The Final Rule issued by the U.S. Department of Justice (DOJ) on December 27, 2024, implementing Executive Order 14117 of February 28, 2024, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” takes effect on April 8, 2025. The Final Rule prohibits or restricts certain data transactions involving six countries of concern, including China. Certain affirmative compliance obligations for U.S. persons engaging in restricted transactions come into force on October 6, 2025.

General Overview

Countries of Concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela.

Covered Persons: (1) foreign entities that are 50% or more owned by a country of concern, organized under the laws of a country of concern, or have their principal place of business in a country of concern; (2) foreign entities that are 50% or more owned by a covered person; (3) foreign individuals who are employees or contractors of a country of concern or of an entity that is a covered person; (4) foreign individuals primarily resident in a country of concern; and (5) individuals and entities designated by the DOJ as covered persons on a public list.

Sensitive Personal Data: (1) certain covered personal identifiers (e.g., names linked to device identifiers, social security numbers, driver’s license or other government identification numbers); (2) precise geolocation data (e.g., GPS coordinates); (3) biometric identifiers (e.g., facial images, voice prints and patterns, and retina scans); (4) human genomic data and three other types of human ’omic data (epigenomic, proteomic and transcriptomic); (5) personal health data (e.g., height, weight, vital signs, symptoms, test results, diagnoses, digital dental records and psychological diagnostics); and (6) personal financial data (e.g., information relating to an individual’s credit or debit cards, bank accounts and financial liabilities, including payment history). Certain categories of data are excluded, e.g., public or nonpublic data that do not relate to an individual, data already lawfully publicly available from government records or widely distributed media, personal communications, and certain informational materials.

Bulk Sensitive Personal Data Thresholds: “Bulk” refers to any amount of sensitive personal data, whether the data are anonymized, pseudonymized, de-identified or encrypted, that exceeds the following thresholds in the aggregate at any point in the 12 months preceding a covered data transaction:

  • human genomic data on over 100 U.S. persons, and the three other covered categories of human 'omic data on over 1,000 U.S. persons;
  • biometric identifiers on over 1,000 U.S. persons;
  • precise geolocation data on over 1,000 U.S. devices;
  • personal health data and personal financial data on over 10,000 U.S. persons;
  • certain covered personal identifiers on over 100,000 U.S. persons;
  • any combination of these data types that meets the lowest threshold for any category.

U.S. Government-Related Data: (1) any precise geolocation data within geographic areas listed on the DOJ’s public Government-Related Location Data List; and (2) any sensitive personal data marketed as linked to current or recent former U.S. Government employees or contractors (including the military and intelligence community).

Prohibitions and Restrictions: The Final Rule identifies categories of covered data transactions, i.e., transactions that would give a country of concern or a covered person access to bulk sensitive personal data or U.S. Government-related data, that U.S. persons are either prohibited or restricted from engaging in.

Prohibited transactions: data brokerage, and covered data transactions involving access to bulk human ’omic data or to human biospecimens from which such data can be derived, with ’omic data defined as human genomic, epigenomic, proteomic and transcriptomic data.

Restricted transactions: vendor agreements, employment agreements and non-passive investment agreements. Restricted transactions with countries of concern or covered persons are permitted only if the U.S. person complies with the security requirements published by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

Exempt Transactions: The Final Rule exempts certain classes of data transactions:

