SPARCS - Topic Of The Week

Protecting American Citizens' Personal Sensitive Data

Executive Order 14117

Office of Public Affairs | Justice Department Issues Comprehensive Proposed Rule Addressing National Security Risks Posed to U.S. Sensitive Data | United States Department of Justice

Overview

The Justice Department recently issued a notice of proposed rulemaking to implement President Joe Biden's Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” It is common for countries to have national data protection rights in place for their citizens, with America being one of the countries that does not yet have anything specific in place. As data becomes increasingly digital, America has some catching up to do to protect the sensitive data of US citizens. The General Data Protection Act is used to protect data for citizens of the European Union; Brazil has the General Data Protection Law; India has the Personal Data Protection Bill; China has the Personal Information Protection Law; the list goes on, as there are 137 countries with global privacy laws.

Diving in

The primary goal of this proposed rule is to prevent inappropriate access to large amounts of US citizens' personal sensitive information. There is a current concern over which countries have access to this information and what they may do with it, such as gaining access to government employees' information and using it to blackmail them or to use them as a means to commit espionage. This proposed rule defines personal sensitive information as the following items:

  • Government ID numbers, 
  • Financial account numbers and PINs, 
  • Device IDs such as MAC addresses, 
  • Advertising IDs, 
  • Account-authentication data such as usernames, 
  • Network-based identifiers "such as IP addresses or cookie data," 
  • Call detail data such as CPNI, 
  • “Demographic or contact data (such as first and last name, birth date, birthplace, ZIP code, residential street or postal address, phone number, email address, or similar public account identifiers).”

Data is covered under this proposal when any of the above data types is combined with another of them, or with another category of sensitive data. The other categories of sensitive data covered by this proposal are: precise geolocation data, biometric identifiers, human genomic data, personal health data and personal financial data.

Since this proposal specifically targets bulk amounts of sensitive information, tiers have been designated to define what is considered “bulk” data. The following tiers show what classifies each category as bulk data:

  • Human genomic data: More than 100 U.S. persons,
  • Biometric identifiers and precise geolocation data: More than 1,000 U.S. persons,
  • Personal health data and personal financial data: More than 10,000 U.S. persons,
  • Covered personal identifiers: More than 100,000 U.S. persons.

The introduction of this proposed rule is the (very late) start of the protection of U.S. citizens' sensitive personal data. As this rolls out, it is worth paying attention to see whether it changes U.S. data privacy for the better, or whether it is only a small piece of protecting sensitive information in the way that it should be.
