Navigating the DOJ's Final Rule on Bulk Sensitive Personal Data Transfers


This article provides an overview of the “Final Rule” implementing former President Biden’s Executive Order 14117 - Preventing Access to Americans’ Bulk Sensitive Personal Data and US Government-Related Data by Countries of Concern, its implications, and key considerations for US businesses that collect, maintain, or transfer sensitive personal data, or government-related data.

Justin Hampton
Director of Legal Operations - Information Governance
April 21, 2025 | 7 min read

DISCLAIMER: This article is not legal advice and is not intended to be provided as such. Organizations should consult independent legal counsel to assess their obligations and develop appropriate compliance strategies according to their own circumstances.

Introduction

The United States Department of Justice (DOJ) has issued a “Final Rule” implementing former President Biden’s Executive Order 14117 - Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern to address national security risks arising from access to bulk U.S. sensitive personal data and U.S. government-related data by countries of concern. This rule, effective April 8, 2025, introduces a new regulatory framework that prohibits or restricts certain data transactions with these countries and associated individuals and entities. This article provides an overview of the rule, its implications, and key considerations for United States businesses that collect, maintain, or transfer sensitive personal data, or government-related data.

Purpose of the Rule

The DOJ's final rule aims to protect U.S. national security by addressing the threat of countries of concern obtaining and exploiting bulk sensitive personal data, including using such data to develop and enhance artificial intelligence capabilities and to support espionage, influence operations, and the tracking and targeting of individuals. The rule is part of a broader U.S. effort to tighten control over cross-border data flows while permitting legitimate commerce.

The Final Rule

Countries of Concern and Covered Persons

  • The rule targets six designated "countries of concern": China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
  • "Covered persons" (see §202.211 Covered Person) include:
    • Foreign entities 50% or more owned by a country of concern or covered person.
    • Foreign entities organized or chartered under the laws of countries of concern or with their principal place of business in such countries.
    • Foreign employees or contractors of countries of concern or covered persons.
    • Foreign individuals primarily residing in a country of concern.
    • Any person (including U.S. persons) designated by the Attorney General as a covered person.

Covered Data

The rule regulates transactions involving "U.S. sensitive personal data" and "U.S. government-related data."

  • U.S. Government-Related Data (see §202.222 Government-Related Data and §202.1401 Government-Related Location Data List) :
    • Precise geolocation data for areas designated by the Attorney General as high-risk (e.g., military installations).
    • Sensitive personal data marketed as linked or linkable to current or former U.S. government employees (including military and intelligence).
      • No bulk threshold applies to this category.
  • U.S. Sensitive Personal Data: Defined in six categories, each with a "bulk" threshold that counts the data collected or maintained at any point in the preceding 12 months, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted:
    • Human 'omic data: Data on more than 1,000 U.S. persons (more than 100 U.S. persons for human genomic data).
    • Biometric identifiers: Data on more than 1,000 U.S. persons (facial images, voice prints, retina and iris scans, fingerprints, etc.).
    • Precise geolocation data: Data on more than 1,000 U.S. devices (location data precise to within 1,000 meters).
    • Personal health data: Data on more than 10,000 U.S. persons.
    • Personal financial data: Data on more than 10,000 U.S. persons.
    • Covered personal identifiers: "Listed identifiers" (for example, government ID numbers, financial account numbers, device identifiers such as IMEI or MAC addresses, and account authentication data) in combination with one another or with other sensitive personal data; the threshold is data on more than 100,000 U.S. persons (see §202.205 Bulk and §202.206 Bulk U.S. Sensitive Personal Data).
    • Combined data: Where a data set contains more than one of these categories, the lowest threshold among the categories present applies (see §202.205).

Prohibited Transactions

  • Data Brokerage: The sale or licensing of covered data to countries of concern or covered persons, where the recipient did not collect or process the data directly from the individuals to whom it relates (see §202.301 Prohibited Data-Brokerage Transactions and §202.210 Covered Data Transaction).
  • Bulk Human 'Omic Data and Biospecimens: Transactions involving access to bulk human 'omic data or to human biospecimens from which such data could be derived (with exceptions for certain diagnostic and treatment purposes) (see §202.303 Prohibited Human 'Omic Data and Human Biospecimen Transactions).

Restricted Transactions (Permitted with Compliance)

Vendor agreements, employment agreements, and investment agreements (excluding certain passive investments) involving access to bulk sensitive personal data or U.S. government-related data with countries of concern or covered persons.

These transactions are permitted only if they comply with specific diligence, audit, record-keeping, and security obligations (see §202.401 Authorization to Conduct Restricted Transactions), including:

  • Due Diligence: Establishing a data compliance program.
  • Audit: Annual audit of restricted transactions.
  • Security Requirements: Complying with the security requirements issued by the Cybersecurity and Infrastructure Security Agency (CISA), which cover organizational and system-level controls (such as asset inventories, vulnerability remediation, identity and access management, and logging) and data-level controls (such as data minimization, encryption, and privacy-enhancing techniques that prevent covered persons from accessing covered data).

Exempt Transactions

Several categories of transactions are exempt from the rule (see Exempt Transactions §§202.501 through 202.511), including:

  • Personal communications not involving the transfer of "anything of value."
  • Information or informational materials.
  • Travel-related activities.
  • Official business of the U.S. Government.
  • Financial services.
  • Corporate group transactions.
  • Transactions required or authorized by U.S. federal law or international agreements.
  • Investment agreements subject to CFIUS action.
  • Telecommunications services (excluding data brokerage).
  • Drug, biological product, and medical device authorizations.
  • Other clinical investigations and post-marketing surveillance data.

