DOJ Blocks Access of China, Other Adversaries to U.S. Sensitive Personal Information
The crusade against cyber-crime remains a true transnational effort, with the
leading defense organizations of some of the world’s most powerful countries continuing to
collaborate on the most effective methods to limit new forms of cross-border crime in this
technological age of finance. Over the last several years, one of the more widely analyzed
areas of discussion – one with both economic and political ramifications – has remained
financial fraud that has grown to affect both individuals and entire entities at an alarming
rate. More recently the topic of intellectual property (IP) theft (i.e. the pilfering of
inventions, literary and artistic works, and designs, symbols, names and images used in
commerce that are protected by law through patents, trademarks, and copyrights which
allow creators to gain primary financial benefit from their innovations) has dominated
international headlines. The Trump Administration previously accused the government
representation of foreign counterparts such as China of internally promoting these efforts,
amounting to hundreds of billions of dollars in collective losses for the greater U.S.
economy on an annual basis.
As greater dependence continues to be placed on technology to complete even the most
rudimentary of daily tasks, the widespread shift to online banking and investing, bill pay,
and even social media usage by the masses have contributed to exponential increases in
cases of identity theft, personal data breaches and full account takeovers domestically. The
personal identifiable information and additional sensitive financial information maintained
by American citizens has developed into a prime target for international fraudsters seeking
to exploit this data for personal gain, with identity theft as a whole developing into the
single largest form of financial crime worldwide. Realizing the scope of the issue at hand,
the Biden Administration has continued efforts to address this ongoing crisis with
legislation aimed at limiting the shear amount of personal information being disclosed to
foreign firms operating across a number of industries. Over the final days of the Biden
presidency, the United States federal government has taken a major step towards
addressing what has been called a major foreign threat to the privacy of American citizens.
In late December, the U.S. Justice Department issued a final rule to carry out Executive
Order 14117 titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and
United States Government-Related Data by Countries of Concern.”
This executive order has tasked the Justice Department with better protecting American
data by establishing and implementing a new national security program aimed at
addressing the “urgent and extraordinary national security threat” posed by the
aforementioned efforts of certain foreign nations being taken against the bulk sensitive
personal data of U.S. citizens and entire companies. The concern behind the Executive
Order specifically comes from a growing threat of foreign countries targeting and hacking
those with access to sensitive data such as military capabilities. It is the fear of U.S. officials
that cyber criminals could use this data to blackmail and coerce their targets into giving up
valuable secrets or simply utilize the stolen data to directly bolster their own military
capabilities more along the lines of the IP theft issue discussed previously. Furthermore,
the DOJ highlights an increasing trend that has seen the misuse of this bulk sensitive
personal data to develop and enhance artificial intelligence (AI) capabilities and algorithms
that enable the use of large datasets in increasingly sophisticated and effective ways to the
detriment of U.S. national security. The DOJ provides the example of countries of concern
using AI in conjunction with multiple unrelated data sets to identify U.S. persons whose
links to the federal government would be otherwise obscured in a single dataset and who
can then be targeted for espionage or blackmail. 3
“This final rule is a crucial step forward in addressing the extraordinary national security
threat posed of our adversaries exploiting Americans' most sensitive personal data,” said
Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security
Division. “This powerful new national-security program is designed to ensure that
Americans' personal data is no longer permitted to be sold to hostile foreign powers,
whether through outright purchase or other means of commercial access.” 3
In spite of the risk of exploitation of more significant/pertinent information regarding
government operations, civilians who are not military or government officials are also at
risk of being targeted. Political activists, academics, candidates, and other politically
influential persons may be targeted by foreign countries looking to stir division and create
further conflict within the United States. Of course, financial institutions are always a target
for foreign cyber-criminals for various reasons: laundering money, stealing funds to
bankroll their efforts, or even moving as far as crashing markets to harm the U.S. economy.
The Final Rule also identifies exactly which countries of concern and covered persons to
whom the rule applies. There are six countries specifically designated under the new
measure, including China (also covering Hong Kong and Macau), Cuba, Iran, North Korea,
Russia, and Venezuela. These countries were chosen because of their long track records of
funding hackers and cybercriminal groups attempting to harm the United States or the
security of its individual citizens. This list of six countries are considered to currently pose
the greatest degree of risk in this regard. Under the Rule, certain categories of transactions
between U.S. persons and persons and entities with a relationship with these identified
countries of concern and involving several categories of data (including precise geo-
location, biometric/health data, and financial data, as well as personal identifiers and
government-related data) will be either completely prohibited, or permitted only if the
United States-based entity complies with identified security requirements or otherwise
obtains specific licensing from the U.S. Justice Department. Additionally, U.S. persons
engaging in restricted transactions are required to adhere to certain due diligence,
recordkeeping, reporting, and audit requirements. 2
The Final Rule also amends the language of the original Notice of Proposed Rulemaking
(NPRM) brought forth on October 29, 2024 with regard to covered persons. This is meant
to align the language more closely with the Office of Foreign Asset Control’s (OFAC) 50-
percent rule, which ensures entities with 50%+ beneficial ownership by a covered person
are considered covered persons as well. There are four total classes of persons defined by
the Final Rule: (1) foreign entities that are 50 percent or more owned by a country of
concern, organized under the laws of a country of concern, or have their principal place of
business in a country of concern; (2) foreign entities that are 50 percent or more owned by
a covered person; (3) foreign employees or contractors of countries of concern or entities
that are covered persons; and (4) foreign individuals primarily resident in countries of
concern. 3
The Justice Department released an accompanying fact sheet in order to prevent confusion
and/or backlash following their announcement on the measure. In this fact sheet, they
make it clear that the final rule does not ban certain apps or social-media platforms, nor
does it concern any single app or technology such as TikTok, which has also been a topic of
discussion over recent years. The final rule “addresses only the most serious data-security
risks.” This fact sheet can be reviewed in its entirety here.
Citations:
1. FACT SHEET: Justice Department Issues Final Rule to Address Urgent National Security Risks Posed by
Access to U.S. Sensitive Personal and Government-Related Data from Countries of Concern and Covered
Persons, U.S. Department of Justice, 27 Jan. 2024.
2. Hickey, Adam S., and Aaron Futerman. “Export of Sensitive Personal Data: US Department of Justice
Issues Final Rule to Regulate: Insights: Mayer Brown.” Insights | Mayer Brown, 6 Jan. 2025.
3. “Justice Department Issues Final Rule Addressing Threat Posed by Foreign Adversaries’ Access to
Americans’ Sensitive Personal Data.” Office of Public Affairs, United States Justice Department , 27
Dec. 2024.