The Biden administration announced on Monday new proposed rules for regulating the transfer of certain data to adversarial countries such as China and Russia, creating specific requirements for how sensitive personal and federal information can be shared, if at all.

The proposed regulations follow the release of a February executive order designed to block foreign adversaries from exploiting easily obtained American financial, biometric, precise geolocation, health, genomic and other data to carry out cyberattacks or spy on Americans.

Under the proposed rules, data transfers to companies and individuals in six countries — China, Russia, Iran, North Korea, Venezuela and Cuba — will be prohibited when specific pre-set volume thresholds are exceeded, according to a detailed fact sheet released by the administration and comments from senior administration officials.

Specifically, U.S. companies will be restricted from transferring more than 100 Americans’ genomic data across any 12-month period to the targeted countries. Data transfers for more than 1,000 Americans’ geolocation data and biometric identifiers, more than 10,000 Americans’ health and financial data and more than 100,000 Americans’ personal identifiers also will be barred. 

Personal identifiers include names linked to device IDs, Social Security numbers and driver’s license numbers.

Data belonging to even a single active duty member of the military or federal personnel will be prohibited from being transferred, as will data broker sales where the seller has reason to believe the information they are peddling will make its way to any of the six countries.

U.S.-based data brokers of all sizes and types are primary targets for the rule, a senior administration official suggested during a Monday press call. Both third-party data brokers and companies selling data they have collected will be entirely prohibited from data transactions tied to the six designated countries. 

Data broker sales to those countries pose a serious threat to national security, the official said.

“Countries of concern can buy the data on the open market,” the official said. “Once acquired … that data can be used for a wide variety of nefarious activities.”

These activities include executing cyberattacks, creating disinformation campaigns, building profiles used to track national security leaders, surveilling and mapping government facilities, threatening dissidents and journalists and understanding the “patterns of life” of average Americans, the official said. 

Restrictions would apply to a variety of other business relationships with entities and individuals in the six countries, including investment in American companies, the hiring of subcontractors and data processing or storage. 

Companies making such transactions will be required to comply with a new Cybersecurity and Infrastructure Security Agency (CISA) regulatory regime drawing from existing National Institute of Standards and Technology (NIST) cybersecurity and privacy frameworks. Those frameworks include physical access control, data minimization and encryption standards. 

Certain categories of data would be exempt from the restrictions, including personal communications, telecommunications services, travel information, financial services, routine administrative operations and official U.S. government activities.Certain types of clinical trials data for pharmaceuticals and medical devices also would be exempt .

China, Russia and other targeted countries are already buying sensitive personal and government data from data brokers and others, according to the official.

“These are pressing risks that are exacerbated with ongoing advancements in big data analytics, artificial intelligence and other technologies, and then countries of concern can rely on AI and advanced technologies to improve their ability to understand, manipulate and exploit sensitive personal data,” the official said. 

All companies engaged in business involving the flow of American data to the targeted countries will be required to meet compliance requirements for record keeping and reporting. They also will need to demonstrate that they understand who they are doing business with and how the data they are transferring is being used. 

Firms which violate the proposed regulations would be subject to civil penalties and criminal prosecution, the official said.