DOJ rule regulating cross-border data transfers goes into effect

Final rule prohibits and restricts some data transactions with certain countries or persons to protect bulk US sensitive personal data.

The US Department of Justice (DOJ) rule to implement Executive Order 14117, which restricts the exchange of sensitive personal data with “countries of concern,” took effect April 8.

The order was issued under the Biden administration and is designed to address the threat posed by foreign actors accessing sensitive data.

The order, Executive Order 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, states that all US persons are restricted and, in some instances, prohibited from engaging in certain categories of data transactions with China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela, plus certain people and entities subject to coercion by those countries.

The final rule was published in January and took effect April 8; one section goes into effect on October 6, 2025. That section obligates all US persons involved in restricted transactions to implement compliance programs based on their individualized risk profiles.

In terms of DOJ’s use of the term “bulk data” in the rule (and its title), the agency means any amount of sensitive personal data, whether the data is anonymized, pseudonymized, de-identified, or encrypted, that exceeds certain thresholds in the aggregate over the 12 months preceding a “covered data transaction.”

And in terms of what the rule means by “government-related data” (which is regulated regardless of volume), this includes data on the locations of government activities and data on US government personnel.

Personal data covered

The rule considers the following to be sensitive personal data:

  • certain covered personal identifiers (for example, names linked to device identifiers, social security numbers, driver’s license, or other full or truncated government identification numbers);
  • precise geolocation data (for example, GPS coordinates);
  • biometric identifiers (for example, facial images, voice prints and patterns, and retina scans);
  • human genomic data and three other types of human ‘omic data (epigenomic, proteomic, or transcriptomic);
  • personal health data (for example, height, weight, vital signs, symptoms, test results, diagnosis, digital dental records, and psychological diagnostics); and
  • personal financial data (for example, information related to an individual’s credit, debit cards, bank accounts, and financial liabilities, including payment history).

Data that would be excluded from the rule includes public or nonpublic data that do not relate to an individual (for example, trade secrets and proprietary information) and data that is already lawfully publicly available from government records or widely distributed media.

Prohibited transactions

Prohibited transactions include permitting access to any government-related data or bulk US sensitive personal data in the following manner:

  • the sale, licensing of access to the data, or similar commercial transactions;
  • any covered data transactions involving access to bulk human ‘omic data or human biospecimens from which such data can be derived (the final rule defines human ‘omic data as human genomic, human epigenomic, human proteomic, and human transcriptomic data);
  • any covered data transaction that a US person knowingly directs;
  • those transactions designed to evade the regulations;
  • any transactions that cause or attempt to cause a violation of the regulations;
  • any conspiracies to violate the regulations; and
  • data-brokerage transactions involving potential onward transfer to countries of concern or covered persons.

Not prohibited, but restricted

The regulations prohibit US companies from permitting access to any government-related data or bulk US sensitive personal data to covered persons through the following types of transactions, unless the US company complies with burdensome due diligence, audit, reporting, and recordkeeping obligations. These restricted-but-not-prohibited transactions include:

  • the sale, licensing of access to the data, or similar commercial transactions;
  • vendor agreements;
  • employment agreements; and
  • non-passive investment agreements.

Totally exempt from the rule would be transactions that are merely communications – they don’t transfer anything of value – such as the import or export of informational materials involving expressive materials, and travel information. Also exempt are transactions ordinarily incident to and part of providing financial services, and any transactions required or authorized by federal law or international agreements, among a couple of others.

Compliance obligations

US persons engaged in any of the above-mentioned restricted transactions are expected to develop and implement compliance programs based on their individualized risk profiles. This comprehensive compliance program must include:

  • risk-based procedures to verify and log data flows, including the types and volume of sensitive personal and government-related data, transaction parties’ identities, data end use and transfer methods, and vendor identities;
  • written policies on data security and compliance that are certified annually by a responsible officer or employee;
  • retaining the results of an annual audit by an internal or external independent auditor to verify compliance with the security requirements established by the Cybersecurity and Infrastructure Security Agency (CISA); and
  • maintaining and certifying the accuracy of records for 10 years documenting data transfer methods, transaction dates, agreements, licenses, advisory opinions, and any relevant documentation received or created in connection with the transactions.

Reporting requirements

US persons need to pursue active reporting in the following cases:

  • The US person has received and affirmatively rejected an offer from another person to engage in a prohibited transaction involving data brokerage.
  • US persons engaged in restricted transactions involving cloud computing services, if they are 25% or more owned, directly or indirectly, by a country of concern or covered person, need to provide an annual report.
  • US persons engaged in a covered data transaction involving data brokerage with a foreign non-covered person, if they know or suspect that the foreign counterparty is violating the restrictions on resale and onward transfer to countries of concern or covered persons.
  • US persons invoking the exemption for certain data transactions that are necessary to obtain or maintain regulatory approval to market a drug, biological product, device, or a combination product in a country of concern.

Audits

Existing audits, reports, and other compliance practices can be used here if they meet the requirements of the rule, and thus there is no need to create duplicative or separate systems or reports, DOJ notes.

Such US persons may use either internal or external audits, as long as they are independent and meet the other requirements of the rule. Audits for restricted transactions need only examine a US person’s restricted transactions (not all data transactions) and only the relevant policies, personnel, and systems.

Meeting obligations – ideas for compliance

Bulk data transfers are commonplace for US businesses; they often involve transfers between corporate departments and service providers, and frequently span several countries.

A good first step is an inventory of which data could fit the definitions above and which flows touch countries of concern, including who controls those data flows and where the data resides.

Employers must check for cross-border data access, processing, or storage by vendors located in or owned/controlled by entities in countries of concern and see if vendor contracts need to be revisited to meet the newly effective requirements.

Covered entities could consider how to control data flows with new internal controls that flag prohibited transfers or require additional levels of oversight and supervisory sign-off.
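One way to turn the inventory and flagging ideas above into a concrete control is a screening pass over a data-flow inventory. The following is an added example and not code from the article or from DOJ: it encodes the categories the article lists (countries of concern, sensitive personal data types, government-related data, prohibited versus restricted transaction types, and exemptions) into a function that classifies each flow as exempt, not covered, restricted, prohibited, or needing escalation. Its assumptions are labelled in the code: the bulk-volume threshold is a placeholder because the article states only that thresholds exist, the transaction-type and data-type labels are this example's own vocabulary, and because the article lists sale or licensing of access under both the prohibited and restricted headings, the example takes the stricter reading and treats it as prohibited. The sample inventory is constructed, not real transactions.

```python
"""Screen a data-flow inventory against the categories the DOJ rule uses.

Added example, not code from the article or DOJ. The bulk-volume threshold
is a PLACEHOLDER: the article says only that thresholds exist.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional

# Countries of concern named in the article (ISO 3166 alpha-2). HK and MO are
# listed because the article groups Hong Kong and Macau with China.
COUNTRIES_OF_CONCERN = frozenset({"CN", "HK", "MO", "CU", "IR", "KP", "RU", "VE"})

# Sensitive personal data categories from the "Personal data covered" list
# (labels are this example's own).
SENSITIVE_DATA_TYPES = frozenset({
    "covered_identifiers", "precise_geolocation", "biometric",
    "human_omic", "health", "financial",
})

# Placeholder only: the real thresholds are not stated in the article.
BULK_THRESHOLD_PLACEHOLDER = 100_000

# Transaction-type labels are this example's own vocabulary.
PROHIBITED_TYPES = frozenset({"data_brokerage"})   # sale / licensing of access
RESTRICTED_TYPES = frozenset({"vendor_agreement", "employment_agreement",
                              "investment_agreement"})
EXEMPTIONS = frozenset({"informational_materials", "travel_information",
                        "financial_services", "federal_law",
                        "international_agreement"})


class Outcome(str, Enum):
    EXEMPT = "exempt"            # no obligations under the rule
    NOT_COVERED = "not_covered"  # no covered person, or no regulated data
    RESTRICTED = "restricted"    # allowed only under the compliance program
    PROHIBITED = "prohibited"    # block the transfer
    REVIEW = "review"            # unknown type or unrecognised exemption: escalate


@dataclass(frozen=True)
class DataFlow:
    flow_id: str
    data_types: FrozenSet[str]
    record_count_12m: int          # aggregate records over the preceding 12 months
    government_related: bool       # regulated regardless of volume
    destination_country: str       # ISO 3166 alpha-2
    counterparty_is_covered_person: bool
    transaction_type: str
    exemption: Optional[str] = None


def involves_covered_person(flow: DataFlow) -> bool:
    """A recipient in a country of concern, or an entity it controls, is a covered person."""
    return flow.counterparty_is_covered_person or flow.destination_country in COUNTRIES_OF_CONCERN


def is_regulated_data(flow: DataFlow) -> bool:
    """Government-related data counts at any volume; sensitive personal data only in bulk."""
    if flow.government_related:
        return True
    if not (flow.data_types & SENSITIVE_DATA_TYPES):
        return False            # e.g. trade secrets: data not about an individual
    return flow.record_count_12m >= BULK_THRESHOLD_PLACEHOLDER


def screen(flow: DataFlow) -> Outcome:
    """Classify one flow. Order matters: exemptions first, then scope, then type."""
    if flow.exemption is not None:
        return Outcome.EXEMPT if flow.exemption in EXEMPTIONS else Outcome.REVIEW
    if not involves_covered_person(flow) or not is_regulated_data(flow):
        return Outcome.NOT_COVERED
    # Bulk human 'omic data is prohibited whatever the transaction type.
    if "human_omic" in flow.data_types or flow.transaction_type in PROHIBITED_TYPES:
        return Outcome.PROHIBITED
    if flow.transaction_type in RESTRICTED_TYPES:
        return Outcome.RESTRICTED
    return Outcome.REVIEW       # anything unclassified goes to a human


def screen_inventory(flows: List[DataFlow]) -> Dict[str, List[str]]:
    """Group flow ids by outcome so prohibited, restricted and review items can be actioned."""
    report: Dict[str, List[str]] = {o.value: [] for o in Outcome}
    for flow in flows:
        report[screen(flow).value].append(flow.flow_id)
    return report


# Constructed sample inventory (not real transactions).
SAMPLE_INVENTORY = [
    DataFlow("F1", frozenset({"health"}), 250_000, False, "IN", False, "vendor_agreement"),
    DataFlow("F2", frozenset({"precise_geolocation"}), 500_000, False, "CN", False, "data_brokerage"),
    DataFlow("F3", frozenset({"health", "covered_identifiers"}), 300_000, False, "US", True, "vendor_agreement"),
    DataFlow("F4", frozenset({"financial"}), 1_000_000, False, "HK", False, "vendor_agreement", "financial_services"),
    DataFlow("F5", frozenset(), 10, True, "IR", False, "vendor_agreement"),
    DataFlow("F6", frozenset({"trade_secrets"}), 5_000_000, False, "CN", False, "data_brokerage"),
    DataFlow("F7", frozenset({"human_omic"}), 150_000, False, "RU", False, "employment_agreement"),
]

if __name__ == "__main__":
    for outcome, ids in screen_inventory(SAMPLE_INVENTORY).items():
        print(f"{outcome:>12}: {', '.join(ids) or '-'}")
```

On the sample inventory, F2 and F7 are flagged as prohibited, F3 and F5 as restricted (F5 because government-related data is regulated regardless of volume), F4 as exempt, and F1 and F6 as not covered (F6 because trade secrets are not sensitive personal data). Anything with an unrecognised transaction type or a claimed exemption that is not on the list lands in "review" so that it is escalated rather than silently passed.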

Updated training should be provided so that all employees who handle such data are aware of the rule’s requirements and escalate questionable cases to the appropriate parties.

New technology that assists with the supervisory, flagging, and training components could also be a wise addition to a compliance program, especially since a DOJ investigation with national security implications involving sensitive data poses a significant reputational risk for regulated firms.