Summary:
Le ministère américain de la Justice a publié un programme de sécurité des données, qui devient effectif le 8 avril 2025. Ce programme inclut les données anonymisées dans son champ d’application, posant des défis aux entités qui vendent ou utilisent ces données, notamment pour l’intelligence artificielle. Les violations peuvent entraîner des sanctions civiles et criminelles, reflétant des préoccupations en matière de sécurité nationale. Les parties prenantes sont encouragées à évaluer leurs pratiques en fonction des nouvelles exigences de sécurité.
Original Link:
Original Article:
The U.S. Department of Justice (DOJ) published a Data Security Program (DSP), pursuant to a final rule (Final Rule), which became effective on April 8, 2025. The DSP identifies prohibited and restricted transactions involving U.S. data access by countries of concern or by classes of covered persons. Unlike most privacy and data broker laws, the DSP does not exclude anonymized, pseudonymized, or de-identified data but rather expressly includes the foregoing within the definition of certain covered data. This alert focuses on the inclusion of anonymized, pseudonymized, and de-identified data within the scope of covered data, the broad applicability of the DSP, and the potential impacts on such data moving forward.
Data licensors and other entities selling, licensing, or otherwise providing access to anonymized, pseudonymized, or de-identified data and entities using such data to develop or train artificial intelligence tools may feel the impact. Violations of the DSP can result in both civil and criminal penalties, as the U.S. Attorney General has determined these transactions pose unacceptable risks to national security.
Assess data license agreements to determine if they involve any covered data under the DSP. The DSP can apply to a variety of agreements beyond traditional data licensing. Notably, the risks of re-identification of anonymized, pseudonymized, and de-identified data raise vital compliance considerations moving forward. The DSP aims to ensure enhanced protection against potential misuse of what was previously considered non-identifiable data, reflecting concerns over re-identification and national security risks.
The DSP includes restrictions that may be permitted if entities comply with security requirements set by the Cybersecurity and Infrastructure Security Agency (CISA). The DOJ has indicated that not all de-identification techniques are acceptable and is pushing for updated standards in light of advanced technology capabilities that allow re-identification of previously anonymized data. Stakeholders are urged to evaluate current practices against CISA’s data-level requirements and remain vigilant for future regulatory developments regarding sensitive personal data.