DOJ Proposes Rules to Block Sale of Americans’ Personal Data to Adversarial Nations

The Department of Justice unveils new regulations to protect Americans’ personal data from foreign adversaries, targeting China, Russia, and other nations of concern.

At a Glance

  • DOJ proposes rules to block sale of sensitive American data to six adversarial nations
  • Regulations cover personal, health, location, genetic, and financial information
  • First major federal action to regulate international data broker sales
  • Aims to address gaps in current privacy protection laws
  • Affects major data brokers and requires new compliance measures for U.S. businesses

Protecting American Data from Foreign Adversaries

In a significant move to safeguard national security and individual privacy, the Department of Justice has proposed new regulations aimed at restricting the sale and transfer of Americans’ sensitive personal data to adversarial countries. This initiative, based on President Biden’s February 2024 executive order, targets six nations deemed “countries of concern”: China, Russia, Iran, North Korea, Cuba, and Venezuela.

The proposed rules cover a wide range of sensitive information, including personal, geolocation, biometric, genomic, health, and financial data. By implementing these regulations, the DOJ aims to close critical gaps in existing privacy protection laws and create a robust framework for monitoring international data transfers.

Specific Restrictions and Compliance Requirements

The regulations set clear limits on data transactions. For instance, they prohibit the sale of genetic data affecting more than 100 Americans and restrict the transfer of precise location tracking data for more than 1,000 U.S. devices at a time. These measures are designed to prevent foreign adversaries from exploiting bulk data that could compromise national security.

“Under the proposed rule, U.S. persons transacting in these kinds of data will need to establish a compliance program based on the individual risk profile of their activities” – a senior DOJ official

U.S. companies, particularly major data brokers like Oracle America, Equifax, and Experian, will be required to establish comprehensive compliance programs to manage data transactions and understand data usage and safeguards. The DOJ and other departments retain the authority to issue licenses bypassing these rules in rare, necessary cases.

Balancing Security and Business Interests

While prioritizing national security, the proposed regulations aim to maintain a balance with legitimate business operations and international data sharing. Exemptions are included for telecommunications services and clinical trial data needed for regulatory purposes, ensuring that necessary global collaborations can continue.

“We’re seeking to achieve these goals as much as possible without disrupting free flow of data across borders, including by providing flexibility for various types of restricted transactions while, at the same time, not undermining the policy goals of the security requirements” – a senior Department of Homeland Security official

The regulations are designed to prevent direct sales of personal data to foreign entities with significant ties to countries of concern, while still allowing for approved international data transfers. Security requirements will be based on the National Institute of Standards and Technology’s cybersecurity and privacy frameworks, striking a balance between national security and free-market principles.

Implications and Challenges

While these regulations represent a significant step forward in protecting Americans’ data, experts acknowledge that they are not a complete solution. The U.S. still lags behind Europe in updating privacy laws and regulating data brokers, and existing laws may still allow data access through other means.

“There are definitely ways that adversaries … are going to access this data, and this is not going to address them all” – Brandon Pugh

The proposal is currently in its public comment phase, after which it will be refined and implemented. Companies found in violation of these regulations could face criminal and civil penalties. As the largest data-brokerage market globally, the U.S. faces unique challenges in implementing these protections while maintaining its competitive edge in the digital economy.
