US Moves to Block Large Transfers of US Data to China, Russia, Iran

The US is looking to stop certain countries—including China, Russia, and Iran—from buying large amounts of data on Americans, citing the threat of spying and blackmail. 

The proposed rules, announced Monday by the Justice Department, seek to prevent foreign governments from exploiting sensitive US data for computer hacking, surveillance, and influence campaigns. The restrictions would block the sale or transfer of data to companies, contractors, and individuals in six “countries of concern”: China, Cuba, Iran, North Korea, Russia, and Venezuela.

The rules come after President Biden signed an executive order in February to stop US companies, including shady data brokers, from selling such information to foreign adversaries.

The White House is particularly concerned about these countries using commercial deals to acquire data on Americans, including biometric, health, DNA, and geolocation information, along with other sensitive details such as Social Security and bank account numbers. Learning such information could make it easy for a foreign government to uncover a person’s spending habits, personal preferences, and visits to sensitive locations, such as places of worship and government facilities. 

“This data is then used for cyberattacks, blackmail, espionage, and intimidating activists, academics, political figures, and journalists, as well as other malicious activities,” the Justice Department said in a fact sheet about the proposed rules. “Countries of concern employ advanced technologies like big-data analytics, artificial intelligence (AI), and high-performance computing to manipulate and exploit this data more effectively.”

(Credit: Matt Anderson Photography via Getty Images)

The proposal includes thresholds for how much data a country could acquire in specific industries or segments over a 12-month period. For example, it would apply to:

• Human genomic data on over 100 US persons

• Biometric identifiers and/or precise geolocation data on over 1,000 US persons

• Personal health data and/or personal financial data on over 10,000 US persons

• Certain covered personal identifiers on over 100,000 US persons

• Any combination of these data types that meets the lowest threshold for any category

So, the rules would ban a US person from selling geolocation data taken from more than 1,000 US devices to a company headquartered in China or a company from hiring a Chinese lab to analyze DNA samples belonging to 100 US persons. The rules would also block a country of concern from buying sensitive data on a single US active military member or government official.

The limits could be exceeded if the applicant receives a license from the DOJ. The rules also include exemptions for routine operations, such as payroll, taxes, and human resources, to prevent the restrictions from hampering international business.

Rule-breakers could face civil and criminal penalties, including up to 20 years in prison for willful violations. The DOJ will now solicit public comments for 30 days before finalizing the regulations in the coming months.

It’s possible the regulations will ensnare TikTok, the social media app from Chinese company ByteDance. For example, they would technically prohibit a US-based TikTok employee from transferring bulk data on Americans to a TikTok employee, investor, or parent company in China.  

TikTok didn’t immediately respond to a request for comment. The company has sued the White House to stop a law that threatens to ban the social media app in the US. TikTok also says it’s 60% owned by a group of global investors, with its headquarters in Los Angeles and Singapore.

About Michael Kan

Senior Reporter

I’ve been working as a journalist for over 15 years—I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.

Read Michael’s full bio

Read the latest from Michael Kan