DOJ Issues Final Rule on Bulk Transfers of Sensitive Personal Data

2025-03-09 21:19:17

On December 27, 2024, the U.S. Department of Justice (“DOJ”) issued "Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons" (the “Final Rule”). This rule further clarifies Executive Order 14117, "Preventing Access to Americans' Bulk Sensitive Data and United States Government-Related Data by Countries of Concern," aiming to safeguard sensitive personal and U.S. government-related data from exploitation by certain foreign nations and persons. The Final Rule was published in the Federal Register on January 8, 2025, and will become effective on April 8, 2025.


Key Definitions in the Final Rule

"Countries of concern" means: China (including Hong Kong and Macau); Cuba; Iran; North Korea; Russia; Venezuela.

"Covered persons" means: foreign entities that are 50% or more owned (directly or indirectly) by a country of concern, organized under the laws of a country of concern, or having a principal place of business in a country of concern. It also includes foreign employees, contractors, or individuals residing in countries of concern. A U.S. subsidiary is generally not considered a covered person unless specifically designated by the DOJ.

"U.S. persons" means: U.S. citizens, nationals, or lawful permanent residents; any person who has been granted asylum or refugee status in the United States; any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); as well as any person in the U.S. In addition, non-U.S. persons are also prohibited by the Final Rule from inducing, conspiring, or facilitating violations of the Final Rule by U.S. persons, as well as from engaging in transactions intended to circumvent the Final Rule.

Prohibited Transactions

According to the Final Rule, U.S. persons are prohibited from engaging in data brokerage transactions with a country of concern or a covered person, including the sale, licensing, or transfer of data where the recipient did not directly collect it. This restriction also applies to resold or third-party-transferred data. Additionally, the Final Rule bans covered transactions granting access to bulk human genomic data to restricted entities.


Restricted Transactions

U.S. persons are prohibited from knowingly engaging in data transactions with a country of concern or a covered person that involve any access to any U.S. government-related data or bulk U.S. sensitive personal data and that relate to any of the following transactions, unless they comply with Cybersecurity and Infrastructure Security Agency (CISA) security requirements: (1) a vendor agreement; (2) an employment agreement; or (3) an investment agreement (excluding certain passive investments). Such transactions must meet a series of affirmative compliance obligations.

Categories of Sensitive Personal Data

The Final Rule defines six categories of sensitive personal data, each with specific bulk thresholds that, if exceeded within 12 months before the transaction, trigger prohibitions or restrictions. The bulk threshold applies even to anonymized, pseudonymized, de-identified, or encrypted data.

1. Covered Personal Identifiers: Bulk Threshold: more than 100,000 U.S. persons.

2. Precise Geolocation Data: Bulk Threshold: more than 1,000 U.S. devices.

3. Biometric Identifiers: Bulk Threshold: more than 1,000 U.S. persons.

4. Human 'Omic Data: Bulk Threshold: human 'omic data collected about or maintained on more than 1,000 U.S. persons; or human genomic data collected about or maintained on more than 100 U.S. persons.

5. Personal Health Data: Bulk Threshold: more than 10,000 U.S. persons.

6. Personal Financial Data: Financial information linked to individuals. Bulk Threshold: more than 10,000 U.S. persons.

Compliance and Reporting Requirements

U.S. persons engaging in restricted transactions must establish a data compliance program no later than October 6, 2025 and comply with compliance requirements, which include but are not limited to:

· Establishing risk-based procedures for verifying the data flows involved in any restricted transaction.

· Conducting an audit that complies with the Final Rule.

· Keeping a full and accurate record of each such transaction engaged in for at least 10 years after the date of the transaction, except as otherwise provided in the Final Rule.

· Maintaining annual certification by an officer, executive, or other employee responsible for compliance of the completeness and accuracy of the records documenting due diligence.

Implementation Timeline of the Final Rule

The Final Rule becomes effective on April 8, 2025. Certain affirmative due diligence and audit requirements for restricted transactions will be phased in and will not become effective until October 6, 2025.


Implications for Businesses

Businesses, especially those involved in data brokerage, vendor agreements, employment agreements, or investment agreements that may involve sensitive personal data, should assess their data handling practices as soon as possible to ensure compliance with the new rule. This includes, but is not limited to:

· evaluating relationships with entities or individuals associated with the identified countries of concern,

· implementing the necessary safeguards to prevent unauthorized data access, and

· complying with the applicable compliance requirements.

Failure to comply with the Final Rule may result in criminal and civil penalties enforced by the DOJ.
