US Blocks Foreign Governments from Acquiring Citizen Data

The US Justice Department has unveiled an initiative designed to counter the practice of foreign governments acquiring US citizens’ sensitive personal data.

The new Data Security Program establishes “export controls” that prevent foreign adversaries from accessing US government-related data and bulk genomic, geolocation, biometric, health, financial and other sensitive personal data.

The plan further implements an executive order published under the Biden administration in February 2024.

This order was designed to counter the threat of nation-states such as Russia, China and Iran purchasing US government and citizens’ data from commercial entities, or by compelling companies in their jurisdiction to access such information.

US Deputy Attorney General Todd Blanche commented: “If you’re a foreign adversary, why would you go through the trouble of complicated cyber intrusions and theft to get Americans’ data when you can just buy it on the open market or force a company under your jurisdiction to give you access?”

The US government said foreign governments use advanced technologies, such as AI, to analyze and manipulate bulk sensitive personal data for a range of malicious purposes.

These include for espionage and other cyber operations or to identify other potential strategic advantages over the US.

In addition, these datasets can be used to fuel the creation and refinement of AI and other advanced technologies.

The US Department of Justice (DoJ) designated six nations as “countries of concern” regarding nefarious practices relating to the purchase of US data. These are China, Cuba, Iran, North Korea, Russia and Venezuela.

“These countries of concern demonstrate an intent and capability to use US Government-related data and Americans’ sensitive personal data to threaten US national security, including espionage and economic espionage, surveillance, coercion and influence, blackmail, foreign malign influence, curbing dissent by US persons, targeting journalists, political figures, members of marginalized communities, and other populations, and engaging in nefarious, cyber-enabled activities,” the DoJ wrote.

Prohibited Data Transactions

Under the Data Security Program, US individuals and organizations are prohibited from knowingly engaging in a transaction involving the transfer of data with a country of concern, unless exempt or authorized by a general or specific license.

Covered data transactions come under four categories: data brokerage, a vendor agreement, and employment agreement and an investment agreement.

Violations of the program can result in substantial civil and criminal penalties for entities and individuals, including a maximum prison sentence of 20 years.

The Data Security Program came into effect on April 8, 2025. However, the government said it will take a light touch to enforcement for the first 90 days as long as the organization or individual is engaging in “good faith efforts” to comply with the program during that time.