Bulk data collection on American citizens? US gov wants your opinion


The US Justice Department on Monday announced it is seeking public input on a proposed rule designed to rein in foreign adversaries who are freely collecting Americans' private data by the boatload.

The proposal – “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” – was first introduced by an Executive Order signed by President Joe Biden back in February.

The DoJ has officially introduced a Notice of Proposed Rulemaking (NPRM) with the goal of finally implementing the rule, but only after a set period of 30 days allowing the public to voice its opinion on the proposal.

The administration warns that “countries of concern,” such as China and Russia, can use their access to the bulk personal data of Americans “to engage in malicious cyber-enabled activities and malign foreign influence.”

Other nations identified by the DoJ include Iran, Venezuela, Cuba, and North Korea.

Federal officials say the sensitive information could be used to target certain individuals, such as US military members, federal employees, and US contractors.

Gathering personally identifiable information (PII) on such individuals to track locations or build profiles could lead to blackmail or espionage, the DoJ said, adding that foreign adversaries could also use the bulk data to “collect information on activists, academics, journalists, dissidents, political figures, and marginalized communities.”

Furthermore, the 'collected data profiles' could be used to intimidate or threaten those persons to curb political opposition or tamp down on civil liberties and other freedoms of expression.

The DoJ’s National Security Division said it is working concurrently with the US Cybersecurity and Infrastructure Security Agency (CISA), which has further developed a slew of cybersecurity requirements covering not only the restricted data itself, but also the transactions under which that data would be processed.

“These proposed security requirements comply with organizational and system-level requirements, including implementing basic organizational cybersecurity policies, practices, and controls, and data-level requirements, such as data minimization and masking, encryption, and privacy-enhancing techniques,” the CISA document states.

Under Executive Order (E.O.) 14117, the DoJ's rule would:

  • Establish categorical rules for certain data transactions
  • Identify classes of prohibited and restricted transactions
  • Identify countries of concern
  • Identify classes of covered persons
  • Identify classes of exempt transactions

For example, certain types of data covered under the transfer ban to 'nations of concern' would include human genomic data on over 100 Americans, personal health or financial data on over 10,000 people, and precise geolocation data on over 1,000 U.S. devices, according to Reuters.

Other processes to be established include a detailed explanation of the DoJ’s methodology for establishing bulk thresholds, assessing the potential economic impacts of the rule, and addressing compliance, reporting, and other due-diligence obligations for covered transactions, the DoJ announcement stated.

Third-party vendor, employment, and investment agreements would all be covered under the proposed rule, and non-compliant entities would be subject to both civil and criminal penalties.

The DoJ said it has also reached out to industry stakeholders, such as trade association groups, subject-matter experts, and private cybersecurity organizations, to weigh in on the details and on previous public comments from this spring.

The public can submit written comments online for 30 days, once the proposed rule is published in the Federal Register, the DoJ said.
