31 CFR § 800.241 - Sensitive personal data.

(a) The term sensitive personal data means, except as provided in paragraph (b) of this section:

(1) Identifiable data that is:

(i) Maintained or collected by a U.S. business that:

(A) Targets or tailors products or services to any U.S. executive branch agency or military department with intelligence, national security, or homeland security responsibilities, or to personnel and contractors thereof;

(B) Has maintained or collected any identifiable data within one or more categories described in paragraph (a)(1)(ii) of this section on greater than one million individuals at any point over the twelve (12) months preceding the earliest of the completion date, the date of any of the events described in § 800.104(b)(2) through (4) (as applicable), or the date of filing of a written notice or submission of a declaration, unless the U.S. business can demonstrate that at the time of the completion date of the transaction it had or will have neither the capability to maintain nor the capability to collect any identifiable data within one or more categories described in paragraph (a)(1)(ii) of this section on greater than one million individuals; or

(C) Has a demonstrated business objective to maintain or collect any identifiable data within one or more categories described in paragraph (a)(1)(ii) of this section on greater than one million individuals and such data is an integrated part of the U.S. business's primary products or services; and

(ii) Within any of the following categories:

(A) Financial data that could be used to analyze or determine an individual's financial distress or hardship;

(B) The set of data in a consumer report, as defined under 15 U.S.C. 1681a, unless such data is obtained from a consumer reporting agency for one or more purposes identified in 15 U.S.C. 1681b(a) and such data is not substantially similar to the full contents of a consumer file as defined under 15 U.S.C. 1681a;

(C) The set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance;

(D) Data relating to the physical, mental, or psychological health condition of an individual;

(E) Non-public electronic communications, including email, messaging, or chat communications, between or among users of a U.S. business's products or services if a primary purpose of such product or service is to facilitate third-party user communications;

(F) Geolocation data collected using positioning systems, cell phone towers, or WiFi access points such as via a mobile application, vehicle GPS, other onboard mapping tool, or wearable electronic device;

(G) Biometric enrollment data including facial, voice, retina/iris, and palm/fingerprint templates;

(H) Data stored and processed for generating a state or federal government identification card;

(I) Data concerning U.S. Government personnel security clearance status; or

(J) The set of data in an application for a U.S. Government personnel security clearance or an application for employment in a position of public trust; and

(2) The results of an individual's genetic tests, including any related genetic sequencing data, whenever such results constitute identifiable data. Such results shall not include data derived from databases maintained by the U.S. Government and routinely provided to private parties for purposes of research. For purposes of this paragraph, “genetic test” shall have the meaning provided in 42 U.S.C. 300gg-91(d)(17).

(b) The term sensitive personal data shall not include, regardless of the applicability of the criteria described in paragraph (a) of this section:

(1) Data maintained or collected by a U.S. business concerning the employees of that U.S. business, unless the data pertains to employees of U.S. Government contractors who hold U.S. Government personnel security clearances; or

(2) Data that is a matter of public record, such as court records or other government records that are generally available to the public.

(c) Examples:

(1) Example 1. Corporation A, a U.S. business, periodically collects geolocation data as described in paragraph (a)(1)(ii)(F) of this section on its customers for marketing and customer experience purposes. Corporation A maintains the geolocation data for a short period, then purges the data from its systems. When Corporation A and a foreign person notify the Committee of a transaction, Corporation A maintains the geolocation data of only 200,000 individuals. However, in the 12 months prior to filing the notification to the Committee, Corporation A has collected the geolocation data of greater than one million individuals. Because Corporation A collected the geolocation data of greater than one million individuals in the 12 months prior to the filing date of the notice, it meets the criteria in paragraph (a)(1)(i)(B) of this section.

(2) Example 2. Corporation A, a U.S. business, collects data relating to physical health conditions as described in paragraph (a)(1)(ii)(D) from new customers, which numbered fewer than one million over the 12 months prior to executing a definitive binding agreement to be acquired by a foreign person. Under its data retention policy, Corporation A maintains the health data for a long period of time. Accordingly, Corporation A maintains the health data from new customers (those from whom the data was collected in the previous 12 months) and older customers (those from whom the data was collected in prior years). In total, Corporation A maintains the health data of three million individuals. Because Corporation A maintains health data of greater than one million individuals, it meets the criteria in paragraph (a)(1)(i)(B) of this section.

(3) Example 3. Same facts as the example in paragraph (c)(2) of this section, except that, under its data retention policy, the number of individuals for whom Corporation A maintains the health data fluctuates. Over the 12 months prior to executing a definitive binding agreement to be acquired by a foreign person, Corporation A usually maintained the health data of 900,000 individuals. However, at one point during the prior 12 months, it maintained the health data of 1,100,000 individuals. Corporation A currently maintains the health data of fewer than one million individuals. Because Corporation A maintained the health data of greater than one million individuals during the 12 months prior to executing a definitive binding agreement to be acquired by a foreign person, it meets the criteria in paragraph (a)(1)(i)(B) of this section.

(4) Example 4. Corporation A, a U.S. business, maintains data under multiple categories in paragraph (a)(1)(ii) of this section on over one million individuals. Specifically, Corporation A maintains financial data described by paragraph (a)(1)(ii)(A) of this section on 400,000 individuals, and health data described by paragraph (a)(1)(ii)(D) of this section on another 700,000 individuals. Because Corporation A maintains the data described in the categories in paragraph (a)(1)(ii) on greater than one million individuals, despite not maintaining or collecting data of greater than one million individuals in any one category, it meets the criteria in paragraph (a)(1)(i)(B) of this section.

(5) Example 5. Corporation A, a U.S. business, is a start-up mobile mapping venture that has maintained or collected geolocation data described by paragraph (a)(1)(ii)(F) of this section on substantially fewer than one million individual subscribers over the 12 months prior to completing a transaction with a foreign person. The geolocation data is an integrated part of Corporation A's primary product, mobile mapping services. Corporation A, in connection with attempting to secure an additional round of financing, has prepared and distributed to potential investors pitch materials that include Corporation A's projection that, within the next two years, it will have greater than one million active individual subscribers. Corporation A also has made plans to substantially increase its workforce and enhance its IT infrastructure in anticipation of obtaining the additional subscribers. Corporation A meets the criteria of paragraph (a)(1)(i)(C) of this section of having a demonstrated business objective to maintain or collect data described in paragraphs (a)(1)(ii)(A) through (J) of this section on greater than one million individuals.