The US Department of Justice (DoJ) has recently issued a final rule to enforce Executive Order (EO) 14117 aimed at protecting Americans’ sensitive personal data from foreign adversaries such as China, Russia, North Korea, Iran, Cuba, and Venezuela. This rule underscores the critical need to safeguard both personal and government-related data from being exploited by these nations. The new regulations set specific thresholds for various categories of data, including biometric identifiers, human genomic data, geolocation, health information, financial data, and personal identifiers. The primary goal is to prevent foreign entities or “covered persons” from using this data to carry out cyberattacks, influence operations, or to track and profile US citizens, including military personnel, members of the intelligence community, federal employees, and contractors.
Protecting Sensitive Data from Exploitation
Foreign adversaries could potentially use Americans’ sensitive personal data for nefarious activities such as blackmail, espionage, and coercion. The implications could be far-reaching, undermining civil liberties by enabling these adversaries to track activists, academics, journalists, and political dissidents. This new rule outlines the necessary processes to obtain licenses for specific data transactions and sets rigorous protocols for designating covered persons. Moreover, it grants the DoJ the authority to amend the list of countries of concern based on their cyber activities or threats they might pose.
The new rule aligns with the US commitment to an open and secure internet while maintaining a balance with global trade and cooperation. Unlike other data protection measures, this rule does not mandate data localization or require data processing to be relocated to the US. It also does not prohibit research collaborations with covered persons when no payment is involved in such data transactions. Furthermore, it doesn’t restrict commercial transactions involving financial and other types of data used in selling goods and services internationally. This approach ensures that there’s no disruption to broader economic, scientific, and trade relationships, which are vital to the nation’s economy and international standing.
Implementation and Broader Impact
The new rule from the DoJ will take effect 90 days after publication, with due diligence, auditing, and reporting requirements starting 270 days post-publication. Organizations handling sensitive data must comply with these new regulations, including by implementing necessary safeguards and enhancing their compliance programs. Additionally, the US Department of Health and Human Services will propose new HIPAA regulations aimed at strengthening patient data protection through stringent encryption standards and regular compliance checks.
In summary, the DoJ’s new rule marks a significant step in safeguarding US citizens’ personal data from foreign threats while balancing national security with economic and scientific collaboration. It aims to bolster data protection standards across various sectors without straining relationships with international partners. By focusing on these strategic measures, the US seeks to strengthen its defenses against potential data exploitation by hostile foreign entities while promoting a secure and open internet. These measures, along with proactive cooperation between industry and government, will not only protect personal and governmental data but also set a standard for future data protection in the face of evolving global cyber threats.