On February 28 President Biden issued an Executive Order “to protect Americans’ sensitive personal data from exploitation by countries of concern.” (EO 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data by Countries of Concern.”)

On March 5 the National Security Division of the Department of Justice (DOJ) published an advanced notice of proposed rulemaking (ANPRM) to regulate “U.S. government-related data or bulk U.S. sensitive personal data.” (89 Fed. Reg. 15780 – 15802.) The proposed rule has a relatively short comment period ending on April 19.

Congress has also been considering legislation to regulate data brokerage transactions, which have been accelerating at a rapid pace. On March 7 the U.S. House Energy and Commerce Committee reported the Protecting Americans’ Data from Foreign Adversaries Act (H.R. 7520) by a vote of 50 to 0. The legislation could be debated on the House floor in the weeks ahead.

The DOJ regulation and H.R. 7520 differ in several key respects, including the following:

Regulator: DOJ (ANPRM) v. the Federal Trade Commission (H.R. 7520).

Data Categories: The ANPRM sets forth six categories of covered data; H.R. 7520 includes 16 categories.

Prohibitions: The ANPRM defines data brokerage, vendor, employment, and investment agreements. It bans transfers under any of these four types of agreements of any volume of data relating to certain government facilities and personnel, or bulk volumes of human genomic data. It also bans transfers by data brokers (but not under the other three types of agreements) of bulk volumes in five other sensitive personal data areas. H.R. 7520 focuses on data brokerage agreements. It bans transfers by data brokers of any volume of sensitive personal data in any of the 16 data categories.

Additional Restrictions: The ANPRM contains restrictions on transfers of bulk sensitive personal data under vendor, employment, or investment agreements by requiring that certain security requirements to be in place. It also contemplates the creation of “general or specific licenses” to create exceptions for the transfer of certain data. H.R. 7520 has no comparable provisions.

Countries of Concern: The ANPRM covers individuals and entities related to six countries; H.R. 7520 covers data recipients in four countries.

Click here for a detailed side-by-side comparison of the two proposals