The Justice Department has released a Notice of Proposed Rulemaking (NPRM) to implement President Biden's Executive Order 14117, aimed at preventing access to sensitive personal data and U.S. government-related data by countries of concern. This move addresses national security threats posed by efforts by certain nations to exploit Americans' sensitive information.
The proposed rule seeks to establish categorical rules for data transactions that pose risks, identifying prohibited and restricted transactions, countries of concern, and covered persons. It also outlines exempt transactions, methodologies for establishing bulk thresholds, economic impacts, licensing processes for certain transactions, the issuance of advisory opinions, recordkeeping obligations, and more.
Public comments on the NPRM are requested within 30 days of its publication in the Federal Register. The Justice Department's National Security Division invites feedback from industry groups, civil society organizations, subject-matter experts, and others with an interest in data security.
The rule is designed to address specific national security risks while supporting a global economy through cross-border data flows. It does not impose generalized data localization requirements or broadly prohibit commercial transactions with countries of concern. New exemptions are proposed for telecommunications services and clinical-trial data.
Consistent with other access restrictions on sensitive personal data imposed in different contexts such as CFIUS reviews and Team Telecom assessments, the proposed rule exempts several classes of transactions including personal communications and financial services.
According to the NPRM, countries of concern could use access to this type of data for malicious activities like cyber-attacks or espionage. The rule aims to prevent these nations from exploiting such information against U.S. individuals or entities.
Additionally, vendor agreements qualifying as restricted transactions must comply with proposed security requirements developed by the Cybersecurity and Infrastructure Security Agency (CISA) alongside the Justice Department. These include organizational cybersecurity policies and practices as well as specific data-level requirements like encryption.