To discuss the Department of Justice’s new proposed rule on data security, we interviewed two brilliant guests from the ChinaTalk Hall of Fame — DOJ National Security Division attorneys Lee Licata and Devin DeBacker.
Before DOJ, Lee was an attorney at DHS and then CBP, while Devin was a partner at Kirkland & Ellis and then worked with the Office of White House Counsel. Today we’ll be discussing the DOJ’s new proposed rule on data security.
Have a listen on Spotify and Apple Podcasts.
We get into…
DOJ’s plan to protect your data from foreign adversaries,
How public comments have shaped the proposed rule since the last time we interviewed Lee and Devin,
DOJ’s tools for enforcing corporate compliance,
The differences between data security regulations, privacy laws, and export controls,
Why some public comments get accepted and some get rejected,
The DOJ playbook for assembling a dream team of talented bureaucrats.
Shutting the Front Door
Nicholas Welch: Lee and Devin, welcome back to ChinaTalk.
Devin DeBacker: Happy to be back. As repeat guests on ChinaTalk, are we eligible for a plaque or some kind of award?
Nicholas Welch: You know, I’m not in charge of funding — you’ll have to ask the dictator of ChinaTalk once he’s back from paternity leave. But your request — like the many requests you likely receive in the notice and comment period — is duly noted.
For those who missed the show back in April, here’s the context — back in February, there was an executive order focused on preventing foreign access to Americans’ bulk sensitive personal data and US Government-related data by countries of concern. This was followed by an advance notice of proposed rulemaking (ANPRM). Now, we are in a period of notice of proposed rulemaking (NPRM), one step closer to the final rule.
Can you give us a 40,000-foot view of this executive order and the proposed rule? What national security risks are they aiming to address?
Devin DeBacker: The audience might be wondering, “What are these 422 pages of regulatory detritus all about?”
The primary risk we’re addressing here is the national security threat posed when foreign adversaries or their intelligence agencies access Americans’ sensitive personal data. Such data can be exploited, weaponized, and turned against our national interests in various ways. For instance, adversaries can use geolocation data to track and monitor Americans, or health and financial data to identify vices and vulnerabilities in individuals’ lives, such as behavioral patterns and daily routines. This data can be weaponized to surveil, blackmail, intimidate, or otherwise influence those individuals — whether targeting specific people or analyzing broader population insights. This rule aims to address and mitigate these kinds of threats.
Nicholas Welch: This rule isn’t addressing, say, an intelligence agency hacking in through the back door to steal information. You’re talking about data on the open market that could be purchased by anyone, right?
Devin DeBacker: Exactly. The “front door, back door, and side door” analogy works well here. We’ve got a “barn full of data” on Americans, and we’re trying to close the front door with this rule.
Other mechanisms and tools (especially from DOJ and other agencies) are in place to close the back door.
But we can’t leave any doors open, and the front door has been wide open for a long time. It’s been advertised almost as a free-for-all.
This rule aims to close that front door. Legally speaking, this covers legitimate or lawful commercial transactions where foreign adversaries can access data — either by buying it on the open market or through vendors, employees, or investors who can leverage it through their country’s political or legal systems.
Nicholas Welch: Where does this rule fit in the broader sanctions and export control framework? How does it contribute to the ongoing discussion about the intersection of national security and economic security? Is it similar or different from semiconductor export controls?
Lee Licata: Good question. There are aspects of this rule that resemble the Office of Foreign Assets Control (OFAC) and our export controls regime. This rule seeks to move beyond a case-by-case approach as we see with CFIUS, Team Telecom, or even some of the Commerce ICTS Authority actions, which often look at specific transactions or entities. Instead, it takes a more systemic or holistic approach across holders of this kind of data. The idea is to implement prohibitions and restrictions similar to an OFAC regime. It includes features like advisory opinions and licensing options, which are standard in such regimes. We see this as a foundational step toward a more comprehensive framework.
Devin DeBacker: Zooming out a bit, there are key assets in the US that we want to protect from falling into the wrong hands. Sometimes it’s technology, sometimes capital — we don’t want money flowing to terrorists, for instance. In certain cases, we want to prevent not just capital, but also the know-how that accompanies it from reaching critical sectors of emerging technology. Likewise, we want to protect sensitive American data from misuse. Each of these regimes — export controls, sanctions, outbound investment, and now this data security program — addresses a distinct part of that problem, forming a suite of tools in our national security toolbox.
Restricted Transactions and Covered Persons
Nicholas Welch: Let’s dig into the specifics. The rule says a “US Person” cannot engage in a “restricted transaction” with a “covered person.” What do these terms mean exactly?
