New DOJ Regulation Targets Foreign Access To Americans’ Sensitive and Government Data

The U.S. Department of Justice adopts rules targeting foreign adversaries’ access to Americans’ sensitive data, introducing strict controls, compliance protocols, and licensing mechanisms to manage national security risks.

Department of Justice Implements Rules on Bulk Sensitive Data Access by Foreign Adversaries: A Critical National Security Measure

On 26 December 2024, the U.S. Department of Justice (DOJ) adopted a final rule to address the national security risks associated with foreign adversaries accessing Americans' sensitive personal data and government-related data.

This regulation, implementing Executive Order 14117, targets six countries of concern—China, Cuba, Iran, North Korea, Russia, and Venezuela—and introduces strict controls on data transactions that could pose significant risks to U.S. national security.

Key Provisions of the Rule

The final rule does not require general data localisation within the United States, nor does it prohibit commercial transactions involving U.S. entities.

Instead, it sets prohibitions and restrictions on specific transactions deemed to pose risks, including data brokerage, employment agreements, and investment agreements.

Importantly, the rule provides clear definitions for sensitive data categories, such as:

  • Biometric Data: Facial images, voice prints, retina scans, and similar identifiers.
  • Genomic Data: Information from human DNA sequences.
  • Financial Data: Information related to bank accounts, credit cards, and payment histories.
  • Geolocation Data: Precise location information of individuals or devices.

The rule’s thresholds define "bulk" sensitive data, regulating transactions involving large volumes of such data that could be exploited by foreign adversaries.

For example, data on over 1,000 individuals or devices may trigger restrictions.

Exceptions and Licensing Mechanisms

Acknowledging the need for flexibility, the rule includes exemptions for specific transactions, such as federally authorised research, personal communications, and data exchanges necessary for regulatory approvals.

Additionally, the DOJ has introduced licensing mechanisms for transactions that might otherwise be prohibited, allowing for conditional approvals based on compliance with security protocols.

Compliance and Enforcement Framework

The rule mandates robust compliance protocols for restricted transactions, including due diligence, record-keeping, and annual audits. Entities involved must implement measures like:

  • Data Security Policies: Written policies certified annually by a responsible officer.
  • Auditing Requirements: Independent audits to verify compliance with security standards.
  • Record-keeping: Maintaining transaction records for at least 10 years.

Violations of the rule could result in severe penalties, including civil fines of up to $368,136 or twice the value of the transaction, and criminal penalties that may include fines up to $1 million and up to 20 years in prison.

Safeguarding U.S. Data from Foreign Exploitation

This regulatory effort reflects a broader strategy to counter threats from foreign adversaries who exploit Americans' sensitive data for espionage, cyberattacks, and other malicious purposes. The DOJ aims to protect national security while preserving critical research and commercial activities.