Today, the Justice Department issued a comprehensive final rule carrying out Executive Order (E.O.) 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The E.O. charged the Justice Department with establishing and implementing a new regulatory program to address the urgent and extraordinary national security threat posed by the continuing efforts of countries of concern (and covered persons that they can leverage) to access and exploit Americans’ bulk sensitive personal data and certain U.S. Government-related data. The Final Rule will take effect 90 days from the date of the Final Rule’s publication, with certain affirmative due diligence, reporting, and auditing requirements taking effect 270 days after publication.
“This final rule is a crucial step forward in addressing the extraordinary national security threat posed of our adversaries exploiting Americans’ most sensitive personal data,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “This powerful new national-security program is designed to ensure that Americans’ personal data is no longer permitted to be sold to hostile foreign powers, whether through outright purchase or other means of commercial access.”
The Final Rule implements the E.O. by promulgating generally applicable rules for certain categories of data transactions that pose an unacceptable risk to the national security of the United States. As described in the E.O., countries of concern and covered persons can use their access to this data to engage in malicious cyber-enabled activities and malign foreign influence activities, bolster their military capabilities, and track and build profiles on U.S. persons (including members of the military and U.S. Intelligence Community, as well as other Federal employees and contractors) for illicit purposes such as blackmail, coercion, and espionage, and to bolster their military capabilities. Countries of concern and covered persons can also exploit this data to collect information on activists, academics, journalists, dissidents, political opponents, or members of nongovernmental organizations or marginalized communities to intimidate them; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties.
The Final Rule reflects the risk highlighted in the E.O. that the vulnerability of Americans’ bulk sensitive data is exacerbated because countries of concern are increasingly using bulk sensitive personal data to develop and enhance artificial intelligence (AI) capabilities and algorithms that, in turn, enable the use of large datasets in increasingly sophisticated and effective ways to the detriment of U.S. national security. Countries of concern can use AI in conjunction with multiple unrelated data sets, for example, to identify U.S. persons whose links to the federal government would be otherwise obscured in a single dataset and who can then be targeted for espionage or blackmail.
Among other things, the Final Rule identifies countries of concern and covered persons to whom the Final Rule applies, and designates classes of prohibited, restricted, and exempt transactions. The Final Rule establishes bulk thresholds for certain sensitive personal data, including human ‘omic data, biometric identifiers, precise geolocation data, personal health data, personal financial data, and certain covered personal identifiers. The Final Rule also prescribes processes to obtain licenses authorizing otherwise prohibited or restricted transactions; protocols for the designation of covered persons; and provides advisory opinions, and recordkeeping, reporting, and other due diligence obligations for covered transactions.
The Final Rule is consistent with the United States’ commitment to promoting an open, global, interoperable, reliable, and secure internet; protecting human rights online and offline; supporting a vibrant, global economy by promoting cross-border data flows that are required to enable international commerce and trade; and facilitating open investment. Notably, the Final Rule does not impose generalized data localization requirements regarding the physical or electronic storage of Americans’ bulk sensitive personal data or U.S. Government-related data, nor does it require locating computing facilities within the United States to process such data. The Final Rule does not prohibit U.S. persons from conducting medical, scientific, or other research in countries of concern, or from partnering or collaborating with covered persons to share data to conduct researching, if that activity does not involve the exchange of payment or other consideration as part of a covered data transaction. The Final Rule also does not broadly prohibit U.S. persons from engaging in commercial transactions, including exchanging financial and other data as part of the sale of commercial goods and services with countries of concern or covered persons, or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries.
The Final Rule further exempts several classes of data transactions from the scope of its prohibitions and restrictions, including personal communications and certain financial services transactions, corporate group transactions, transactions authorized by Federal law and international agreements, investment agreements subject to a Committee on Foreign Investment in the United States (CFIUS) action, telecommunication services, biological product and medical device authorizations, clinical investigations, and others.
The Final Rule’s prohibitions and restrictions are consistent with other access restrictions on sensitive personal data that have been imposed in other contexts, including transactions reviewed by the CFIUS and the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector (Team Telecom).
Lastly, under the Final Rule, parties engaging in vendor agreements, employment agreements, and investment agreements involving access by countries of concern or covered persons to bulk U.S. sensitive personal data or U.S. Government-related data would be restricted transactions that must comply with the separate security requirements that have been developed by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in coordination with the Justice Department. These security requirements include organizational and system-level requirements (such as ensuring that basic organizational cybersecurity policies, practices, and controls are in place), and data-level requirements (such as data minimization and masking, encryption, and privacy-enhancing techniques). These critical requirements will be published separately by CISA through the Federal Register and on CISA’s website .
In connection with the Final Rule, the Justice Department will publish compliance, enforcement, and other guidance, which will be located at www.justice.gov/nsd/data-security . The Department will also continue to engage with industry and other stakeholders to determine whether any wind-down licenses are appropriate as this program goes into effect. The Department also anticipates publishing information regarding the application process to seek an advisory opinion or a license for an otherwise prohibited or restricted transaction, as described generally in the Final Rule at Subpart H.