The US Department of Justice (DoJ) has issued a final rule implementing Executive Order (EO) 14117, which prevents the bulk transfer of personal data of citizens to countries such as China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela .
“This final rule is an important step forward in combating the extreme threat to national security posed by our adversaries who are exploiting Americans’ most sensitive personal data,” said Assistant Attorney General Matthew G. Olsen of the Department of Justice’s National Security Division.
“This powerful new national security program is designed to ensure that Americans’ personal data is no longer allowed to be sold to hostile foreign powers, whether through direct purchases or other commercial access.”
Back in February 2024. US President Joe Biden signed executive order to address the national risk posed by unauthorized access to sensitive personal and government data of Americans for malicious activities such as espionage, influence, kinetic or cyber operations.
Also, order noted that countries of concern may use their access to big data to develop or improve artificial intelligence and other advanced technologies, and purchase such information from commercial data brokers and other companies.
“Countries of concern and affected individuals may also use this data to collect information about activists, academics, journalists, dissidents, political opponents or members of non-governmental organizations or marginalized communities to intimidate them; curb political opposition; limit the freedom of expression of opinion, peaceful assembly. , or association; allow other forms of suppression of civil liberties,” the Ministry of Justice said.
The rule issued by the Justice Department is expected to take effect in 90 days. It defines certain classes of prohibited, restricted and exempt transactions; establishes bulk thresholds to trigger rule bans and restrictions on covered data transactions involving bulk sensitive personal data; and establishes enforcement mechanisms such as civil and criminal penalties.
This covers data spanning six categories: personal identifiers (such as social security numbers, driver’s licenses, etc.), precise geolocations, biometric identifiers, human (genomic, epigenomic, proteomic, and transcriptomic) data, personal health data, and personal financial data.
However, it should be noted that this rule does not impose data localization requirements or prohibit US citizens from conducting medical, scientific, or other research in countries of concern.
“The final rule also does not prohibit U.S. citizens from engaging in commercial transactions, including the exchange of financial and other data as part of the sale of commercial goods and services, with countries of concern, or impose measures designed to further separate significant consumer, economic, scientific and trade relationships that the United States has with other countries,” the Justice Department said.
