
Lawfare Daily: The New Program to Protect Americans' Bulk Data from Foreign Exploitation, with DOJ's Devin DeBacker

Scott R. Anderson, Brandon L. Van Grack, Devin DeBacker, Jen Patja
Friday, November 8, 2024, 12:00 PM
Listen to a new episode in "The Regulators."

Published by The Lawfare Institute
in Cooperation With
Brookings

Today, Lawfare General Counsel and Senior Editor Scott R. Anderson and Lawfare Contributing Editor Brandon Van Grack sat down with Devin DeBacker, the Chief of the Foreign Investment Review Section at the U.S. Department of Justice, to talk about the new program his office is setting up regulating foreign transactions involving bulk data on Americans.

Together, they discussed the contours of the new regulatory program, what sorts of exploitation of Americans’ data it aims to prevent, and how it intersects with other steps Congress has taken, including the recent Protecting Americans’ Data from Foreign Adversaries Act.

This episode is part of our special series, “The Regulators,” co-sponsored with Morrison Foerster, in which Brandon and Scott sit down with senior U.S. officials working at the front lines of U.S. national security and economic statecraft.

To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/c/trumptrials.

Please note that the transcript was auto-generated and may contain errors.


Transcript

[Intro]

Devin DeBacker: So, one of the key, I think, insights from the rule, from the proposed rule is that we're focused on activities, we're not focused on entities. And that is a key distinction from the parallel universe of privacy regulation.

Scott R. Anderson: It's the Lawfare Podcast. I'm Senior Editor Scott R. Anderson with Contributing Editor Brandon Van Grack and Devin DeBacker, chief of the Foreign Investment Review Section at the U.S. Department of Justice.

Devin DeBacker: These are emerging threats, as we've talked about, that we're trying to urgently address. We're also trying to do that in a very deliberative way, and that's why we took the optional step of doing an advance notice of proposed rulemaking and taking the optional step of doing all these engagements with companies in the private sector so that we can maximize the amount of feedback we have and the time we have.

Scott R. Anderson: Today, as part of our special series, the Regulators, we're talking about the new program the Justice Department is setting up to regulate foreign transactions involving bulk data on Americans aimed at preventing their exploitation by foreign actors.

[Main Podcast]

Brandon Van Grack: In March, you were on the podcast and you talked about this bulk data program that we're going to talk about today.

You sort of gave a description of it and what it might look like. And so now we're at the point where the U.S. government, the Department of Justice, has formally noticed that this is happening, that this has now taken shape, and so I want to go through some of the details of the program, but really get a little deeper as well now that this is becoming a reality in terms of what this means, what people should be looking out for, and so maybe just to begin, if you could sort of help level set, and just give an overview of what this bulk data program is.

Devin DeBacker: At its core, the program sets generally applicable rules, and you can think of this like sanctions, or export controls, for transactions involving access to bulk sensitive personal data of Americans. And so the proposed rule, much like we previewed in the ANPRM, would limit or prohibit U.S. persons from engaging in certain categories of cross-border commercial activities, or transactions, that we think pose an unacceptable risk of giving countries of concern, or covered persons, access to bulk sensitive personal data, or certain narrow categories of U.S. government-related data.

Brandon Van Grack: Before we, you know, we're going to dive deep into some of those terms, what they mean, and also like how it applies. But before we do that, I want to talk a little bit about where this program is situated because you're at the Department of Justice and you lead a group, the Foreign Investment Review Section.

And I don't think you use the word foreign or investment or review in your summary. And so, you want to sort of level set in terms of understanding why, why is this, you know, why are you, you know, helping oversee this program?

Devin DeBacker: I think we're probably due for a name change, but that's a subject for a different time. But I do think the name is apropos of the origins of the idea for the program. So, to step back, I mean, our responsibility when I started this job, our responsibility was the bread and butter of reviews of foreign investments and foreign participation in U.S. businesses, examining the national security risks posed by those kinds of investments and activities, and then mitigating them.

And we did that on a very case-specific, transaction-specific basis. And what we were seeing was that we were consistently mitigating some of the same kinds of data security risks, over and over and over again. And really the fact that we were doing it in the context of a foreign investment or in the context of a telecommunications license was pure happenstance. The risk was much broader than that. It was a systemic risk. And so the idea here is that we will take the experience and expertise that we have in the Foreign Investment Review Section in mitigating those kinds of data security risks and do it more globally, do it more systemically rather than just sort of the one off transactions that we happen to look at through these other authorities.

Brandon Van Grack: So just to press on that, and I understand, including the origin story, but why the DOJ? Because what you just said, it could have applied to CFIUS, and I don't say that in terms of sort of, you know, to pit one agency against the other, but what is it about DOJ and its authorities and its sort of enforcement posture that sort of leads it to, to be housed in your group?

Devin DeBacker: I think it's a few things. So first, DOJ and, you know, with the FBI is the premier counterintelligence agency in the United States. And that's the main category of national security risk that we're talking about when we talk about foreign adversary access to sensitive personal data. It's the exploitation of that data for counterintelligence purposes. Like, foreign malign influence or blackmail or espionage or surveillance, and so on. So it's really at the core of our national security equities and those are exactly the kinds of cases and transactions that we end up taking a lead role in, in CFIUS and in Team Telecom and some of these other authorities. So it's right at the core of our national security equities.

It's also, though, consistent with the department's focus on corporate compliance and enforcement in the, particularly in the national security space. I think it's safe to say that this is housed at DOJ. It's a program that, as the assistant attorney general said in March, is going to have real teeth behind it. And it's going to be enforced very seriously like a, like sanctions, and like export controls.

