The Justice Department this week issued a final rule that prohibits certain transactions and restricts others that could allow foreign access to bulk U.S. sensitive personal and government-related data. The rule targets “countries of concern,” including China, that could have access to such data. Routine financial activities are exempted, but for banks, it still may cover third-party vendors operating in countries of concern. It also places restrictions on certain covered individuals.
The rule implements an executive order issued by President Biden last year directing the Justice Department and other agencies to issue regulations to protect personal data from foreign actors. Examples of protected sensitive information include genomic data, biometric data, personal health data, geolocation data and financial data. In a statement, the White House said such data could be used to track Americans—including military service members—and enable intrusive surveillance, scams and blackmail.
According to an executive summary, the new rule identifies classes of prohibited and restricted transactions, identifies countries of concern and classes of covered persons with whom the regulations prohibit or restrict transactions involving government-related data or bulk U.S. sensitive personal data; and establishes a process to issue — including to modify or rescind —licenses authorizing otherwise prohibited or restricted transactions. The rule exempts data transfers conducted as part of routine financial services activities, such as banking services as defined by the Office of the Comptroller of the Currency and Federal Reserve, the sale of goods and services, and payments processing.
The rule takes effect April 8.
