
DOJ restricts data transfers to protect national security; research exemptions expanded in final rule


The U.S. Department of Justice (DOJ) has finalized its rule on “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” which restricts data brokerage transactions involving access to bulk U.S. sensitive personal data and transactions involving access to bulk human genomic data (now expanded to certain ‘omic data) or biospecimens from which such data can be derived. The substance of the final rule is largely similar to the Notice of Proposed Rulemaking (NPRM), which we summarized online here. However, there are critical changes to the research exemptions permitted in the final version of the rule; we have distilled those provisions in the article below.

Background

In October 2024, the DOJ issued a Notice of Proposed Rulemaking (NPRM), titled “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” which proposed to prohibit and restrict certain data transactions with certain countries or persons, as we summarized at the time online here. The DOJ has now finalized that rule, which restricts data brokerage transactions involving access to bulk U.S. sensitive personal data and transactions involving access to bulk human genomic data – and ‘omic data more broadly – or biospecimens from which such data can be derived. The fact sheet for the final rule is online here, and the press release is online here.

  • Covered countries and persons. The final rule prohibits or restricts the sharing of U.S. government-related data or bulk sensitive personal data with designated “countries of concern” as well as persons subject to their jurisdiction (“covered persons”). The DOJ identified six countries of concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. 

The final rule differs from the NPRM in that the term “covered person” was expanded to include companies that are 50% owned individually or in the aggregate by a country of concern or certain other covered persons. 

  • Prohibited and restricted transactions. There are two categories of affected transactions:
    • Prohibited transactions: Data brokerage transactions involving access to bulk U.S. sensitive personal data and transactions involving access to bulk human genomic data or biospecimens from which such data can be derived. Such transactions are strictly prohibited unless they meet one of the rule’s exceptions or unless licensed by the DOJ. 
    • Unlike the NPRM, the final rule states that the term “human biospecimens” does not include “human biospecimens intended by the recipient of the human biospecimens solely for use in diagnosing, treating, or preventing any disease or medical condition.” This change is in response to comments “that blood-, cell-, and plasma-derived therapeutic products; human organs for transplant; and blood and plasma for transfusions, in particular, provided lifesaving interventions for patients globally,” which highlighted “the humanitarian interest of the United States in enabling the transfer of such products to care for patients in countries of concern.” The change also took into account the decreased risk posed by such biospecimens due to “the difficulty of deriving individual human genomic data from human biospecimens used in or processed by finished medical products.”
    • Restricted transactions: Vendor, employment, and investment agreements that involve access to government-related data or bulk U.S. sensitive personal data. Restricted transactions are prohibited unless they comply with due diligence, audit, reporting, and recordkeeping obligations; or if DOJ issues a license for the transaction. 
  • Sensitive data: The final rule’s definition of “sensitive personal data” is notably broad, going beyond current definitions of “sensitive” personal data in U.S. state consumer privacy laws and Committee on Foreign Investment in the United States (CFIUS) regulations, and includes:
  1. combinations of personal identifiers (including government identifiers, device IDs, financial account numbers, login credentials, demographic identifiers, and call records), 
  2. personal financial data, 
  3. personal health data, 
  4. precise geolocation data, 
  5. biometric identifiers, and 
  6. human ‘omic data. 

Note that “personal health data” is broadly defined, and DOJ states that “the rule applies across the board, regardless of whether data is de-identified.” 

One other notable change in the final rule is that the proposed prohibition on covered data transactions involving bulk “human genomic data” was expanded to include certain bulk “human ‘omic data,” which consists of human epigenomic, proteomic, and transcriptomic data. The final rule provides definitions for each of these three new human ‘omic data categories and defines them to exclude certain “routine clinical measurements” for “individualized patient care purposes.” The final version of the rule also expressly excludes “pathogen-specific data embedded in ‘omic data sets” from the scope of all four human ‘omic data categories. 

The final rule also added to the NPRM examples related to human ‘omic data, which suggests the need for an exchange of payment or other valuable consideration between the parties for an activity to be considered a “covered transaction.” 

Research exemptions 

The DOJ finalized exemptions for research, notably including exemptions for “Drug, biological product, and medical device authorizations,” as described in Section 202.510 of the final rule, and “Other clinical investigations and post-marketing surveillance data,” found in final rule Section 202.511. 