Brandon Van Grack: So just anytime you say DOJ, I can't stop talking. So, Scott, I'll jump in a minute, but you know, we just announced the notice. So are, you know, are you already staffed up? What's the current sort of situation in terms of being able to hit the ground running?

Devin DeBacker: So, we have a couple of different phases to the staffing and the build-out plan. The first phase is really to take us from the issuance of the executive order through the stand-up of the program, through the issuance of the final rule. That phase relies on an interim team, a beachhead team, if you will, of detailees and contractors. So, we've taken detailees from other agencies that run similar programs. We have OFAC detailees. We have BIS detailees. We've got detailees from the Criminal Division and so on that have something of a tiger team that's standing this program up. There'll obviously need to be a more permanent build-out of the program that will happen over the next year or so, but what I would ultimately anticipate it to look like is very similar to OFAC or BIS, right? There will be a licensing and advisory opinions work stream. There'll be a regulatory and policy analysis shop. There'll be a targeting and designation shop to designate covered persons. We already have a compliance and enforcement team in place in FIRS, and so we'll leverage that team to do compliance and enforcement for this new program.

We obviously have the intelligence community liaisons through both the FBI and in-house in the section. And so that's what the program will ultimately look like when we sort of get to the permanent build-out. Right now, of course, we're focused on the rulemaking. We're focused on getting to the final rule and having the program become effective. We're also, of course, building out things like the IT infrastructure that's needed to actually process licensing opinions or licensing requests, and advisory opinions, and, you know, building the standing operating procedures that we're going to use to designate covered persons and so on.

Brandon Van Grack: You're just describing building a regulatory group within the Justice Department and the FARA unit probably has, the unit for the Foreign Agents Registration Act, like, has, is somewhat analogous, but that's a, you just talked about a bunch of different groups that are like, is there already, you know, resources in the budget identified for this? Like, is this something where you have a vision that you're going to be X, you know, X number of folks by the end of 2025 dealing with this? Like, do you have that level of granularity?

Devin DeBacker: So we definitely have a budget plan. We're working with Congress on securing, you know, the new funding that will be necessary to put this program into effect next year when the final rule drops.

You know, much as I say that this program can't work unless the private sector understands their obligations. It also can't work if the government isn't properly resourced to run it and to educate the private sector on their obligations. So that's a key component of building out the program. And, you know, we're continuing to work with our congressional partners and making sure that those resources come to pass.

Scott R. Anderson: So, DOJ is playing the lead role in this program, but it's not working alone. Interestingly, this notice kind of coincided with a release from CISA that kind of works hand in glove to some extent with the proposed rules that you guys have laid out.

What role are they playing in this program, do they anticipate playing in this program? And what other agencies come in? What else is informing this process? CFIUS is obviously a very interagency-driven process, so presumably other agencies are involved here. Who has what equities where?

Devin DeBacker: Well, as you know, that was a purely coincidental, not at all planned concurrent release of those security requirements.

But I think it is an important point. So, I, again, think of this like sanctions or export controls. I mean, export controls are run by Commerce, but there are specific parts of the process, for example, in the licensing process, where other agencies have inputs and have important roles, so that they can bring their expertise and equities to bear.

So for this program, CISA is a key partner. CISA is responsible for designing and ultimately finalizing the security requirements that will govern the categories of restricted transactions under the program. And those are mostly cybersecurity requirements, which, you know, we can talk about another time if it's appropriate.

Other agencies also have important roles. And so, for example, if we were to get a license, let's say, a license request that asked for a license for the financial services sector, then we would consult with Treasury. And the proposed rule lays this out. We would consult with Treasury to make sure that we're calibrating that license appropriately, and including any conditions on the license to make sure that we're not unduly hampering whatever transaction it is that we may license.

Same thing would be true for, say, if there are clinical research transactions that take place overseas in a country of concern or with a covered person. We would consult our HHS colleagues to make sure that we're getting those decisions right, from both the national security perspective, but also from an economic perspective.

So while it's not an interagency committee like CFIUS or like Team Telecom, and it is run and implemented by DOJ, our interagency partners have very important roles to make sure that we really bring the whole government's expertise to bear on the decisions we're going to make around licensing and advisory opinions and enforcement.

Scott R. Anderson: So let's actually get into the program, how you guys envision this working, the requirements, the obligations. Give us a kind of rough overview. Let's start, I guess, with the core foundational concept, which is of a covered person, which is the threat element, the entity you're worried about.

What do we mean by covered person? Who does it include and who do we anticipate it potentially including in the future?

Devin DeBacker: So, the concept of covered persons really gets at this idea of a hybrid commercial threat, which the FBI has talked about in other contexts. And the idea there is that there are certain countries, and here it's the countries of, the six countries of concern, that have legal, and political, and practical abilities to leverage companies and individuals that are under their jurisdiction or control to gain access to things, whether it's technology or systems or data. And the idea of covered persons is to recognize that these categories of individuals and companies exist, and that they often pose the same risk as selling directly to the PRC or to Russia or so on.

And so the way that the proposed rule tackles this is not to adopt a purely list-based approach, you know, contra the entity list, for example. Instead, we have categories of covered persons. There are four categories in the proposed rule, and they cover things like foreign entities that are 50 percent or more owned by a covered person or by a country of concern, or entities that are headquartered in a country of concern, or foreign individuals who primarily reside in a country of concern.

