On January 8, 2025, the Department of Justice ("DOJ") issued a final rule under Executive Order 14117, which established the Rule on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the "Rule"). The Rule, which took effect on April 8, 2025, establishes export-like restrictions and prohibitions on transferring specific types of "bulk U.S. sensitive personal data" and certain specified "government-related data" (including data of current or recent U.S. Government employees and sensitive government location data) to designated "countries of concern," including China (with Hong Kong and Macau), Iran, North Korea, Cuba, Venezuela, and Russia, as well as on transactions involving "covered persons," which include entities established under the laws of a country of concern and their employees. The Rule establishes high civil penalties and allows for criminal enforcement. However, on April 11, 2025, DOJ paused civil enforcement until July 8, 2025, on the express condition of "good-faith" efforts to comply, or to come into compliance with the Rule, in the meantime. Criminal enforcement was not paused.

1. Who and What is Covered?

The Rule delineates four main categories of "covered data transactions," which are defined as:

any transaction that involves any access by a country of concern or covered person to any bulk U.S. sensitive personal data or government-related data, and that involves one of the following:

- data brokerage;
- vendor agreements (including those involving cloud services);
- employment agreements; or
- investment agreements.

"Sensitive personal data" is classified into seven distinct types, specifically:

- covered personal identifiers (e.g., name and contact information, financial account numbers, Social Security Numbers, IP addresses, MAC addresses, device IDs, and Ad IDs);
- precise geolocation data (within 1,000 meters);
- biometric identifiers;
- human-omic data (i.e., genomic, epigenomic, proteomic, and transcriptomic data);
- personal health data (broadly defined);
- personal financial data (broadly defined); and
- any combination of the above categories.

"Bulk" means any amount of sensitive personal data that meets or exceeds the threshold for the respective "sensitive personal data" at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person. As seen in the table below, each category of sensitive personal data has a different bulk threshold:

A "covered person" under the Rule is:

(1) A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern, or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
(2) A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in points (1), (3), (4), or (5);
(3) A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in points (1), (2), or (5);
(4) A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or
(5) Any person, wherever located, determined by the Attorney General:

- to be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person;
- to act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or
- to have knowingly caused or directed, or to be likely to knowingly cause or direct, a violation of this part.

Corporate subsidiaries are treated as separate entities and are covered persons if they otherwise meet the Rule's definition, while business units of a company are not, even if they are located in a country of concern. The Rule also grants the Attorney General wide discretion to determine whether a person has become a covered person.

The Rule also provides several examples to clarify the scope of "covered person" under the Rule. For example, citizens of a country of concern are exempt if they primarily reside in the U.S. or a third country, unless they are individually designated as a covered person by the Attorney General or are employed by a country of concern or covered person.

2. Prohibited Transactions

The Rule categorically prohibits certain high-risk transactions, such as "data brokerage" transactions involving covered data with countries of concern or covered persons, and transactions involving access to bulk human-omic data or biospecimens.

Data brokerage is defined as "the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data."

The Rule intentionally adopts a broad definition of data brokerage to ensure that "there are no significant loopholes for countries of concern to continue to leverage the data brokerage market as a means of acquiring and exploiting government-related or bulk U.S. sensitive personal data."

DOJ emphasized this point in its Compliance Guide published on April 11, 2025, explaining that the definition of data brokerage captures "activities that may not be thought of in ordinary parlance as data brokerage [but] may nonetheless constitute data brokerage under the [Rule]." For example:

"A U.S. company maintaining a website or mobile application that contains ads with tracking pixels or software development kits that were knowingly installed or approved for incorporation into the app or website by the U.S. company. That transfer or provision of access to government-related or bulk U.S. sensitive personal data to covered persons or countries of concern could constitute data brokerage and could be a violation of the [Rule]."

While data brokerage transactions with countries of concern or covered persons are prohibited, data brokerage transactions that cause covered data to be sent to other countries (i.e., not countries of concern) require onward transfer contractual provisions and the reporting of known or suspected violations, to ensure that the covered data is not subsequently transferred to a country of concern.

3. Restricted Transactions

Other types of data transactions, including those in connection with vendor, employment, and investment agreements, are only "restricted," and are therefore permitted under strict conditions. These transactions must adhere to robust security requirements developed by the Cybersecurity and Infrastructure Security Agency ("CISA"), which include organizational and system-level cybersecurity controls, data-level protections such as encryption and data minimization, and annual independent audits with detailed recordkeeping. Restricted transactions are also subject to due diligence, audit, recordkeeping, and reporting requirements that mandate the development and implementation of a written data compliance program no later than October 6, 2025.