1. Data transferred for the purpose of drug, medical device, and biological product authorizations. This exemption applies to a data transaction that:

  1. involves “regulatory approval data,” which is:
    1. sensitive personal data that is de-identified or pseudonymized consistent with the standards of 21 CFR 314.80,
    2. required by a regulatory entity to obtain or maintain authorization or approval to research or market a drug, biological product, device, or combination product; and,
    3. “reasonably necessary” to assess the safety and effectiveness of the covered product.
  2. is necessary to obtain or maintain regulatory approval to market a drug, biological, device, or combination product in a country of concern, and provided that the U.S. person complies with certain recordkeeping and reporting requirements with respect to such transaction.

This exemption as proposed was perceived by many commenters as narrow, and many in industry expressed concern on the NPRM that it would not allow a sponsor to meet the practical requirements for the regulatory approval process. For example, the proposed exemption did not extend to vendor agreements in countries of concern tasked with preparing regulatory submissions. The final rule clarified that if the law of a country of concern requires a pharmaceutical company to submit regulatory approval data through a registered agent or covered person located in the country of concern, the medical product exemption will still apply, as long as the pharmaceutical company provides the registered agent with only the data required for regulatory approval. Such U.S. pharmaceutical companies must comply with recordkeeping and reporting requirements even though the transaction is exempt. 

2. Clinical Research Exemption: This second exemption applies to data transactions “ordinarily incident to” (a) clinical investigations regulated by or supporting applications to FDA, and (b) part of the collection or processing of clinical care data indicating real-world performance or safety of products, postmarketing surveillance data (including pharmacovigilance and post-marketing safety monitoring), and necessary to support or maintain authorization by the FDA. For transactions fitting within this exemption, the data need to be de-identified or pseudonymized consistent with the standards of 21 CFR 314.80.

DOJ confirmed that this exemption applies only to FDA-regulated activities, and that local clinical trials conducted in a country of concern to support an application for regulatory approval in the country of concern are not exempt. DOJ noted, however, that such transactions may often proceed as restricted transactions. 

De-identified vs. pseudonymized data

The final rule’s two research exemptions both significantly differ from the NPRM in that the latter had only permitted these exemptions where data were de-identified; the final version of the rule, however, permits de-identified or pseudonymized data, consistent with FDA’s regulations governing post-marketing reporting of adverse drug experiences. The distinction is important. DOJ explained that it made the change in response to comments explaining that researchers often “pseudonymize” patient records by assigning a unique code in place of a patient name in order to be able to trace and study the data longitudinally. Although DOJ noted that the risks of re-identification are higher when using pseudonymized data than using fully de-identified data, DOJ determined that expanding the exemption to include pseudonymized data in the context of these two research exemptions was warranted. Specifically, DOJ said it expanded this exemption “given the importance of being able to associate patient data longitudinally, the FDA's practice in this regard, and the established industry protocols for preserving patient or subject anonymity.”

“Official business” exemption

As in the proposed version of the rule, the final rule also contains an exemption for transactions conducted pursuant to a grant, contract, or other agreement entered into with the U.S. government, which may exempt certain research activities involving human ‘omic data that are funded by the U.S. government that would otherwise be prohibited. However, the DOJ explicitly declined to include in the final rule an express exemption for non-federally funded research programs.

Authored by Melissa Bianchi, Michael Druckman, and Melissa Levine.

Next steps

The final rule takes effect on April 8. The DOJ plans to release further guidance, engage with industry as it takes effect, and publish information related to voluntary self-disclosure, advisory opinions, and approval processes for otherwise prohibited or restricted transactions.

In the meantime, companies must prepare for the April enforcement deadline. Any U.S.-based organization engaging in global transactions must now develop and deploy compliance programs designed to:

  • Assess whether the transactions potentially involve prohibited or restricted transactions;
  • Determine whether specified exemptions apply (e.g., official U.S. government business, certain financial services, certain transactions performed for legal compliance, certain clinical investigations, and certain corporate group transactions);
  • Implement required contractual and security controls for restricted transactions;
  • Conduct appropriate diligence of transactions and data recipients;
  • Consider whether any specific licenses from the DOJ are required; and
  • Conform to recordkeeping and reporting requirements.

Even if they do not typically engage in restricted transactions, any U.S. person that receives and rejects an offer to engage in a prohibited transaction must report the offer and rejection to the DOJ within 14 business days of the rejection. The final rule also requires an annual audit by any U.S. person who engages in any restricted transaction.

If you have any questions on the final rule, or whether certain transactions may be exempt from its scope, please feel free to contact any of the authors of this alert or the Hogan Lovells attorney with whom you regularly work.
