The US Department of Justice has issued a final rule carrying out Executive Order (EO) 14117, which addresses the risk of Americans’ bulk sensitive personal data being accessed and exploited by China, Russia, and other foreign adversaries.
Also covering certain US government-related data, the final rule (PDF) and the executive order aim to prevent data brokers from providing Americans’ bulk personal information to China, Russia, North Korea, Iran, Cuba, and Venezuela, as well as to certain individuals and entities classified as ‘covered persons’.
Per the executive order, the countries of concern and covered persons can access, exploit, and weaponize Americans’ personal data and US government-related data to conduct cyberattacks and influence activities, and to track and create profiles of US citizens, such as military personnel, members of the intelligence community, federal employees, and contractors, for various illicit purposes.
“Countries of concern and covered persons can also exploit this data to collect information on activists, academics, journalists, dissidents, political opponents, or members of nongovernmental organizations or marginalized communities to intimidate them; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties,” the DoJ says.
According to the US, countries of concern may also use bulk sensitive data to develop and enhance AI capabilities and algorithms that threaten national security, including by targeting specific people for blackmail, espionage, and coercion.
The final rule sets specific thresholds for personal data such as biometric identifiers, human genomic data, geolocation, health information, financial data, and personal identifiers, and details processes to obtain licenses authorizing specific data transactions.
It also describes protocols for the designation of covered persons, and points out that the DoJ has designated countries of concern based on their long-term pattern of engaging in cyber activities adverse to the US, and that the Department has the authority to amend the list of countries of concern based on their actions.
“The final rule is consistent with the United States’ commitment to promoting an open, global, interoperable, reliable, and secure internet; protecting human rights online and offline; supporting a vibrant, global economy by promoting cross-border data flows that are required to enable international commerce and trade; and facilitating open investment,” the DoJ says.
The rule does not impose data localization requirements, does not require relocating computers to process such data, and does not prohibit US citizens from conducting research in countries of concern or from collaborating with covered persons to share data, as long as “that activity does not involve the exchange of payment or other consideration as part of a covered data transaction”.
“The final rule also does not broadly prohibit U.S. persons from engaging in commercial transactions, including exchanging financial and other data as part of the sale of commercial goods and services with countries of concern or covered persons, or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries,” the DoJ notes.
The final rule will take effect 90 days from its publication, while certain affirmative due diligence, auditing, and reporting requirements will take effect 270 days after publication.
In addition, the US Department of Health and Human Services is set to unveil a notice of proposed rulemaking demanding that healthcare organizations better protect patient data through encryption, compliance checks, and updated cyber standards in compliance with the Health Insurance Portability and Accountability Act (HIPAA), GovInfo Security reports.