On Monday, October 21, the U.S. Department of Justice issued a “Notice of Proposed Rulemaking” (NPRM) aimed at imposing new restrictions on certain commercial transactions to prevent federal government data and large amounts of personal data of Americans from falling into the hands of China (CCP), Russia, Iran, and other countries.
The proposal is in response to the enforcement of Executive Order 14117 issued by President Biden on February 28, titled “Executive Order on Addressing the Threat from Securities Investments that Finance Certain Companies of the People’s Republic of China.” At that time, Biden tasked the Department of Justice with developing and implementing this new national security monitoring program to address national security risks.
On March 5, the Department of Justice published an “Advance Notice of Proposed Rulemaking” (ANPRM) in the Federal Register, aiming to prevent foreign adversaries from using accessible U.S. financial, genomic data, and health information for cyber attacks, espionage, and extortion.
The NPRM issued on Monday explains, “Adversarial nations could leverage access to this data to engage in malicious cyber activities and malign foreign influence activities, enhance their military capabilities, and track and build dossiers on U.S. persons (including U.S. government personnel).”
“Adversarial nations could also use this data to collect information on activists, scholars, journalists, dissidents, political opposition figures, or members of non-governmental organizations or marginalized communities to intimidate them, suppress political opposition, restrict freedom of speech, peaceful assembly, or association, or otherwise restrain civil liberties.”
In addition to China (CCP), Russia, and Iran, the “countries of concern” designated under Executive Order 14117 also include Venezuela, Cuba, and North Korea.
Reuters reported on Monday that Washington has long been trying to prevent the flow of U.S. personal data to China (CCP), which is part of the longstanding technological and trade rivalry between the U.S. and China.
In 2018, the Committee on Foreign Investments in the United States (CFIUS), responsible for reviewing foreign investments for potential national security threats, rejected the plan for China’s Ant Financial to acquire the U.S. money transfer company MoneyGram International over concerns about the security of U.S. citizens’ data.
U.S. officials stated that transactions with data brokers that could lead to data flowing to “countries of concern” will be prohibited, as well as the transfer of any data related to U.S. government personnel.
The proposal provides more details for the first time on the types and quantities of data that will be prohibited from transfer, including genomic data of more than one hundred Americans, personal health or financial information of over ten thousand individuals, and precise geolocation data from over a thousand U.S. devices.
The rule will allow the Department of Justice to enforce compliance through criminal and civil penalties.
U.S. officials on Monday stated that Chinese applications such as TikTok may violate the proposal if they transfer sensitive data of U.S. users to their Chinese parent companies.