New Justice Department Rulemaking: Safeguarding Americans’ Sensitive Data from Foreign Threats
In a significant move to bolster national security, the U.S. Department of Justice (DOJ) has issued a Notice of Proposed Rulemaking (NPRM) aimed at implementing President Biden’s Executive Order 14117, titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This initiative, announced on February 28, 2023, seeks to address the growing threat posed by certain foreign nations that are actively attempting to access and exploit sensitive personal data belonging to American citizens.
The National Security Imperative
The Executive Order underscores the urgent need to protect Americans’ sensitive personal data from foreign adversaries. The DOJ has been tasked with establishing a regulatory framework that mitigates the risks associated with foreign access to bulk sensitive data. The NPRM, published on March 5, 2023, reflects extensive stakeholder outreach and incorporates feedback received during the Advance Notice of Proposed Rulemaking (ANPRM) phase.
The proposed rule aims to create categorical guidelines for data transactions that pose an unacceptable risk of allowing countries of concern access to sensitive information. This includes identifying prohibited and restricted transactions, defining the countries and entities to which the rule applies, and outlining exempt transactions.
Key Components of the Proposed Rule
The NPRM is comprehensive, detailing various aspects of the proposed regulatory program. Here are some of the critical components:
- Categorical Rules for Data Transactions: The proposed rule delineates specific classes of transactions that are either prohibited or restricted. This categorization is essential for preventing unauthorized access to sensitive data.
- Identification of Countries of Concern: The rule specifies which countries are considered to pose a national security threat, thereby guiding compliance and enforcement efforts.
- Exempt Transactions: Certain transactions, such as those involving telecommunications services, financial services, and intra-corporate transfers, are exempt from the proposed restrictions. This exemption aims to balance national security with the need for economic engagement.
- Licensing and Advisory Processes: The DOJ will establish processes for issuing licenses for certain prohibited or restricted transactions and providing advisory opinions to clarify compliance requirements.
- Recordkeeping and Reporting Obligations: Entities engaged in covered transactions will be required to maintain records and report on their compliance with the proposed regulations, ensuring transparency and accountability.
Public Engagement and Feedback
The DOJ is actively seeking public comment on the proposed rule, inviting input from industry stakeholders, civil society, subject-matter experts, and others who may be affected by the new regulations. The comment period lasts for 30 days following the NPRM’s publication in the Federal Register, and interested parties can submit their feedback through the designated online portal.
This engagement is crucial, as it allows the DOJ to refine the proposed rule based on real-world implications and expert insights, ensuring that the final regulations are both effective and practical.
Balancing Security and Economic Interests
While the proposed rule aims to safeguard sensitive data, it also recognizes the importance of maintaining robust economic relationships with other nations. The DOJ has made it clear that the rule does not impose generalized data localization requirements or broadly prohibit commercial transactions with countries of concern. Instead, it seeks to create a framework that protects national security without stifling international commerce.
The proposed exemptions for telecommunications and financial services reflect this balance, allowing for continued engagement while safeguarding sensitive information.
Addressing Malicious Activities
The NPRM highlights the potential misuse of sensitive data by countries of concern, which can engage in malicious cyber activities, espionage, and other forms of foreign influence. By restricting access to sensitive personal data, the proposed rule aims to thwart these threats and protect not only individual privacy but also national security.
The rule also emphasizes the need for compliance with cybersecurity standards, requiring U.S. entities involved in restricted transactions to adhere to security requirements developed by the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA). This includes implementing organizational cybersecurity policies and employing data protection techniques such as encryption and data minimization.
Conclusion
The Justice Department’s NPRM represents a proactive step in addressing the national security risks associated with foreign access to sensitive personal data. By establishing clear guidelines and engaging with the public, the DOJ aims to create a regulatory framework that protects Americans while fostering a secure and open global economy. As the comment period unfolds, stakeholders will have the opportunity to shape the final regulations, ensuring that they effectively address the complexities of data security in an increasingly interconnected world.