Introduction
The Justice Department has introduced a final rule to enforce Executive Order 14117 [2], which aims to safeguard Americans’ sensitive personal data from foreign access by countries of concern, notably China and Russia. This initiative addresses national security threats posed by these nations [1] [2], which may misuse sensitive data for harmful activities, including cyber operations [1], military advancements [1], and illicit tracking of US individuals. The rule highlights the dangers associated with using Americans’ data in developing artificial intelligence capabilities that could jeopardize US national security [1].
Description
The final rule establishes regulations for data transactions deemed risky to national security [2], identifying specific countries and individuals affected [2], and categorizing transactions as prohibited [2], restricted [1] [2] [3], or exempt [1] [2]. It sets thresholds for sensitive data types [2], including biometric identifiers [1] [2], precise geolocation data [1], and personal health data [2], while outlining processes for obtaining licenses for restricted transactions and due diligence obligations for covered transactions [1]. US persons are mandated to report known or suspected violations of contractual restrictions and are prohibited from knowingly facilitating prohibited transactions by non-US persons [3].
US companies are encouraged to implement risk-based compliance programs to monitor and manage data flows in accordance with the rule [3]. Essential components of these programs include securing senior management support [3], conducting risk assessments [3], establishing internal controls [3], and developing policies and procedures for data transactions [3]. Affirmative compliance requirements for engaging in restricted transactions include creating and executing data compliance programs with risk-based verification procedures [3], conducting annual audits to enhance compliance with security standards [3], preparing annual reports detailing any attempted prohibited transactions [3], and maintaining records of all restricted transactions for a minimum of ten years [3].
The rule aligns with the US commitment to a secure internet and does not impose broad data localization requirements or prohibit research activities in these countries [1], provided they do not involve payment for covered data transactions [1]. Certain transactions [1] [2] [3], such as personal communications and specific financial services [1] [2], are exempt from restrictions [1] [2]. Additionally, the rule mandates compliance for vendor [2], employment [2] [3], and investment agreements involving access to sensitive data by foreign entities [2], requiring adherence to security protocols established by the Cybersecurity and Infrastructure Security Agency (CISA) [2]. These requirements encompass organizational [1], system-level [1], and data-level measures [1], including data minimization and encryption [1].
Guidance on compliance and enforcement will be provided [2], and the Justice Department will engage with industry stakeholders to assess the need for wind-down licenses as the program is implemented [1] [2]. This proposed rule is part of a broader strategy to mitigate national security risks associated with technological advancements that could support military and intelligence objectives of adversarial nations [3], including regulations targeting US outbound investments in Chinese companies involved in advanced technologies and requirements for reporting on foreign use of US cloud computing services for training large AI models.
Conclusion
The implementation of this rule is a significant step in fortifying national security by regulating data transactions that could be exploited by foreign adversaries. By establishing clear guidelines and compliance requirements, the rule aims to protect sensitive personal data and prevent its misuse in ways that could threaten US interests. The collaboration between the Justice Department and industry stakeholders will be crucial in ensuring effective enforcement and adaptation to evolving technological landscapes.
References
[1] https://3bmedianews.com/d-o-j-issues-final-rule-on-foreign-threats-to-americans-personal-data/
[2] https://www.justice.gov/opa/pr/justice-department-issues-final-rule-addressing-threat-posed-foreign-adversaries-access
[3] https://www.jdsupra.com/legalnews/fortifying-us-data-proposed-rule-would-9610572/
