On October 29, 2024, the US Department of Justice (DOJ) issued a proposed rule to implement US President Joe Biden’s Executive Order (EO) 14117 aimed at preventing access to Americans’ sensitive personal data and US-government-related data by countries of concern.
The proposed rule would prohibit or restrict certain transactions involving bulk sensitive data (the thresholds of which are defined in this proposed rule), particularly those that pose the national security risk described in the EO. The proposal includes health data as one of the categories of sensitive personal data that could be exploited by countries of concern. This includes personal health data of individuals, which could be used to analyze lifestyles, spending habits, and personal visits to sensitive locations such as health clinics.
While this proposed rule tackles issues beyond health-specific data, this article focuses on information relevant to those operating in healthcare. Stakeholders who operate in human genomics, pharmaceutical research and development, and clinical research should review this proposed rule closely.
Comments are due by November 29, 2024. For assistance preparing comments, contact the author of this piece, or your regular McDermott+ consultant or McDermott lawyer.
BACKGROUND
On February 28, 2024, President Biden issued EO 14117, entitled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The EO directs the Attorney General to issue regulations that prohibit or otherwise restrict US persons from engaging in “any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (transaction),” where the transaction:
DOJ’s proposed rule identifies six countries of concern:
The goal of the proposed rule is to protect “sensitive personal data” from being exploited by a country of concern to harm US national security, particularly if that data is linked or linkable to any identifiable US individual or to a discrete and identifiable group of US persons. As a result, relevant entities would be prohibited from sharing bulk sensitive data with the six countries identified as a threat to national security.
The proposed rule provides specific definitions of sensitive personal data and what constitutes “bulk.” It clarifies exceptions and exemptions (which are particularly relevant for certain healthcare entities), as well as proposed penalties.
DEFINITIONS AND PROPOSED THRESHOLDS
The proposed rule defines six categories of sensitive personal data:
DOJ also proposes four tiers of sensitivity, which tie to numerical thresholds for bulk sensitive personal data. Relevant proposed definitions and thresholds are discussed below.
Bulk US sensitive personal data. The proposed rule defines this as a collection or set of sensitive personal data relating to US persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.
The proposed rule defines “bulk” as any amount of such data that meets or exceeds the specified thresholds during a given 12-month period, whether through one covered data transaction or multiple covered data transactions involving the same US person and the same foreign person or covered person.
Covered person. The proposed rule identifies a “covered person” as an individual or entity that the Attorney General has designated as a covered person or that falls into one of the following classes of covered persons:
An entity is also a covered person if it is a foreign person that is 50% or more owned, directly or indirectly, by a covered person. Any foreign individual who is an employee or a contractor of such an entity or of the country of concern itself is also a covered person.
The proposed rule would not treat any US person, including a US subsidiary of a covered person, as a covered person unless DOJ has designated that US person as a covered person pursuant to the process described in the proposed rule. In other words, no US person, including the US subsidiary of a covered person, would be categorically treated as a covered person under the proposed rule.
Human genomic data. The proposed rule identifies human genomic data as the most sensitive category, and DOJ proposes that it occupy the first tier of sensitivity on its own. The bulk threshold for human genomic data would be more than 100 US persons. Anything below this amount would not trigger the limitations in the proposed rule.
The proposed rule defines “human genomic data” as data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a human cell, including the result or results of an individual’s “genetic test” and any related human genetic sequencing data. The term “human genomic data” does not include non-human data, such as pathogen genetic sequence data, that is derived from or integrated into human genomic data.
Biometric identifiers. Biometric identifiers and precise geolocation data would be grouped under tier two of sensitivity. The proposed bulk threshold for biometric identifiers is more than 1,000 US persons. Anything below this amount would not trigger the limitations in the proposed rule.
The proposed rule defines “biometric identifiers” as measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.
Personal health data. Personal health data and personal financial data would be grouped in the third tier of sensitivity. The proposed bulk threshold for personal health data is more than 10,000 US persons. Anything below this amount would not trigger the limitations in the proposed rule.
The proposed rule uses the Health Insurance Portability and Accountability Act of 1996 (HIPAA) definition of “individually identifiable health information” as the starting point for its personal health data definition and then revises it so that the proposed rule’s definition does not turn on whether data is handled by HIPAA covered entities or business associates. Personal health data is not defined in terms of whether the data identifies an individual, because the proposed rule would apply regardless of whether data is de-identified.
The proposed rule defines “personal health data” as health information that relates to:
The personal health data includes:
The proposed rule would operate on a categorical basis and would determine that the category of personal health data generally meets the requirements of being “exploitable by a country of concern to harm U.S. national security” and “is linked or linkable to any identifiable U.S. individual or to a discrete and identifiable group of U.S. individuals.”
Covered personal identifiers. The proposed rule would place covered personal identifiers into the fourth tier. The proposed bulk threshold for covered personal identifiers is more than 100,000 US persons. Anything below this amount would not trigger the limitations in the proposed rule.
The EO defined “covered personal identifiers” as “specifically listed classes of personally identifiable data that are reasonably linked to an individual, and that – whether in combination with each other, with other sensitive personal data, or with other data that is disclosed by a transacting party pursuant to the transaction and that makes the personally identifiable data exploitable by a country of concern – could be used to identify an individual from a data set or link data across multiple data sets to an individual,” subject to certain exclusions.