The Rule also imposes significant recordkeeping requirements: full and accurate records of any transaction subject to the Rule (not just prohibited or restricted transactions) must be kept for at least 10 years. There are also heightened recordkeeping requirements for U.S. persons engaging in restricted transactions (including written policies describing the data compliance program, documentation of the implementation of the security requirements, results of annual audits, and due diligence conducted to verify the data flow involved in any restricted transaction).

Restricted transactions are limited to data transactions in connection with vendor agreements, employment agreements, and investment agreements, each of which is defined in the Rule and discussed in its accompanying commentary.

Vendor agreements are defined as "any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration." As the definition of vendor agreements is very broad, the Rule provides helpful examples of what constitutes a vendor agreement. Specifically:

Example 1 involves a country of concern vendor that processes and stores bulk precise geolocation data collected through an app owned by a U.S. company.

Example 2 involves IT-related services provided by a country of concern vendor to a U.S. medical facility.

Example 3 involves a country of concern vendor operating data centers that provide managed services to U.S. companies.

Example 4 involves a U.S. mobile games developer that receives software development services from a country of concern vendor.

A written agreement is not required by the text of the Rule, but one is recommended so that a data transaction between the parties falls clearly within the "vendor agreement" category (and is thus restricted, rather than prohibited), and so that the parties are able to respond to a DOJ inquiry.

Employment agreements involve "any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level." In terms of a restricted employment agreement, the Rule describes a situation where a U.S. company hires an individual from a country of concern to perform job functions that involve access to sensitive U.S. data.

Investment agreements are defined as any arrangement where a person gains direct or indirect ownership interests or rights in U.S. real estate or a U.S. legal entity in exchange for payment or other consideration and excludes certain passive investments that do not pose national security risks, such as those with less than 10% voting and equity interest without substantive decision-making rights. An example of a restricted investment agreement is a U.S. company planning to build a data center in a U.S. territory to store bulk personal health data on U.S. persons, with a foreign private equity fund from a country of concern providing capital in exchange for a majority ownership stake.

4. Restricted Transactions and Compliance Obligations

U.S. entities involved in restricted transactions (i.e., covered data transactions in connection with vendor agreements, employment agreements, or investment agreements) are required to establish risk-based written compliance programs, conduct thorough due diligence on counterparties, including ownership and control checks, maintain detailed records, and complete annual independent audits.

Additionally, U.S. persons must report specific transactions, including rejected prohibited transactions, and maintain comprehensive records of all restricted transactions. In its April 11, 2025, supplementary package, which included a press release, the Compliance Guide, FAQs, and an Implementation and Enforcement Policy, DOJ emphasized the importance of strict compliance with these procedural aspects of the Rule.

Importantly, DOJ also retains the authority to request information or documents, to require testimony, and to conduct hearings, regarding any act, or any transaction—whether prohibited or restricted under the Rule or not—at any time, underscoring the importance of compliance and detailed recordkeeping. Violations of the Rule can result in severe civil penalties (up to $368,136 per violation, or twice the amount of the transaction at issue, whichever is greater), and criminal penalties including prison sentences of up to 20 years and fines up to USD 1,000,000.

While DOJ paused civil enforcement until July 8, 2025, that pause is expressly conditioned on "good-faith efforts" to comply, or to come into compliance with the Rule, between now and then. To emphasize the serious nature of its expectations during this civil enforcement pause, DOJ spelled out what it means by "good-faith efforts," which includes the following types of activities:

- Conducting internal reviews of access to sensitive personal data, including whether transactions involving access to such data flows constitute data brokerage;
- Reviewing internal datasets and data types to determine if they are potentially subject to the Data Security Program ("DSP");
- Renegotiating vendor agreements or negotiating contracts with new vendors;
- Transferring products and services to new vendors;
- Conducting due diligence on potential new vendors;
- Negotiating contractual onward transfer provisions with foreign persons who are the counterparties to data brokerage transactions;
- Adjusting employee work locations, roles, or responsibilities;
- Evaluating investments from countries of concern or covered persons;
- Renegotiating investment agreements with countries of concern or covered persons; and
- Implementing the CISA Security Requirements, including the combination of data-level requirements necessary to preclude covered person access to regulated data for restricted transactions.

5. Exemptions

The Rule provides several exemptions for otherwise restricted or prohibited data transactions, including official U.S. government business, financial services, corporate group transactions, and certain clinical investigations and regulatory submissions for drugs, biological products, and medical devices. For the purposes of this alert, we will only analyze the financial services and corporate group transactions exemptions.

