Photo of Brian Kim

Brian Kim

Brian Kim is an associate in the firm’s Washington, DC office and a member of the CFIUS Practice Group. He advises clients on the U.S. national security review process administered by the Committee on Foreign Investment in the United States (CFIUS) and related reviews conducted by the interagency working group known as Team Telecom. Brian also advises clients on sensitive national security investigations and compliance matters, including mitigation agreements with CFIUS and issues under the National Industrial Security Program (NISPOM) and the Defense Counterintelligence and Security Agency (DCSA) in proceedings related to the mitigation of foreign ownership, control, or influence (FOCI). Brian regularly advises on matters involving China and the region, supply chain security, and other U.S.-China policy issues.

Introduction

On December 27, 2024, the U.S. Department of Justice (“DOJ”) issued the Final Rule implementing President Biden’s February 28, 2024 Executive Order on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “EO”). The Final Rule solidifies a new national security regulatory regime focused on protecting bulk U.S. sensitive personal data and government-related data from countries of concern, including the People’s Republic of China (“PRC” or “China”), and represents the latest step in the U.S. government’s whole-of-government effort to “de-risk” with respect to China. The Final Rule marks the first time that U.S. persons will be categorically prohibited from engaging in certain transactions that may result in foreign access to bulk U.S. sensitive personal data and government-related data. It also provides that certain other transactions will be “restricted,” meaning they are prohibited unless the U.S. business first implements a range of security requirements, which in some cases will be onerous or costly. The Final Rule accordingly could have wide-ranging implications for U.S. companies across various industries. The Final Rule takes effect 90 days after publication in the Federal Register, which is set for January 8, 2025, although certain compliance requirements will not take effect until 270 days following publication.

In parallel with the release of the Final Rule, on January 3, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), which is part of the U.S. Department of Homeland Security (“DHS”), released the final security requirements (the “Security Requirements”). The Security Requirements set forth the measures that U.S. persons must satisfy in order to engage in restricted transactions, and are incorporated by reference into the Final Rule.

Importantly, as we discussed in our analysis of the Advance Notice of Proposed Rulemaking (“ANPRM”) and our analysis of the Notice of Proposed Rulemaking (“NPRM”), the Final Rule is a national security regulation designed to address identified risks to U.S. national security—not a privacy regulation designed to protect privacy or other individual interests. Consequently, while the Final Rule regulates transactions involving personal data, many of the concepts and definitions diverge materially from those in existing privacy regimes. The Final Rule stems from the U.S. government’s increasing unwillingness to tolerate foreign adversary access to U.S. personal data. As DOJ explained in the preamble to the Final Rule, “[t]his rule will prevent . . . foreign adversaries from legally obtaining [bulk U.S. sensitive personal data or government-related data] through commercial transactions with U.S. persons, thereby stemming data flows and directly addressing the national security risks identified in the [EO].” DOJ cited examples such as (1) the ability of journalists to track the movements of U.S. President Joe Biden, U.S. Vice President Kamala Harris, and now President-Elect Donald Trump through their bodyguards’ use of a fitness app; and (2) the ability to track U.S. government personnel movement through the purchase of location information and digital advertising data—that demonstrate the U.S. national security risks associated with foreign adversary access to commercially available data. Finally, DOJ made a particular point of explaining that certain data that is anonymized or depersonalized presents U.S. national security risks, especially with respect to the ability of adversaries to use “bulk human genomic data[] to enhance military capabilities that include facilitating the development of bioweapons.”Continue Reading Department of Justice Issues Final Rule to Implement Bulk U.S. Sensitive Personal Data and Government-Related Data Executive Order

On March 21, 2023, the Department of Commerce (“Commerce”) published a Notice of Proposed Rulemaking (the “Commerce Proposed Rule”) to implement certain provisions of the CHIPS and Science Act of 2022 (“CHIPS Act”) that place restrictions on certain activities of businesses receiving federal funding pursuant to the CHIPS Act (“Commerce

Continue Reading National Security Update – Departments of Commerce and Treasury Release Notice of Proposed Rulemaking Regarding CHIPS “Guardrails”

On the heels of Russia’s invasion of Ukraine, pandemic-induced supply chain disruptions, and U.S.-China tensions over Taiwan, 2022 accelerated a sweeping effort within the U.S. government to make national security considerations—especially with respect to China—a key feature of new and existing regulatory processes. This trend toward broader national security regulation, designed to help maintain U.S. strategic advantage, has support from both Republicans and Democrats, including from the Biden Administration. National Security Advisor Jake Sullivan’s remarks in September 2022 capture the tone shift in Washington: “…[W]e have to revisit the longstanding premise of maintaining ‘relative’ advantages over competitors in certain key technologies…That is not the strategic environment we are in today…[w]e must maintain as large of a lead as possible.”

This environment produced important legislative and regulatory developments in 2022, including the CHIPS and Science Act (Covington alert), first-ever Enforcement and Penalty Guidelines promulgated by the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) (Covington alert), President Biden’s Executive Order on CFIUS (Covington alert), new restrictions under U.S. export control authorities targeting China (Covington alert), and proposals for a new regime to review outbound investments by U.S. businesses (Covington alert). The common thread among these developments is the U.S. government’s continuing appetite to use both existing and new regulatory authorities to address identified national security risks, especially where perceived risks relate to China.

With a Republican majority in the U.S. House of Representatives riding the tailwinds of this bipartisan consensus, 2023 is looking like a pivotal moment for national security regulation—expanding beyond the use of traditional authorities such as trade controls and CFIUS, into additional regulatory domains touching upon data, communications, antitrust, and possibly more. In parallel, the U.S. focus on national security continues to gain purchase abroad, with foreign direct investment (“FDI”) regimes maturing in tandem with CFIUS, and outbound investment screening gaining traction, for example, in the European Union (“EU”). It is crucial for businesses to be aware of these developments and to approach U.S. regulatory processes with a sensitivity towards the shifting national security undercurrents described in greater detail below.Continue Reading Will 2023 Be an Inflection Point in National Security Regulation?