Episode 4: Sensitive Personal Data of U.S. Citizens under CFIUS's "Foreign Investment Risk Review Modernization Act"

2024-09-24 22:40:24

On January 13, 2020, the U.S. Department of the Treasury issued two "Final Rules" to implement the "Foreign Investment Risk Review Modernization Act" (hereinafter referred to as "FIRRMA"). The Final Rules expanded the jurisdiction of the Committee on Foreign Investment in the United States (hereinafter referred to as "CFIUS") to review non-controlling foreign investments in U.S. businesses involved in critical technologies, critical infrastructure, or sensitive personal data (hereinafter referred to as "TID U.S. Businesses").

According to the Final Rules, CFIUS may review any transaction related to a U.S. business that "maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security" (i.e., the third category of TID U.S. Businesses). "Sensitive personal data" under the Final Rules includes two categories. The first category is "identifiable data" collected or maintained by U.S. businesses that meet one of the following three conditions: (1) the U.S. business targets products or services to U.S. national security agencies or military departments with intelligence, national, or homeland security responsibilities, or their personnel and contractors; (2) the U.S. business maintains or collects identifiable data of over one million individuals within a 12-month period; or (3) the U.S. business demonstrates a business objective to maintain or collect identifiable data on over one million individuals, and such data is an integral part of the U.S. company's primary products or services. "Identifiable data" consists of ten specific types of data, including financial data, data contained in consumer reports, data provided for health insurance applications, physical and mental health-related data, non-public electronic communications, geolocation data, biometric data, data stored for generating state or federal identification documents, data related to U.S. government personnel security clearance status, and data collected during security checks for U.S. government job applications.

The second category of "sensitive personal data" is personal genetic testing results, including all data related to genetic sequencing, provided such results constitute identifiable data. However, genetic testing results maintained by the U.S. government and regularly provided to private entities for research purposes are excluded.

"Sensitive personal data" does not include: (1) data maintained or collected by a U.S. business about its employees, unless the data pertains to employees of U.S. government contractors holding U.S. government personnel security clearances; or (2) data that is part of public records, such as court records or other government records typically made available to the public.

The Final Rules took effect on February 13, 2020. [Stay tuned for more updates]


Copyright © 2020-2025 Magstone Law. All rights reserved.