US Finalizes Rule Restricting Bulk Data Sales to China

The U.S. federal government has finalized a set of regulations that will restrict the bulk transfer of sensitive data regarding Americans to foreign nations, particularly China and Russia. This new rule, which will come into effect within 90 days following its publication in the Federal Register, is a response to escalating concerns about foreign exploitation of Americans’ personal information.

Under this legislation, the transfer of data related to individuals’ location, health, and biological identifiers will be significantly limited. The reporting requirements associated with these regulations are set to be established within 270 days after implementation, reinforcing the government’s commitment to safeguarding American data.

These regulations are the culmination of a rapid regulatory initiative launched following President Biden’s executive order in February, aimed at curbing bulk data transfers to countries viewed as adversaries. Historical incidents, such as the 2018 cyberattack on Marriott, underline the threat posed by foreign entities in their attempts to acquire large datasets of Americans.

Matters have become more urgent with the increasing recognition of threats that not only include cyberattacks but also non-cyber forms of aggression, such as blackmail and espionage. Assistant Attorney General Matthew Olsen emphasized that the regulation is structured to prevent personal data from being sold to foreign powers, regardless of how the data is obtained.

The rule specifically prohibits the transfer of genetic data in significant quantities, defined by thresholds that vary based on data type, along with the bulk transfer of human biospecimens. Additionally, any data shared for employment, investment, or vendor purposes will be subject to stringent cybersecurity standards developed by the Cybersecurity and Infrastructure Security Agency.

Specific provisions also extend to geolocation data associated with national security, highlighting the sensitive nature of information tied to government operations or personnel. The overarching goal is to disrupt the growing trend of foreign nations compiling personal profiles of U.S. citizens, thereby limiting their ability to use this information for harmful objectives.

In the wake of advancements in machine learning and artificial intelligence, the threat landscape continues to evolve, necessitating these proactive measures. The National Counterintelligence Strategy has pointed to data as a critical asset that adversaries are increasingly targeting. Reports suggest that China’s strategic focus on enhancing its AI capabilities underscores the importance of controlling the availability of quality data.