We also have the ability to supplement those categories through designations, and so we can designate individual companies or persons that meet certain criteria like they're acting, we find that they're acting on behalf of a covered person, or that they're a cutout, or they're an agent of a country of concern or things like that. And those designations will live on a public list, much like the SDN List for sanctions.

Brandon Van Grack: So a foreign branch of a U.S. company is not a covered person, is that right?

Devin DeBacker: A foreign branch of a U.S. company is treated the same way it's treated under sanctions, which means that it's part of the U.S. person. So really when you get into, as I suspect we're going to, branches and subsidiaries, the question is sort of where do you draw the wall, right?

Brandon Van Grack: And therefore, just to pull that thread, just, you know, one inch further, so a foreign subsidiary that would be, a foreign subsidiary, I should say, located in a country of concern would be considered a covered person here.

Devin DeBacker: That's right. A foreign subsidiary would be treated as a separate entity. And so if it otherwise met the criteria for a covered person, then it would be a covered person.

Scott R. Anderson: So let's dig into this concept of a country of concern, which, in a way, is even a more foundational threat concept than the covered person concept. There are six countries currently in this category. What are they and what makes them unique? Why do they warrant inclusion in this universe? And what are the on- and off-ramps you all are envisioning for the program moving forward? What do countries have to do to get off this list and what might pull other countries onto this list?

Devin DeBacker: So the, there's a two-part test under the executive order for whether a country is a, qualifies, as a country of concern. And it's a fairly familiar test that we've seen in other national security regulatory programs like Commerce's ICTS program.

But the test is whether the country is engaged in a long-term pattern or serious instances of conduct that are significantly adverse to our national security. And whether they pose a significant risk of exploiting government-related data or bulk U.S. sensitive personal data, to the detriment of our national security.

So there's sort of a general inquiry into whether they've been engaged in instances of activity that are significantly adverse to our national security, and there's a more specific data security inquiry as well. The six countries that are on the list are the same six that have been identified in the ICTS program. They overlap significantly with countries that have been identified for purposes of other regulations, like the outbound investment regulations, and sanctions as well. And so, in terms of on-ramps, off-ramps, I mean, the program will involve continuous evaluation, and so we'll always be examining whether we need to adjust our regulations and identify or change the list of countries of concern.

But I think that there's a pretty high bar to doing that, particularly when it comes to these six countries. If folks need, you know, nighttime reading material, then you can read the NPRM and the, you know, 20 or 30 pages of unclassified material about why these countries meet that two-part test, but they really are sui generis when it comes to their willingness and ability and desire to get American sensitive personal data and then exploit it to the detriment of our country.

And you need to look no further than, you know, China and its attempts to hack, and crack, and buy, and steal and otherwise get access to sensitive personal data. And, you know, you can look at the front page of the Wall Street Journal for that.

Scott R. Anderson: What are, for our listeners who might not have it at the tip of their fingers, what are the six countries?

And because, the slightly broader category, you look at the outbound investment restriction system, that's very China, that is expressly China-focused. There's a little broader universe, not, I don't think anyone, any of them are surprising, but just for the listener, which ones are we talking about? 

Devin DeBacker: So we're talking about China, Russia, Iran, Venezuela, North Korea, and Cuba.

Brandon Van Grack: So, we've identified what countries, you know, that if a person or a company is located in, sort of, via certain connections. So let's talk about like, you know, what type of transaction and activity gets connected here, and I say that because I think when we use the term transaction, it feels a little bit like a misnomer here, and that's not to be critical, although this is just a notice so you have opportunities to change it, I suppose, because it seems like access is actually the focus as opposed to transaction.

So I mean, I think we should get to the data piece as well, but before we get to the data, what type, what are the sort of the triggering events, I should say, if we have a country of concern and a person or entity located or connected to it?

Devin DeBacker: So transaction and access are two key elements of the program. And for the, you know, legal nerds out there listening, and I'm one of them, the idea of transaction is a little bit of a, as you say, a misnomer, it's a holdover from IEEPA, the International Emergency Economic Powers Act, which is the basis of the program, but really an IEEPA transaction is activity. That's what we're talking about. It's a broad term that covers everything from dealing to holding to, you know, to the more traditional transactions where you enter into an agreement.

Now the transactions we're focused on in the program, at least under the proposed rule, I put them into two categories. There are prohibited transactions and there are restricted transactions. There are two categories of prohibited transactions. One is data brokerage. The other are transactions that give a country of concern or covered person access to biospecimens from which genomic data can be derived or actually involve the exchange of bulk genomic data.

The restricted transactions are vendor employment and investment agreements. And so one of the key, I think, insights from the rule, from the proposed rule is that we're focused on activities. We're not focused on entities. And that is a key distinction from the parallel universe of privacy regulation.

Brandon Van Grack: Obviously, Scott and I have read every word of the notice. But just to unpack some of that, because obviously the prohibited versus restricted is a key piece there. But, you know, just to break it down. So, on the prohibited piece, you know, as you said, bulk data, a lot of that, or, you know, a shorthand would be, bulk data, but that's potentially a little bit more transaction-oriented in terms of like sale, but that's not restricted to that. But that's sort of a shorthand. And then, as you said, genomic data, but that's sort of it's, that's not necessarily transaction oriented, but that's a little bit more access-based in terms of the focus because of the sensitivity of that information. Is that sort of a…?