Licenses and Advisory Opinions

  • The DOJ can issue general or specific licenses for prohibited/restricted transactions (see Licensing §§202.801 through 202.803).
  • U.S. persons can seek advisory opinions from the DOJ regarding the rule's application to specific transactions (see Advisory Opinions §202.901).

Compliance, Recordkeeping, and Penalties

  • Compliance Obligations
    • The Final Rule outlines three main compliance obligations for U.S. entities involved in restricted transactions. First, they must develop and implement a data compliance program. Second, these entities must conduct an annual audit. Third, these entities must maintain complete and accurate records of each transaction for at least 10 years.
  • Violations can result in significant civil penalties (the greater of $368,136 or twice the value of the transaction) and, for willful violations, criminal penalties (fines of up to $1,000,000 and/or imprisonment for up to 20 years) (see Penalties and Finding of Violation §§202.1301 through 202.1306).

Implementation Timeline

  • The rule was published on January 8, 2025.
  • The rule became effective on April 8, 2025.
  • Due diligence, audit, and certain reporting obligations are effective starting October 6, 2025.

Key Takeaways

  • The rule represents a significant expansion of U.S. regulatory authority over cross-border data transfers based on national security concerns.
  • Compliance will require a comprehensive understanding of data flows, counterparties, and the rule's specific definitions and thresholds.
  • Proactive due diligence, robust compliance programs, and adherence to security requirements are crucial.
  • The broad definitions of "bulk sensitive personal data" and "covered persons" necessitate a thorough assessment of existing and future international data transactions.
  • Sectors dealing with significant amounts of personal data, particularly omic data, healthcare, finance, and those handling government data will be particularly impacted.
  • U.S. businesses that collect, maintain, or transfer sensitive personal data, or government-related data should consult legal counsel to assess their obligations and develop appropriate compliance strategies.

What Can U.S. Businesses Do?

  • Identify your information/data:
    • Companies, with guidance from their legal counsel, should closely examine the Rule to understand the information and data affected and map the types and amounts of data they process that fall within its scope, including where that data is stored, who can access it, and which counterparties receive it. Establishing a record retention schedule will jump-start a data inventory build. This analysis of the organization’s data assets is essential for ensuring compliance. As the DOJ states in its commentary on the Rule, it “expects companies to know their data when they are dealing in government-related data and bulk U.S. sensitive personal data. Companies that choose to engage in these types of data transactions should have a clear understanding of the volume of data they possess and are transacting.”
  • Examine active engagements and contracts:
    • Companies should review their existing engagements and contractual agreements (e.g., data brokerage, employment, investment, vendor) that involve covered data, even where the agreement does not explicitly describe the data as such. These agreements may need to be modified or, in some cases, terminated, including agreements governing intracompany data access. Companies should also prepare for the possibility of replacing vendors or moving certain operations across borders, depending on where their current vendors are located.
  • Ensure compliance with Cybersecurity and Infrastructure Security Agency (CISA) requirements:
    • Information technology and security teams should collaborate with data owners and legal counsel to ensure that all security requirements are implemented, maintained, and documented.
  • Develop a foundational information governance process:
    • Companies involved in restricted transactions will need to ensure they meet the Rule’s requirements for due diligence, compliance, recordkeeping, auditing, and reporting. Given that various internal departments may already perform similar functions, it may be most effective to consolidate these efforts within one department supported by clear cross-functional channels, or to collaborate with industry leaders like Iron Mountain to assist in creating an inclusive information governance practice.

Conclusion

The Final Rule became effective April 8, 2025, with due diligence, audit, and certain reporting obligations becoming effective October 6, 2025. The new DOJ rule is just one part of a much larger responsibility. Companies today need a comprehensive approach to information governance, identifying the records that need to be retained, ensuring they meet the requirements of various jurisdictions, navigating evolving privacy and AI regulations, and adhering to industry standards. It's crucial to establish a foundational information governance strategy in order to keep your operations secure and legally compliant.


Iron Mountain Information Governance Advisory consists of four core offerings:


IG Advise:

A consulting service providing assessment and strategy development leveraging tools such as IGPulseCheck®

IG Retain:

A consulting service and related technologies to manage content consistent with regulatory, legal, and privacy obligations.

IG Cleanse:

A technology solution that de-risks digital content and provides technical support to increase the usability of information.

IG Monetize:

By working with Iron Mountain Information Governance Advisory Services, you'll learn sustainable techniques to better organize and govern your information so you can more easily identify and access information that can deliver economic value to your organization.

About Iron Mountain

For over 70 years, Iron Mountain Incorporated (NYSE: IRM) has been your strategic partner to care for your information and assets. A global leader in storage and information management services and trusted by more than 225,000 organizations around the world, including over 90% of the Fortune 1000, we protect, unlock, and extend the value of your work - whatever it is, wherever it is, however it's stored.

We create the framework necessary to bridge the gaps between paper, digital, media, and physical data and extract value along its lifecycle, helping to build your organizational resilience. And all this with a commitment to sustainability at our core.

Our relationship is a true partnership where you trust us not only to preserve institutional knowledge and enhance efficiency, security, and access but to make your work mean more. Because in that work is the power to not only accelerate your business but elevate it.

Trusted by more than 225,000 organizations around the world, and with a real estate network of more than 85 million square feet across more than 1,400 facilities in over 60 countries, Iron Mountain stores and protects billions of valued assets, including critical business information, highly sensitive data, and cultural and historical artifacts. Providing solutions that include information management, digital transformation, secure storage, secure destruction, as well as data centers, cloud services, and art storage and logistics, we help customers lower cost and risk, comply with regulations, recover from disaster, and enable a more digital way of working-and all this with a commitment to sustainability.