Quiero saber acerca de...

4912

Federal Register / Vol. 86, No. 11 / Tuesday, January 19, 2021 / Rules and Regulations
khammond on DSKJM1Z7X2PROD with RULES

commenters are addressed by defining the term ICTS Transaction to include 1 ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download; and 2 any other transaction, the structure of which is designed or intended to evade or circumvent the application of the Executive Order. The purpose of these additions is to clarify that the Secretary may review ICTS Transactions, including the provision of services, that occur on or after January 19, 2021, by any person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary. Providing services, such as software updates, to U.S.
persons may provide a foreign adversary an opportunity to engage in the types of activities that may threaten U.S.
national security, as described above.
Further, the definition of ICTS
Transaction clarifies that attempting to structure a transaction in order to circumvent Secretarial review is nonetheless an ICTS Transaction subject to this rule.
7.2Definition of party or parties to a transaction Several commenters expressed an interest in the Department further clarifying what entities are covered by the rule. Further, in revising the proposed rule for finalization, the Department used the term party to a transaction in several instances and believes it would be beneficial to define that term. Accordingly, the rule adds a definition of party or parties to a transaction, to mean a person engaged in an ICTS Transaction, including the person acquiring the ICTS and the person from whom the ICTS is acquired.
The term person is also defined by the rule and is unchanged from the proposed rule.
Party or parties to a transaction include entities designed or intended to evade or circumvent application of the Executive Order. For purposes of this rule, this definition does not include common carriers that transport goods for a fee on behalf of the general public, except to the extent that a common carrier knows, or should have known as the term knowledge is defined in 15
CFR 772.1, it was providing transportation services of ICTS to one or more of the parties to a transaction that has been prohibited in a final written determination made by the Department or permitted subject to mitigation measures.
This addition narrows the scope of the rule by adding clarity regarding which persons are responsible for a
VerDate Sep<11>2014

16:33 Jan 17, 2021

Jkt 253001

reviewable transaction. This also affects which parties will be notified by the Department regarding any potential review of a transaction.
7.2Definition of Person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary In addition to defining party or parties to a transaction, the Department sought to add clarity to the rule by defining the phrase person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, as many commenters expressed concern that leaving such terms undefined might create confusion about the breadth of the rules reach.
The Department defines person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary to mean any person, wherever located, who acts as an agent, representative, or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary; any person, wherever located, who is a citizen or resident of a nation-state controlled by a foreign adversary; any corporation, partnership, association, or other organization organized under the laws of a nation-state controlled by a foreign adversary; and any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary.
7.2Sensitive Personal Data Many commenters requested additional clarity about the specific ICTS that is subject to this rule. While it is impossible to identify all of the ICTS that may present undue or unnecessary risks, the Department has defined the term, sensitive personal data, to identify, along with the information identified in section 7.3 of the rule, some of types of information or communications that might be involved in an ICTS Transaction reviewed under this rule where a party or parties to a transaction use, possess, or retain, or are expected to use, possess, or retain sensitive personal data.
The term sensitive personal data includes: 1 Personally Identifiable Information i.e., data that can identify individuals that is maintained or collected by a U.S. business operating in specific areas, and that is maintained or collected on over one million people
PO 00000

Frm 00036

Fmt 4700

Sfmt 4700

over a 12 month period; and 2 results of individual genetic testing.
The categories of identifiable data of concern to the Department are:
Financial data that could be used to indicate an individuals financial distress or hardship; the set of data included in consumer reports; the set of data used for health and certain financial insurance applications; data relating to the physical, mental, or psychological health condition of an individual; non-public electronic communication information, such as personal emails; geolocation data used in certain technologies; biometric data;
data stored and processed for generating Federal, State, Tribal, Territorial, or other government identification cards;
data concerning U.S. Government personnel security clearance status; and data from security clearance or employment applications.
As indicated in section 7.3, Scope, the Department believes that ICTS
Transactions involving sensitive personal data could create risks for the U.S. national security and also believes it is important to specifically identify these categories of data to provide the regulated community with additional specificity and certainty as to the scope of the rules application.
7.2Definition of Undue or unacceptable risk Commenters recommended various alternative uses for and limits on this term. For example, some suggested that the Department identify certain industries or types of transactions that do not pose a risk to national security, and that the Department should exempt certain types of transactions from the rule.
Most of the suggestions could unnecessarily limit the United States ability to determine its national security interests and, thus, could limit the ability to protect the Nation. However, the Department agrees the term requires definition, and in this rule adopts the definition of undue or unacceptable risks as those risks identified in Section 1aii of the Executive Order.
Section 1aii of the Executive Order includes the following risks . . . an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; . . . an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or . . . an unacceptable risk to the national
E:FRFM19JAR1.SGM

19JAR1