information, regardless of whether such information is collected by a “covered entity” or “business associate “.
· 个人健康数据:司法部提议将“个人健康数据”定义为个人可识别的健康信息,无论这些信息是否由“受监管主体”或“商业协会”收集。
· Geolocation data: The DOJ proposes regulating covered transactions involving only precise geolocation information defined as data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within [number of meters/feet] based on electronic signals or inertial sensing units.
· 地理位置数据:司法部建议规范涉及精确地理位置信息的交易,该信息被定义为数据,无论是实时的还是历史性的,它都能准确识别个人或设备的物理位置,精度在[米/英尺的数量]范围内,基于电子信号或惯性感应单元。
· Financial data: The DOJ proposes defining “personal financial data” as data about an individual’s credit, charge or debit card, or bank account.
· 财务数据:司法部提议将“个人财务数据”定义为关于个人信用卡、借记卡、或银行账户的数据。
· Certain personal identifiers, specifically listed classes of personally identifiable data that are reasonably linked to an individual, and that—whether in combination with each other, with other sensitive personal data, or with other data that is disclosed by a transacting party pursuant to the transaction and that makes the personally identifiable data exploitable by a country of concern—could be used to identify an individual from a data set or link data across multiple data sets to an individual.
· 特定个人识别符,具体列出的与个人合理关联的个人可识别数据类别,无论是与彼此结合,与其他敏感个人数据结合,还是与交易方披露的其他数据结合,这些数据使得个人可识别数据可被一个关注的国家利用 — 可用于从数据集中识别个人或将数据与多个数据集关联到一个人身上。
Bulk Threshold: DOJ proposes establishing volume-based thresholds based on a risk-based assessment that examines threat, vulnerabilities, and consequences as components of risk. For the defined categories of sensitive personal data, the DOJ proposes the following thresholds:
监管数据门槛:司法部拟计划根据风险来评估数据收集的量级来决定数据收集监管的门槛,只有当数据集超过门槛才会进行规范和监管:
· Genomic data: 100-1,000
· 人类基因组数据:100-1,000人
· Biometrics: 100-1,000
· 生物识别标识数据:100-1,000 人
· Geolocation data: 100-1,000
· 精确地理位置及相关传感数据: 100-1,000 人
· Financial data: 1,000 -1,000,000
· 个人财务信息:1,000 -1,000,000人
· Health info: 1,000 to 1,000,000
· 个人健康数据:1,000 to 1,000,000 人
· Personal identifier: 10,000 to 1,000,000
· 特定个人识别数据:10,000-1,000,000 人
Restrictions and Prohibitions on Covered Transactions 被限制和被禁止的受监管交易
The program will regulate data transactions based on the risk of access by countries of concern to bulk sensitive personal data. The prohibited transactions will be those that DOJ determines posed an unacceptable risk of access by countries of concern, while the restricted transaction will be those that DOJ determines pose a risk of access that can be mitigated by certain security requirements.
该计划将根据受关注国家对大规模敏感个人数据的访问风险来监管数据交易。被禁止的交易将是司法部确定的对受关注国家的访问风险不可接受的交易,而受限制的交易将是司法部确定的存在一定访问风险,但可以通过特定安全要求加以缓解的交易。
Prohibited data transactions include:
彻底禁止的数据交易包括:
· Data-brokerage transaction.
· 经纪交易数据
· Genomic-data transfers involving the transfer of bulk human genomic data or biospecimens from which such data can be derived.
· 涉及批量人类基因组数据或可从中提取数据的生物样本转移的基因交易数据.
Restricted data transactions include:
受监管的被限制的数据交易包括:
· Vendor agreements involving the provision of goods and services (including cloud-service agreements) 供应商协议(包括云计算服务协议)
· Employment agreements 雇佣协议
· Investment agreements. 投资协议。
The restricted data transactions will be prohibited unless certain security requirements are implemented. 受限制的交易需要满足有关安全要求。
Exempt Transactions: the proposal contemplates exempting transactions that are:
· Ordinarily incident to and part of financial services, including banking, capital markets and financial insurance services, as well as payment processing and regulatory compliance
· Ordinarily incident to and part of ancillary business operations (such as payroll or human resources) within multinational U.S. companies
· Activities of the U.S. government and its contractors, employees and grantees
· Transactions required or authorized by federal or international agreements.
赦免的交易:该提案考虑免除以下交易:
· 通常发生并作为金融服务的一部分,包括银行业、资本市场和金融保险服务,以及支付处理和监管合规。
· 通常发生并作为跨国美国公司内的附属业务操作的一部分(例如工资支付或人力资源)。
· 美国政府及其承包商、雇员和受赠人的活动。
· 根据联邦或国际协议要求或授权的交易。
Compliance & Enforcement 合规以及执行
The DOJ is currently considering creating and implementing a compliance and enforcement program modeled on the Department of Treasury’s IEEPA-based economic sanctions, which are administered by OFAC.
司法部同时正在考虑制订和实施一个合规和执行计划, 该计划以财务部基于国际经济紧急权力法案的经济制裁为模板, 并且由OFAC来管理。
Subsequent Action 后续行动
The program would not apply retroactively (before the effective date of the final rule). However, the DOJ may, after the effective date of the regulation, request information about transactions by United States persons that were completed or agreed to after the date of issuance of the EO to better inform the development and implementation of the program.
该计划将不具有回溯力(即不会对在最终规定生效前的交易产生效力)。 但是司法部可能对在规定生效后, 对于在总统令颁发之后完成或者同意完成的交易寻求提交信息,以便更好的为该计划的制订和实施提供信息。
Impact of the Executive Order and Suggestions on the Operation of the Business
行政令产生的影响以及对可能收到影响的公司的建议
It can be expected that the EO will directly impact industries of biotechnology and healthcare, electric vehicles, financial investment and e-commence, especially the companies that have global presence. Companies that may be impacted by the EO should consider reconstructing of their IT management security systems, and classify data into different protection levels, access permissions to meet the security requirements of the newly proposed regulations.
可以预料的是, 根据受限制的数据类型, 该行政令会对生物科技和健康医疗、智能网联车、金融投资以及电子商务等行业造成直接影响, 尤其是对跨国公司。 受影响公司需要重新考虑公司的IT架构以及公司运营结构, 以及对公司的数据进行重新分类、对数据访问进行限制等, 以满足即将出台的法规的合规要求。
Disclaimer: the information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available in this article are for general informational purposes only. Please contact us for legal consultation at connie@lionslawgroup.com.
豁免: 本文不构成也不意图构成法律建议; 所有的信息、内容和材料都旨在提供总体信息。 如需要法律咨询请联系Lion’s Law的戴律师connie@lionslawgroup.com。