
DOJ Issues Final Rule Prohibiting and Restricting Transfers of Bulk Sensitive Personal Data
The Department of Justice (DOJ) issued a final rule (the "Rule") on December 27, 2024, implementing Executive Order 14117 "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern" (the "Order").1 Targeting China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela, as well as individuals and entities under their control, the Rule prohibits and restricts certain data transactions that pose national security risks.2
The Rule broadly prohibits or restricts transactions involving certain types of data with six countries of concern and establishes thresholds defining "bulk" data based on the number of U.S. persons whose information is included in a given transaction. The Rule regulating data transactions goes into effect April 8, 2025, with additional compliance provisions for U.S. persons engaging in relevant transactions then coming into force by October 6, 2025.
According to the DOJ, the Rule addresses the threat of countries of concern "increasingly using bulk sensitive personal data to develop and enhance artificial intelligence (AI) capabilities and algorithms that, in turn, enable the use of large datasets in increasingly sophisticated and effective ways to the detriment of U.S. national security. Countries of concern can use AI in conjunction with multiple unrelated datasets, for example, to identify U.S. persons whose links to the federal government would be otherwise obscured in a single dataset and who can then be targeted for espionage or blackmail."3 The Rule signals a broader U.S. effort to tighten control over cross-border data flows, while seeking to enable legitimate commercial activities.
History of the Rule
President Biden issued the Order in February 2024, directing the DOJ to establish and implement regulations to address the threat from countries of concern attempting to access and exploit bulk amounts of U.S. sensitive personal data and U.S. government-related data. The DOJ considered comments received in response to its March 5, 2024 Advance Notice of Proposed Rulemaking (ANPRM) and its October 29, 2024 Notice of Proposed Rulemaking (NPRM) "as well as feedback from hundreds of representatives from companies and organizations and extensive consultation with dozens of other U.S. government agencies and offices, along with engagement [of] foreign partners."4
Rule scope and requirements
The Rule prohibits or restricts various categories of transactions involving bulk sensitive personal data or government-related data between U.S. persons and the countries of concern and covered persons. We explain in detail below what data and transactions are covered by the Rule, as well as how the Rule defines covered persons.
Countries of Concern and Covered Persons
U.S. companies and companies with U.S. employees will need to know whether they are transacting with countries of concern or covered persons. We listed above the countries of concern currently identified by the DOJ: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela. The list of countries can change over time, as it is based on a determination by the Attorney General with the concurrence of the Secretary of State and the Secretary of Commerce, that a foreign government "(1) has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of U.S. persons, and (2) poses a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or security and safety of U.S. persons."5
Identifying "covered persons" is more complex and allows for the Attorney General to exercise some discretion. The Rule defines a covered person as:
- A foreign person that is an entity that is 50 percent or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern or persons …; or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern
- A foreign person that is an entity that is 50 percent or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in [the other] paragraphs of this section
- A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity [identified by] this section
- A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern
- Any person, wherever located, determined by the Attorney General: (i) to be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person; (ii) to act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or (iii) to have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.6
Note that the language in the fifth category above is broad enough to potentially encompass scenarios that do not involve a direct data transfer to a country of concern. This is particularly true if the transfer is a workaround intended to ultimately route the data to such a country. How this provision will be interpreted and applied remains to be seen.
U.S. companies will need to regularly monitor their counterparts in transactions involving bulk sensitive personal data or U.S. government-related data, as ownership structures or Attorney General designations of their counterparts could change over time, such that an entity could become a "covered person" even if it was not when their transactions began. This should be a new point of diligence in deals and transactions.
Covered Data
The Rule regulates transactions concerning two categories of data: U.S. sensitive personal data and U.S. government-related data.
There are six categories of U.S. sensitive personal data, each of which has a defined "bulk" threshold, which refers to the amount of data transferred that meets or exceeds the threshold "at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person."7 Note that some of the most sensitive data types have very low thresholds.
- Human 'omic data includes: (a) human genomic data; (b) human epigenomic data; (c) human proteomic data; or (d) human transcriptomic data but excludes pathogen-specific data embedded in human 'omic data sets.8 The bulk threshold for human 'omic data is data collected or maintained on more than 1,000 U.S. persons or, in the case of human genomic data, 100 U.S. persons.
- Biometric identifiers: "measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system."9 The bulk threshold for biometric identifiers is data collected or maintained on more than 1,000 U.S. persons.
- Precise geolocation data: identifies the physical location (real-time or historical) of an individual or device to within 1,000 meters.10 The bulk threshold for precise geolocation data is data collected or maintained on more than 1,000 U.S. devices.
- Personal health data: "indicates, reveals or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to an individual. This term includes basic physical measurements and health attributes …; social, psychological, behavioral and medical diagnostic, intervention, and treatment history; test results; logs of exercise habits; immunization data; data on reproductive and sexual health; and data on the use or purchase of prescribed medications."11 The bulk threshold for personal health data is data collected or maintained on more than 10,000 U.S. persons.
- Personal financial data: "data about an individual's credit, charge or debit card or bank account, including purchases and payment history; data in a bank, credit or other financial statement, including assets, liabilities, debts or trades in a securities portfolio; or data in a credit report or in a "consumer report" (as defined in 15 U.S.C. 1681a(d))."12 The bulk threshold for personal financial data is data collected or maintained on more than 100,000 U.S. persons.
- Covered personal identifiers: any of the above-listed identifiers (a) in combination with any of the other listed identifiers or (b) in combination with "other data that is disclosed by a transacting party…such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data."13 The bulk threshold for covered personal identifiers is data collected or maintained on more than 100,000 U.S. persons.
The Rule does not apply a bulk requirement to the category of U.S. government-related data, which it defines as (1) precise geolocation data for any area specifically designated by the Attorney General as posing a heightened risk of exploitation by a country of concern, which could include military installations, national security, defense or intelligence facilities, or worksites of federal national intelligence personnel and (2) any sensitive personal data that is marketed as linked or linkable to current or former U.S. government employees or officials, including from the military or intelligence community.14
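The threshold test described above has two parts that are easy to get wrong in a compliance check: volumes aggregate across transactions between the same U.S. person and the same counterparty over a trailing 12-month window, and the count is of distinct U.S. persons (or devices), so summing per-transfer record counts overstates exposure. The following added example (not from the Rule or the DOJ, and not legal guidance) shows one way to evaluate both, using the thresholds listed on this page; the transaction records, party names and category keys are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable

# Bulk thresholds as listed on this page ("more than N"), keyed by a constructed category name.
# Counts are distinct U.S. persons, except precise geolocation, which counts U.S. devices.
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "human_omic_other": 1_000,          # epigenomic, proteomic, transcriptomic
    "biometric": 1_000,
    "precise_geolocation": 1_000,       # devices
    "personal_health": 10_000,
    "personal_financial": 100_000,
    "covered_personal_identifiers": 100_000,
}

# Government-related data carries no bulk threshold: any volume is covered.
GOVERNMENT_RELATED = {"gov_designated_area_geolocation", "gov_linked_sensitive_data"}


@dataclass(frozen=True)
class DataTransaction:
    when: date
    us_person: str          # the U.S. party
    counterparty: str       # the foreign person / covered person
    category: str           # a key of BULK_THRESHOLDS or a member of GOVERNMENT_RELATED
    subjects: frozenset     # pseudonymous ids of the U.S. persons (or devices) transferred


def covered_pairs(transactions: Iterable[DataTransaction], as_of: date, window_days: int = 365):
    """Return {(us_person, counterparty, category): distinct_count} for every pairing that is
    over its bulk threshold within the trailing window ending at `as_of`, plus every
    government-related transfer in that window (no threshold applies)."""
    window_start = as_of - timedelta(days=window_days)
    seen: dict[tuple, set] = {}
    for tx in transactions:
        if not (window_start < tx.when <= as_of):
            continue
        key = (tx.us_person, tx.counterparty, tx.category)
        # Union, not sum: a U.S. person appearing in two transfers counts once.
        seen.setdefault(key, set()).update(tx.subjects)
    flagged = {}
    for key, subjects in seen.items():
        category = key[2]
        if category in GOVERNMENT_RELATED or len(subjects) > BULK_THRESHOLDS[category]:
            flagged[key] = len(subjects)
    return flagged


def first_trigger_date(transactions, us_person, counterparty, category):
    """Earliest transaction date on which the pairing crosses its threshold
    ("at any point in the preceding 12 months"), or None if it never does."""
    key = (us_person, counterparty, category)
    for tx in sorted(transactions, key=lambda t: t.when):
        if key in covered_pairs(transactions, as_of=tx.when):
            return tx.when
    return None


# Constructed sample: overlapping biometric transfers to one vendor, one stale transfer
# outside the window, and a small government-linked transfer that needs no threshold.
SAMPLE = [
    DataTransaction(date(2023, 12, 1), "AcmeApp Inc", "Vendor X", "biometric", frozenset(range(2000, 2500))),
    DataTransaction(date(2025, 1, 10), "AcmeApp Inc", "Vendor X", "biometric", frozenset(range(0, 600))),
    DataTransaction(date(2025, 6, 1), "AcmeApp Inc", "Vendor X", "biometric", frozenset(range(300, 900))),
    DataTransaction(date(2025, 9, 15), "AcmeApp Inc", "Vendor X", "biometric", frozenset(range(800, 1200))),
    DataTransaction(date(2025, 9, 15), "AcmeApp Inc", "Vendor X", "gov_linked_sensitive_data", frozenset(range(5))),
]

if __name__ == "__main__":
    # Summing record counts would flag the June transfer (600 + 600); distinct subjects give 900.
    print(covered_pairs(SAMPLE, as_of=date(2025, 6, 1)))
    print(first_trigger_date(SAMPLE, "AcmeApp Inc", "Vendor X", "biometric"))
```

Rerunning `covered_pairs` on each new transaction date is what makes the check rolling; a single year-end evaluation would miss a threshold crossed and then aged out mid-year.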
Prohibited, Restricted, and Exempt Transactions
The Rule prohibits some transactions in covered data and permits others with restrictions and compliance requirements. Other specified transactions are exempt under the Rule.
Prohibited Transactions
Subpart C of the Rule identifies prohibited transactions and related activities, beginning with "data brokerage" transactions involving covered data, with covered persons. Data brokerage is defined as "the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data."15
The Rule provides ten examples of what would constitute data brokerage, which provide some clarity but also underscore the breadth of the term as used here. For example, a U.S. company operating a mobile app or website that knowingly incorporates tracking pixels or software development kits transferring bulk sensitive personal data to a social media app owned by a country of concern for targeted advertising constitutes prohibited data brokerage under the Rule.
In addition to the prohibition on data brokerage transactions directly with countries of concern and covered persons, the Rule requires any U.S. person entering into a transaction involving access by any foreign person to bulk sensitive personal data or U.S. government-related data to contractually require that foreign person to "refrain from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person; and [to report] any known or suspected violations of this contractual requirement" to the DOJ.16
In addition to the data brokerage prohibition, the Rule also prohibits any covered data transaction with a covered person that involves access to bulk human 'omic data or to human biospecimens from which such data could be derived.17
Restricted Transactions
Except as authorized as an exempt transaction, which we discuss below, any U.S. person engaging in a covered data transaction involving an employment agreement, vendor agreement, or investment agreement with a country of concern or a covered person must comply with the Rule's security requirements.18 (This does not apply to transactions with covered persons involving bulk human 'omic data which, as noted above, are always prohibited.)
An employment agreement, for the purposes of the Rule, is "any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level."19
The definition of an investment agreement includes agreements or arrangements whereby a person gains direct or indirect ownership of a U.S. legal entity or real estate located in the United States. It excludes "passive investments," which include publicly traded securities; funds offered by SEC-registered investment companies; limited partnership investments with no ability to control or influence fund decisions; holdings of less than 10 percent of voting and equity interest; and investments conferring no rights beyond "standard minority shareholder protections."20
A vendor agreement is "any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration."21 For example, a U.S. company collecting bulk precise geolocation data from U.S. users through an app and entering into an agreement with a company headquartered in a country of concern to process and store this data constitutes a restricted transaction.
Due diligence and audit requirements: U.S. persons conducting restricted transactions under the Rule must, by October 6, 2025, establish a data compliance program that includes, at a minimum:
- Procedures for verifying data flows, and logging the type and volume of data transferred, as well as the identity and ownership (or citizenship or permanent residency) of the parties
- Procedures to verify identity of vendors
- A written data compliance policy and a written policy describing implementation of security requirements that are both certified annually by an officer, executive or other employee responsible for compliance
The Rule also requires an annual independent audit, producing a written report that the U.S. person must retain for at least ten years. The audit must:
- Describe all restricted transactions for that 12-month period
- Describe the audit methodology
- Describe the effectiveness of the data compliance program
- Describe any vulnerabilities in the implementation of the security requirements that affected or could have affected a country of concern gaining access to government data or bulk personal data
- Describe any instances where security requirements failed or were not effective
- Recommend improvements to policies and practices to improve compliance with security requirements22
The Rule prohibits U.S. persons from "knowingly directing" any transaction that would be a prohibited transaction or restricted transaction under this rule.23 For example, if a U.S. person owns and operates a foreign entity that is not a covered person and instructs the entity to engage in what would be a prohibited transaction, that U.S. person would have knowingly directed a prohibited transaction.
Exempt Transactions
The categories of transactions exempt from the Rule are:
- Personal communications
- Information or informational materials
- Travel
- Official business of the U.S. Government
- Financial services
- Corporate group transactions
- Transactions required or authorized by U.S. federal law or international agreements, or necessary for compliance with federal law
- Investment agreements subject to CFIUS action
- Telecommunications services
- Drug, biological product and medical authorizations
- Other clinical investigations and post-marketing surveillance data
Potential Liability
Under the Final Rule, civil penalties for violations are substantial, with the amount not exceeding the greater of US$377,700 (adjusted for inflation) or twice the value of the transaction that forms the basis of the violation. In cases of willful violations, criminal penalties can be severe, including a fine of up to US$1,000,000, imprisonment for up to 20 years, or both.24 Additionally, the Final Rule retains the proposed pre-penalty notice process, under which the DOJ will notify the alleged violator in writing of its intent to impose a penalty before taking further action.25
Advisory Opinions
Under the Order, any U.S. person party to a transaction potentially regulated by the Order, or their agent acting on their behalf, may request an advisory opinion from the Attorney General regarding the Department of Justice's enforcement intentions with respect to the transaction.26 This request will clarify whether the transaction may be subject to the prohibitions or restrictions set forth in the Order and its related provision.
Security Requirements
If a U.S. person is engaging in restricted transactions, they must implement a comprehensive set of security measures to ensure compliance with CISA security requirements, which focus on organizational, system and data-level safeguards to protect covered data. The Rule incorporates by reference the Cybersecurity and Infrastructure Security Agency (CISA) Security Requirements for Restricted Transactions E.O. 14117 Implementation, Final edition, 2024.27
At the organizational level, entities must implement cybersecurity policies, access controls, and conduct regular risk assessments to ensure restricted persons or countries cannot access sensitive data. These assessments must evaluate whether data is protected from being identifiable, linkable, or decryptable using common technologies and include a mitigation strategy. On the data level, data minimization, masking and encryption should be used to protect sensitive information during transactions. Privacy-enhancing technologies must also be applied to prevent misuse of data. Identity and access management systems should be configured to restrict unauthorized access to covered data.
Key Takeaways
- Focus on national security: The core purpose of this rule is the protection of U.S. national security. The DOJ espouses a concern with an increasing threat posed by foreign adversaries, particularly countries of concern, in accessing and exploiting Americans' data for malicious purposes, including espionage, blackmail and the development of bioweapons. The rule explicitly aims to create a mechanism to address this data security threat.
- Proactive and categorical approach: The Rule defines specific types of transactions that are either prohibited outright or restricted unless they meet stringent security and privacy requirements. While there are questions regarding the application and enforcement of the Rule, it provides greater clarity and predictability for businesses and individuals engaging in data transactions than would a case-by-case approach.
- Balance between security and commerce: The Rule attempts to strike a balance between protecting national security and enabling legitimate commercial activities. It includes a range of exemptions for activities such as official government business, financial services, corporate group transactions and certain health research activities. The licensing process further allows for exceptions to be granted on a case-by-case basis.
- Emphasis on data brokerage: The Rule places a particular emphasis on data brokerage, prohibiting transactions involving the sale or licensing of covered data to countries of concern or covered persons. This highlights the concern over the readily available commercial market for sensitive personal data and the potential for its misuse by foreign adversaries.
- Importance of security requirements: For restricted transactions, compliance with security requirements issued by the CISA is crucial. These requirements, incorporating existing cybersecurity standards, aim to mitigate the risks of unauthorized access to sensitive data by covered persons or countries of concern.
- Robust compliance and enforcement: The Rule establishes a robust compliance and enforcement regime, including due diligence requirements, annual audits, reporting obligations, and civil and criminal penalties for violations. This underscores the seriousness with which the DOJ views these data security risks.
- Ongoing review and adaptation: The Rule anticipates the need for ongoing review and adaptation to address evolving technologies and threats. The DOJ plans to continue stakeholder engagement, issue guidance and assess the rule's effectiveness over time. The inclusion of licensing and advisory opinion processes allows for flexibility and responsiveness to specific circumstances.
1 Available at NSD 104 - Data Security - 1124-AA01 - Final Rule: Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons
2 Justice Department Fact Sheet: Justice Department Issues Final Rule to Address Urgent National Security Risks Posed by Access to U.S. Sensitive Personal and Government-Related Data from Countries of Concern and Covered Persons, available at https://www.justice.gov/opa/media/1382526/dl
3 Office of Public Affairs | Justice Department Issues Final Rule Addressing Threat Posed by Foreign Adversaries' Access to Americans' Sensitive Personal Data | United States Department of Justice
4 Justice Department Fact Sheet: Justice Department Issues Final Rule to Address Urgent National Security Risks Posed by Access to U.S. Sensitive Personal and Government-Related Data from Countries of Concern and Covered Persons, available at https://www.justice.gov/opa/media/1382526/dl
5 § 202.209
6 § 202.211
7 § 202.205
8 § 202.224 Human 'omic data. (a) The term human 'omic data means: (1) Human genomic data. Data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a human cell, including the result or results of an individual's "genetic test" (as defined in 42 U.S.C. 300gg-91(d)(17)) and any related human genetic sequencing data. (2) Human epigenomic data. Data derived from a systems-level analysis of human epigenetic modifications, which are changes in gene expression that do not involve alterations to the DNA sequence itself. These epigenetic modifications include modifications such as DNA methylation, histone modifications, and non-coding RNA regulation. Routine clinical measurements of epigenetic modifications for individualized patient care purposes would not be considered epigenomic data under this rule because such measurements would not entail a systems-level analysis of the epigenetic modifications in a sample. (3) Human proteomic data. Data derived from a systems-level analysis of proteins expressed by a human genome, cell, tissue, or organism. Routine clinical measurements of proteins for individualized patient care purposes would not be considered proteomic data under this rule because such measurements would not entail a systems-level analysis of the proteins found in such a sample. (4) Human transcriptomic data. Data derived from a systems-level analysis of RNA transcripts produced by the human genome under specific conditions or in a specific cell type. Routine clinical measurements of RNA transcripts for individualized patient care purposes would not be considered transcriptomic data under this rule because such measurements would not entail a systems-level analysis of the RNA transcripts in a sample.
9 § 202.204
10 § 202.242
11 § 202.241
12 § 202.240
13 § 202.212
14 § 202.222
15 § 202.214
16 § 202.302
17 § 202.303
18 § 202.401
19 § 202.217
20 § 202.228
21 § 202.258
22 § 202.1002
23 § 202.305
24 § 202.1301
25 § 202.1302
26 § 202.901
27 § 202.248
© 2025 White & Case LLP