The United States Department of Justice and the cybersecurity agency CISA are seeking comments on a proposed rule for protecting the personal data of Americans against foreign adversaries.
The proposal comes in response to an executive order signed by President Biden earlier this year. The executive order is named ‘Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.’
The goal is to prevent data brokers, which are companies that collect and aggregate information and then sell it or share it, from providing bulk data collected on American citizens — as well as government-related data — to ‘countries of concern’, such as China, Cuba, Iran, North Korea, Russia, or Venezuela.
The concern is that these countries could exploit such data for spying and for other malicious purposes. The proposed rules aim to address foreign policy and national security concerns.
Data brokers are legal in the US, but some of them are shady companies, and studies have shown how they can expose sensitive information, including on military members, to foreign threat actors.
The DOJ has shared clarifications on the proposed bulk thresholds: human genomic data on over 100 individuals, biometric identifiers on over 1,000 individuals, precise geolocation data on over 1,000 devices, personal health data or financial data on over 10,000 individuals, certain personal identifiers on over 100,000 U.S. persons, “or any combination of these data types that meets the lowest threshold for any category in the dataset”. Government-related data would be regulated regardless of volume.
CISA has outlined security requirements for US persons engaging in restricted transactions, and noted that these security requirements “are in addition to any compliance-related conditions imposed in applicable DOJ regulations”.
Organizational- and system-level requirements include: ensuring basic cybersecurity policies, practices and requirements are in place; implementing logical and physical access controls to prevent data exposure; and conducting data risk assessments.
Data-level requirements focus on data minimization and data masking strategies, encryption techniques, privacy-enhancing technologies, and configuring identity and access management techniques to deny authorized access.