DOJ Issues New Rule Regulating Handling of Bulk Sensitive Personal Data

The Department of Justice (DOJ) has proposed a rule that would regulate certain transactions involving bulk sensitive personal data. Public comments are due in 30 days from the notice date.
The rule would implement a complex regulatory framework, with civil and criminal enforcement, that is similar to sanctions and export licensing regimes. It also implicates federal cybersecurity requirements, government contracting and CFIUS actions.
Businesses that handle significant amounts of sensitive personal data, as well as those that handle any amount of certain U.S. government data, should ensure they are prepared for these significant new potential regulations.
On Oct. 21, 2024, the National Security Division of the Department of Justice (DOJ NSD) issued a notice of proposed rulemaking (NPRM) that would establish a comprehensive regulatory framework to prevent and restrict the transfer of “bulk sensitive personal data” to countries and entities that are deemed a risk to U.S. national security. As explained in a prior insight regarding an advance notice of proposed rulemaking on this issue, the DOJ is issuing this rule after the Biden administration directed federal agencies to issue regulations to respond to the concern of misuse of sensitive data that could impact national security. The NPRM addresses comments provided through the advance notice process, details the proposed rule, and provides for an additional 30-day comment period. As discussed below, the proposed rule is a significant effort to regulate data through civil and criminal enforcement mechanisms akin to sanctions and export control regulations. Businesses potentially subject to its reach should carefully consider how to handle the rule’s implementation.