
DOJ rule aims to block adversaries' access to personal data
The new federal measure could apply to companies beyond data brokers. It stems from an executive order signed by former President Joe Biden.
The U.S. Dept. of Justice will start to enforce its rule addressing foreign adversaries' access to bulk personal data within 90 days. The new data rule means companies will need to assess whether or not they fall under its scope.
The DOJ's National Security Division will administer the department’s new data rule, the Data Security Program (DSP). The DOJ said the measure establishes "export controls" preventing foreign adversaries, including China, Russia, Iran, Cuba, Venezuela and North Korea, from accessing U.S. government-related data, as well as bulk geolocation, financial, health, biometric, genomic and other sensitive data.
The DSP addresses what, in recent years, has been an increasing emphasis on the extent to which investment transactions enable foreign adversaries' access to Americans' personal data, said Alexander Joel, adjunct professor at the American University Washington College of Law. Joel spoke on a panel during the International Association of Privacy Professionals Global Privacy Summit in Washington, D.C., on Wednesday.
The data rule stems from an executive order signed by former President Joe Biden. The executive order aimed to stop the large-scale sale and transfer of Americans' personal data to countries of concern. Though President Donald Trump rescinded multiple Biden-era executive orders, he did not pull back Biden's order mandating the creation of the data access rule, meaning U.S. companies will need to assess their data access policies in light of this new rule.
"This is a priority in the administration, and they're going forward with it," Joel said.
What companies need to know
The DSP's goal is to protect U.S. national security from countries of concern that may seek to collect and weaponize Americans' sensitive, personal data, said Jeewon Serrato, partner at Pillsbury Winthrop Shaw Pittman law firm. Serrato spoke on the panel with Joel.
While companies looking to comply with the new data rule are engaged with IT and security teams to practically implement security controls, the scope of the rule requires engagement of privacy and compliance teams as well, she said.
"The program requires companies to assess the kinds, and the volumes of data collected about or maintained on U.S. persons, how the company uses the data, whether the company engages in covered data transactions and how such data is marketed," Serrato said.
Serrato said the DSP will require companies to adopt a new data compliance program. She said the DSP's specific requirements are not tied to existing legal frameworks, such as the European Union's General Data Protection Regulation or the California Consumer Privacy Act.
Companies will need to begin a data inventory and mapping exercise to determine what servers hold the six categories of sensitive data defined under the DSP. The DOJ has delayed enforcement action for the DSP for 90 days, giving the private sector time to make changes and comply.
John Carlin, partner and practice chair at law firm Paul, Weiss, said companies have expressed confusion about the data rule, with some believing it only applies to data brokers. He said that's not the case. The DOJ defines bulk data differently for each data category, some with extremely low numerical thresholds. For example, if a company collects health data on 10,000 people, it falls under the DSP. If a company collects genomic data for 100 people, it still falls under the DSP.
"If you have the type of data they decide is sensitive and you have it in bulk, then you may be covered under the rule," he said.
Companies then need to assess whether transactions with countries of concern are deemed prohibited or restricted under the data rule. This will encompass vendor agreements and employee access to data, he said.
For most companies, precise geolocation, health and financial data will likely put them in scope of the DSP, Serrato said. While there are some exemptions to the data access rule, the rule does not contain an exemption for obtaining user consent, Serrato said.
"This is a national security rule, so you cannot argue that this was consented to," she said. "Consent is not going to get you out of being in scope."
Other agencies, countries focus on data
The DOJ isn't the only federal agency enforcing a data rule targeting foreign adversaries' access to Americans' personal data.
The Federal Trade Commission enforces the Protecting Americans' Data from Foreign Adversaries Act of 2024, which makes it unlawful for data brokers to sell personally identifiable data to foreign adversaries.
Companies are being scrutinized for their data practices, including in the European Union. On Wednesday, the EU fined Apple 500 million euros and Meta 200 million euros for failing to comply with the Digital Markets Act, which requires companies to provide consumers with options that use less of their personal data.
Makenzie Holland is a senior news writer covering big tech and federal regulation. Prior to joining Informa TechTarget, she was a general assignment reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.