DOJ Issues National Security Rule On Sensitive Data Transfers

On January 8, the Department of Justice (DOJ) published its final Rule implementing Executive Order 14117 (EO), "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern" (the Rule). The Rule establishes a new regulatory regime to be administered and enforced by the Justice Department's National Security Division. Once the Rule is in effect, it will have a significant impact on all US persons engaged in the transfer of sensitive US personal data to "countries of concern" (i.e., China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela).

The Rule identifies certain sensitive data transactions that are prohibited and other transactions subject to special security and reporting requirements. The most notable prohibitions are twofold:

First, the Rule prohibits US persons from engaging in any "data brokerage" transaction involving identified categories of sensitive US personal data with "covered persons" or "countries of concern." Put another way, the Rule bans US data brokers from licensing or otherwise transferring a wide variety of sensitive US persons data to China (among other locations).

Second, the Rule prohibits all US persons from knowingly engaging in any "covered data transaction" with "countries of concern" or "covered persons" involving access to bulk human genomic, epigenomic, proteomic, or transcriptomic data, or with human biospecimens from which such data can be derived.

A broader category of "restricted" transactions—associated with vendor, employment, and investment agreements—condition transfer of certain categories of sensitive US personal data to China and other "countries of concern" on US persons maintaining specified security standards and compliance with government diligence, audit, and reporting requirements.

The Rule is likely to have a widespread impact on many US businesses. Of particular note:

• The Rule Will Apply to a Broad Set of US Businesses and Transactions: The breadth of the Rule means it could have sweeping implications, even for companies that do not typically think of themselves as data brokers.
• Sensitive Personal Data is Defined Broadly, with Relatively Low Thresholds: A broad range of personal data collected in the course of fairly standard online transactions can trigger the Rule. For example, precise geolocation collected by mobile devices, and two or more of the following types of identifiers: device-based or hardware-based identifiers (IMEI, MAC, SIM), advertising identifiers (MAID, Google ad ID), and network-based identifiers (IP address, cookies). The Rule is triggered for such covered personal identifiers at any amount of such data that meets or exceeds 100,000 or more people during a given 12-month period, whether through one covered data transaction or multiple covered data transactions.
• Compliance Will Be Challenging: Entities are expected to focus their efforts on identifying and understanding the data transactions they engage in now in order to comply with the Rule's requirements and prohibitions on sharing bulk US sensitive personal data. In particular, the diligence, auditing, recordkeeping, and reporting requirements for restricted transactions may require that entities either build out or establish comprehensive compliance programs to comply with the Rule.
• There is No "Grandfathering" Provision: Restricted and prohibited transactions will not be grandfathered as compliant simply because any resulting covered data transactions are subject to a preexisting contract or agreement. The DOJ has indicated that businesses that believe compliance is not feasible because of existing obligations may seek a license authorizing otherwise prohibited or restricted transactions. The Rule also empowers DOJ to issue general licenses in its discretion.
• The Trump Administration Might Keep the Rule: Biden's EO 14117 was not one of the many initial recissions made by President Trump on January 20, 2025, his first day in office. The Rule was designed to be narrowly tailored, but also flexible. The focus of the Rule on China and national security appears to be consistent with other protectionist measures likely to be favored by the new administration. Indeed, it is possible the new administration may add additional countries of concern or additional categories of data through supplemental rulemaking.

The Rule is effective April 8, 2025 (90 days after the date of publication in the Federal Register). (However, the Rule is also subject to President Trump's executive order on a regulatory freeze pending review by a new agency leader.) Certain affirmative compliance obligations will be phased in with a later effective date of October 6, 2025 (270 days after the Rule's publication in the Federal Register).

Key Definitions

The Rule captures a substantial range of economic activity with coverage potentially triggered through licensing, joint ventures, investments, employment and vendor agreements, and other transactions resulting in access to certain carefully defined categories of sensitive personal data associated with US persons.

"Country of Concern" and "Covered Person"

The Rule imposes limitations and prohibitions on the ability of "US persons"—defined as US citizens, entities organized under the laws of the US, and individuals lawfully resident in the US—to engage in certain data transfer transactions with "countries of concern" or "covered persons."

The Rule identifies six "countries of concern": China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela.

"Covered persons" are effectively entities and individuals with a substantial nexus to a country of concern. Specifically, "covered persons" are:

1. foreign persons that are 50 percent or more owned by a country of concern, organized under the laws of a country of concern, or have their principal place of business in a country of concern;
2. a foreign person that is 50 percent or more owned by a covered person;
3. a foreign person who is an employee or contractor of countries of concern or entities that are covered persons;
4. foreign persons primarily resident in countries of concern; or
5. a foreign person specially designated by the Attorney General of the United States as a covered person.

