US DOJ issues final rule on foreign access to Americans’ PII

After months of reviewing the comments it received to its March 5 Advance Notice of Proposed Rulemaking (ANPRM), the US Department of Justice (DOJ) on Monday unveiled its final proposed rules to implement President Joe Biden’s February 28 Executive Order (EO), Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.

The EO addressed the national security threat that’s posed by the continued efforts of Russia, Iran, China, and other countries of concern to access and exploit certain kinds of Americans’ sensitive personal data.

US-based data brokers are the primary targets of the Justice Department’s proposed rule, which would bar all third-party data brokers and businesses selling data they collect from data transactions that are tied to the countries identified by DOJ’s proposed rule.

As Biometric Update has reported, US-based data brokers’ sales of Americans’ personally identifiable information to these – and other – countries pose a serious threat to both national security and intelligence collection activities.

The comment period on the rule ended April 19. Only 68 comments were submitted, far fewer than observers expected given the controversial nature of the proposed regulations.

Only days after DOJ published its advance notice of proposed rulemaking in March, Biden signed into law H.R. 815, a national security and foreign aid spending bill that incorporated the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA), which took effect in June and is to be enforced by the Federal Trade Commission (FTC).

H.R. 815 also incorporated the legislation that forces TikTok’s China-based parent company, ByteDance, to divest from China within one year or face a ban from app stores in the US.

H.R. 815 makes it “unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual to any foreign adversary country or any entity that is controlled by a foreign adversary.”

Exactly how, though, H.R. 815 will impact DOJ’s final rulemaking to carry out Biden’s EO remains murky, as Biometric Update reported in August.

DOJ’s final comprehensive proposed rule would implement the EO “by establishing categorical rules for certain data transactions that pose an unacceptable risk of giving countries of concern or covered persons access to government-related data or bulk US sensitive personal data,” DOJ said Monday.

“Among other things,” the Justice Department said, “the proposed rule identifies classes of prohibited and restricted transactions, identifies countries of concern and classes of covered persons to whom the proposed rule applies, identifies classes of exempt transactions, explains [DOJ’s] methodology for establishing bulk thresholds, provides [DOJ’s] initial assessment of economic and other regulatory impacts, establishes processes to issue licenses authorizing certain prohibited or restricted transactions, issue advisory opinions, and designate covered persons, and addresses recordkeeping, reporting, and other due-diligence obligations for covered transactions.”

The proposed rule published Monday has a 30-day comment period. DOJ said the rule “is tailored to address the specific national security risks stemming from access by countries of concern and covered persons to Americans’ bulk sensitive personal data and certain sensitive US government-related data. These measures complement the United States’ commitment to promoting an open, global, interoperable, reliable, and secure internet; protecting human rights online and offline; supporting a vibrant, global economy by promoting cross-border data flows that are required to enable international commerce and trade; and facilitating open investment.”

DOJ said “the proposed rule’s prohibitions and restrictions are consistent with other access restrictions on sensitive personal data that have been imposed in other contexts, including for transactions reviewed by the Committee on Foreign Investment in the United States (CFIUS) and the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector (Team Telecom).”

In addition, DOJ explained that “the proposed rule exempts several classes of data transactions from the scope of its prohibitions and restrictions, including certain personal communications, financial services, corporate group transactions, transactions authorized by federal law and international agreements, investment agreements subject to a CFIUS action, telecommunication services, biological product and medical device authorizations, clinical investigations, and others.”

Both Biden’s EO and DOJ’s proposed rule “fill an important gap in the government’s authorities to address the threat posed by countries of concern accessing government-related data or Americans’ bulk US sensitive personal data,” the proposed rule says.

As the ANPRM explained, “countries of concern can use their access to government-related data or Americans’ bulk US sensitive personal data to engage in malicious cyber-enabled activities and malign foreign influence activities and to track and build profiles on US individuals, including members of the military and other Federal employees and contractors, for illicit purposes such as blackmail and espionage.”

Countries of concern also “can exploit their access to government-related data or Americans’ bulk US sensitive personal data to collect information on activists, academics, journalists, dissidents, political figures, or members of nongovernmental organizations or marginalized communities to intimidate them; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties.”

DOJ noted in its proposed rule published Monday that the 2024 National Counterintelligence Strategy pointed out that “our adversaries are interested in personally identifiable information about US citizens and others, such as biometric and genomic data, health care data, geolocation information, vehicle telemetry information, mobile device information, financial transaction data, and data on individuals’ political affiliations and leanings, hobbies, and interests.”

These and other kinds of sensitive personal data “can be especially valuable, providing adversaries not only economic and [research and development] benefits, but also useful [counterintelligence] information, as hostile intelligence services can use vulnerabilities gleaned from such data to target and blackmail individuals.”

The Justice Department noted that “a recent study by the MITRE Corporation had summarized open-source reporting” that highlighted “the threat of blackmail, coercion, identification of high-risk government personnel and sensitive locations, and improved targeting of offensive cyber operations and network exploitation posed by hostile actors’ access to Americans’ data derived from advertising technology.”

DOJ added that “the development of artificial intelligence, high-performance computing, big-data analytics, and other advanced technological capabilities by countries of concern amplifies the threat posed by these countries’ access to government-related data or Americans’ bulk US sensitive personal data. For instance, the US National Intelligence Council assessed in 2020 that ‘access to personal data of other countries’ citizens, along with [artificial intelligence]-driven analytics, will enable [the People’s Republic of China] to automate the identification of individuals and groups beyond China’s borders to target with propaganda or censorship.’”

The rule would require vendor agreements, employment agreements, and investment agreements that qualify as restricted transactions to comply with the separately proposed security requirements that have been developed by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in coordination with the Justice Department.

These proposed security requirements require US persons engaging in a restricted transaction to comply with organizational and system-level requirements, such as ensuring that basic organizational cybersecurity policies, practices, and controls are in place, and with data-level requirements, such as data minimization and masking, encryption, and privacy-enhancing techniques.

CISA is concurrently making these proposed security requirements available for public comment at www.regulations.gov.
