The US government says companies can no longer send bulk data to these countries
- The US DoJ issues the final rule on Executive Order 14117
- Major transactions of US citizen data to hostile countries will be banned
- Ban will protect U.S. national security by preventing U.S. citizens from being targeted en masse by cyber espionage and foreign influence
The US Department of Justice has issued a final rule on Executive Order 14117, which President Joe Biden signed in February 2024 to prevent the transfer of US citizen data to a number of “countries of concern.”
The list of countries includes China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela, all of which, according to the DoJ, are “engaged in a long-term pattern or serious instances of conduct significantly detrimental to national security of the United States or the security of American persons.”
It added that these countries “could gain access to Americans’ sensitive personal information and certain data associated with the U.S. government.”
No US data for enemy countries
The final rule will go into effect in 90 days, with Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division saying, “This powerful new national security program is designed to ensure that Americans’ personal information will no longer be allowed to be sold to hostile foreign powers, either through direct purchase or through other forms of commercial access.”
The Executive Order is intended to prevent countries generally hostile to the U.S. from using U.S. citizens’ data in cyber espionage and influence campaigns, and from building profiles of U.S. citizens that can be used in social engineering, phishing, blackmail and identity theft campaigns.
The final rule sets the threshold for data transactions that pose an unacceptable risk, in addition to the different types of transactions that are prohibited, restricted, or exempt. Companies that violate the order will face civil and criminal penalties. The types of prohibited data are:
- Certain Covered Personal Identification Information (for example, names associated with device identifiers, social security numbers, driver’s license, or other government identification numbers)
- Accurate geolocation data (e.g. GPS coordinates)
- Biometric identifiers (e.g. facial images, voice prints and patterns and retinal scans)
- Human genomic data and three other types of human omic data (epigenomic, proteomic, or transcriptomic)
- Personal health data (e.g. height, weight, vital signs, symptoms, test results, diagnosis, digital dental records and psychological diagnostics)
- Personal financial data (for example, information relating to an individual’s credit cards, debit cards, bank accounts and financial obligations, including payment history)
The DoJ also outlined that the final rule does not apply to “medical, health, or scientific research or the development and marketing of new drugs,” nor does it “broadly prohibit U.S. persons from engaging in commercial transactions, including exchanging of financial and other data as part of the sale of commercial goods and services with countries of concern or covered persons, or impose measures aimed at broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries.”
Via The Hacker News