A new executive order (E.O.), signed by US President Joe Biden Wednesday, aims to prevent Americans’ private data from getting into the hands of countries considered a threat to national security.
The new rules will proactively restrict the bulk personal data of Americans (as well as some US government-related data) from being sold to nation-state adversaries who are known to weaponize the data for “intelligence collection and economic espionage.”
The six “countries of concern” identified by the US Justice Department (DoJ) – which is tasked with implementing the new regulations – are China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
Our adversaries are exploiting Americans’ sensitive personal data to threaten our national security,” said Attorney General Merrick B. Garland. “They are purchasing this data to use to blackmail and surveil individuals, target those they view as dissidents here in the United States, and engage in other malicious activities.
“This Executive Order gives the Justice Department the authority to block countries that pose a threat to our national security from harvesting Americans’ most sensitive personal data – including human genomic data, biometric and personal identifiers, and personal health and financial data,” Garland said.
An “Advance Notice of Proposed Rulemaking” (ANPRM) describing the initial categories of prohibited transactions will be issued by the DoJ’s National Security Division for public feedback.
Under the ANPRM, data brokers would be barred from selling or transferring any sensitive personal data, as defined in the program, to the six nations in question.
"Personal identifiers, precise geolocation and related sensor data, biometric identifiers, human genomic data, including DNA, personal health data, personal financial data, or any combination thereof” are included in that definition.
Any personal data that is a matter of public record, such as court documents and government records, will not be covered under the new rules.
In addition, brokers would be restricted from peddling any data containing vendor, employment, and investment agreements to those countries deemed a security risk.
“Today, we make clear that American citizens' sensitive and personal data is not for sale to our adversaries,” said Deputy Attorney General Lisa Monaco.
The new rules will apply to “four categories of covered persons,” according to the DoJ.
- Any entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern
- A foreign person who is an employee or contractor of such an entity
- A foreign person who is an employee or contractor of a country of concern
- A foreign person who is primarily resident in the territorial jurisdiction of a country of concern.
"Buying data through data brokers is currently legal in the US, reflecting a gap in our national security toolkit," US officials said Wednesday. The order is seen as a way to fill that gap.
Penalties for violators are still be considered, but are expected to include “civil and criminal remedies” available under the International Emergency Economic Powers Act (IEEPA).
Under current law, IEEPA sanctions include civil penalties of up to $10,000, and criminal penalties of up to $250,000 and 10 years' imprisonment.
Your email address will not be published. Required fields are markedmarked