United States of America: Announced DOJ NPRM on Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern

On 21 October 2024, the United States Department of Justice (DOJ) issued a Notice of Proposed Rulemaking (NPRM) concerning the Rule on Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern, implementing Executive Order 14117. The NPRM would establish different categories of data transactions which are prohibited or restricted, identify countries of concern and allow for exemptions of the restrictions. Specifically, the NPRM does not propose a generalised data localisation requirement to store sensitive data in the US, and it does not prohibit US persons from engaging in commercial transactions. However, the NPRM suggests a new exemption for telecommunications services and clinical-trial data and specifies the exemptions for financial services and intra-corporate-group transfers. Additionally, the NPRM would require the compliance of vendor, employment and investment agreements, which qualify as restricted transactions with separate security requirements.