The Department of Justice (DoJ) issued a comprehensive final rule on Dec. 27 to help protect Americans’ sensitive data from being sold or transferred to adversarial countries.
The final rule carries out President Biden’s February 2024 executive order (EO), “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The Justice Department issued the draft rule in March 2024 and formally proposed the rule in October 2024.
The EO came amid Congress’ failure in recent years to pass comprehensive privacy legislation and gave marching orders to several Federal agencies – the DoJ chief among them – to prevent the large-scale transfer of Americans’ personal data to specific countries.
According to the rule, the DoJ has identified China, Russia, Iran, North Korea, Cuba, and Venezuela as the six countries of concern under this new program. This means that their access to government-related data or bulk U.S. sensitive data poses a “national security risk.”
The final rule also notes that the department has the authority to update the list of countries of concern if necessary. In doing so, it would undertake another rulemaking that is subject to interagency review and public comment.
“This final rule is a crucial step forward in addressing the extraordinary national security threat posed by our adversaries exploiting Americans’ most sensitive personal data,” Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division said in a Dec. 27 press release.
“This powerful new national-security program is designed to ensure that Americans’ personal data is no longer permitted to be sold to hostile foreign powers, whether through outright purchase or other means of commercial access,” Olsen added.
Among other things, DoJ explained, the final rule identifies the countries of concern and the foreign entities or individuals to whom the rule applies, “and designates classes of prohibited, restricted, and exempt transactions.”
“The final rule establishes bulk thresholds for certain sensitive personal data, including human ‘omic data, biometric identifiers, precise geolocation data, personal health data, personal financial data, and certain covered personal identifiers,” the DoJ explained. “The final rule also prescribes processes to obtain licenses authorizing otherwise prohibited or restricted transactions; protocols for the designation of covered persons; and provides advisory opinions, and recordkeeping, reporting, and other due diligence obligations for covered transactions.”
In a separate fact sheet, the department said the final rule “does not ban apps or social-media platforms, nor does it concern any single app or technology” – such as TikTok. The final rule “addresses only the most serious data-security risks,” according to the DoJ.
The final rule will become effective 90 days after publication. However, certain affirmative compliance obligations will be phased in and will not become effective until 270 days after the rule’s publication.
The Justice Department said it will publish guidance related to the final rule at www.justice.gov/nsd/data-security.