Devin DeBacker: The program outlines certain covered data transactions that US Persons either cannot engage in or must engage with restrictions, particularly with countries of concern or covered persons. I’ll let Lee explain the specifics since he’s the architect of this framework.
Lee Licata: Let’s start with the prohibitions. Two types of commercial transactions between a US Person and a “country of concern” or “covered person” are outright prohibited. The first type is data brokerage, and the second type is transfers of genomic data or biospecimens, which is the raw material from which genomic data is derived.
We also impose restrictions in three categories — vendor agreements, employment agreements, and investment agreements that aren’t passive.
For these restricted agreements, we aim to put a box around these transactions to control how they’re conducted. Essentially, certain security measures must be in place to prevent countries of concern or covered persons from accessing sensitive data. These security measures, issued by the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security, were published alongside our proposed rule. They include organizational security requirements, such as having a security officer, system-level security measures, and data-level protections like encryption and anonymization techniques.
Regarding who qualifies as a covered person and countries of concern, we’ve designated six countries — China, Russia, North Korea, Cuba, Venezuela, and Iran. Covered persons fall into four main categories — entities headquartered in or owned by a country of concern, entities owned by other covered persons, entities or individuals working for covered persons, and those predominantly residing in a country of concern. There’s also a fifth catch-all category for those acting on behalf of a country of concern — think proxies, cutouts, or shell entities. Essentially, we’re structuring this like an OFAC regime.
Nicholas Welch: Lawyers sure do love catch-all categories at the end of statutes!
Tools of Enforcement and the Impact of Public Comments
Nicholas Welch: What does this rule’s compliance and enforcement regime look like? I see due diligence obligations, a licensing regime, annual reports, and even requirements to disclose when a US Person rejects a solicitation to transfer restricted data to a covered person. What should companies anticipate as DOJ finalizes this rule?
Lee Licata: First, we encourage companies to consider submitting comments on the docket during this finalization phase. Their input is vital for us to understand how this will be implemented and what impacts might arise.
Devin DeBacker: The more specific, the better. It helps us to understand the exact types of transactions companies engage in and whether their interpretation of the rule aligns with ours so we can clarify as needed.
Lee Licata: The comment period is 30 days and ends on November 29, 2024. Beyond comments, we want companies to start evaluating their risk profiles concerning these rules. Companies need to understand what data they hold, especially sensitive data regulated here, and the nature of commercial relationships that could involve a covered person or country of concern. They should also identify who has access to that data and what security measures they have in place to protect it.
The compliance and enforcement regime includes features common in export controls or OFAC frameworks — recordkeeping requirements, annual reporting, and reporting rejected transactions, similar to OFAC sanctions. We also require audits for restricted transactions to ensure security measures are in place. Entities must have policies governing compliance with these rules. Lastly, this is an IEEPA-based executive order, so DOJ can leverage IEEPA’s enforcement tools, including criminal prosecution and civil penalties. The rule outlines thresholds for civil penalties and allows us to notify entities of violations without financial penalties, though we’ll make sure they’re aware of their transgressions. This entire framework is about orienting entities to understand their risks and ensuring they take action.
Devin DeBacker: To take a broader view, our compliance approach is similar to that of sanctions programs. Most companies will need an in-house compliance program tailored to their specific risk profile — who they do business with, where, and in what sectors. While some restricted transactions can proceed with terms and conditions, generally, we focus on compliance first. DOJ sees corporate compliance, especially in national security, as a priority. Companies are on the front lines — they hold the data, technology, or capital we’re concerned about. We need them as partners to understand and uphold their obligations. But DOJ is also prepared to use its enforcement tools when necessary. At the end of the day, what matters isn’t the 422 pages of the proposed rule but how it works in practice to protect against these risks.
Nicholas Welch: Let’s say I’m Company X. I read this rule and think, “Wow, this will be massively expensive. I don’t want another compliance regime.” How will the DOJ know if I violate the rule? Will the DOJ really find out?
Devin DeBacker: Oh, we’ll find out. Corporate compliance is our bread and butter, especially in the Foreign Investment Review Section, where this program resides.
My team focuses solely on compliance and enforcement every day, around the clock. We also have the FBI, which excels at investigating violations — whether it’s sanctions, export controls, or this program. Additionally, we have public tips, recordkeeping requirements, and reports that help us follow up and investigate. For companies with higher risk profiles, we can inspect their records and ensure compliance interpretations align. The other key point is that one person can’t engage in a transaction alone — there’s always another party, so if one doesn’t report, the other often does.
