The Department of Justice recently issued a final rule restricting access by countries of concern to Americans' bulk sensitive personal data. The press release states, in relevant part:
. . . Today, the Justice Department issued a
comprehensive final rule carrying out Executive Order (E.O.) 14117
“Preventing Access to Americans’ Bulk Sensitive Personal Data and United States
Government-Related Data by Countries of Concern.” The E.O. charged the Justice
Department with establishing and implementing a new regulatory program to
address the urgent and extraordinary national security threat posed by the
continuing efforts of countries of concern (and covered persons that they can
leverage) to access and exploit Americans’ bulk sensitive personal data and
certain U.S. Government-related data. . . .
“This final rule is a crucial step forward in addressing the
extraordinary national security threat posed by our adversaries exploiting
Americans' most sensitive personal data,” said Assistant Attorney General
Matthew G. Olsen of the Justice Department’s National Security Division. “This
powerful new national-security program is designed to ensure that Americans'
personal data is no longer permitted to be sold to hostile foreign powers,
whether through outright purchase or other means of commercial access.”
The Final Rule implements the E.O. by promulgating generally
applicable rules for certain categories of data transactions that pose an
unacceptable risk to the national security of the United States. As described
in the E.O., countries of concern and covered persons can use their access to
this data to engage in malicious cyber-enabled activities and malign foreign
influence activities, bolster their military capabilities, and track and build
profiles on U.S. persons (including members of the military and U.S.
Intelligence Community, as well as other Federal employees and contractors) for
illicit purposes such as blackmail, coercion, and espionage, and to bolster
their military capabilities. Countries of concern and covered persons can also
exploit this data to collect information on activists, academics, journalists,
dissidents, political opponents, or members of nongovernmental organizations or
marginalized communities to intimidate them; curb political opposition; limit
freedoms of expression, peaceful assembly, or association; or enable other
forms of suppression of civil liberties.
The Final Rule reflects the risk highlighted in the E.O. that
the vulnerability of Americans’ bulk sensitive data is exacerbated because
countries of concern are increasingly using bulk sensitive personal data to
develop and enhance artificial intelligence (AI) capabilities and algorithms
that, in turn, enable the use of large datasets in increasingly sophisticated
and effective ways to the detriment of U.S. national security. Countries of
concern can use AI in conjunction with multiple unrelated data sets, for
example, to identify U.S. persons whose links to the federal government would
be otherwise obscured in a single dataset and who can then be targeted for
espionage or blackmail.
Among other things, the Final Rule identifies countries of
concern and covered persons to whom the Final Rule applies, and designates
classes of prohibited, restricted, and exempt transactions. The Final Rule
establishes bulk thresholds for certain sensitive personal data, including
human ‘omic data, biometric identifiers, precise geolocation data, personal
health data, personal financial data, and certain covered personal identifiers.
The Final Rule also prescribes processes to obtain licenses authorizing otherwise
prohibited or restricted transactions; protocols for the designation of covered
persons; and provides advisory opinions, and recordkeeping, reporting, and
other due diligence obligations for covered transactions.
The Final Rule is consistent with the United States’
commitment to promoting an open, global, interoperable, reliable, and secure
internet; protecting human rights online and offline; supporting a vibrant,
global economy by promoting cross-border data flows that are required to enable
international commerce and trade; and facilitating open investment. Notably,
the Final Rule does not impose generalized data localization requirements
regarding the physical or electronic storage of Americans’ bulk sensitive personal
data or U.S. Government-related data, nor does it require locating computing
facilities within the United States to process such data. The Final Rule does
not prohibit U.S. persons from conducting medical, scientific, or other
research in countries of concern, or from partnering or collaborating with
covered persons to share data to conduct research, if that activity does not
involve the exchange of payment or other consideration as part of a covered
data transaction. The Final Rule also does not broadly prohibit U.S. persons
from engaging in commercial transactions, including exchanging financial and
other data as part of the sale of commercial goods and services with countries
of concern or covered persons, or impose measures aimed at a broader decoupling
of the substantial consumer, economic, scientific, and trade relationships that
the United States has with other countries.
The Final Rule further exempts several classes of data
transactions from the scope of its prohibitions and restrictions, including
personal communications and certain financial services transactions, corporate
group transactions, transactions authorized by Federal law and international
agreements, investment agreements subject to a Committee on Foreign Investment
in the United States (CFIUS) action, telecommunication services, biological
product and medical device authorizations, clinical investigations, and others.
The Final Rule’s prohibitions and restrictions are consistent
with other access restrictions on sensitive personal data that have been
imposed in other contexts, including transactions reviewed by the CFIUS and the
Committee for the Assessment of Foreign Participation in the U.S.
Telecommunications Services Sector (Team Telecom).
Lastly, under the Final Rule, parties engaging in vendor
agreements, employment agreements, and investment agreements involving access
by countries of concern or covered persons to bulk U.S. sensitive personal data
or U.S. Government-related data would be restricted transactions that must
comply with the separate security requirements that have been developed by the
Department of Homeland Security’s Cybersecurity and Infrastructure Security
Agency (CISA) in coordination with the Justice Department. These security
requirements include organizational and system-level requirements (such as
ensuring that basic organizational cybersecurity policies, practices, and
controls are in place), and data-level requirements (such as data minimization
and masking, encryption, and privacy-enhancing techniques). These critical
requirements will be published separately by CISA through the Federal Register
and on CISA’s website.
In connection with the Final Rule, the Justice Department
will publish compliance, enforcement, and other guidance, which will be located
at www.justice.gov/nsd/data-security. . . .