Devin DeBacker: I think that's fair. And I think the way I would think about it is, if transaction is confusing, it's a legal term, then I would think about it as commercial activity, right? Commercial activity that involves this kind of access: that's the right way to think about it.

Brandon Van Grack: And then, so then, and I think though the restricted piece, and again, that's a prohibited ban. So the restricted piece, it's a little bit more complicated. And I think you said vendor employment and investment. And I, this is one where I think that's where I quibble with you on the word transaction. Although I, as a fan of IEEPA or maybe sort of a, someone who has dealt with IEEPA, sort of, I appreciate the grounding in the statute. But those are, you know, vendor employment investment are not necessarily sort of sale-based, which is again, I think where some people oftentimes, sort of, connect transaction, which is not the way it's being used here.

And so I'm wondering maybe just touching on each of those, because I do think, in terms of the program itself, that those are the areas where listeners or companies may either be surprised or not expecting necessarily being brought into this. And so I'm wanting just to spend a minute talking about what we mean by each of those terms.

Devin DeBacker: Absolutely. And I think that's a key point. This program is not just about sale. It's not even primarily about sale. It's about a range of commercial activities of which sale is one. So if your company is not engaged in data brokerage, not engaged in the sale of data, that doesn't mean that you can sort of not read the 422 pages and put it aside. It has important implications for how businesses engage globally. So, let's talk about those three kinds of restricted transactions.

So they are, I hope, what they sound like. Employment agreements are those, you know, a U.S. company hires a PRC citizen living in China as part of its global IT team that would have global access to its systems, including sensitive personal data on Americans. That's a sort of core example of a restricted employment agreement.

Brandon Van Grack: And just on that one, just to, because I think that is an important one, one that I suspect will require companies to sort of take a step back. So you talked about data, but the issue is an individual, they have to be located in, for example, a country of concern, or would it just be a national?

Devin DeBacker: And so it would depend on whether they meet the categories or the, or they've been designated. But if they're primarily resident in a country of concern, there'll be for, so there's two sets of covered persons when it comes to entities. There's two sets of covered persons when it comes to individuals.

And for individuals, we're talking about folks who are primarily, foreign individuals who are primarily resident in a country of concern, as well as foreign individuals who work for a covered entity.

Brandon Van Grack: So in your example, a U.S. company, an individual, you'd sort of said data, but in general, if there was a U.S. company and an individual located in a country of concern, simply, I say the word simply, had access to the data, that would be enough to trigger, so it doesn't have to be, well, they work for a particular group within this company. It's the access that would be the trigger to the restriction. Is that correct?

Devin DeBacker: That's right. As long as they're working for a U.S. person and a U.S. company, then that's correct. So it could change with subsidiaries, for example, right? If you have a U.S. company that has a foreign subsidiary in a country of concern and the covered person works for the foreign subsidiary, then absent some sort of evasion or structuring of that relationship or shell game, then that's the sort of transaction that, the employment relationship would not be regulated, but the relationship between the parent and the subsidiary would.


Brandon Van Grack: And then so maybe just a moment on the vendor and the investment piece as well.

Devin DeBacker: Absolutely. So for vendors, the name is Vendor Agreement, but what it really refers to is any arrangement, commercial arrangement between a U.S. person and a foreign person that involves the exchange of goods or services where there's the kind of access to sensitive personal data. So, frequently, when we say vendor, folks think of a foreign company or foreign individual providing services to a U.S. company, but it could be bi-directional.

And then when we're talking about investments, what we're talking about is really what it sounds like. These are foreign investments in U.S. businesses or in U.S. persons, so a U.S. company that has bulk sensitive personal data, they want to give a stake in their company to, say, a Russian investor. That's the sort of transaction, to use the term, that will trigger the, you know, trigger the proposed rule. 

Brandon Van Grack: So, I have one more follow up on that, and then I'll shut my mic off, which is can you explain why that piece would necessarily be covered by the other hat you wear, which is in the world of, in fact, specifically regulating foreign investment in U.S. companies?

Devin DeBacker: Absolutely. So the interaction with CFIUS, the Committee on Foreign Investment in the United States, is an important one for the proposed rule, especially given that was part of the origins for the program. So, the idea, there are a couple reasons why.

Transactions come into life in the world before CFIUS ever touches them frequently. So there are many transactions CFIUS does not review. There are also risks that CFIUS cannot address. CFIUS is statutorily limited to addressing risks that arise as a result of the transaction, meaning risks that arise as a result of the foreign investment in the U.S. business. But it is possible that the U.S. business already has vulnerabilities or that there are pre-existing risks that are outside CFIUS's scope to address.

And so the idea here is that this program will set baseline security requirements for these foreign investments as soon as they come into life. And those baseline security requirements will operate, unless and until CFIUS takes some other action, so that it will allow CFIUS to tailor more bespoke mitigation measures to a particular transaction if it wants to.

Obviously, coordination with CFIUS is going to be a very important part of the program. It's another reason why it makes sense to house it at least within the Foreign Investment Review Section, because we can do all of that internally.

Scott R. Anderson: So, we have a sense now, of the pretty deep contours of how this program operates, to some extent, the expectations, the way it applies to different sorts of transactions, different sorts of entities. Talk to us a little about how you intend to actually enforce these rules, because this is kind of a new transactional area, right, particularly talk about foreign entities. You know, the CFIUS program traditionally has relied pretty heavily on voluntary disclosures. It's structured to incentivize companies to come to you with information and to get them kind of pre-cleared. That's not built in here in the same way.

