U.S. Proposes Rules to Limit Sensitive Data Transfers to Foreign Adversaries

The U.S. Department of Justice (DoJ) has released a draft of new regulations aimed at restricting government agencies and private entities from transferring sensitive personal data to countries deemed adversaries to the U.S., namely China, Russia, North Korea, Iran, Venezuela, and Cuba. These rules are designed to implement a presidential executive order from February 2024.

The draft regulations target categories of sensitive data, such as Social Security numbers, names when connected to device identifiers, precise location data, biometric and genetic data, medical records, and personal financial information. Quantitative thresholds are defined for each type of data. Transfer restrictions are triggered when they exceed these specified limits. For example, sharing genetic data on 100 or more Americans would be prohibited, and biometric data on 1,000 or more Americans can only be transferred if strict data security protocols are followed. Transfers of U.S. government-related information, including government-employee data or contractor data, are outright banned regardless of volume.

Exceptions to these restrictions include standard financial services such as banking, capital markets, insurance, and clinical trials. Following public comments to an earlier draft, the DoJ revised the proposed rules and is now seeking additional public input before finalizing them.