The executive order President Joe Biden signed this week restricting the bulk sale of Americans’ sensitive personal information to adversarial countries like China and Russia shouldn’t be hard for companies to comply with, the Department of Justice says. The plan is to model implementation on the way the U.S. Treasury’s Office of Foreign Assets Control enforces economic sanctions – a relatively light-touch approach that creates a burden mainly when a company seeks an exemption.
“The contemplated program would not prescribe general due-diligence requirements, affirmative recordkeeping requirements, or affirmative reporting requirements,” DOJ says in an information sheet on the executive order. “Instead, the contemplated program would use a familiar approach. U.S. companies would be expected to develop and implement compliance programs based on their individualized risk profiles, which may vary depending on a range of factors such as their size and sophistication, products and services, customers and counterparties, and geographic locations.”
Biden’s executive order is intended to make it harder for adversarial countries to obtain bulk data on Americans. Hostile governments are believed to use the data to engage in espionage and run malicious influence, cyber and kinetic operations.
“The growing exploitation of Americans’ sensitive personal data threatens the development of an international technology ecosystem that protects our security, privacy, and human rights,” Biden said in the order.
These bulk data sales are legal today, so the order is seen as a way to close off an obvious pathway that adversaries use to obtain bulk data on Americans.
“The Justice Department has long focused on preventing threat actors from stealing data through the proverbial back door,” Deputy Attorney General Lisa Monaco said in a statement. “This executive order shuts the front door by denying countries of concern access to Americans’ most sensitive personal data.”
The order gives DOJ the lead role in implementing the restrictions. It has six months to work with other agencies to come up with rules.
Although the list isn’t official yet, it’s expected that the rules will apply restrictions to at least six countries: China, Russia, Iran, North Korea, Cuba and Venezuela. Hong Kong and Macau would be included as part of China. Restrictions would also apply to companies or other entities that are controlled or otherwise have ties to one of these foreign governments.
The restrictions would apply to people’s financial data and other sensitive information, like geolocation data. It would also apply to people’s genomic, biometric and personal health data.
The data brokerage industry will be the most affected, but any company that makes data available to entities outside the United States will have to comply. Existing data transmission arrangements that companies have with other companies outside the United States, including arrangements to process personnel data, shouldn’t be impacted by the order. There’s also no restriction on storing data outside the U.S.
But the order could mean companies would need to know upfront if a sale to a broker or other entity would mean their data ends up in restricted hands. If that’s the case, selling data even to a domestic broker, or other domestic entity, or an otherwise acceptable foreign entity, could end up being a problem if the data then passes through to a restricted buyer.
“I think this provides some teeth if there is a factual basis to suggest that domestic data brokers are further selling their holdings to any of these sanctions or prohibited countries,” Aloke Chakravarty, co-chair of Snell & Wilmer’s cybersecurity, data protection, and privacy practice group, told CSO, a trade publication. “I think it provides an enforcement mechanism … through tools in DOJ’s arsenal.”
The rules are expected to establish civil penalties for violations, with the amount based in part on how seriously the company took its compliance responsibilities.
“The specific penalty for any particular violation would depend on the facts and circumstances of the violation, including the adequacy of any compliance program,” the agency said.