The rule imposes substantial new diligence, reporting, cybersecurity, and auditing obligations on companies.
On December 27, 2024, the U.S. Department of Justice (“DOJ”) issued a final rule implementing Executive Order (“EO”) 14117 titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The final rule, which becomes effective 90 days after publication in the Federal Register, imposes due diligence, reporting, and auditing requirements that are expected to take effect in late 2025. The rule will permit DOJ to investigate potential violations and establishes significant civil and criminal penalties for violators.
The final rule will afford the incoming Trump administration a new and significant avenue to address national security risks related to China. It is expected to be vigorously enforced. Companies that engage in bulk data transactions—for example, social media, e-commerce, and electronic payment platforms; data marketplaces and aggregators; healthcare and insurance providers; biotechnology companies; and the employees, vendors, and other third parties with whom companies in such industries do business—should be aware of what the rule requires and begin developing an effective compliance program that takes into account due diligence, reporting, and auditing requirements.
The Executive Order
In February 2024, President Biden signed EO 14117, which aimed to address national security threats posed by access to and exploitation of Americans’ bulk sensitive personal data and U.S. government-related data. The EO recognized that “countries of concern” can use such data for cyber-attacks, blackmail, espionage, intimidation, military purposes, and other malicious activities. Tools such as artificial intelligence and high-performance computing enable actors tied to those countries to more effectively manipulate and exploit that data for nefarious purposes.
Accordingly, the EO set out to restrict mass sensitive data transfer, to include data access, to countries of concern and individuals who might be leveraged by those countries (“covered persons”).
To implement the EO, President Biden directed DOJ to issue regulations prohibiting or restricting transactions involving bulk sensitive personal data and U.S. government-related data to countries of concern and covered persons. DOJ did so through an Advance Notice of Proposed Rulemaking (“ANPRM”) published on March 4, 2024, and a Notice of Proposed Rulemaking (“NPRM”) on October 29, 2024, before publishing a final rule on December 7, 2024.
Final Rule Overview
DOJ’s final rule establishes a new national security program within DOJ’s National Security Division and anticipates parallel security requirements for restricted transactions that will be issued by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”). The rule restricts and, in some instances, prohibits certain kinds of data transactions and access with six countries of concern and their covered persons, given the national security risks of those countries accessing Americans’ bulk sensitive personal data.
Prohibited, Restricted, and Exempt Transactions
Prohibited and Restricted Transactions. The final rule prohibits and restricts data access and transactions with countries of concern and covered persons that involve sensitive personal data exceeding set bulk volume thresholds (discussed below). The rule prohibits data brokerage and covered data transactions involving access to bulk human ‘omic data or human biospecimens from which ‘omic data can be derived. (EO 14117 lists several examples of “human ‘omic data,” including “human proteomic data, human epigenomic data, and human metabolomic data.” EO 14117, § 6.) It restricts vendor, employment, and non-passive investment agreements. Notably, however, restricted transactions are permitted if they meet CISA’s security requirements, which relate to organizational cybersecurity, access controls, data security, and privacy. CISA published its final security requirements in January 2025.
Bulk Thresholds Triggering Prohibitions and Restrictions on Transfer
The final rule defines “bulk” as any amount of sensitive personal data (even if anonymized, pseudonymized, de-identified, or encrypted) that exceeds certain thresholds, aggregated over the 12 months before a covered data transaction. The bulk thresholds are:
- human genomic data on over 100 U.S. persons, and the three other covered categories of human ‘omic data on over 1,000 U.S. persons;
- biometric identifiers on over 1,000 U.S. persons;
- precise geolocation data on over 1,000 U.S. devices;
- personal health data and personal financial data on over 10,000 U.S. persons;
- certain covered personal identifiers on over 100,000 U.S. persons; or
- any combination of these data types that meets the lowest threshold for any category in the dataset.
The bulk thresholds do not apply to transactions involving U.S. government-related data, which are regulated regardless of volume. The final rule defines government-related data as:
- any precise geolocation data, regardless of volume, for any location within an enumerated government-related location data list that the Attorney General has determined poses a heightened risk of being exploited by a country of concern to reveal insights – such as about facilities, activities, or populations – about U.S.-government controlled locations, to the detriment of national security; and
- any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or former U.S. Government employees or contractors or former senior officials, including in the military or intelligence community.
Exempt Transactions. The final rule also exempts certain data transactions, including: personal communications; official U.S. government activities; certain financial services transactions; certain corporate group transactions; transactions required or authorized by federal law or international agreements; certain investment agreements; transactions ordinarily incident to telecommunications services; data transactions with countries of concern or covered persons involving drug, biological product, device, or combination product approvals or authorizations under certain conditions; and other clinical investigations and post-marketing surveillance data, again subject to certain conditions.
