Government Regulation

New U.S. Controls on Data Transactions with China, Russia, North Korea, Iran, Venezuela, and Cuba

On January 8, 2025, the DOJ finalized regulations that will prohibit or restrict all U.S. persons from engaging in data transactions with adversary countries, their companies and personnel. Under the headline of controlling “sensitive personal data” in “bulk” and government data, the details reveal that certain data sets trigger the controls in a very wide variety of scenarios not always intuitively sensitive or in mass quantities, presenting traps for the unwary. In addition, due to the DOJ’s adoption of OFAC’s exponential “50 Percent Rule”, enforcement and compliance will require extensive corporate ownership mapping.

Kenna Camper
By Larry Sussman

The DOJ’s Access to U.S. Sensitive Personal Data and Government-related Data by Countries of Concern or Covered Persons (the “DOJ Data Control Rule”) was born out of Executive Order 14117. That order called for comprehensive controls on any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest where such involves U.S. sensitive personal data or government-related data presenting an unacceptable risk to national security. According to the policy buildup, access to U.S. data allows its adversaries to engage in malign foreign influence activities such as:

  • tracking and building profiles on U.S. individuals for illicit purposes, using data such as mobile device information, geolocation information, vehicle telemetry information, financial transaction data, biometric and genomic data, health care data, and data on individuals’ political affiliations and leanings, hobbies, and interests.
  • collecting information on activists, academics, journalists, dissidents, political figures, or members of nongovernmental organizations or marginalized communities to intimidate them; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties.

In particular, the partially de-classified ODNI assessment on Cyber Operations Enabling Expansive Digital Authoritarianism stated:

Beijing’s commercial access to personal data of other countries’ citizens, along with AI-driven analytics, will enable it to automate the identification of individuals and groups beyond China’s borders to target with propaganda or censorship. Such access to analytics also will enable Beijing to tailor its use of a range of online and offline carrots and sticks to its targets outside of China – potentially on a large scale. 1

The DOJ also cited the Duke University study on Data Brokers and the Sale of Data on U.S. Military Personnel which explained:

“Foreign and malign actors could use location datasets to stalk or track high-profile military or political targets,” [revealing] “sensitive locations—such as visits to a place of worship, a gambling venue, a health clinic, or a gay bar—which again could be used for profiling, coercion, blackmail, or other purposes” 2

Countries of Concern, Adversary Countries, and PADFAA

The DOJ has determined that the following countries are the current “countries of concern” or “CoCs” subject to DOJ Data Control Rule because they have engaged in a long-term pattern or serious instances of conduct significantly adverse to U.S. national security, and because they pose a significant risk of exploiting U.S. data:

  • China (including Hong Kong and Macau);
  • Russia;
  • North Korea;
  • Iran;
  • Venezuela; and
  • Cuba

The CoCs overlap with the list of “adversary countries” identified for the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“PADFAA”), except for Venezuela and Cuba. According to the DOJ, PADFAA does not create a comprehensive regulatory system to adequately address national security risks. Notably, PADFAA is limited to actual data brokers while the DOJ Data Control Rule applies to all U.S. persons. We will discuss PADFAA, and its future, considering the subsuming features of the DOJ Data Control Rule, in a separate blog.

A Comprehensive Set of Data Transaction Contexts

What is remarkable about the DOJ Data Control Rule is the wide-ranging contexts of prohibited and restricted data transactions. The table below illustrates the real-life examples supported by the DOJ Data Control Rule which will be considered either prohibited or restricted.

What is Sensitive Data and Government Data?

The following tables identify the nature of the data subject to the DOJ Data Control Rule. U.S. sensitive personal data (“Sensitive Data”) is defined using thresholds for the number of records or devices, while government-related data (“Government Data”) is not subject to any threshold.

Geofenced Areas Published by the DOJ

Covered Persons and Corporate Ownership Mapping

A covered transaction must involve a CoC or a “Covered Person” as the recipient of Sensitive Data or Government Data. Covered Persons include the following:

  • foreign entities organized in or having their principal place of business in a CoC;
  • foreign entities that are 50 percent or more owned (directly or indirectly, individually or in the aggregate) by a CoC or Covered Person;
  • foreign employees or contractors of CoCs or entities that are Covered Persons;
  • foreign individuals primarily resident in CoCs; and
  • persons published on the Covered Persons list.

The inclusion of Covered Persons within the definition of possible shareholders follows OFAC’s 50 Percent Rule. In a simple case, a Covered Person causes its first-tier 50 percent subsidiary to be a new Covered Person. The new Covered Person can in turn cause additional new Covered Persons down each tier of ownership, infinitely. For example, three tiers of ownership with 50 percent or more at each level would cause the second and third tiers to be new Covered Persons, even though the first Covered Person’s indirect interest may be only 12.5% and 25% of the third-tier and second-tier entities, respectively.

More complex cases exist when the aggregate component of the 50 Percent Rule is applicable. In the example below, P and Q are Covered Persons. Due to aggregation, R is a new Covered Person. If S is also a Covered Person, T becomes a new Covered Person. T in turn has the ability to cause all of its progeny to become Covered Persons.

Follow this link to our video which illustrates the application of OFAC’s 50 Percent Rule.

Example application of OFAC 50 Percent Rule on WireScreen
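The tier-by-tier cascade and the aggregation case described above can be computed as a fixed point over an ownership graph. The following Python is an added example, not code from this article or from WireScreen; the entity names follow the text, but every percentage is constructed for illustration, all entities are assumed to be foreign, and indirect ownership is assumed to run only through entities that are themselves Covered Persons.

```python
from collections import defaultdict

THRESHOLD = 50.0  # percent; "50 percent or more" as stated in the text above

def covered_closure(stakes, seeds):
    """Return every entity that is a Covered Person by listing or ownership.

    stakes: iterable of (owner, owned, percent) direct holdings.
    seeds:  entities already known to be Covered Persons (or CoCs).
    An entity becomes covered once the direct stakes held in it by covered
    owners sum to THRESHOLD or more; it then counts as a covered owner
    itself, so the status cascades down every tier.
    """
    holders = defaultdict(dict)            # owned -> {owner: percent}
    for owner, owned, pct in stakes:
        holders[owned][owner] = holders[owned].get(owner, 0.0) + pct
    covered = set(seeds)
    changed = True
    while changed:                         # iterate until nothing new is added
        changed = False
        for owned, owners in holders.items():
            if owned in covered:
                continue
            total = sum(p for o, p in owners.items() if o in covered)
            if total >= THRESHOLD:
                covered.add(owned)
                changed = True
    return covered

def lookthrough_interest(stakes, owner, target):
    """Diluted interest of owner in target (percent), multiplying stakes
    along every ownership path. Assumes there are no circular holdings."""
    direct = defaultdict(list)
    for o, owned, pct in stakes:
        direct[o].append((owned, pct))

    def walk(node):
        if node == target:
            return 100.0
        return sum(pct / 100.0 * walk(child) for child, pct in direct[node])

    return walk(owner)

# Constructed sample data (hypothetical percentages, not the article's figure).
CHAIN = [("A", "B", 50), ("B", "C", 50), ("C", "D", 50)]
AGGREGATE = [("P", "R", 30), ("Q", "R", 25), ("R", "T", 20),
             ("S", "T", 35), ("T", "U", 60)]
```

Comparing `covered_closure` with `lookthrough_interest` on the same chain shows why a diluted-interest screen misses entities that the 50 Percent Rule captures.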

WireScreen also tracks historical and real-time changes in ownership, as well as nominee and contractual control structures unique to China, such as Variable Interest Entities. As noted by the DOJ:

Ownership percentages can fluctuate such that an entity could become a covered person, and such entities may be designated by the [DOJ] based on the significant controlling interest.

U.S. persons should exercise caution when … one or more covered persons may control by means other than a majority ownership interest. Additionally, persons should be cautious in dealing with such an entity to ensure that they are not engaging in evasion or avoidance of the regulations.

Anti-Circumvention, U.S. Person Direction Pitfalls, and Reporting Attempts 

The DOJ Data Control Rule contains a general anti-circumvention provision against evasion, avoidance, and conspiracies. The provision itself gives little detail; its scope is instead described by way of a set of examples. The examples cover evasion attempts by CoC nationals who enter the U.S. to make the transaction look like a domestic unregulated transaction, and the use of shell companies and front companies. In addition, there is a unique example involving AI training sets. In the example, a U.S. subsidiary of a company headquartered in a CoC licenses a derivative AI algorithm that was trained on impulsivity identifiers for targeted advertising from a U.S. online gambling company. Since the algorithm can reveal the raw training data, the transaction is prohibited when the subsidiary attempts to share the algorithm with its parent company.

Separately, the DOJ Data Control Rule provides that U.S. persons also may not direct any data transaction that would be a prohibited or restricted transaction if engaged in by a U.S. person. For example, a U.S. officer, senior manager, or equivalent senior-level employee directs a foreign company to engage in a covered data transaction that would be prohibited or restricted if performed by a U.S. person. This would be considered a violation. The same goes for U.S. persons that own a foreign company which in turn engages in transactions that would be prohibited or restricted if performed by a U.S. person. The DOJ Data Control Rule also contains a permissive example of these types of situations. In the example, a U.S. person is employed at a U.S.-headquartered multinational company that has a foreign affiliate that is not a covered person. The U.S. person instructs the U.S. company’s compliance unit to change its operating policies to allow the foreign affiliate to engage in transactions that would be prohibited or restricted if performed by a U.S. person. This would rise to the level of a violation as well.

Finally, a report must be filed by any U.S. person that has received and affirmatively rejected an offer from another person to engage in a prohibited transaction involving data brokerage. Notably, the DOJ specifies that such rejected offers include those situations where they are:

...automatically rejected using software, technology, or automated tools

Penalties

Violations of the DOJ Data Control Rule carry civil penalties of up to $368,136 or twice the amount of the transaction involved (whichever amount is greater). Criminal penalties of up to $1 million and 20 years in prison are available for willful violations.

CISA Security Requirements for Restricted Transactions

Restricted transactions are prohibited except to the extent they comply with predefined security requirements to mitigate the risk of access by CoCs and Covered Persons.

The requirements are separately produced and maintained by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”). They include items such as basic organizational cybersecurity policies, physical and logical access controls, data masking and minimization, encryption, and the use of privacy-enhancing techniques. 3

Exempted Transactions

The DOJ Data Control Rule contains a number of exemptions covering certain necessary data transactions and certain transactions that present unique competing interests.

Official government activities and otherwise authorized or treaty-covered transactions are exempt, as are personal communications, certain information or expressive materials, certain travel and baggage data, routine inter-company administrative matters, and ordinary telecom services. There is also a provision for investment agreements that overlap with CFIUS authority, subject to CFIUS mitigation compliance. Each of these is subject to various qualifications.

More detailed qualifications are provided for exemptions regarding financial services and certain life sciences activities. For example, certain financial services activities are exempt provided they are “ordinarily incidental” to basic financial services transactions (including e-commerce); however, there are numerous pitfalls where ordinarily incident activities intersect with the vendor and employment scenarios involving CoC access presenting national security concerns. Similarly, drug and medical device approval related transactions that are reasonably required by law in adversary countries are also subject to detailed exemptions. These generally follow FDA standards such as for data that is de-identified or pseudonymized; however, there are numerous carve-outs for transactions deemed to be unreasonable from a national security perspective.

1. https://perma.cc/ZKJ4-TBU6

2. https://perma.cc/BBJ9-44UH

3. See https://www.cisa.gov/sites/default/files/2025-01/Security_Requirements_for_Restricted_Transaction-EO_14117_Implementation508.pdf

Larry is an experienced lawyer who worked for over 20 years as a partner and Head of China at O’Melveny & Myers in Beijing, and as a partner at Hogan Lovells. As Special Counsel at WireScreen, he specializes in analyzing Chinese ownership structures and their associated national security and sanctions implications.