In light of the authority of the Attorney General to designate specific persons as "covered persons," regardless of location, the Rule essentially creates a sanctions-type list for covered transactions in the future. To determine whether an entity is controlled or subject to the influence of a country of concern, the DOJ will determine whether an entity is subject to the direction or control of a country of concern or covered person and, if so, will publicly designate them as a covered person (§ 202.211(a)(1) through (4)). Accordingly, US companies can rely on the published Covered Persons List when conducting due diligence.

"Covered Data" and "Bulk US Sensitive Personal Data"

Under the Rule, "covered data" includes a broad range of personal data that many companies collect in the ordinary course of doing business. Specifically, it includes the following types of data:

• "Covered personal identifiers" are "any listed identifier: (1) In combination with any other listed identifier; or (2) In combination with other data that is disclosed by a transacting party pursuant to the transaction such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data."
  • This includes "specifically listed classes of personally identifiable data that are reasonably linked to an individual" and could be used to identify an individual, but excludes (1) demographic or contact data that is linked only to other demographic or contact data (such as first and last name, birthplace, ZIP code, residential street or postal address, phone number, and email address and similar public account identifiers); and (2) a network-based identifier, account-authentication data, or calldetail data that is linked only to other network-based identifier, account-authentication data, or call detail data as necessary for the provision of telecommunications, networking, or similar.
• "Listed identifier" means any piece of data in any of the following data fields:
  • Full or truncated government identification or account number (such as a Social Security number, driver's license or State identification number, passport number, or Alien Registration Number);
  • Full financial account numbers or personal identification numbers associated with a financial institution or financial services company;
  • Device-based or hardware-based identifier (such as International Mobile Equipment Identity (IMEI), Media Access Control (MAC) address, or Subscriber Identity Module (SIM) card number);
  • Demographic or contact data (such as first and last name, birth date, birthplace, ZIP code, residential street or postal address, phone number, email address, or similar public account identifiers);
  • Advertising identifier (such as Google Advertising ID, Apple ID for Advertisers, or other mobile advertising ID (MAID));
  • Account-authentication data (such as account username, account password, or an answer to security questions);
  • Network-based identifier (such as Internet Protocol (IP) address or cookie data); or
  • Call-detail data (such as Customer Proprietary Network Information (CPNI).
• "Precise geolocation data" is data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters. Examples of "precise geolocation data" include GPS coordinates and IP address geolocation.
• "Biometric Identifiers" are measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns.
• "Human 'omic data" is human genomic data representing nucleic acid sequences and certain other 'omic data which examines biological processes that contribute to the form and function of cells and tissues.
• "Personal health data" is health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
• "Personal financial data" is data about an individual's credit, charge, or debit card, or bank account, including purchases and payment history; data, including assets liabilities debts, and transactions in a bank, credit, or other financial statement; or data in a credit report or in a "consumer report."

The Rule excludes certain categories of data from the scope of the term "sensitive personal data," such as public or nonpublic data that do not relate to an individual (e.g., trade secrets and proprietary information), data that is already lawfully publicly available from government records (such as court records) or widely distributed media, personal communications and certain informational materials, including metadata associated with expressive materials (e.g., geolocation data embedded in digital photographs).

The term "bulk US sensitive personal data" means a collection or set of sensitive personal data relating to US persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same US person and the same foreign person or covered person, where such data meets or exceeds the following applicable threshold[s]:

• Human 'omic data: 1,000 US persons, or, in the case of human genomic data, more than 100 US persons.
• Biometric identifiers and precise geolocation data: More than 1,000 US persons.
• Personal health data and personal financial data: More than 10,000 US persons.
• Covered personal identifiers: More than 100,000 US persons.
• Any combination of these data types.

"Government-Related Data"

The Rule creates a variety of strict restrictions on the transfer of "government-related data," which is defined as:

• Any volume of precise geolocation data for geographic areas identified by longitude and latitude in an appendix to the Rule (the appendix currently includes 736 such geographic locations); and
• – Any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and Intelligence Community.

"Covered Data Transactions"

The Rule defines a "covered data transaction" as any transaction involving any access by a country of concern or covered persons to any government-related data or bulk US sensitive personal data and that involves:

1. data brokerage;
2. a vendor agreement;
3. an employment agreement; or
4. an investment agreement.

The Rule includes illustrative examples of covered data transactions for US entities engaging with a vendor, such as: "[a] US person engages in a vendor agreement with a covered person involving access to bulk US sensitive personal data. The vendor agreement is a restricted transaction. To comply with the relevant security requirements, the US person, among other things, uses data-level requirements to mitigate the risk that the covered person could access the data. The vendor agreement remains a covered data transaction subject to the requirements of this part." The Rule clarifies that US persons or entities engaging with a vendor who is a covered person, but who already has possession of bulk US sensitive personal data, would not be considered a covered data transaction "because the transaction does not involve access by the covered person."

Prohibited Transactions

The Rule establishes five categories of prohibited transactions.

To view the full article, click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.