Nicholas Welch: Industry, you’ve been warned! From what I’ve read, you engaged in a lot of public feedback. I noticed in the notice of proposed rulemaking that the department even discussed the order with stakeholders at public events, including China Talk. So, if other podcasters want good press, they should invite DOJ lawyers on their shows! There were 114 questions in DOJ’s ANPRM. What were the biggest changes to the rule based on comments and engagements?
Lee Licata: As you mentioned, we received about 70 comments during the ANPRM period, along with feedback from over 100 organizations, companies, trade associations, civil society members, academics — the whole spectrum of regulated communities. We didn’t receive any catastrophic warnings about breaking the internet or collapsing the economy, but we did get a lot of valuable, acute policy input to ensure the rule is implementable without unintended economic consequences.
Some new elements include an analysis of the six countries of concern, bulk data thresholds, and a detailed assessment of data characteristics. We’ve also conducted an economic impact assessment, estimating compliance costs based on studies like GDPR and other due diligence activities. There are specific exemptions for telecommunications, FDA-regulated clinical trials, and data transfers for post-market approval in regulated sectors. We also clarified financial services exemptions to avoid hidden economic decoupling and specified back-office intra-corporate transfers.
Nicholas Welch: How does the industry feel about this rule? Is DOJ expecting millions in lobbying against it, or does industry seem more receptive?
Lee Licata: It’s early, but the industry seems to understand the issue we’re addressing. No one disputes that adversarial nations are actively seeking American data, and this is a legitimate national security threat. Industry representatives are trying to understand compliance obligations and what this means for their transactions. They provided helpful feedback on policy specifics, though we haven’t seen anyone suggesting it would dramatically impact the economy. Stakeholders seem to be grasping that compliance will be necessary and are evaluating their risk exposure. They’ll advocate for their industries, but the input we’ve received has been useful.
Devin DeBacker: We’ve continued public engagements during this comment period, similar to the ANPRM in spring. We’re open to feedback about specific transactions or scenarios where this rule might have unique implications. We’ve already met with over 200 groups in this short comment period, so it’s a broad, cross-sector engagement. We’re here to listen.
Nicholas Welch: Maybe this is a bit technical, but the rule mentions that several commenters suggested incorporating aspects of international or state privacy laws. DOJ decided against that, stating privacy protections and national security measures have different objectives. Can you clarify why?
Lee Licata: Sure, two examples come to mind. First, most state privacy laws define “precise geolocation data” using an 1850-foot distance from the device — a standard not actually supported by device technology. Major operating systems generally use either 1,000 or 10,000 meters to measure precise geolocation data. We chose 1,000 meters to align with how data is collected and to ensure consistency with real technology practices.
Second, state privacy laws cover all “PII” (personally identifiable information), including basic, public information like names and addresses. Our goal isn’t to regulate the phone book but rather to focus on information that adversaries could exploit. We created a narrower category called “covered personal identifiers,” targeting data combinations like a name and Social Security number or IP address and device identifier, as these combinations could uniquely identify someone. This approach focuses on specific national security risks, departing from broader privacy law constructs.
Devin DeBacker: Another example relates to a consent-based exception. Some commentators suggested we allow cross-border data transfers if individuals consent. From a privacy perspective, which emphasizes individual control over data, this makes sense. But in national security, we’re more concerned about the broader externalities created by individual and company choices.
We don’t have a consent-based exception for export controls. We don’t say that sensitive technology can go to Iran or North Korea with a company’s permission.
Privacy and national security laws serve different objectives, so they complement each other but don’t always align.
Nicholas Welch: Data, unlike semiconductors, moves easily and can be routed through various entities. If US Company A sells data to Company B, which eventually passes it to an adversary, how does the rule address the risk of onward data transfers?
Devin DeBacker: There are two parts to this. As Lee said, we designed the program to balance obligations on US companies. We don’t impose “pass-through liability” — US Company A isn’t responsible for tracking data through every layer, down to whether the data eventually reaches a covered person. However, we’ve addressed the resale and re-export risk by requiring US companies to include a contractual restriction with third-party buyers, preventing them from reselling to a country of concern or covered person. This “trusted data flows” concept allows third parties within the trusted framework.
If a third party violates the restriction, US companies must report it to us. If necessary, we can publicly designate those violating entities as “covered persons.” This approach strengthens trust-based data flows by identifying who falls within or outside the trusted framework.
Nicholas Welch: Before this rule, did any executive branch mechanism address these specific national security risks?
