US DOJ may soon issue rule on foreign access to Americans’ PII
The U.S. Department of Justice (DOJ) may be getting close to issuing its final rule to implement President Joe Biden’s February 28 Executive Order (EO) 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, Biometric Update has learned.
For four months, DOJ has been reviewing the comments it received on its March 5 Advance Notice of Proposed Rulemaking (ANPRM), in which it outlined its proposed rule. The comment period on the rule ended April 19. Only 68 comments were submitted, far fewer than observers expected, given the controversial nature of the proposed regulations.
Complicating matters, though, days later and with little fanfare, Biden signed into law H.R. 815, a national security and foreign aid spending bill that incorporated the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA), which took effect in June and is to be enforced by the Federal Trade Commission (FTC). H.R. 815 also incorporated the legislation that forces TikTok’s China-based parent company, ByteDance, to divest from China within one year or face a ban from app stores in the U.S.
DOJ’s National Security Division published its ANPRM in the Federal Register “to provide transparency and clarity about the intended scope of the program, and to solicit comments on its development and implementation.”
In issuing its proposed rule for comment, Deputy Attorney General Lisa Monaco said DOJ is making “clear that American citizens’ sensitive and personal data is not for sale to our adversaries. The Justice Department has long focused on preventing threat actors from stealing data through the proverbial back door. This executive order shuts the front door by denying countries of concern access to Americans’ most sensitive personal data.”
“Hostile foreign powers are weaponizing bulk data and the power of artificial intelligence to target Americans,” added Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division. “Today’s announcement fills a key gap in our national security authorities, affording the Justice Department a new and powerful enforcement tool to protect Americans and their most sensitive information from being exploited by our adversaries.”
H.R. 815, meanwhile, makes it “unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual to any foreign adversary country or any entity that is controlled by a foreign adversary.”
Exactly how, though, H.R. 815 will impact DOJ’s final rulemaking to carry out EO 14117 remains murky.
According to attorneys with the Washington, DC-based Akin Gump Strauss Hauer & Feld, “at this stage, it is unclear how the FTC will coordinate with the DOJ, which will be enforcing the bulk sensitive personal data rules under EO 14117 that overlap, at least in part, with the PADFA restrictions.”
“PADFA passed very quickly after introduction and is distinct from the Biden Administration’s February 28, 2024, Executive Order,” the attorneys wrote, adding that, “while both PADFA and the DOJ’s proposed program under EO 14117 create additional protections for – and restrictions on – transfers of sensitive data, in order to accomplish national security aims, more types of data are covered under the PADFA while more types of transactions are covered under the ANPRM.”
Attorneys at New York-based Simpson Thacher wrote that, “collectively, PADFA, the Executive Order, and the ANPRM signal the U.S. government’s clear intent to restrict and regulate sensitive individual data out of national security concerns. If and when fully enacted, these new regulations will impose significant restrictions and compliance obligations on any companies in the possession of U.S. personal data.”
Mark Francis, a partner at Tampa, Florida-based Holland & Knight, said shortly after the bill was enacted that its broad definitions of data broker and sensitive data will likely result in compliance burdens for a wide range of organizations beyond traditional data brokers. “This Act doubles down on restrictions intended to prevent the dissemination of sensitive personal information about U.S. residents to foreign adversaries, with broad bipartisan support,” he said.
Regardless of the overlap with PADFA, the U.S. Attorney General – the top official at DOJ – is still required by Biden’s EO “to issue regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest where the transaction involves U.S. government-related data or bulk U.S. sensitive personal data,” and “falls within a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to the national security of the United States because it may enable access by countries of concern or covered persons to Americans’ bulk sensitive personal data or U.S. government-related data.”
The EO said “access to Americans’ bulk sensitive personal data or United States Government-related data increases the ability of countries of concern to engage in a wide range of malicious activities.” It says these “countries of concern can rely on advanced technologies, including artificial intelligence, to analyze and manipulate bulk sensitive personal data to engage in espionage, influence, kinetic, or cyber operations or to identify other potential strategic advantages over the United States.”
Countries of concern “can also use access to bulk data sets to fuel the creation and refinement of AI and other advanced technologies, thereby improving their ability to exploit the underlying data and exacerbating the national security and foreign policy threats.”
Additionally, the EO said, “access to some categories of sensitive personal data linked to populations and locations associated with the federal government – including the military – regardless of volume, can be used to reveal insights about those populations and locations that threaten national security. The growing exploitation of Americans’ sensitive personal data threatens the development of an international technology ecosystem that protects our security, privacy, and human rights.”
DOJ’s response to Biden’s EO is “a starting point for its rules, rather than beginning from an empirical assessment of the problem,” said Mark Febrizio, a senior policy analyst at the George Washington University Regulatory Studies Center. “Nevertheless, the ANPRM establishes that a degree of risk exists and provides several anecdotes indicating that transactions involving sensitive data on U.S. persons could create significant national security risks when falling into the wrong hands.”
“Given the uncertainty DOJ is dealing with in these regulations,” Febrizio said, “it should proactively prepare for retrospective review of these rules to ensure that it can adjust and refine the regulations at a later date to be more effective. Currently difficult to estimate effects will be easier to evaluate once DOJ has incoming information on the number and types of covered data transactions that occur each year, as well as which countries of concern seem to pose the greatest threat in this area.”
In its March ANPRM, DOJ said the “unrestricted transfers of bulk sensitive personal data and government-related data to countries of concern, through commercial transactions or otherwise, present a range of threats to U.S. national security and foreign policy. Countries of concern can use their access to Americans’ bulk sensitive personal data to engage in malicious cyber-enabled activities and malign foreign influence, and to track and build profiles on U.S. individuals, including members of the military and federal employees and contractors, for illicit purposes such as blackmail and espionage.”
DOJ said countries of concern “can also use access to U.S. persons’ bulk sensitive personal data to collect information on activists, academics, journalists, dissidents, political figures, or members of non-governmental organizations or marginalized communities in order to intimidate such persons; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties.”
The Office of the Director of National Intelligence (ODNI) had earlier made clear that the U.S.’s “adversaries increasingly view data as a strategic resource.” The ODNI said countries of concern are “increasing their ability to analyze and manipulate large quantities of personal information in ways that will allow them to more effectively target and influence, or coerce, individuals and groups in the United States and allied countries.”