
New Rules on Sensitive Personal Data Exports to China

Welcome everyone to another edition of my China Tech Law Newsletter. Today’s topic is a quick synopsis in layman’s terms on the newly proposed executive order from the Biden Administration which would impose restrictions on export of certain “sensitive” data to China (among a few other “usual suspect” countries like Russia and North Korea). In particular, we are talking about bulk transfers of certain personal information with the target of the regulations being data brokers.

Side note: Government-related data is also covered by the EO, but that is probably less applicable to readers of this blog than the sensitive data requirements.

However, even though data brokers are the target, the thresholds at which the restrictions kick in are relatively low, as low as 100 persons for geolocation, biometric, and human genomic identifiers.

Sensitive Data

Sensitive data includes:

  • Specifically listed personal identifiers (but not all PII)
  • Geolocation data
  • Biometric identifiers
  • Human genomic data
  • Personal health data
  • Personal financial data

Permitted and Restricted Transfers

Reminiscent of China’s Foreign Investment Catalogue, there is a permitted/restricted distinction.

  • Prohibited data exports = all data brokerage transactions + bulk genomic-data transactions
  • Restricted data exports = vendor agreement data transactions (think cloud providers), employment agreement transactions, and investment agreements (think acquisitions of data centers).

Prohibited data exports will need a license from the Department of Justice, either general (by type) or specific (by transaction), similar to licenses granted under product/technology export control rules by the Department of Commerce.

Restricted data exports are permitted without a license so long as the exporter adheres to cybersecurity measures in line with standards which will soon be issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

Carveouts are available for certain transfers such as intracompany HR and external e-commerce transactions.

Some Observations:

  • Spillover effects (unintended) will be inevitable even after the comment period is over and the Executive Order goes into effect.
  • The interplay of DOJ’s coverage for investment agreements and CFIUS’ coverage of venture and M&A transactions with TID rules on sensitive personal data will be interesting to watch. DOJ is a committee member of CFIUS so presumably they’ll coordinate the overlap. Notably the numeric thresholds for this EO are lower than CFIUS thresholds.
  • It appears regulators are getting more and more savvy to potential loopholes (inspired probably by the original loopholes in the pre-FIRRMA CFIUS regime and the DOC’s revised semiconductor rules in Oct 2023, after NVIDIA and others used loopholes in the original Oct 2022 rules). Specifically, here they would look to principal place of business (China) vs. incorporation (Singapore?), with a backup mechanism for the DOJ to put specific companies on the list if they didn’t neatly fall into one of the enumerated elements (another entity list!).
  • Still, it seems likely that policing behavior is going to be challenged by how slippery data is, especially once it’s left the country - third-party transfers to companies in China would seem to be a big potential enforcement problem.
  • In a shout-out to the increasing capabilities of AI etc. to identify otherwise anonymized / de-identified data… certain anonymization will not necessarily exempt exporters from the requirements as it often does under global data privacy regulations.
  • Good cybersecurity measures will be needed, if for no other reason than peace of mind for companies exporting more than de minimis quantities of data to these countries. Like the FCPA and product/technology export control regulations, having internal controls in place (here primarily cybersecurity) will be a mitigating factor for penalties.

In short, this is the first of a likely increasing number of regulations on data exports to certain countries like China and Russia. Remember the impetus here is really national security, not data privacy. Although we are desperately in need of comprehensive data privacy regulations like the EU and China have, given the current state of affairs in Congress that appears unlikely to happen anytime soon. It’s going to continue to be piecemeal and ad hoc in the meantime, with sometimes blunt measures enacted such as the Congressional action to divest TikTok from ByteDance - precisely because no regulations exist to otherwise govern the situation from an industry-wide perspective.

Stay tuned, more regulations to come no doubt, and in the meantime thank you for reading the now weekly newsletter and remember to subscribe if you haven’t already!

*This blog may be considered attorney advertising. It is for informational purposes only and does not constitute legal advice.