On November 27, 2024, the Electronic Privacy Information Center (EPIC) announced that it submitted comments in response to the Department of Justice's (DOJ) notice of proposed rulemaking on Executive Order 14117 of February 28, 2024, on provisions regarding access to Americans' bulk sensitive personal data and Government-related data by countries of concern.

Proposed rulemaking

The DOJ's notice of proposed rulemaking intends to implement the Executive Order by prohibiting and restricting certain data transactions with certain countries or persons. In particular, the proposed rule outlines, among other things:

• covered data transactions;
• covered personal identifiers;
• determination of countries of concern;
• covered persons;
• due diligence and audit requirements;
• reporting and recordkeeping requirements; and
• penalties and finding of violation.

Comments of EPIC

According to the submitted comments, EPIC first applauded the DOJ for recognizing the state of re-identification technology and protecting Government data and bulk US sensitive personal data regardless of whether it has been anonymized, pseudonymized, de-identified, or encrypted.

EPIC also suggested to make the following changes, among other things:

• the definition of covered data transactions should make clear that the proposed rule only limits countries of concern and covered persons from accessing Government-related data and bulk US sensitive data, not US persons' access data abroad, including in countries of concern, which could unduly burden expressive speech such as news reporting on suspicious Government activity;
• inclusion of Social Security Numbers in the definition of covered personal identifiers would reduce its unnecessary collection, considering its sensitive nature and frequent use as a primary (and sometimes only) identity authentication tool by Government agencies, while imposing minimal compliance costs on regulated entities; and
• to prevent the criminalization of providing basic internet connectivity, internet service providers (ISPs) should receive the same explicit exemptions as telecommunications providers due to the contested nature of ISPs' inclusion as telecommunications service providers.

You can read the press release here, the submitted comments here, and the notice of proposed rulemaking here.