So what sort of is the enforcement strategy for this? And what sort of penalties are we talking about slash what expectations, what is expected of companies and what will happen to them if they don't comply?

Devin DeBacker: Let's talk about what's expected of companies, because I think the last thing that we want to be in the position of doing is pre-clearing a million data transfers every year. I think that would be terrible for us, it would be terrible for the private sector, it would be terrible for the internet. So that's not the idea here. The idea here, really, and I hate to keep stealing from my friends at OFAC, but the idea here is, but I'm going to.

The idea here is that companies will have to implement risk-based compliance programs. Their compliance programs are going to have to be tailored to the particular risk profiles that their business has. It's based on the services and products they offer, based on where they do business, based on who they do business with, based on the kind of data they hold, based on the kinds of commercial activities or transactions they engage in, and so on.

And so it will, in some ways, really be up to companies in the first instance to decide what those programs look like, and then to implement them. And that's just a necessary feature of any program like this. It's a necessary feature of sanctions, it's a necessary feature of export controls in the first instance, and the reason for that is because the U.S. government is not on the front lines of these transactions, and these activities. Those are the companies. And so, at the outset, I view it as a partnership. It has to be a partnership. We rely on companies to protect the data, to protect technology, to protect capital from flowing where we don't want it to go, and that's a necessary feature of the program.

Now, that's not true for every category of transaction. The restricted transactions pose some heightened risks because it's an instance in which we're allowing there to be some commercial activity between a U.S. person and a covered person where we're relying on measures to mitigate access to the data. And so because of that heightened risk, we have prescribed some due diligence requirements that are affirmative obligations on the companies that, we are, in essence, prescribing aspects of their compliance program in the rule. Things like record keeping and auditing and due diligence and so on.

Now how are we going to enforce this? Enforcement is a real key priority for this program because it's not going to work if people don't follow the rules. We have a number of mechanisms in the proposed rule to help us enforce. We have a number of reporting requirements that companies are obligated to follow. Those include things like annual reports for companies that are engaged in restricted transactions, record keeping requirements for companies engaged in restricted transactions, restrictions on resale of data. So, obviously, companies that are sell, U.S. companies that are selling data to a foreign third party that's not a covered person. There's the risk that data can then just be easily resold or re-exported to a country of concern, and now the risk is materialized, and it's a very easy loophole or workaround.

And so the proposed rule has provisions in it to restrict that further resale, and also to notify us if U.S. companies suspect that there's been a violation of that restriction, so that we can decide to take appropriate action against a foreign third party, including treating them as a covered person, we could designate them. And so what this really boils down to is having a circle of trust. And most people are inside the circle of trust, but the point of the program is to place some limits on where that trust extends and where data can go.

Now what kind of penalties can companies face? So, it's IEEPA. IEEPA has both civil and criminal penalties. The department, obviously, is very well versed in the criminal enforcement of IEEPA-based programs, including sanctions and export controls. And so, part of the benefit of housing this at the department, is that I'll be able to walk across the hallway, and talk to my colleagues at CES, and they will be the ones responsible for criminal enforcement of this program, just like they are for sanctions and export controls.

Obviously, it's going to take willing violations, and willful violations, to get to the level of criminal enforcement. And certainly in the early days, what we're looking to do is educate and make sure that companies understand their compliance obligations. But it is a 422-page proposed rule. A lot of this, I think, is quite clear. And companies have a lot of mechanisms to get more clarity. They can seek licenses, they can seek advisory opinions, they can look at the guidance we're going to put out, and so on.

Scott R. Anderson: That actually brings me to another question I had, which is about these advisory opinions, which is, kind of, a unique tool. You see some regimes like this one use it; other ones lean on it less often.

What is the vision for the role advisory opinions will play in this program vis-a-vis licenses? Because they could play a similar function in terms of giving, serving a kind of pre-clearance function. Is that what you're envisioning or is this something that has a different role in the program?

Devin DeBacker: So, there are different mechanisms for getting clarity. I think that's right. And advisory opinions really allow parties to come to us and say, we think this is how the rules apply, but we're not sure. This is a gray area. And so in some way it allows us to develop precedent and it's another mechanism for developing guidance around the rules.

So we'll issue guidance. We'll have, you know, we'll have guidance that explains, for example, how we're going to take, the approach we're going to take to compliance, the approach we're going to take to enforcement. But there may be specific questions about, you know, how do these obligations, for example, on complying with the prohibitions apply to, say, someone in this sector doing this kind of transaction?

The advisory opinions will allow us to answer those more granular questions, and they'll provide some precedent and build up some precedent around the application of the program. Licenses are sort of another step further, where companies are saying, look, we know that this is not, this is not allowed under the program, or we think it's not allowed under the program. And so we want a variation from that. And we want to, we want authority to go forward with the transaction, even though it's something you all have identified in the regulations as prohibited or restricted.

I think it's fair to say that, you know, we'll certainly consider every license request on its merits. But the idea behind the program is that the rules are supposed to be pretty targeted to the risk we see. And so I think it's going to be a pretty high bar for us to grant a license in the ordinary course.

Brandon Van Grack: So, I feel like over the last year, I, but also listeners have become accustomed to the acronym NPRM and ANPRM, which is terrible. But what we—

Devin DeBacker: Just awful.

Brandon Van Grack: Just awful.

Scott R. Anderson: We should define for people.