  • Personal communications that do not transfer anything of value; the import or export of informational materials involving expressive materials; and travel information, including data about personal baggage, living expenses, and travel arrangements.
  • Official U.S. Government activities.
  • Financial services, to the extent the transactions are ordinarily incident to and part of providing financial services, such as banking, capital-markets or financial-insurance services; financial activities authorized for national banks; activities defined as financial in nature or complementary to a financial activity; the transfer of personal financial data incidental to e-commerce; and the provision of investment management services that provide advice on portfolios or assets for compensation, including related ancillary services.
  • Corporate group transactions between a U.S. person and its foreign subsidiary or affiliate, if they are ordinarily incident to and part of routine administrative or business operations, such as human resources, payroll, taxes, permits, compliance, risk management, travel, and customer support.
  • Transactions required or authorized by federal law or international agreements. Additionally, transactions are exempt to the extent they are ordinarily incident to and part of compliance with federal law and regulations.
  • Investment agreements after they have become subject to certain mitigation or other action taken by the Committee on Foreign Investment in the United States (CFIUS), if CFIUS explicitly designates them as exempt.
  • Transactions that are ordinarily incident to and part of the provision of telecommunications services, including all voice and data communications services regardless of format or mode of delivery, including communications services delivered over cable, Internet Protocol, wireless, fiber, or other transmission mechanisms, as well as arrangements for network interconnection, transport, messaging, routing, or international voice, text, and data roaming.
  • Data transactions with countries of concern or covered persons involving drug, biological product, device, or combination product approvals or authorizations if the data transactions involve “regulatory approval data” necessary to obtain or maintain regulatory approval.
  • Other clinical investigations and post-marketing surveillance data if the transactions are part of clinical investigations regulated by the FDA, or support FDA applications for research or marketing permits for drugs, biological products, devices, combination products, or infant formula, and the data are de-identified or pseudonymized consistent with FDA regulations.
  • Transactions involving data that are lawfully publicly available from government records or widely distributed media, and metadata that is ordinarily associated with expressive materials or that is reasonably necessary to enable the transmission or dissemination of expressive materials (such as geolocation data embedded in digital photographs).

Licensing: The Final Rule authorizes the DOJ to issue general licenses to authorize certain categories of otherwise prohibited or restricted transactions under specified conditions and to issue specific licenses for specific transactions by parties who apply for and disclose details of their intended transactions in a license application to the DOJ.

Guidance and Advisory Opinions: The Final Rule permits the DOJ to issue general public guidance to address frequently asked questions and common issues, as well as advisory opinions to address the applicability of the regulations to specific transactions, and permits regulated parties to request advisory opinions about the interpretation and application of the regulations to actual specific transactions.

Compliance Obligations: The Final Rule does not prescribe general due-diligence, recordkeeping, reporting or other compliance requirements across the U.S. economy or across all data transactions. Instead, U.S. companies and individuals are expected to develop and implement compliance programs based on their individualized risk profiles.

The Final Rule establishes affirmative compliance obligations only as conditions for U.S. persons engaged in a restricted transaction. These include:

  • implementing risk-based procedures to verify and log data flows, including the types and volume of sensitive personal and government-related data involved, the identities of the transaction parties, the end-use of the data and the transfer methods, and the identities of vendors;
  • establishing written policies on data security and compliance that are certified annually by a responsible officer or employee;
  • conducting an annual audit by an internal or external independent auditor to verify compliance with the security requirements established by CISA, and retaining the results; and
  • maintaining, and certifying the accuracy of, records for 10 years documenting data transfer methods, transaction dates, agreements, licenses, advisory opinions, and any relevant documentation received or created in connection with the transactions.

Reporting Requirements: As previewed in the Advance Notice of Proposed Rulemaking (ANPRM) and Notice of Proposed Rulemaking (NPRM), the Final Rule establishes certain reporting requirements to ensure compliance with these rules and safeguard national security, including:

  • Annual reports filed by U.S. persons engaged in restricted transactions involving cloud-computing services, if they are 25% or more owned, directly or indirectly, by a country of concern or covered person;
  • Reports by any U.S. person that has received and affirmatively rejected an offer from another person to engage in a prohibited transaction involving data brokerage;
  • Reports by U.S. persons engaged in a covered data transaction involving data brokerage with a foreign non-covered person if the U.S. person knows or suspects that the foreign counterparty is violating the restrictions on resale and onward transfer to countries of concern or covered persons; and
  • Reports by U.S. persons invoking the exemption for certain data transactions that are necessary to obtain or maintain regulatory approval to market a drug, biological product, device or a combination product in a country of concern.

Enforcement: The Final Rule permits the DOJ to conduct investigations, hold hearings, examine and depose witnesses, and issue subpoenas for witnesses and documents related to any matter under investigation. Violations can result in civil and criminal penalties. Civil penalties can reach the greater of $368,136 or twice the amount of the transaction involved. Willful violations can lead to criminal fines of up to $1 million and up to 20 years’ imprisonment.

Navigating the U.S. Data Rule Landscape

As U.S. data policies evolve, we are closely monitoring developments and can assist both U.S. and foreign businesses in navigating the complex U.S. data rule landscape. Please contact us if you have any questions concerning the material discussed in this client alert or otherwise in connection with assessing the impact of U.S. data rules on your business.