New DOJ rule limits cross-border data transfers to protect national security

The final rule restricts covered transactions with countries of concern—China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela—and specified persons subject to their jurisdiction. U.S. persons must take reasonable steps to examine current or prospective data sharing agreements and vendor, employment, and investment agreements to determine whether those transactions involve countries of concern or covered persons. “Covered persons” include:

a) Foreign entities that are 50% or more owned (directly or indirectly, individually or in aggregate) by one or more countries of concern or covered persons.

b) Foreign entities that are organized or chartered under the laws of countries of concern.

c) Foreign entities with a principal place of business in a country of concern.

d) Foreign employees or contractors of countries of concern or of a covered person.

e) Foreign individuals who reside primarily in a country of concern.

f) Any legal entity or individual (including U.S. persons) designated by the Attorney General as covered persons.

U.S. persons (including U.S. subsidiaries of foreign companies) are not categorically treated as covered persons. However, U.S. persons may be designated covered persons by the Attorney General, pursuant to criterion (f) above. The Attorney General’s designations will be published on the National Security Division Covered Persons List and are effective immediately. Designations can only be appealed post-deprivation. 

The rule regulates transactions involving access to (1) U.S. government-related data and (2) bulk sensitive personal data. While those categories may appear narrow, they are actually quite broad in a manner that will pick up ordinary data flows for many multinational companies.  

Government-related data consist of any precise or high-risk geolocation identified as one of the 738 points in the rule’s Government-Related Location Data List or personnel data (sensitive personal data that are marketed as linkable to government employees, contractors, or senior officials). 

Bulk “sensitive personal data” considers both the types and amounts of data. Transactions involving sensitive personal data are regulated only when those transaction(s) between the same U.S. person and foreign or covered person exceed a specified “bulk” threshold within a 12-month period. Bulk thresholds apply to each entity engaged in a covered data transaction, regardless of the parties’ relationship (e.g., parent, subsidiary). The categories of sensitive personal data and their corresponding bulk thresholds are listed below:

“Covered personal identifiers” is an umbrella category listing types of data that, in combination with other information, are subject to the rule. These include demographic and contact information (like names, IDs, and public accounts), financial account numbers, advertising IDs, call-detail data, and device-, network-, and hardware-based identifiers. The definition excludes demographic and contact data that are solely linked to other demographic or contact data, as well as certain data combinations necessary for telecommunications or related services.   

In response to comments requesting more flexible regulation of health data transactions, the final rule expanded the definition of “sensitive personal data” to include four subcategories of ‘omic data with distinct risk-based bulk thresholds. Human genomic data—data representing nucleic acid sequences—have the lowest bulk threshold of 100 U.S. persons annually (indicating the highest risk), while human epigenomic, proteomic, and transcriptomic data (data concerning gene expression modifications, protein structures, and RNA sequences, respectively) have a higher bulk threshold of 1,000 U.S. persons. 

Overall, the definition of “sensitive personal data” casts a wide net, implicating many types of transactions. It includes data that are regularly exchanged in everyday commercial transactions (such as contact information, advertising IDs, and payment information). Moreover, transfers of sensitive personal data are subject to the same regulations regardless of whether the data are anonymized, pseudonymized, de-identified, or encrypted. Routine transactions involving sensitive personal data may thus be restricted or prohibited, even when robust data masking techniques are used.

The rule prohibits two types of transactions: 

• cross-border data brokerage transactions involving access to covered data; and 

• transactions that involve access to bulk human ‘omic data or biospecimens. 

Prohibited transactions are banned unless they are exempt (see Part E below) or DOJ grants a license for the transactions (see Part G below). Restricted transactions are discussed in Part D below.  

Data brokerage transactions are defined broadly as transactions (excluding employment, investment, and vendor agreements) involving a sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data to a recipient that did not collect the data directly from the linkable individual(s). The final rule prohibits data brokerage transactions with covered persons involving access to covered data.

In addition to the outright ban on data brokerage transactions involving covered persons, data brokerage transactions with any other foreign person are prohibited unless the U.S. person (1) contractually prohibits the recipient from engaging in subsequent data brokerage transaction of the data with a country of concern or covered person and (2) reports known or suspected violations of the contractual provision within 14 days of becoming aware. 

The final rule also bans all transactions involving access by a country of concern to bulk human ‘omic data or biospecimens from which such data can be derived. In other words, transactions involving access by a covered person to over 100 U.S. persons’ human genomic data or over 1,000 U.S. persons’ human epigenomic, proteomic, or transcriptomic data (or corresponding biospecimens) are prohibited. Importantly, the final rule amended the NPRM’s definition of “human biospecimen” to exclude human-derived material intended by a recipient solely for use in diagnosing, treating, or preventing any disease or condition. That includes human blood, cell, and plasma-derived therapeutics, regardless of the volume of those products provided to a country of concern or covered person. DOJ implemented that change in response to comments explaining that those products, particularly blood and plasma for transfusions, provide lifesaving and humanitarian interventions for patients globally. DOJ also agreed with comments noting the difficulty of deriving individual human genomic data from human biospecimens used in or processed into finished medical products. Persons transporting human-derived materials for such purposes to countries of concern or covered persons should be sure to memorialize the recipients’ intent to use these materials solely for diagnosing, treating, or preventing a disease or condition in humans.  

