Justice Department Implements New Rule to Prevent Foreign Powers from Accessing Americans’ Sensitive Data Nationwide

The Justice Department has rolled out a new rule to safeguard Americans’ sensitive data from foreign adversaries. This move follows Executive Order (E.O.) 14117, titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.”

The rule addresses the growing threat to national security posed by hostile foreign powers seeking to exploit Americans’ personal data.

Tackling National Security Threats

According to Matthew G. Olsen, Assistant Attorney General for the National Security Division, this rule is a key step in protecting Americans’ data from exploitation by adversaries.

The program aims to stop foreign powers from purchasing or accessing bulk data that could be used against U.S. citizens, including through cyber-attacks, espionage, or coercion.

The final rule implements this executive order by setting clear rules for transactions involving certain types of data that pose a significant security risk.

Countries of concern are using access to this data for malicious activities such as cyberattacks, military strengthening, and creating profiles on U.S. citizens for illegal purposes like blackmail or espionage.

Data at Risk

One of the major concerns driving this rule is the increasing use of artificial intelligence (AI) to analyze bulk data. Countries of concern are using AI to link seemingly unrelated datasets, allowing them to target individuals in sensitive sectors like the military or intelligence community.

This makes the data even more valuable and dangerous, as AI technology can identify potential espionage targets more effectively.

The rule specifically addresses various categories of sensitive data, including health information, financial data, biometric identifiers, and precise location data.

By placing limits on transactions involving these data types, the Justice Department is working to prevent harmful access by foreign powers.

How the Rule Works

The final rule outlines which countries and individuals are subject to its restrictions.

It establishes clear guidelines for what types of transactions involving sensitive data are prohibited, restricted, or exempted. Additionally, the rule sets thresholds for the types of data that pose the most risk, including genetic, biometric, and financial information.

It also provides processes for obtaining licenses for transactions that would otherwise be restricted, along with due diligence requirements like reporting, auditing, and recordkeeping.

This ensures that businesses and other organizations are held accountable for their data-sharing practices.

A Balance of Security and Global Commerce

While the new rule aims to protect national security, it also respects the need for international trade and communication.

It does not impose strict data localization requirements, meaning companies aren’t forced to store sensitive data within the U.S. Similarly, U.S. persons can still engage in scientific research or collaborate with foreign entities, as long as these activities don’t involve transactions that compromise sensitive data.

The rule also exempts several types of transactions from its restrictions, including personal communications, financial services, and certain corporate transactions.

These exceptions are designed to maintain a balance between national security and the global flow of commerce and ideas.

Compliance and Enforcement

As the final rule goes into effect, the Justice Department will provide further guidance on compliance, enforcement, and the process for obtaining licenses or advisory opinions.

The department will continue working with stakeholders to fine-tune the rule and ensure it addresses emerging threats effectively.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) will also play a key role in enforcing the new security requirements.

These include ensuring organizations implement strong cybersecurity policies and data protection measures, such as data encryption and privacy safeguards.

CISA’s detailed guidelines will be published separately, providing additional clarity on these critical security measures.