G L O B A L R A D A R

DOJ Blocks Access of China, Other Adversaries to U.S. Sensitive Personal Information

  • Home
  • DOJ Blocks Access of China, Other Adversaries to U.S. Sensitive Personal Information
idlady

DOJ Blocks Access of China, Other Adversaries to U.S. Sensitive Personal Information

The crusade against cyber-crime remains a true transnational effort, with the leading defense organizations of some of the world’s most powerful countries continuing to collaborate on the most effective methods to limit new forms of cross-border crime in this technological age of finance. Over the last several years, one of the more widely analyzed areas of discussion – one with both economic and political ramifications – has remained financial fraud that has grown to affect both individuals and entire entities at an alarming rate. More recently the topic of intellectual property (IP) theft (i.e. the pilfering of inventions, literary and artistic works, and designs, symbols, names and images used in commerce that are protected by law through patents, trademarks, and copyrights which allow creators to gain primary financial benefit from their innovations) has dominated international headlines. The Trump Administration previously accused the government representation of foreign counterparts such as China of internally promoting these efforts, amounting to hundreds of billions of dollars in collective losses for the greater U.S. economy on an annual basis.

As greater dependence continues to be placed on technology to complete even the most rudimentary of daily tasks, the widespread shift to online banking and investing, bill pay, and even social media usage by the masses have contributed to exponential increases in cases of identity theft, personal data breaches and full account takeovers domestically. The personal identifiable information and additional sensitive financial information maintained by American citizens has developed into a prime target for international fraudsters seeking to exploit this data for personal gain, with identity theft as a whole developing into the single largest form of financial crime worldwide. Realizing the scope of the issue at hand, the Biden Administration has continued efforts to address this ongoing crisis with legislation aimed at limiting the shear amount of personal information being disclosed to foreign firms operating across a number of industries. Over the final days of the Biden presidency, the United States federal government has taken a major step towards addressing what has been called a major foreign threat to the privacy of American citizens. In late December, the U.S. Justice Department issued a final rule to carry out Executive Order 14117 titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.”

This executive order has tasked the Justice Department with better protecting American data by establishing and implementing a new national security program aimed at addressing the “urgent and extraordinary national security threat” posed by the aforementioned efforts of certain foreign nations being taken against the bulk sensitive personal data of U.S. citizens and entire companies. The concern behind the Executive Order specifically comes from a growing threat of foreign countries targeting and hacking those with access to sensitive data such as military capabilities. It is the fear of U.S. officials that cyber criminals could use this data to blackmail and coerce their targets into giving up valuable secrets or simply utilize the stolen data to directly bolster their own military capabilities more along the lines of the IP theft issue discussed previously. Furthermore, the DOJ highlights an increasing trend that has seen the misuse of this bulk sensitive personal data to develop and enhance artificial intelligence (AI) capabilities and algorithms that enable the use of large datasets in increasingly sophisticated and effective ways to the detriment of U.S. national security. The DOJ provides the example of countries of concern using AI in conjunction with multiple unrelated data sets to identify U.S. persons whose links to the federal government would be otherwise obscured in a single dataset and who can then be targeted for espionage or blackmail. 3 “

This final rule is a crucial step forward in addressing the extraordinary national security threat posed of our adversaries exploiting Americans’ most sensitive personal data,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “This powerful new national-security program is designed to ensure that Americans’ personal data is no longer permitted to be sold to hostile foreign powers, whether through outright purchase or other means of commercial access.”3

In spite of the risk of exploitation of more significant/pertinent information regarding government operations, civilians who are not military or government officials are also at risk of being targeted. Political activists, academics, candidates, and other politically influential persons may be targeted by foreign countries looking to stir division and create further conflict within the United States. Of course, financial institutions are always a target for foreign cyber-criminals for various reasons: laundering money, stealing funds to bankroll their efforts, or even moving as far as crashing markets to harm the U.S. economy.

The Final Rule also identifies exactly which countries of concern and covered persons to whom the rule applies. There are six countries specifically designated under the new measure, including China (also covering Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. These countries were chosen because of their long track records of funding hackers and cybercriminal groups attempting to harm the United States or the security of its individual citizens. This list of six countries are considered to currently pose the greatest degree of risk in this regard. Under the Rule, certain categories of transactions between U.S. persons and persons and entities with a relationship with these identified countries of concern and involving several categories of data (including precise geo- location, biometric/health data, and financial data, as well as personal identifiers and government-related data) will be either completely prohibited, or permitted only if the United States-based entity complies with identified security requirements or otherwise obtains specific licensing from the U.S. Justice Department. Additionally, U.S. persons engaging in restricted transactions are required to adhere to certain due diligence, recordkeeping, reporting, and audit requirements. 2 The Final Rule also amends the language of the original Notice of Proposed Rulemaking (NPRM) brought forth on October 29, 2024 with regard to covered persons. This is meant to align the language more closely with the Office of Foreign Asset Control’s (OFAC) 50- percent rule, which ensures entities with 50%+ beneficial ownership by a covered person are considered covered persons as well. There are four total classes of persons defined by the Final Rule: (1) foreign entities that are 50 percent or more owned by a country of concern, organized under the laws of a country of concern, or have their principal place of business in a country of concern; (2) foreign entities that are 50 percent or more owned by a covered person; (3) foreign employees or contractors of countries of concern or entities that are covered persons; and (4) foreign individuals primarily resident in countries of concern.3

The Justice Department released an accompanying fact sheet in order to prevent confusion and/or backlash following their announcement on the measure. In this fact sheet, they make it clear that the final rule does not ban certain apps or social-media platforms, nor does it concern any single app or technology such as TikTok, which has also been a topic of discussion over recent years. The final rule “addresses only the most serious data-security risks.” This fact sheet can be reviewed in its entirety here.

Citations:

1. FACT SHEET: Justice Department Issues Final Rule to Address Urgent National Security Risks Posed by
Access to U.S. Sensitive Personal and Government-Related Data from Countries of Concern and Covered
Persons, U.S. Department of Justice, 27 Jan. 2024.
2. Hickey, Adam S., and Aaron Futerman. “Export of Sensitive Personal Data: US Department of Justice
Issues Final Rule to Regulate: Insights: Mayer Brown.” Insights | Mayer Brown, 6 Jan. 2025.
3. “Justice Department Issues Final Rule Addressing Threat Posed by Foreign Adversaries’ Access to
Americans’ Sensitive Personal Data.” Office of Public Affairs, United States Justice Department , 27
Dec. 2024.