The final rule’s prohibitions take effect on April 8, 2025.

The final rule imposes substantial restrictions on (1) vendor agreements, (2) employment agreements, and (3) investment agreements (except certain passive investments) that involve access to U.S. bulk sensitive personal data or government-related data. Restricted transactions are prohibited unless they comply with the diligence, audit, recordkeeping, and security obligations set forth below, or unless they are licensed by DOJ (see Part G below). 

• Due diligence obligations: U.S. persons must implement a robust data compliance program that includes written compliance policies as well as risk-based procedures governing data flows.

• Audit obligations: The rule requires an annual audit of the U.S. person’s restricted transactions and compliance with due diligence, recordkeeping, and security obligations. While the NPRM only allowed external audits, the final rule permits internal audits if they are sufficiently independent.

• Recordkeeping obligations: U.S. persons are required to maintain a complete and accurate record of every restricted transaction for at least 10 years. They must also keep documents demonstrating compliance with due diligence, audit, and security obligations. 

• Security requirements as promulgated by CISA: U.S. persons with covered systems (information systems used to access covered data as part of a restricted transaction) must comply with system-level requirements. These include obligations to review and approve new hardware or software deployed in covered systems, establish access controls including either multi-factor authentication of 15-character-minimums on passwords, and remediate known exploited vulnerabilities in internet-facing covered systems within 45 days (prioritizing the most critical vulnerabilities first). U.S. persons engaging in restricted transactions must also implement data-level requirements, such a data minimization and masking strategies, encryption, privacy enhancing technologies, and access management techniques. 

To permit time to modify compliance programs, the final rule’s due diligence and audit requirements take effect on October 6, 2025. However, regulated entities should be mindful that recordkeeping, security, and some reporting obligations take effect much sooner, on April 8, 2025.

The final rule prohibits U.S. persons from “knowingly” engaging in covered transactions, including covered transactions which the U.S. person “reasonably should have known” were prohibited or restricted. This standard creates a general obligation to take reasonable steps to identify risks associated with cross-border transactions.

DOJ also creates reporting obligations that are generally applicable to all U.S. entities (not merely to those engaging in restricted or prohibited transactions). 

• “Every person” must furnish reports with “complete information” about any act or transaction to DOJ on demand. This obligation applies even if the transaction is exempt or licensed. This reporting obligation takes effect on April 8, 2025.

• Any U.S. person with 25% or more of its equity interests owned by a country of concern or covered person and that engages in a restricted transaction involving cloud-computing services must file an annual report. This reporting obligation takes effect on October 6, 2025.

• Any U.S. person that receives and rejects an offer to engage in a prohibited transaction must report the offer and rejection to DOJ within 14 business days of rejection. This reporting obligation takes effect on October 6, 2025.

The liability standard and reporting obligations create a general due diligence baseline for all U.S. entities engaging in cross-border transactions. “At a minimum,” DOJ states, “U.S. persons must conduct sufficient due diligence to be able to comply with the reporting requirements, which could include periodic reviews with foreign counterparties….” ¹

The final rule exempts a range of transactions from its prohibitions and restrictions, as well as due diligence, audit, and some reporting obligations. Transactions are exempt to the extent that they:

• Involve any personal communications that do not involve the transfer of “anything of value.”

• Involve information or informational materials, commercial or otherwise.

• Are ordinarily incident to travel.

• Are for conduct of the official business of the U.S. government.

• Are ordinarily incident to the provision of financial services. 

• Are between a U.S. person and its subsidiary or affiliate located in or directed by a country of concern. The transaction must be ordinarily incident to and part of administrative or ancillary business operations (such as human resources, payroll, or customer support). 

• Are required or authorized by federal law or international agreements.

• Are investment agreements subject to a Committee on Foreign Investment in the U.S. (CFIUS) action.

• Do not involve data brokerage and are usually incident to providing telecommunications services. 

• Are necessary for regulatory approval to research or market a drug or product. The data must be adequately de-identified or pseudonymized, and the regulated entity must comply with recordkeeping and reporting requirements. 

• Are ordinarily incident to clinical investigations regulated by the Food and Drug Administration (FDA), applications to the FDA, or post-marketing surveillance. The data must be adequately de-identified or pseudonymized.

DOJ may issue general licenses for prohibited and restricted transactions, which will be published in the Federal Register. Regulated parties can also apply for specific licenses. Companies should note that licenses may be limited or conditioned on adhering to certain obligations. 

DOJ contemplates potential licenses in the final rule’s executive summary. It considers issuing a wind-down license that would permit the amendment of agreements involving ongoing covered transactions signed before the rule’s effective date.² DOJ also notes that “it may be appropriate to issue general licenses that broadly authorize the submission of health- and medical research-related data to specific entities.” ³

U.S. persons may also seek advisory opinions concerning actual transactions, which may be relied upon but will not bind agencies other than DOJ.