Brandon Van Grack: We will. So I won't even give you what all the words mean, but what we're talking about here is there's a notice of a rule, and there's an advance notice. And I say this because earlier this year when you were on there had been an advance notice. We are thinking about doing a regulation or rule. Now we have the notice, the NPRM, I'll let listeners figure out what the P and the R and the M stand for.

But what I, but the reason I flagged that is, is I think it makes sense to just spend a minute, what are the major differences between what had been discussed or proposed earlier this year and where we're at now? Because, in particular, I think there are some exemptions that were added and I think it's important to flag those.

Devin DeBacker: That's right. So the proposed rule that we just issued very closely tracks the preview that we gave earlier in the advance notice. Most of what you see in the proposed rule are additional details and clarifications and implementation of what was previewed in the advance notice. But you're right, there are some additional, in particular, some additional exemptions that we've added in response to helpful comments from the public.

So, the proposed rule adds, for example, new exemptions for clinical trial data. There are two different exemptions related to clinical trial data because of the importance of not unnecessarily impeding cross-border research and healthcare. One of those exemptions is for clinical trial data that's needed to obtain regulatory approval to research or market a drug or device in a country of concern. We're certainly not trying to stop drug companies from marketing, you know, life saving drugs in other countries, even if that involves some submission of sensitive personal data to a country of concern.

Likewise, we're also proposing to exempt clinical trial data that's needed to support FDA applications for research and marketing for the same reasons. And we also propose exempting transactions or activities that are ordinarily incident to telecommunications services. So if a U.S. telecommunications company needs to exchange some personal data in order to say, initiate calls or, you know, do chargebacks for roaming or things like that, we're certainly not trying to break the phone system any more than we're trying to break the Internet.

Brandon Van Grack: Well, and so part of that is obviously because there's still a comment period that's occurring right now. And so it strikes me as, what occurred was certain industries sort of identified some concerns on how these advance proposed rules would impact them and impair their business, and it strikes me as in terms of what comments you might be looking for would be similarly if there have yet to be identified particular areas or industries that would be particularly harmed and affected by this, to sort of flag those.

Is that sort of a fair characterization?

Devin DeBacker: I think that's right. And I'd say the more specific the comments, the better. It's hard for us to know how to calibrate the proposed rule if we have, you know, if what we get are general comments or comments that aren't, you know, very specific about or concrete about how, you know, particular sectors are engaged in activities and how the data is used in those activities and who they're engaged with and the kinds of data and so on.

So the more specific, the better. Definitely encourage comments.

Brandon Van Grack: One more comment, which is, I think, also sort of providing an overview. I think we sort of obviously have gone through, I think, some aspects and details of the program, but I want to ask about sort of the why now? And it's because this really is a paradigm shift in terms of the U.S. government, how it's regulating data and access to data and activity involving data in a way they haven't before. And my question is it because there's greater awareness of the threat or has the perceived threat evolved and therefore it's because of that evolution that now is the time?

Devin DeBacker: I think the right answer is yes.

So, I think it is both things. Certainly when we sort of, you know, get the reps in through CFIUS and Team Telecom and some of these other case-specific authorities over the last 5 to 10 years, certainly that creates a greater awareness within the government and we're able to connect different, you know, the different reps to each other and understand the threat better.

I also think the threat is evolving and I think you know, you know, I'll give you two data points. So just a couple months ago, the intelligence community released the National Counterintelligence Strategy and this was in August. And there's, you know, a whole page is devoted to the efforts by foreign adversaries to gain access to sensitive personal data to exploit it for precisely the reasons that we're trying to address in this program. That, you know, that sort of public acknowledgement of that threat in that way, I think, underscores that the threat is evolving and the threat is increasing.

And it increases, of course, with the advancements in technology. So the better AI gets, the better the ability of foreign governments and foreign adversaries to take sensitive personal data, manipulate it, understand it, draw insights between different data sets, and so on. And then, of course, every week I feel like there's another news story about how geolocation data or some other form of data is being used to track and surveil people in ways we don't want. I'm sure that by the time this goes live that the example I'm going to give is going to be replaced by some other story. That's been, you know, that's come to pass, but I think it was just a few days ago that Le Monde reported that the geolocation data from a fitness app used by the bodyguards and security personnel of U.S. presidential candidates and political leaders were used to track the non-public movements of those leaders. And so that's just a great example of how data can be used, and is being used in ways that you can easily imagine how that would affect our national security if it's in the hands of, say, China or Russia.

Scott R. Anderson: We've touched a little bit on what the types of data we're talking about, but before we, we kind of get out of the nitty gritty of the program, we should spin it down. There are kind of six categories of data that we're really concerned about here to different degrees, to some extent. Walk us through the logic behind that. What are we worried about, and to what extent are we worried about these different categories?

Devin DeBacker: So there are six categories, as you mentioned. It's human genomic data, biometric identifiers like facial images or voice prints, precise geolocation data, personal health data, personal financial data, and then certain covered personal identifiers, which is a narrower set than just sort of general PII.

And, look, each of these categories in our view presents, you know, they're all certainly sensitive enough from a national security perspective to regulate activities involving them. Within that, we think that there are, you know, some differences in the abstract in the sensitivity. So, you know, we're concerned about these categories of data in sort of two different scenarios. One is where transactions give access to this data in bulk, where it's a large data set from which aggregated insights or finding needles in haystacks can be conducted by a foreign intelligence service or a foreign adversary. The other is more of a micro-targeting concern, and that's the category of U.S. government-related data, where we're concerned about data on certain U.S. government officials, even if it's just one official. So those are the two scenarios in which we're concerned about these categories of data.

