DOJ Finalizes Mixed Bag Data Broker Regulation
January 8, 2025
On December 27, the Department of Justice (DOJ) finalized its rule on Provisions Regarding Access to Americans’ Bulk Sensitive Personal Data and Government Related Data to Countries of Concern. The rule aims to minimize access to data by countries of concern, access that could lead to national security threats such as impersonation of government officials or inferences about sensitive military locations. EPIC argued in its comments on the advance notice of proposed rulemaking that a more comprehensive, privacy-forward approach to minimizing access to data would have the desired effect of protecting national security interests, but DOJ refused to broaden the protections. Notably, DOJ did not weaken its strong, entity-neutral approach to regulating the sale of specific forms of sensitive data, despite comments from industry urging the agency to do so.
This rule prohibits the sale of bulk U.S. sensitive personal data and any amount of government-related data to a list of countries the government believes pose a national security threat to the United States. The list of countries currently includes China, Russia, Iran, North Korea, Cuba, and Venezuela, but can be amended by the Attorney General in conjunction with the Department of State and Department of Commerce at any time. The rule also imposes contractual clauses, due diligence obligations, and basic cybersecurity requirements on the same types of data sales to non-covered entities to stop third parties from selling the same data to countries of concern.
In its final round of review, DOJ did not make any significant changes. In its comments on the notice of proposed rulemaking, EPIC suggested clarifying that only countries of concern and covered persons are prohibited from receiving government-related data and/or bulk U.S. sensitive personal data, and that nothing in the rule prohibits U.S. persons from accessing data already in the possession of countries of concern or covered persons. In the Final Rule, DOJ clarified the language and adopted our edits to the definition of covered data transactions. DOJ also adopted our suggestion (echoed by various other commenters) to explicitly include voice and other data transmitted over the internet in the telecommunications exception. However, DOJ once again declined to expand the definition of sensitive personal data by increasing the protection on social security numbers. Finally, DOJ maintained the structure of the rule and rejected suggestions that would compromise the national security protections baked into the rule.
Although DOJ has concluded the current rulemaking, EPIC continues to advocate for strong data broker regulation. EPIC has long advocated for robust safeguards to protect consumers from exploitative data collection, use, distribution, and retention practices. EPIC regularly files amicus briefs and regulatory comments and supports legislation to protect consumers from commercial surveillance regimes.