The Justice Department has released a Notice of Proposed Rulemaking (NPRM) to implement President Biden’s Executive Order 14117, aimed at preventing certain countries from accessing sensitive personal data of Americans. This initiative responds to national security threats posed by foreign actors attempting to exploit U.S. data and establishes categorical rules for transactions that pose an unacceptable risk. The proposed rule outlines classes of prohibited and restricted transactions, identifies countries of concern, and delineates processes for issuing licenses and advisory opinions, while ensuring recordkeeping and reporting obligations for covered transactions.
The NPRM emphasizes that the proposed regulations will not impose broad data localization requirements or hinder commercial transactions with countries of concern. Specific exemptions are outlined for telecommunications services and certain financial transactions, and the rule aligns with existing restrictions in contexts like the Committee on Foreign Investment in the United States (CFIUS). The proposal also incorporates security requirements developed by the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA), which mandate that U.S. entities engaging in restricted transactions adhere to organizational cybersecurity practices and data protection measures.