Now, when it comes to bulk data, what we're talking about are different volumes of each kind of data that's sufficiently large that pose, that we think pose an unacceptable risk. So, the, what we've done is we've gone through the proposed rule and looked at the different categories and analyzed across a variety of factors the sensitivity of each category. And so just to take sort of, a quick and easy example: genomic data, in our view, is the most sensitive from a national security perspective of those six categories, and so it has the lowest bulk threshold. The bulk threshold in the proposed rule is if you, if the commercial activity involves more than 100 U.S. persons’ genomic data.

And the reason for that is because bulk genomic data poses risks that are not only counterintelligence risks, but also other national security risks. So, unlike some of the other categories of data, which are primarily, it can primarily be used for counterintelligence purposes, genomic data can also be used to not only conduct surveillance, oppression, extortion, and influence operations, but it can also potentially be used to inform bioweapons development. So there's an additional national security imperative there, and that's part of the reason why we treat that as the most sensitive category of data.

On the other end of the spectrum, you have covered personal identifiers, which are things like names linked to government ID numbers. These are useful for purposes of identifying individuals in datasets, or across datasets or cross-referencing datasets, but it's a relatively speaking narrower counterintelligence concern, so that's why that has a higher bulk threshold and a lower degree of sensitivity.

Brandon Van Grack: Will your enforcement priorities and actions sort of reflect the different sort of the spectrum and prioritization that you just described?

Devin DeBacker: I think that's right. It's going to be a key factor in our enforcement priorities. All things being equal, if we have a prohibited transaction someone has engaged in, same country of concern, same circumstances, same lack of due diligence, and one of those involves bulk genomic data, and one of them involves bulk-covered personal identifiers.

All things being equal, the national security imperative is going to be to treat the bulk genomic data example as more problematic from an enforcement perspective and warranting, you know, greater penalties or greater action than the covered personal identifiers. Now, I'm sure it will never be that simple but I think that that priority, that the sensitivity is going to be a key factor in our enforcement.

Scott R. Anderson: So, we're at the stage now where we're at the NPRM stage, the Notice of Proposed Rulemaking stage, meaning we've got some time before these are the actual rules. What is the timeline you all are anticipating?

And of course, with any program like this, you know, it's like getting a plane to take off. You've got to build altitude over a period of time, so what sort of runway are we looking at even past, you know, the Notice of Proposed Rulemaking period? You know, a hundred days from now, how do we see this program going? And what do you expect companies and other relevant actors to begin doing to prepare? Like, how much do they need to hit the ground running day one? And how much is there expected to be a broader implementation period?

Devin DeBacker: Well, some days it feels like we're building the wings while the plane is taking off. But I think thankfully we're getting past that point. I think the proposed rule helps us do that.

So, look, this, it's no secret that this rulemaking is on an expedited timeline. These emerging threats we've talked about, that we're trying to urgently address. We're also trying to do that in a very deliberative way, and that's why we took the optional step of doing an advance notice of proposed rulemaking, and we're taking the optional step of doing all these engagements with companies in the private sector so that we can maximize the amount of feedback we have for the time we have.

That said, look, the assistant attorney general, as he said in March, you know, we're looking to stand this program up over the next year. So that would look, you know, we're looking at, you know, spring 2025 when we would hope these regulations to go into effect. What can companies start doing now?

What companies can start doing now is understand the rules, engage with us, and start understanding their business and their data. What kinds of data do they hold? What kind of activities do they engage in? Who are they engaging with? Who has access to their data? What safeguards do they have in place to protect and mitigate access to that data? What kind of business do they have and exposure do they have to countries of concern and to covered persons? They really have to understand that business.

And then what's going to, the next step will be taking that understanding and building it into a compliance program that is part of the business process. Because I think too often, and I'm going to step back into a broader corporate compliance role, but too often what we see is that the compliance functions in a company are, and this isn't true everywhere, but the compliance functions at a company are an afterthought and they're separate from the business processes. Compliance has to be built into business. It's not enough that someone goes to the compliance folks and says, does this raise a red flag? Oh, we did it last week, by the way, so hopefully it doesn't. Those kinds of considerations have to be built in to deciding whether or not to engage in activities in the first place.

Scott R. Anderson: So let's look a little further out into the future then. This regime, as you noted several times, is based in IEEPA, a 1977 law that people are probably most familiar with from the sanctions context, also was used to run the export control regime for various stints when it lacked statutory authority throughout the 90s and 2000s, maybe a little earlier than that, even.

This is a pretty novel use though of IEEPA, and it's not the only one. I should note this administration is using IEEPA in a lot of interesting, innovative ways. How complete an authority for what you all think you need to do does IEEPA seem to be? IEEPA does have carve outs. You have, you know, kind of First Amendment speech related restrictions from the Berman Amendment, restrictions for medical technology, equipment, humanitarian assistance, stuff like that.

And of course, it has a, kind of, template of penalties. It requires annual renewal to an emergency. Is there an idea that this is a stop-gap to eventual statutory authorization, or is the idea that this is a program that can sit in this sort of position permanently?

Devin DeBacker: So IEEPA is a broad authority. And I think that while it's a novel threat we're addressing, I don't think it's such a novel use of IEEPA, in the sense that, and this now comes back to the nerdy legal point, but we're addressing commercial transactions. And that's really what IEEPA was designed to do. It's part of the reason, and I think this is an important point for folks to understand, that what the rule does not do is say we're going to regulate data flows, right? It doesn't say that. It doesn't say we're going to regulate how U.S. companies within the U.S. company, you know, moves in, and uses data overseas. And so what we're not doing is just regulating data flows generally. We're regulating transactions and commercial activities, really at the heart of IEEPA.