Resale Risks. The final rule notes that, to address resale risks, DOJ plans to issue compliance guidance that will include model contractual language requiring foreign persons to refrain from reselling or otherwise allowing countries of concern or covered persons to access sensitive data.
Countries of Concern and Covered Persons
The final rule designates six countries of concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. It also designates four classes of covered persons:
- foreign entities that are 50 percent or more owned by a country of concern, organized under the laws of a country of concern, or have their principal place of business in a country of concern;
- foreign entities that are 50 percent or more owned by a covered person;
- foreign employees or contractors of countries of concern or entities that are covered persons; and
- foreign individuals primarily resident in countries of concern.
These four categories are supplemented by a public list of DOJ-designated covered persons.
Licensing and Advisory Opinion Processes
General and Specific Licenses. The final rule authorizes DOJ to issue general licenses that authorize otherwise prohibited or restricted transactions and specific licenses for specific transactions. It also sets out the process for applying for a license or seeking reconsideration of a denied license.
Advisory Opinions. The final rule also permits regulated parties to ask DOJ to issue advisory opinions interpreting the regulations and addressing whether they are applicable to actual, specific transactions (not hypothetical transactions). In the final rule, DOJ notes that, in addition to publishing advisory opinions, it intends to publish general interpretive guidance—such as Frequently Asked Questions—online.
Recordkeeping, Auditing, Reporting, and Compliance Requirements
A senior DOJ national security official has previously noted that the final rule requires covered U.S. companies and individuals to develop and implement “risk-based compliance programs tailored to their individualized risk profiles,” similar to expectations in the sanctions and export control regime. DOJ notes that if a violation occurs, it will assess the adequacy of that compliance program in any enforcement action.
The final rule also clarifies that U.S. persons and companies engaging in restricted transactions must satisfy certain specific compliance obligations, including establishing a comprehensive compliance program. That program must include implementing risk-based procedures to:
- Verify and log data flows of sensitive personal and government-related data types and volume, transaction parties’ identities, data end-use and transfer methods, and vendor identities;
- Establish written data security and compliance policies for restricted transactions that are certified annually by a responsible officer or employee;
- Conduct annual independent audits to verify compliance with CISA security requirements; and
- Maintain (and certify accuracy of) records for 10 years documenting data transfer methods, dates, agreements, licenses, and any other relevant documentation.
As noted above, CISA’s finalized security requirements include technical elements and reflect practices that covered companies may not yet have in place.
Reporting Requirements. The final rule also establishes four specific reporting requirements:
- Cloud Computing. Annual reports filed by U.S. persons engaged in restricted transactions involving cloud-computing services, if they are 25 percent or more owned, directly or indirectly, by a country of concern or covered person;
- Prohibited Transaction Offers. Reports by any U.S. person that has received and affirmatively rejected an offer from another person to engage in a prohibited transaction involving data brokerage;
- Resale Restriction Violations (Known or Suspected). Reports by U.S. persons engaged in a covered data transaction involving data brokerage with a foreign non-covered person if the U.S. person knows or suspects that the foreign counterparty is violating the restrictions on resale and onward transfer to countries of concern or covered persons; and
- Exemptions Related to Marketing Drugs, Products, or Devices. Reports by U.S. persons invoking the exemption for certain data transactions that are necessary to obtain or maintain regulatory approval to market a drug, biological product, device, or a combination product in a country of concern.
To satisfy the annual audit requirement, companies can rely on existing audits, whether internal or external, provided the audits are independent.
Enforcement Mechanisms and Civil and Criminal Penalties
As DOJ previewed, the final rule contains an enforcement strategy with “real teeth,” backed by civil and criminal authorities under the International Emergency Economic Powers Act. It permits DOJ to conduct investigations, hold hearings, examine and depose witnesses, and issue subpoenas for witnesses and documents related to investigations of potential violations of the rule. It also permits civil and criminal penalties for violations. Civil penalties can be the greater of $368,136 or twice the amount of the transaction involved, while criminal penalties can include fines of up to $1,000,000 and up to 20 years’ imprisonment.
Notably, DOJ advises that U.S. persons that provide third-party platforms or infrastructure are not civilly or criminally liable for customers’ prohibited or restricted transactions on those platforms.
What to Expect
The final rule goes into effect 90 days after it is published in the Federal Register, which is generally within a month of a rule’s announcement. The rule’s reporting requirements will become effective 270 days after that same publication. This means companies should expect that this rule—and its compliance and reporting requirements—will be fully in effect by late 2025.
Even though this EO was issued by President Biden, companies should not expect the coming change in administrations to slow enforcement of this rule. The national security risks posed by bulk data collection have received bipartisan attention, and addressing these risks enjoys broad support. We expect that the incoming presidential administration will be eager to enforce this rule, particularly given the Trump administration’s persistent focus on the national-security threats posed by China.