The U.S. Department of Justice (DoJ) has issued a final rule carrying out Executive Order (EO) 14117, which prevents mass transfer of citizens’ personal data to countries of concern such as China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
“This final rule is a crucial step forward in addressing the extraordinary national security threat posed of our adversaries exploiting Americans’ most sensitive personal data,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.
“This powerful new national-security program is designed to ensure that Americans’ personal data is no longer permitted to be sold to hostile foreign powers, whether through outright purchase or other means of commercial access.”
Back in February 2024, U.S. President Joe Biden signed an executive order to address the national risk posed by unauthorized access to Americans’ sensitive personal and government-related data for malicious activities, such as espionage, influence, kinetic, or cyber operations.
Furthermore, the order noted that the countries of concern can leverage their access to bulk data to develop or refine artificial intelligence and other advanced technologies, as well as purchase such information from commercial data brokers and other companies.
“Countries of concern and covered persons can also exploit this data to collect information on activists, academics, journalists, dissidents, political opponents, or members of nongovernmental organizations or marginalized communities to intimidate them; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties,” the DoJ said.
The rule issued by the DoJ is expected to become effective in 90 days. It identifies certain classes of prohibited, restricted, and exempt transactions; sets bulk thresholds for triggering the rule’s prohibitions and restrictions on covered data transactions involving bulk sensitive personal data; and establishes enforcement mechanisms such as civil and criminal penalties.
This covers data spanning six categories: personal identifiers (e.g., Social Security numbers, driver’s license etc.), precise geolocation data, biometric identifiers, human ‘omic (genomic, epigenomic, proteomic, and transcriptomic) data, personal health data, and personal financial data.
However, it bears noting that the rule neither imposes data localization requirements, nor does it prohibit U.S. citizens from conducting medical, scientific, or other research in countries of concern.
“The final rule also does not broadly prohibit U.S. persons from engaging in commercial transactions, including exchanging financial and other data as part of the sale of commercial goods and services with countries of concern or covered persons, or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries,” the DoJ said.