Look, Scott, as you noted, IEEPA does have certain carve-outs. We don't, you know, generally view those carve-outs as problematic for what we're trying to regulate. We're not regulating expressive material or First Amendment material. We're talking about geolocation data. We're talking about latitudes and longitudes. We're talking about fingerprints. We're talking about, you know, genomic data. Not the kinds of First Amendment or, you know, news-oriented data that or news-oriented information that the Berman Amendment was designed to carve out.

So I think IEEPA, you know, this will stand on its own under IEEPA. Now, is that to say that there aren't clarifications or updates that would be helpful from Congress? Absolutely not. I think it would be great if IEEPA were updated in certain ways, including to, you know, make clearer, for example the meaning of the Berman Amendment. I think, you know, that would be useful. And there are bills right now, pending on the Hill to do that. But look, as to the program as a whole the program will stand on its own, I'm confident.

Scott R. Anderson: And Congress, of course, hasn't been completely lying down when it comes to this issue. We saw them enact the Protecting Americans Data from Foreign Adversaries Act relatively recently. How does this regime intersect with that, to what extent do they reinforce each other, and is that an avenue to greater cooperation with Congress, or is there desired avenues for greater cooperation down the road?

Devin DeBacker: I'm just glad you didn't call it PADFAA because that, I think, would have pushed me over the edge.

Scott R. Anderson: We've had enough indecipherable acronyms already, on this episode.

Devin DeBacker: So, you're right. So, look, the, I'm not sure what else to call it, but the, that act that Congress passed, it's different. It's different in scope, it's different in structure. Yeah, you can read the proposed rule and it explains that we're not inclined to alter the scope of our program in light of the passage of that law for a variety of reasons, but let me just highlight some differences for folks who are looking at these two authorities and wondering what to make of the two of them together.

So you have FTC that's, of course, in charge of enforcing PADFAA. I see how it's hard to avoid. There are no licensing or advisory opinions or rulemaking authority under the act. It's purely civil enforcement. It's entity-based, not activity-based. And so in that sense, it looks more like a privacy regime, although it is very much targeted at national security risk. It's effective now unlike the data security program, which will go into effect in the future. It applies really to, you know, to generalize a bit, only to third-party data brokers. It doesn't include Cuba and Venezuela. It doesn't cover indirect sales and resales. These are all differences from the proposed rule.

It covers a broader set of kinds of data, including things like certain kinds of movie information, movie rental information. But it's also narrower because it only covers identifiable data, whereas the proposed program covers encrypted anonymized aggregated data as well, and it contains this exception for what I call a consent-based exception where if an individual consents to the use or sharing of their information then that is not prohibited by the act. And so it's really quite different in structure and scope and what we are doing is to work closely with the FTC to avoid conflicts. And I think, you know, as one example, you know, we're going to work closely with the FTC to make sure that if we license a transaction under our program or a transaction would be exempt under our program, that we align their enforcement of that law so that we don't create conflicting or dual obligations or, you know, confusion in the marketplace.

And really just to take a step back, it's really important for us that the obligations are clear. We don't want there to be that kind of confusion. And the reason we don't want there to be that kind of confusion is because it's going to result in substandard compliance across the board, which means worse national security outcomes. It's better to have a clear set of rules and no questions about, you know, well, if I engage in an exempt transaction under this program, then what does that mean? Is the FTC going to come after me? And those sorts of things. And so we're going to work closely with the FTC and I think there'll be more to come on that publicly, you know, in the coming months.

Scott R. Anderson: Well, that brings us to the end of our time together today, but this has been an incredibly illuminating deep dive into a pretty complex regime.

Devin, thank you so much for joining us here today on the Lawfare Podcast.

Devin DeBacker: Thanks, Scott. Thanks, Brandon.

Scott R. Anderson: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.

Please rate and review us wherever you get your podcasts. Look out for our other podcasts including Rational Security, Chatter, Allies, and the Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Make sure to check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja. Our theme song is from Alibi Music. As always, thank you for listening.


Scott R. Anderson is a fellow in Governance Studies at the Brookings Institution and a Senior Fellow in the National Security Law Program at Columbia Law School. He previously served as an Attorney-Adviser in the Office of the Legal Adviser at the U.S. Department of State and as the legal advisor for the U.S. Embassy in Baghdad, Iraq.
Brandon L. Van Grack is a partner and co-chair of the National Security and Crisis Management practices at Morrison & Foerster LLP. He is a former senior national security official at the U.S. Department of Justice, where he served as Chief of the Foreign Agents Registration Act (FARA) Unit, Senior Assistant Special Counsel to Special Counsel Robert S. Mueller III, Counsel to the Assistant Attorney General for the National Security Division, Trial Attorney in the Counterintelligence & Export Control Section, and as a prosecutor in the U.S. Attorney’s Office for the Eastern District of Virginia.
Devin DeBacker is the chief of the Foreign Investment Review Section in the National Security Division at the Department of Justice.
Jen Patja is the editor of the Lawfare Podcast and Rational Security, and serves as Lawfare’s Director of Audience Engagement. Previously, she was Co-Executive Director of Virginia Civics and Deputy Director of the Center for the Constitution at James Madison's Montpelier, where she worked to deepen public understanding of constitutional democracy and inspire meaningful civic participation.