The US Department of Justice issued a final rule implementing Executive Order 14117, which President Joe Biden signed in February 2024, restricting the transfer of US citizens' bulk sensitive personal data to a number of “countries of concern,” which, not surprisingly, include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
The Executive Order is aimed at preventing countries considered hostile to the US from using the data of US citizens in cyber espionage and influence campaigns, or from building profiles of US citizens for use in social engineering, phishing, blackmail, and identity theft campaigns.
The categories of sensitive personal data whose transfer is prohibited are:
- Personal identifiers such as Social Security numbers, driver’s license numbers, or other government ID numbers.
- Precise geolocation data such as GPS coordinates.
- Biometric identifiers such as facial images, voice patterns, and retina scans.
- Human genomic, epigenomic, proteomic, or transcriptomic data.
- Personal health data such as height, weight, vital signs, symptoms, test results, diagnosis, digital dental records, and psychological diagnostics.
- Personal financial data related to an individual’s credit, debit cards, bank accounts, and financial liabilities, including payment history.
Isn't most or all of that data available for purchase from data brokers, many of which are not US-based and therefore not required to follow these new rules? And can't those countries simply buy the data from those brokers and/or steal it from insecure systems that have already purchased or acquired the data by other means?
I understand that the order can certainly help curb the exodus of American data to hostile countries, but shouldn't we be moving towards a goal of preventing ANY company or country (USA included) from having such personal data on US consumers?
The DOJ says that the banned countries have “engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of US persons,” and that these nations could, “access and exploit Americans’ bulk sensitive personal data and certain U.S. Government-related data.”
Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division said, “This powerful new national-security program is designed to ensure that Americans' personal data is no longer permitted to be sold to hostile foreign powers, whether through outright purchase or other means of commercial access.”
The final rule will come into effect in 90 days. Companies that violate the order will face civil and criminal penalties.