The Biden administration has finalized regulations aimed at blocking the sale of Americans’ bulk personal data to adversarial nations such as Russia, China, and Iran. However, the new rules stop short of addressing a broader privacy issue: the continued legality of selling sensitive data to allied countries and domestic entities. While these restrictions target hostile foreign powers, the ongoing trade of personal information within the US and to friendly nations raises concerns about the protection of Americans’ privacy on a global scale.
Finalized Friday after being introduced via executive order earlier this year, the measure addresses a growing threat. According to the Department of Justice, adversarial nations have exploited such data for espionage, blackmail, and influence operations, as well as other harmful purposes. The policy specifically targets the sale of genomic, biometric, health, geolocation, financial, and governmental data.
Matthew Olsen, assistant attorney general for national security, emphasized the importance of the new regulations in a statement, saying they represent a significant step toward safeguarding Americans’ private information from potentially hostile powers.
“This powerful new national-security program is designed to ensure that Americans’ personal data is no longer permitted to be sold to hostile foreign powers, whether through outright purchase or other means of commercial access,” he said.
The rules primarily impact data brokers — companies that gather and sell information to a wide range of buyers. US officials have raised alarms over adversarial countries using such data to enhance artificial intelligence systems, refine algorithms, and conduct sophisticated analyses on large datasets.
Learn how to protect yourself from data brokers here: Opt-Out or Be Exposed: Fighting Data Brokers
The Justice Department warned that the misuse of this information extends to targeting activists, journalists, academics, and marginalized communities, enabling surveillance, suppression of dissent, and violations of fundamental civil liberties.
The list of restricted countries also includes North Korea, Cuba, and Venezuela, in addition to Russia, China, and Iran. Once published in the Federal Register, the rules will take effect after a 90-day window.
While the new rules mark a significant step toward restricting access to Americans’ sensitive data by adversarial nations, they highlight a glaring gap in the US’s approach to privacy protection.
The regulations primarily focus on preventing national security threats posed by hostile governments, yet they do little to address the broader issue of rampant data collection and sales that occur domestically and with allied countries. Data brokers remain free to monetize sensitive personal information by selling it to businesses, advertisers, and even governments outside the list of adversaries, leaving Americans exposed to potential misuse or exploitation of their data.
The lack of comprehensive privacy legislation in the United States underscores the need for systemic reform. Unlike other nations that have adopted stringent data protection frameworks, such as the European Union’s General Data Protection Regulation (GDPR), the US continues to rely on a patchwork of state-level laws and sector-specific regulations. This fragmented approach allows for the widespread collection and commodification of personal information, often without the knowledge or consent of the individuals involved. Until the US adopts a more robust and unified privacy framework, Americans’ sensitive data will remain vulnerable to misuse, regardless of whether the buyers are domestic or international.
