Office of Public Affairs | Justice Department Issues Comprehensive Proposed Rule Addressing National Security Risks Posed to U.S. Sensitive Data | United States Department of Justice

Note: Read the Department's fact sheet on this matter here.

The Justice Department today issued a Notice of Proposed Rulemaking (NPRM) to implement President Biden's Executive Order 14117 (the EO) of Feb. 28, "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern." The EO addresses the national security threat posed by the continued effort of certain countries of concern to access and exploit certain kinds of Americans' sensitive personal data. The President charged the Justice Department with the responsibility of establishing and implementing this new national security regulatory program to address these risks. On March 5, the Department's Advance Notice of Proposed Rulemaking (ANPRM) was published in the Federal Register. Informed by extensive stakeholder outreach and careful consideration of comments, the NPRM addresses public comments received on the ANPRM and proposes a rule to establish this new program and implement the EO.

This comprehensive proposed rule would implement the EO by establishing categorical rules for certain data transactions that pose an unacceptable risk of giving countries of concern or covered persons access to government-related data or bulk U.S. sensitive personal data. Among other things, the proposed rule identifies classes of prohibited and restricted transactions; identifies countries of concern and classes of covered persons to whom the proposed rule applies; identifies classes of exempt transactions; explains the Department's methodology for establishing bulk thresholds; provides the Department's initial assessment of economic and other regulatory impacts; establishes processes to issue licenses authorizing certain prohibited or restricted transactions, issue advisory opinions, and designate covered persons; and addresses recordkeeping, reporting, and other due-diligence obligations for covered transactions.

The Justice Department's National Security Division requests public comment on the proposed rule within 30 days of its publication in the Federal Register. The Department seeks comments on the proposed rule from industry, trade association groups, civil society, subject-matter experts, organizations and entities potentially affected by the proposed rule, and others with interest in the rule or expertise on data security and cybersecurity. The public may submit written comments on the NPRM at www.regulations.gov.

The proposed rule is tailored to address the specific national security risks stemming from access by countries of concern and covered persons to Americans' bulk sensitive personal data and certain sensitive U.S. government-related data. These measures complement the United States' commitment to promoting an open, global, interoperable, reliable, and secure internet; protecting human rights online and offline; supporting a vibrant, global economy by promoting cross-border data flows that are required to enable international commerce and trade; and facilitating open investment.

As previewed in the ANPRM, the proposed rule does not authorize the imposition of generalized data localization requirements to store Americans' bulk sensitive personal data or U.S. Government-related data, or to locate computing facilities used to process such data, in the United States. As also previewed in the ANPRM, the proposed rule also does not broadly prohibit U.S. persons from engaging in commercial transactions, including exchanging financial and other data as part of the sale of commercial goods and services, with countries of concern or covered persons, or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries. To reflect this, the NPRM proposes a new exemption for telecommunications services, provides further clarity on exemptions regarding financial services and intra-corporate-group transfers that were previewed in the ANPRM, and seeks public comment on a new proposed exemption for clinical-trial data.

The proposed rule's prohibitions and restrictions are consistent with other access restrictions on sensitive personal data that have been imposed in other contexts, including for transactions reviewed by the Committee on Foreign Investment in the United States (CFIUS) and the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector (Team Telecom). As the ANPRM previewed, the proposed rule exempts several classes of data transactions from the scope of its prohibitions and restrictions, including certain personal communications, financial services, corporate group transactions, transactions authorized by Federal law and international agreements, investment agreements subject to a CFIUS action, telecommunication services, biological product and medical device authorizations, clinical investigations, and others.

As explained in the NPRM, countries of concern can use their access to these types of data to engage in malicious cyber-enabled activities and malign foreign influence activities, bolster their military capabilities, and track and build profiles on U.S. individuals, including members of the military and other Federal employees and contractors, for illicit purposes such as blackmail and espionage. Countries of concern can also exploit this data to collect information on activists, academics, journalists, dissidents, political opponents, or members of nongovernmental organizations or marginalized communities to intimidate them; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties.

The proposed rule would require vendor agreements, employment agreements, and investment agreements that qualify as restricted transactions to comply with the separately proposed security requirements that have been developed by the Department of Homeland Security's Cybersecurity and Infrastructure Agency (CISA) in coordination with the Justice Department. These proposed security requirements require U.S. persons engaging in a restricted transaction to comply with organizational and system-level requirements, such as ensuring that basic organizational cybersecurity policies, practices, and controls are in place, and data-level requirements, such as data minimization and masking, encryption, and privacy-enhancing techniques. CISA is concurrently making these proposed security requirements available for public comment at www.regulations.gov.