The Department of Justice (DoJ) formally proposed a rule on Monday that would protect Americans’ sensitive data from being sold or transferred to adversarial countries.
The proposed rule marks a key step in implementing President Biden’s February executive order (EO), “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The Justice Department issued the draft rule in March.
The EO came amid Congress’ failure in recent years to pass comprehensive privacy legislation and gave marching orders to several Federal agencies – the DoJ chief among them – to prevent the large-scale transfer of Americans’ personal data to specific countries.
According to the rule, the DoJ has identified China, Russia, Iran, North Korea, Cuba, and Venezuela as the six countries of concern under this new program. This means that their access to government-related data or bulk U.S. sensitive data poses a “national security risk.”
“This comprehensive proposed rule would implement the EO by establishing categorical rules for certain data transactions that pose an unacceptable risk of giving countries of concern or covered persons access to government-related data or bulk U.S. sensitive personal data,” the Justice Department said in a statement.
“Among other things, the proposed rule identifies classes of prohibited and restricted transactions, identifies countries of concern and classes of covered persons to whom the proposed rule applies, identifies classes of exempt transactions, explains the department’s methodology for establishing bulk thresholds, provides the department’s initial assessment of economic and other regulatory impacts, establishes processes to issue licenses authorizing certain prohibited or restricted transactions, issue advisory opinions, and designate covered persons, and addresses recordkeeping, reporting, and other due-diligence obligations for covered transactions,” the DoJ explained.
Notably, while the White House and lawmakers have taken action to ban TikTok – owned by the China-based tech giant ByteDance – on government-issued devices due to data privacy concerns, the rule does not seek to ban apps or social-media platforms from foreign adversaries.
According to the rule, the program “will not be about any single app or technology” and “will address only the most serious data-security risks.”
The DoJ’s National Security Division is requesting public comment on the proposed rule within 30 days of its Oct. 21 publication. It invites industry, trade association groups, civil society, subject-matter experts, organizations potentially affected by the proposed rule, and others to submit comments.
