Justice Department rule aims to curb the sale of Americans’ personal data overseas

The proposed regulation imposes a series of restrictions on how American entities can sell “bulk” sensitive data across six categories.

The Justice Department has formally proposed new regulations that would prevent or restrict the selling and transferring of Americans’ sensitive personal data to adversarial countries.

The proposed rule, first previewed in March, stems from an executive order issued by the Biden administration in February and imposes a series of restrictions on how American entities can sell “bulk” sensitive data across six categories: personal data like driver’s license and Social Security numbers, precise geolocation data, biometric identifiers, human genomic data such as DNA, health information and financial information.

It would also impose a blanket prohibition on selling such bulk data to six nations — China, Russia, Iran, North Korea, Cuba and Venezuela — designated as “countries of concern,” meaning their acquisition of Americans’ personal data represents a potential national security risk.

The revised version, released Monday, adds new exemptions for telecommunications services, clinical trial data needed to obtain regulatory approval to research or market pharmaceuticals or medical devices in a country of concern, and clinical trial data needed for Food and Drug Administration applications related to pharmaceuticals and medical devices.

The revised rules also require companies to report third-party involvement in a sale, explain how the rules align with other federal bodies, like the Committee on Foreign Investment in the United States, and provide unclassified examples of non-compliant transactions or behaviors.

“Under the proposed rule, U.S. persons transacting in these kinds of data will need to establish a compliance program based on the individual risk profile of their activities,” a senior DOJ official said. “They will need to understand the kinds and volumes of data they transact, who they are doing business with and how that data is being used, and the safeguards they use to control access to that data.”

Americans frequently share vast amounts of personal information through social media, online shopping, medical visits or government benefits. Companies collect and sell this data to larger data brokers, who compile granular profiles of consumers that can be sold to the highest bidder.

The regulation would prevent U.S. individuals or companies from directly selling personal data to foreign entities that are at least 50% owned by or located in a country of concern, foreign employees of contractors, foreign individuals who reside in countries of concern, or individuals specifically listed by the DOJ as a covered person.

Data brokerage, as well as transferring bulk human genomic data or biospecimens to any listed countries, would be barred under the rule. Vendor, employment and non-passive investment agreements, meanwhile, would need to pass requirements being developed by the Cybersecurity and Infrastructure Security Agency around encryption, data minimization, physical and logical access controls and privacy.

A senior Department of Homeland Security official said the security requirements will be based on the National Institute of Standards and Technology’s cybersecurity and privacy frameworks, and attempt to strike a balance between national security and free-market economic principles.

“We’re seeking to achieve these goals as much as possible without disrupting free flow of data across borders, including by providing flexibility for various types of restricted transactions while, at the same time, not undermining the policy goals of the security requirements,” the official said.

Each category of data covered under the rule is subject to different thresholds depending on the sensitivity of the data. For example, a company would be prohibited from selling geolocation data on more than 1,000 U.S. devices to a company headquartered in China, or hiring a laboratory in China to analyze the DNA samples of more than 100 U.S. persons.

Meanwhile, a company that holds financial or health data for more than 10,000 U.S. individuals must follow CISA’s security requirements if it grants a Russian investor an equity stake, hires a China-based company for data storage or processing, or employs workers who primarily reside in China.

The DOJ, along with the Departments of State, Commerce and Homeland Security, would have the authority to issue licenses to bypass the proposed rules, but the government anticipates doing so “only in rare circumstances.”

The United States has lagged Europe and other parts of the world when it comes to updating privacy laws for the digital age and reining in data brokers who buy, bundle and sell massive amounts of Americans’ personal data to advertisers, marketers and foreign nations.

On a call with reporters, senior DOJ officials said the department received 67 comments on the advance proposed rule and heard feedback from over 100 companies, industry groups and other stakeholders.

Brandon Pugh, director of cybersecurity and emerging threats at the R Street Institute, a right-leaning think tank, told CyberScoop that the new proposed regulations represent a “partial solution” to the problem of foreign countries gathering Americans’ personal data, but noted that current laws and regulations around data privacy in the United States still offer numerous pathways to accomplish the same goal.

“There are definitely ways that adversaries … are going to access this data, and this is not going to address them all,” Pugh said. “They can steal it, they can rely on data in breaches — or cause the breaches themselves.”

This year, a bipartisan group in Congress worked to agree on a comprehensive privacy bill that would limit the data that businesses can collect on their customers, shining a light on the largely unregulated data broker industry.

However, after initial optimism about the bill’s prospects, momentum stalled as the coalition fell victim to infighting and disagreement. It is not expected to move further this year with presidential and congressional elections just weeks away.

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.