CIPL Responds to DOJ NPRM on Bulk Transfers of Americans’ Sensitive Personal Data

On November 27, 2024, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth filed a response to the Department of Justice’s (“DOJ”) Notice of Proposed Rulemaking, which implements Executive Order 14117 of February 28, 2024. Read our previous coverage. CIPL offered comments with a view to ensuring that certain aspects of the rule remove potential ambiguities and establish clear and appropriate guardrails for data transactions in countries of concern.

In particular, CIPL noted that the proposed rule does not define anonymized, pseudonymized, de-identified or encrypted—terms used throughout the proposed rule that carry great significance based on the context. For example, a proposed exemption for data transactions necessary to obtain and maintain regulatory approval to market a drug, biological product, medical device, or combination product in a country of concern is limited to data that is “de-identified.” Pharmaceutical companies and others seeking to obtain and maintain regulatory approval need clarity on what de-identified means in this context. CIPL has asked the DOJ to confirm that the de-identification that takes place for post-market pharmacovigilance reporting to the FDA would be the applicable standard. Relatedly, CIPL has asked the DOJ to clarify that key-coded data may constitute “regulatory approval data” within the scope of that exemption.

CIPL has also asked the DOJ to consider amending the definition of bulk U.S. sensitive personal data to provide an exemption for data encrypted with post-quantum cryptography (“PQC”). NIST has approved a suite of PQC algorithms designed to withstand attacks by a quantum computer. Given the government’s mandate to transition to these quantum-resistant algorithms by 2035, a PQC exemption would incentivize encryption via PQC algorithms.

Section 202.302 of the proposed rule includes a prohibition specific to data brokerage to address transactions involving the onward transfer or resale of government-related data or bulk U.S. sensitive personal data to countries of concern and covered persons. With respect to the need for contractual restrictions in data brokerage transactions with foreign persons, CIPL has asked the DOJ to clarify that the regulation does not apply to agreements entered into prior to the effective date. If, however, the DOJ determines that the regulation applies to agreements entered into prior to the effective date, CIPL has requested that the DOJ provide sufficient time for U.S. companies to amend existing agreements.

Read CIPL’s full response.
