On October 21, the DOJ issued an NPRM establishing new regulations to prevent access to sensitive personal data of U.S. individuals by certain classes of covered persons or countries of concern, such as Russia, Iran, and China. These regulations will implement President Biden’s Executive Order 14117 on similar. The NPRM seeks public comments within 30 days of its publication, inviting input from industry groups, civil society, subject-matter experts, and other interested parties.

If finalized as proposed, the regulations will outline categorical rules for data transactions that pose unacceptable risks of giving covered countries or individuals access to government-related data or sensitive personal data, identify categories of prohibited and restricted transactions, classes of covered persons, and countries of concern, and exempt certain transactions. For example, “prohibited transactions” will include, among other categories, any data brokerage and other highly sensitive transactions (such as human genomic data transactions), involving a covered person or country of concern, as well as any transaction structured to evade the regulations. In contrast, “restricted transactions” will, subject to security and other requirements on data handling, permit covered persons to access personal data. The specific security requirements will be established by the Cybersecurity and Infrastructure Security Agency.

A violation of the regulations may result in civil penalties up to the greater of $368,136 or twice the amount of the transaction and criminal penalties, including fines, of up to $1 million and imprisonment for up to 20 years. The DOJ will issue a pre-penalty notice to allow responses before implementing a final decision and imposing penalties.