In the final days of the Biden administration, the U.S. Department of Justice published a final rule that establishes prohibitions and restrictions around certain data transfers to countries of concern. The final rule is set to go into effect April 8, 2025.
On January 8, 2025, the U.S. Department of Justice (DOJ) issued a final rule titled "Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons." The final rule establishes prohibitions and restrictions around the transfer of Americans' bulk sensitive personal data and U.S. government-related data to countries of concern. It also requires U.S. persons that engage in restricted transactions to comply with security requirements issued by the Cybersecurity and Infrastructure Security Agency (CISA).[1]
The final rule implements Executive Order 14117, "Preventing Access to Americans' Bulk Sensitive Data and United States Government-Related Data by Countries of Concern." In the executive order, President Biden identified the continuing efforts of certain countries of concern to access U.S. data and use it "to engage in a wide range of malicious activities" as an unusual and extraordinary threat.[2] The order directed the U.S. Attorney General to issue regulations that prohibit or otherwise restrict U.S. persons from "engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest" in transactions that involve U.S. government-related data or bulk U.S. sensitive personal data.
Under the final rule, U.S. persons and companies that engage in transactions with "covered persons" will be subject to prohibitions and restrictions if such transactions could give a country of concern or covered person access to U.S. bulk sensitive personal data or U.S. government-related data through a covered data transaction.[3] Covered persons are, broadly, foreign entities organized in, headquartered in, or 50 percent or more owned by a country of concern or by other covered persons; foreign individuals who are employees or contractors of such entities or countries, or who primarily reside in a country of concern; and persons the Attorney General designates. The countries of concern are China (including Hong Kong and Macau), Russia, Cuba, Iran, North Korea, and Venezuela.
Types of Data Covered Under the Rule
The categories of "sensitive personal data" are human 'omic data, biometric identifiers, precise geolocation data, personal health data, personal financial data, covered personal identifiers, and combinations of data within those categories.[4] The volume at which a dataset counts as "bulk" is set separately for each category. U.S. government-related data comprises precise geolocation data for any location the Attorney General has designated as sensitive on the rule's government-related location data list, and sensitive personal data that is marketed as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government, including the military and intelligence community, regardless of the bulk volume thresholds outlined in the rule.
Data Transactions Prohibited and Restricted Under the Rule
The rule applies to data transactions that grant a country of concern or covered person access to any government-related data or bulk U.S. sensitive personal data, including transactions that involve data brokerage, a vendor agreement, an employment agreement, or an investment agreement. The rule specifies what types of data transactions are prohibited and restricted.
- Prohibited transactions: The rule prohibits U.S. persons and companies from engaging in data brokerage transactions with a country of concern or covered person that involve any amount of U.S. government-related data or bulk U.S. sensitive personal data.[5] It also prohibits any covered data transaction with a country of concern or covered person that involves access to bulk human 'omic data, meaning that companies holding bulk human 'omic data may neither broker that data to a covered person nor enter into a vendor, employment, or investment agreement that would give a covered person access to it.
- Restricted transactions: The rule permits U.S. persons and companies to engage in vendor, employment, or investment agreements with covered persons that provide access to data covered under the rule only if they comply with the security requirements established by CISA.
- Exemptions: The rule establishes certain exemptions from the restrictions and prohibitions around covered data transactions. For example, data transactions conducted as official business of the U.S. government by its employees, grantees, or contractors or conducted pursuant to a grant, contract, or other agreement entered into with the U.S. government are exempt.
U.S. companies may not engage in restricted transactions that the final rule otherwise permits until they have met the security requirements issued by CISA. Those requirements call for a written plan that implements CISA's organizational and system-level measures and data-level measures, together with the rule's due diligence procedures, annual compliance audits, and record retention. The final rule is comprehensive, and DOJ and CISA have both signaled that they are open to providing further guidance as entities embark on compliance. The core prohibitions and restrictions on covered data transactions take effect April 8, 2025. However, the rule's due diligence, audit, and reporting and recordkeeping requirements do not take effect until October 6, 2025.
That said, President Trump issued a presidential memorandum, "Regulatory Freeze Pending Review," upon taking office that froze any regulations still in the process of being finalized. The memorandum also asked agencies to "consider postponing for 60 days from the date of this memorandum the effective date for any rules that have been published in the Federal Register, or any rules that have been issued in any manner but have not taken effect, for the purpose of reviewing any questions of fact, law, and policy that the rules may raise."[6] It remains to be seen how the Trump DOJ will apply this direction to this particular regulation, especially given that the Trump administration has consistently focused on China-related threats to U.S. national security and economic policy. EDUCAUSE will continue to monitor the status of the regulation.
Notes
1. U.S. Department of Justice, "Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons," Federal Register 90, no. 5 (January 8, 2025): 1636–1752; Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, "Security Requirements for Restricted Transactions, E.O. 14117 Implementation" (January 2025).
2. Executive Office of the President, "Executive Order 14117: Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern," Federal Register 89, no. 42 (February 28, 2024): 15421–15430.
3. U.S. DOJ, "Preventing Access to U.S. Sensitive Personal Data," 1708, 1712. Bulk U.S. sensitive personal data is defined as "a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable threshold set forth in §202.205" of the regulation. Government-related data comprises precise geolocation data for any location the Attorney General has designated as sensitive and sensitive personal data, regardless of volume, that is marketed as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government. "A covered data transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data," and that involves data brokerage, a vendor agreement, an employment agreement, or an investment agreement.
4. Ibid., 1712, 1708. The term "human 'omic data" includes human genomic data, human epigenomic data, human proteomic data, and human transcriptomic data. The term "bulk human 'omic data" refers to any such data "collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons."
5. Ibid., 1710. Data brokerage transactions encompass "the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or vendor agreement, involving the transfer of data from any person to any other person where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data."
6. White House, "Regulatory Freeze Pending Review," Presidential Actions, January 20, 2025.
Kathryn Branson is a Partner at Ulman Public Policy.
© 2025 EDUCAUSE. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.