The United States Department of Justice has unveiled a draft of new regulations aimed at overseeing the transfer of data to foreign countries. The document outlines measures designed to restrict or prohibit data transactions that may pose security risks.
In February 2024, President Biden signed an executive order intended to prevent foreign governments from accessing sensitive data. The nations specified in the order include China, Russia, Iran, North Korea, Cuba, and Venezuela. These same countries are highlighted in the new document.
The proposed rules impose restrictions on transactions that could grant access to such data. The Notice of Proposed Rulemaking (NPRM) identifies several categories of data subject to these new measures, including biometric and genomic data, geolocation, health data, and financial information. These regulations apply when the collected data could be linked to specific U.S. citizens or groups.
The regulations prohibit data transfers that exceed certain thresholds. For example, U.S. companies are barred from transferring:
- Genetic information of more than 100 individuals per year to the specified countries;
- Geolocation and biometric identifiers of more than 1,000 citizens;
- Financial and medical information of more than 10,000 individuals;
- Personal data of more than 100,000 people. In this context, personal data refers to names linked to device identifiers, as well as Social Security numbers (SSNs) and driver’s license numbers.
Special provisions apply to data belonging to military personnel and government officials: the transfer of such information is categorically prohibited. A similar ban extends to data transactions where there is reason to believe the information may end up in the hands of one of the target nations. Particular focus will be placed on data brokers who sell collected information to third parties.
Administration officials emphasize that the sale of data to foreign countries represents a serious threat to national security, as the acquired information could be used for cyberattacks, surveillance of government facilities, disinformation campaigns, and the tracking of security leaders. The data could also be used to monitor dissidents and journalists, as well as to analyze the daily activities of U.S. citizens.
Special attention is given to monitoring transactions that may circumvent the restrictions. The document states that the Department of Justice will have the authority to impose bans on specific transactions and require companies to report on such dealings. Additionally, the NPRM includes mechanisms for licensing and obtaining clarifications from the department for market participants.
The draft regulations also introduce several exemptions, covering:
- U.S. government operations;
- Financial and medical transactions;
- International agreements and telecommunications services.
To ensure compliance with the new rules, the department recommends that companies implement security compliance programs, including access controls and data encryption. In cases of violations, civil penalties of up to $368,136 may be imposed, and intentional breaches could lead to criminal penalties of up to 20 years in prison.
The Department of Justice underscores that these regulations will not affect social media platforms and applications, nor do they confer new powers for overseeing the personal data of U.S. citizens.