The proposed rule provides three subcategories of covered personal identifiers:
There are two proposed exceptions:
EXCLUSIONS AND EXEMPTIONS
Exclusions from definition of sensitive personal data. The proposed rule would exclude certain categories of data from the definition of the term “sensitive personal data.” These exclusions include:
Exclusions from data-brokerage transactions. The proposed rule also includes a prohibition specific to data brokerage to address transactions involving the onward transfer or resale of government-related data or bulk US sensitive personal data to countries of concern and covered persons. The proposed rule defines “data brokerage” as the sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.
The proposed rule includes an exemption relevant to healthcare entities. Specifically, grantees and contractors of federal departments and agencies, including the US Department of Health and Human Services, the US Department of Veterans Affairs, the US National Science Foundation, and the US Department of Defense, would be exempt. The exemption allows these agencies to pursue grant- and contract-based conditions to address risks that countries of concern can access sensitive personal data in transactions related to their agencies’ own grants and contracts, without subjecting those grantees and contractors to dual regulation under the rule and the grant or contract.
Drug, biological product, and medical device authorizations exemption. Under the proposed rule, certain data transactions necessary to obtain and maintain regulatory approval to market a drug, biological product, medical device, or combination product in a country of concern would be exempt from the prohibitions in the proposed rule.
This exemption aims to balance the need to mitigate US national security risks related to unrestricted transfer of bulk US sensitive personal data to countries of concern against scientific, humanitarian, and economic interests in enabling the sale of medicines in those countries. This exemption would be limited to data that is:
For example, de-identified data that is gathered in the course of a clinical investigation and would typically be required for US Food and Drug Administration (FDA) approval of a covered product would generally fall within the exemption. Conversely, clinical participants’ precise geolocation data, even if required by a country of concern’s regulations, would fall outside the scope of the exemption because such data is not reasonably necessary to evaluate safety or effectiveness. DOJ recognizes that data collection and submission continue beyond the initial regulatory approval process, and it intends the term “regulatory approval data” to include data from post-market clinical investigations (conducted under applicable FDA regulations), clinical care data, and post-marketing surveillance (including data on adverse events).
For example, where continued approval to market a drug in a country of concern is contingent on submission of data from ongoing product vigilance or other post-market requirements, the exemption would apply. The exemption would apply even where FDA authorization for a product has not been sought or obtained. DOJ does not, in the proposed rule, intend to require US companies to seek authorization to market a product in the United States before seeking regulatory approval from a country of concern. The proposed exemption is limited to transactions that are necessary to obtain or maintain regulatory approval in the country of concern.
Other clinical investigations and post-marketing surveillance data exemption. The proposed rule would exempt data that is “ordinarily incident to and part of clinical investigations regulated by the FDA or clinical investigations that support applications to the FDA for research or marketing permits for drugs, biological products, devices, combination products, or infant formula.”
It also would exempt data that is “ordinarily incident to and part of the collection or processing of clinical care data indicating real-world performance or safety of products, or the collection or processing of post-marketing surveillance data (including pharmacovigilance and post-marketing safety monitoring), and necessary to support or maintain authorization by the FDA, provided the data is deidentified.”
Other FDA-regulated research exemptions. In the proposed rule, DOJ acknowledges the challenge of balancing national security risk and biomedical innovation that benefits the United States. DOJ is considering how to effectively strike that balance and how to scope an exemption for transactions related to or supporting FDA-regulated research to meet that goal. The DOJ is considering the scope of a possible exemption along three axes:
The exemption would also apply to clinical care data indicating real-world performance or safety of products, or post-marketing surveillance data (including pharmacovigilance and post-marketing safety monitoring), where necessary to support or maintain authorization by the FDA.
DOJ also recognizes the existing regulatory framework in these contexts and is evaluating whether these provisions adequately reduce the national security risk associated with the transfer of bulk US sensitive personal data to a country of concern or covered person.
One proposal would exempt all transactions that are part of the conduct of the investigation. An alternative proposal would limit an exemption to only certain types of transactions that are especially important to the conduct of a clinical investigation and that cannot feasibly be avoided without jeopardizing the clinical investigation.
The proposed rule contemplates implementing an exemption for clinical investigations, clinical data, and post-marketing surveillance through one or more general licenses as opposed to including the exemption in the final rule. The DOJ believes general licenses may be a more flexible regulatory tool that can be adjusted to varying circumstances, but for the short term, the DOJ believes that a codified exemption would provide more clarity and certainty for relevant entities.
ADVISORY OPINIONS
The proposed rule would create a mechanism for potentially regulated parties to seek opinions about the application of the final regulations and/or the EO to specific transactions. The proposed rule would permit a US person seeking to engage in a transaction potentially subject to the final regulation to request an interpretation of any provision. The proposed rule would require that advisory opinions only be requested regarding actual (not hypothetical) transactions. Advisory opinions could cover, for example:
PENALTIES
The proposed rule includes civil monetary penalties based on noncompliance, material misstatements or omissions, false certifications or submissions, or other actions and factors.
The proposed maximum civil monetary penalty for violations would be the greater of $368,136 or twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed. DOJ proposes to make annual adjustments, based on inflation, to the civil monetary penalty. Willful violations would lead to criminal fines of up to $1 million and up to 20 years’ imprisonment.
NEXT STEPS
The proposed rule is open for public comment through November 29, 2024. Healthcare entities and other interested stakeholders should consider commenting on the appropriateness of the proposed exemptions and exclusions, as well as the adequacy and accuracy of the proposed definitions and related thresholds.
For more information, please contact Rachel Stauffer or Daniel F. Gottlieb (McDermott Will & Emery – Partner).