7 April 2025

DOJ's New Data Export Restrictions Are Here: What Every Business Should Know

Manatt, Phelps & Phillips LLP

Contributor

Manatt is a multidisciplinary, integrated national professional services firm known for quality and an extraordinary commitment to clients. We are keenly focused on specific industry sectors, providing legal and consulting capabilities at the very highest levels to achieve our clients’ business objectives.

On April 8, new data export rules from the U.S. Department of Justice ("DOJ") will require U.S. companies to significantly curtail—and in some cases prohibit—access to U.S. data by individuals and entities located in China and other designated countries. The Rule represents a major next step in the U.S. government's emerging regulation of cross-border data transfers apart from—and, in some cases, beyond—existing restrictions under sanctions and export control regimes.

The DOJ's final rule Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the "Rule") implements the Biden administration's Executive Order 14117, which in turn built on the first Trump administration's Executive Order 13873, reflecting a growing concern that foreign adversaries could use sensitive data to undermine national security.

To address this concern, the Rule broadly prohibits or restricts the ability of U.S. businesses to share bulk U.S. sensitive data and government-related data with certain foreign entities or persons located in "countries of concern"—currently China, Russia, Iran, Cuba, North Korea and Venezuela. By extending the restrictions to all persons located in such countries rather than only designated individuals and entities, the Rule goes well beyond many existing restrictions on foreign transactions.

Here's what else you should know:

What's in Scope?

The Rule prohibits U.S. persons and entities from engaging in certain covered data transactions involving individuals from China and other designated countries, while significantly restricting their engagement in other such covered data transactions. A "covered data transaction" generally refers to any transaction involving access by a "country of concern" or person located in a "country of concern" to "government-related data or bulk U.S. sensitive personal data" in various contexts.

"Bulk" U.S. sensitive data refers to an amount of sensitive personal data in any format—including anonymized, pseudonymized, de-identified or encrypted—that exceeds annual content-specific and risk-based volume thresholds. Under this framework, bulk U.S. sensitive data includes the precise geolocation of more than 1,000 devices; biometric identifiers of more than 1,000 U.S. persons; personal health data or personal financial data of more than 10,000 persons; and certain personal identifiers of more than 100,000 U.S. persons.

Prohibited and Restricted Data Transactions

The Rule can be understood as introducing a presumptive ban on covered data transactions that take place on or after April 8, 2025, even if the transaction is addressed by an agreement that predates the Rule's effective date. Certain covered data transactions are barred outright ("prohibited transactions"), whereas others are permitted if the U.S. person involved in the covered data transaction complies with certain security requirements ("restricted transactions"), or—in rare cases—obtains a license from DOJ.

  • Prohibited transactions include data brokerage transactions—such as selling or licensing access to covered data to a recipient that did not directly collect the data—that involve the provision of bulk U.S. sensitive data or government-related data to covered persons. One example of a prohibited transaction cited by the Rule is where a U.S. company operates a mobile application and knowingly incorporates into the mobile application certain tracking pixels or software development kits that in turn transfer bulk sensitive personal data to social media applications owned by a country of concern. Such transactions are prohibited without exception.
  • Restricted transactions include commercial transactions that constitute "covered data transactions," which may include employment agreements, vendor agreements and investment agreements. Restricted transactions may proceed only if certain security measures designed to prevent or minimize access by persons located in countries of concern are applied, including organization, system and data-level protections. For example, a U.S. company that collects bulk geolocation data about U.S. users through a mobile application and then shares that data with a vendor located in a country of concern must comply with specific security protocols to ensure the data remains protected. Specifically, a restricted transaction is only permitted if the entity applies the security requirements outlined in CISA's Executive Order 14117, which took effect in January 2025, in a manner that prevents access by individuals in the countries of concern.

Exempt from the Rule are a variety of transactions such as personal communications; telecommunications services; travel; financial services; drug, biological product and medical device authorizations; transactions necessary for compliance with federal law; and some corporate group transactions.

Penalties and Enforcement

The Rule contemplates sweeping enforcement authority for the DOJ through audits, civil investigative demands and criminal inquiries. Non-compliance with the Rule could lead to significant penalties, including civil penalties up to $377,700 per violation, or double the value of the covered transaction. Willful violations of the Rule can bring criminal fines of up to $1 million and up to two years in prison.

Before imposing penalties, the DOJ will notify alleged violators through a pre-penalty notice process, which will provide the alleged violators an opportunity to respond. The DOJ will issue more detailed compliance and enforcement guidance, which we expect will offer insight into the department's stance on voluntary self-disclosures.

What's Next?

With the April 8 effective date fast approaching, a group of global U.S. companies requested an extension citing potential complications with compliance. However, DOJ has since issued a statement that the Rule will go into effect as scheduled. U.S. businesses should work with legal counsel to assess whether and to what extent they may be involved in covered data transactions with individuals or entities located in China and other countries of concern. In many cases, this will require a close evaluation of data supply chains among data processors and subprocessors to ensure all instances of potential access by individuals located in countries of concern are addressed. Now more than ever, it is essential for all businesses to review their existing data collection and sharing practices, security protocols, and privacy protections, paying particular attention to data governance controls within multinational companies and contract-based controls with third parties.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
