Rule limits access to "bulk U.S. sensitive personal data" and "government-related data" by "countries of concern" and "covered persons"
The U.S. Department of Justice (DOJ) has issued a comprehensive final rule (the "Rule") targeting foreign access to sensitive U.S. data, including Americans' "bulk" sensitive personal data.
The Rule, which DOJ announced on December 27, 2024, prohibits and restricts U.S. persons from entering into certain transactions that would give "countries of concern" and "covered persons" access to "bulk U.S. sensitive personal data" and "government-related data." "U.S. persons" subject to the Rule are defined broadly to include any U.S. citizen, national, or lawful permanent resident, any entity organized under the laws of the United States or any U.S. jurisdiction, and any person physically within the United States.
The Rule is to be published in the Federal Register on January 8, 2025, and to become effective 90 days after publication, or April 8, 2025. Certain due diligence, reporting and auditing requirements go into effect 270 days after publication, or October 5, 2025.
DOJ issued the Rule to implement the directives set forth in President Biden's February 2024 Executive Order 14117 (EO 14117), "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern." According to EO 14117 and DOJ, adoption of the Rule has been driven by growing threats to U.S. sensitive data—particularly Americans' "bulk" sensitive personal data—posed by "countries of concern," which can acquire or access such data through various commercial transactions. Such countries may acquire sensitive U.S. data directly or through various types of "covered persons" that are subject to control or coercion by those countries. Countries of concern then may employ advanced technologies such as big-data analytics and artificial intelligence to exploit this data for malicious purposes, including espionage, cyberattacks, blackmail, curbing political dissent and limiting freedom of expression. According to a DOJ fact sheet accompanying the Rule, existing laws have "failed to fully protect against these national security risks, permitting countries of concern access to such sensitive data through commercial means."
The Rule, among other things:
- Establishes specific categories of prohibited and restricted transactions that involve an "unacceptable risk" to sensitive U.S. data. Prohibited and restricted transactions include data brokerage, vendor agreements, employment agreements and investment agreements that meet certain criteria.
- Identifies six "countries of concern": China, Cuba, Iran, North Korea, Russia, and Venezuela. DOJ may amend the Rule to add or remove countries.
- Defines "covered persons," which includes (but is not limited to): entities owned or controlled by, or that are likely to become owned or controlled by, countries of concern; individuals primarily resident in the territorial jurisdiction of countries of concern; and entities or individuals that act, or are likely to act, for or on behalf of countries of concern. DOJ may designate specific persons as "covered persons," although an entity or individual need not be so designated to be a covered person.
- Sets bulk thresholds for covered "sensitive personal data," which the Rule defines to include covered personal identifiers (e.g., names linked to device identifiers, social security numbers, driver's license numbers, or other government identification numbers), precise geolocation data, biometric identifiers, human 'omic data (i.e., human genomic, epigenomic, proteomic and transcriptomic data), personal health data, personal financial data, and any combination of such data.
- Requires U.S. persons to comply with cybersecurity requirements set forth by the Cybersecurity and Infrastructure Security Agency (CISA) when entering into restricted transactions. Those cybersecurity requirements also are scheduled to be published in the Federal Register on January 8, 2025—the same day as the Rule.
- Enumerates various exceptions to prohibited and restricted transactions, including (but not limited to) personal communications, travel, and transactions "ordinarily incident to and part of the provision of" financial services or telecommunications services.
- Establishes compliance and enforcement mechanisms to ensure adherence to these new regulations. U.S. persons engaged in prohibited or restricted transactions must implement a due diligence program, conduct yearly audits of such transactions, and comply with various recordkeeping and reporting requirements. U.S. persons who violate the Rule may be subject to civil and criminal penalties under the International Emergency Economic Powers Act (IEEPA).
Notably, the Rule does not include any general "localization" requirements; i.e., the Rule does not require that sensitive data be stored or processed on computing infrastructure in the United States. EO 14117 expressly stated that it did not authorize such localization requirements.
We expect that implementation and enforcement of the Rule will be a priority under the incoming Trump Administration, in part because EO 14117 expressly builds on President Trump's Executive Order 13873, "Securing the Information and Communications Technology and Services Supply Chain," issued in May 2019. That executive order declared a national emergency related to foreign threats to U.S. information and communications technology and services and prohibited U.S. persons from engaging in certain transactions involving foreign design, development, manufacture or supply of such technology and services.