Devin DeBacker: Yes, sort of — this concept emerged from our experience with transaction-specific authorities, like CFIUS and Team Telecom, which assess individual foreign investment risks. However, as data security threats evolved, we noticed we were addressing similar data security risks repeatedly in foreign investment cases, each time creating tailored compliance solutions. Seeing this pattern, we decided to create a comprehensive, systematic program to address these recurring risks. We still have case-specific authorities, and this program complements them by reducing regulatory duplication.
Why DOJ?
Nicholas Welch: On the last show, you mentioned that the DOJ is a natural fit for this role because you’re highly experienced in corporate compliance. You also said you’re expanding the Foreign Investment Review section, hiring more attorneys and non-attorneys. How is that team expansion going? More broadly, what did interagency collaboration look like for this rule? I assume you had extensive interagency support from Team Telecom, Commerce, DOD, and FTC — but ultimately, the DOJ took the byline for this rule. This is hosted on justice.gov, not another agency’s website. Does that impact the rule’s effect or corporate compliance overall?
Lee Licata: Yes, absolutely. First, stepping back, it took us two and a half years to develop this concept for the executive order and then to draft the proposed rule. Throughout that time, we coordinated with around two dozen federal departments and agencies, as well as White House offices, to build this framework and ensure that all relevant interests within the executive branch were represented.
The interagency coordination was extensive, involving entities like CPS, Team Telecom, the ICTS team at Commerce, CFPB, FTC, and SEC — essentially, every regulator overseeing commercial transactions involving the regulated data. We also engaged continuously with OFAC, BIS, and FARA to incorporate similar concepts and ensure compatibility within our program.
The DOJ byline is indeed significant. As Devin mentioned, corporate compliance and enforcement are central to our work — it’s right there in our name, the Department of Justice. So it’s natural for this rule to land here, combining DOJ’s expertise in this risk area with the department’s enforcement mission. In the interim, as we establish this program, we’re building a team within FIRS to finalize the rulemaking and begin implementation. We’ve assembled a team of mostly interagency detailees to bring together the necessary expertise. As of now, we have 11 attorneys plus paralegals, targeters, and other support, and we’re leveraging insights from across the interagency. We have team members from OFAC, FinCEN, BIS, and the Department of Defense, among others, all working under our roof. By the end of the year, we expect to have about 17 people forming the foundation of a full-fledged team.
Nicholas Welch: Where do you see this rule going in the future? Financial industries, for instance, face multibillion-dollar fines and have strong compliance frameworks, but with newer regulations like chip export controls, we’re only starting to see big penalties, like Seagate’s $300 million fine from BIS [and a $500m fine on GlobalFoundries]. Recently, a TSMC chip was found in Huawei, which journalists quickly identified as a supply chain weak link. Chris Miller suggests chip companies need to spend more on compliance, and governments should impose stricter penalties. So where do you see data security compliance going?
Devin DeBacker: As my boss, Assistant Attorney General Matt Olsen, said back in March, this program needs to have “real teeth.” Our primary approach is through compliance. We want companies to fully understand their obligations, have strong programs in place, protect data, and follow the rule, especially with security requirements for restricted transactions. Our main goal is to educate US companies and individuals on these obligations.
If enforcement becomes necessary, however, penalties need to be meaningful — they must impact a business enough to reinforce compliance obligations. More than the size of the penalties, though, what's critical is for companies to understand that compliance can’t be an afterthought — it has to be integrated into the business itself. Compliance teams need to be part of business decision-making, not separate from it. For example, if a company is considering opening an office in Shanghai, storing geolocation data on servers there, and hiring covered persons, that decision-making process must include compliance with US government rules. This needs to be part of the broader business risk assessment.
As Lee mentioned, companies need to ask questions like: Where are our offices? What data do we hold? Where is it accessible? What safeguards are in place? Who has access, and what kind of system-level access do they have? Compliance isn’t about merely ticking a box — it has to be woven into the business itself.
Nicholas Welch: Sounds comprehensive! You’ve done an extensive job of justifying this rule based on statutory authority, like Article II in the Constitution, Section 301, IEEPA. Do you think Congress would be better suited to address this risk legislatively rather than through an IEEPA-based executive order?
Devin DeBacker: IEEPA is intentionally broad, and this rulemaking is consistent with typical IEEPA-based rulemakings, which regulate commercial transactions and cross-border activities. This program can and should stand independently, without Congressional involvement. That said, we’ve worked well with Congress, discussing ways to clarify aspects of IEEPA, like the Berman Amendment, and ensuring long-term resources for this program.
What’s promising is that this area — protecting sensitive US data from foreign adversaries — has broad bipartisan recognition across parties, administrations, and Congress. I believe this will remain a priority across the government, and I’m optimistic this program will become a lasting element of our national security framework in the US.