U.S. Finalizes Rule Throttling Bulk Data Sales to China
Rule Aims to Stymie Weaponization of Americans’ Data
The U.S. federal government finalized Friday regulations throttling the bulk commercial transfer to China and Russia of data pinpointing Americans’ location, their health data, or biometric and genomic identifiers.
The final rule will become effective within 90 days of its publication in the Federal Register, with reporting requirements setting in 270 days later.
The rule is the end result of a breakneck-speed regulatory effort to implement a February executive order from President Joe Biden (see: Biden Executive Order Targets Bulk Data Transfers to China).
Multiple presidential administrations have flagged China’s voracious appetite for data on Americans, whether obtained through hacking – such as a 2018 cyberattack against hotel chain Marriott – or through commercial transactions. The final rule covers the bulk transfer of data through data brokerage, or agreements for employment, investment or to establish a vendor relationship.
The rule “is designed to ensure that Americans’ personal data is no longer permitted to be sold to hostile foreign powers, whether through outright purchase or other means of commercial access,” said Assistant Attorney General Matthew Olsen.
The rule outright prohibits the transfer of genetic data at thresholds ranging from 100 individuals to 1,000, depending on its type, as well as the bulk transfer of human biospecimens. Data transferred for the purpose of vendor agreements, employment or investment will be subject to cybersecurity standards developed by the Cybersecurity and Infrastructure Security Agency (see: Breach Roundup: CISA Proposes Security for Bulk Data Sales).
The rule places further restrictions on the transfer of geolocation data tied to national security or military installations and sensitive personal data marketed as linked to current or recent government employees or contractors.
The federal government says the rule is necessary to stop countries such as China from building dossiers on individuals and deploying them for cyberattacks, blackmail or espionage. It is also concerned with transnational intimidation of activists and other members of civil society.
Concerns about the weaponization of data have grown in tandem with the rise of machine learning and artificial intelligence. The most recent National Counterintelligence Strategy identified adversaries’ “broader focus on data” and their interest in Americans’ personally identifiable information as a key challenge. An annual report by the U.S.-China Economic and Security Review Commission warned that “China understands the value of data to AI and has taken active measures to increase the availability of quality data within its AI ecosystem.”