The latest proposal by the Department of Justice aims to curb sales of Americans’ sensitive personal information to nations deemed adversaries.
At a Glance
- The DOJ proposes regulations against selling U.S. data to adversarial nations.
- The rules target six data categories, including health and financial information.
- Countries like China, Russia, and Iran face prohibitions on bulk data purchases.
- Exemptions apply for specific telecommunications and clinical data.
Overview of Proposed Regulations
The Department of Justice has outlined rules to restrict the sale of Americans’ sensitive data to foreign adversaries, according to a recent announcement. This proposal emerges from an executive order by the Biden administration in February. The primary focus of the restrictions is on six data categories: personal, geolocation, biometric, genomic, health, and financial information.
Identified adversarial nations include China, Russia, Iran, North Korea, Cuba, and Venezuela. The rules call for a blanket prohibition on the sale of bulk data to these countries. However, exemptions exist for particular instances like telecommunications services and data from clinical trials necessary for regulatory reasons.
Justice Department Issues Comprehensive Proposed Rule Addressing National Security Risks Posed to U.S. Sensitive Data
🔗: https://t.co/M4s8KVl4kr pic.twitter.com/liJ6xa3v6u
— National Security Division, U.S. Dept of Justice (@DOJNatSec) October 21, 2024
Compliance and Operational Requirements
Private companies will be required to report any third-party involvement in data sales. U.S. entities must set up compliance programs to manage data transactions effectively and understand the safeguards associated with data handling. The proposed measures aim to deter direct sales of personal and genomic data to entities with significant ties to countries of concern.
“Under the proposed rule, U.S. persons transacting in these kinds of data will need to establish a compliance program based on the individual risk profile of their activities,” according to a senior DOJ official.
The regulations would base security measures on NIST’s cybersecurity and privacy frameworks. Different categories of data would face varying thresholds based on their sensitivity, and U.S. institutions such as the DOJ could issue special licenses to bypass the rules in exceptional circumstances.
The Broader Context
The Justice Department’s proposal addresses escalating tensions with countries like China over data flow and cybersecurity concerns. The United States remains one of the largest markets for data brokering, with companies such as Oracle America, Equifax, and Experian holding vast volumes of sensitive information, which could potentially be exploited by foreign adversaries.
The notice reportedly describes the U.S. as “widely perceived to be the largest data-brokerage market in the world.”
Ongoing discussions stress the need to prevent foreign adversaries from leveraging American data for malign activities such as cyberattacks and espionage. Effective enforcement would involve criminal and civil penalties to ensure compliance with the new regulations. However, while the DOJ’s proposal marks a step forward, many argue it falls short of addressing the broader vulnerabilities in the U.S. data privacy landscape.