Financial Services

The exemption for financial services specifically relates to data transactions that are "ordinarily incident to and part of the provision of financial services." These include, for example:

- Banking, capital markets, or financial insurance services;
- The transfer of covered data incidental to the purchase and sale of goods and services (such as online shopping or e-commerce marketplaces);
- The provision or processing of payments or funds transfers (such as services for payment dispute resolution, payor authentication, tokenization, payment gateway, and payment fraud detection); and
- Provision of investment management services.

The Rule addresses e-commerce in § 202.505(a)(4):

§ 202.505 Financial services.

(a) Exemption. Subparts C, D, J, and K (other than § 202.1102 and § 202.1104) of this part do not apply to data transactions, to the extent that they are ordinarily incident to and part of the provision of financial services, including:

(4) The transfer of personal financial data or covered personal identifiers incidental to the purchase and sale of goods and services (such as the purchase, sale, or transfer of consumer products and services through online shopping or e-commerce marketplaces)

The Rule also provides 12 examples for what data transactions may fall within the financial services exemption. One of the examples relates specifically to e-commerce:

As part of operating an online marketplace for the purchase and sale of goods, a U.S. company, as ordinarily incident to and part of U.S. consumers' purchase of goods on that marketplace, transfers bulk contact information, payment information (e.g., credit-card account number, expiration date, and security code), and delivery address to a merchant in a country of concern. The data transfers are exempt transactions because, although they involve access by a covered person to bulk personal financial data, they are ordinarily incident to and part of U.S. consumers' purchase of goods.

As a result, the financial services exemption provides some allowance for online marketplaces and other forms of e-commerce, even where bulk personal financial data is transferred to a country of concern. However, the limits of the "e-commerce" provision of the financial services exemption, as addressed in the Rule and in the example above, are not addressed with specificity in the Rule or the Rule's Preamble. Whether the provision of covered personal financial data and personal identifiers is incidental to the purchase, sale, or transfer of consumer products and services through online shopping or e-commerce marketplaces depends on the facts. Accordingly, a case-by-case evaluation is necessary, as misplaced reliance on an exemption could lead to steep penalties, or worse. We expect that DOJ will address this issue in more detail in future guidance.

Corporate Group Transactions

The corporate group transactions exemption permits otherwise prohibited or restricted data transactions "between a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern," where they are ordinarily incident to and part of administrative or ancillary business operations. According to the Rule, such ordinarily incident activities include:

- Human resources;
- Payroll, expense monitoring and reimbursement, and other corporate financial activities;
- Paying business taxes;
- Obtaining business permits or licenses;
- Sharing data with auditors or law firms for regulatory compliance;
- Risk management;
- Business-related travel;
- Customer support;
- Employee benefits; and
- Employees' internal and external communications.

In the Rule's commentary, as well as in the FAQs published on April 11, 2025, DOJ clarified that while the listed administrative and ancillary business activities are "illustrative and not exhaustive," those exempt activities do not include "core business activities, such as product development and research."

As with other areas of the Rule, these two exemptions are complex, and misapplication of them could have serious consequences. When considering them, and other aspects of the Rule, consult competent counsel.

Finally, U.S. persons may also seek specific licenses for otherwise prohibited transactions on a case-by-case basis.

6. Impact and Compliance Recommendations for Chinese Enterprises

In order to comply with the Rule, Chinese enterprises with U.S. business exposure, particularly those maintaining local entities in the United States, must carefully scrutinize their operational frameworks, including business models, and personnel deployment.

Where potential access to bulk U.S. sensitive personal data or government-related data exists, such enterprises should: (i) assess whether there are compliance risks under the current regulatory framework of the Rule, and (ii) implement mitigating controls, as well as necessary due diligence, auditing, recordkeeping and reporting policies and procedures, to ensure adherence to these new regulatory requirements.

Pursuant to the Rule and the DOJ's guidance documents on DSP, we recommend the following compliance measures for Chinese Enterprises:

- Initiate immediate due diligence on relevant transactions and associated data transfers, including the business scenarios, data flows, and the types and scale of data transferred from the U.S. to China;
- Evaluate whether the relevant transactions constitute restricted or prohibited transactions under the Rule, and whether the transactions qualify for exemptions under the Rule;
- If the relevant transactions are considered restricted or prohibited, analyze business model adjustments and assess the feasibility of terminating the data flows to China;
- Review and amend third-party agreements to embed data sovereignty clauses that restrict secondary transfers, backed by indemnification provisions;
- Implement role-based access controls for U.S.-based personnel;
- Establish a comprehensive data compliance management system aligned with DOJ's compliance guidelines, including management processes and corresponding policies for transaction evaluation and data mapping, vendor due diligence and verification, written organizational data compliance management policies and compliant security management policies, employee training mechanisms, recordkeeping, reporting, and regular audit mechanisms; and
- Ensure that your U.S. partner in covered data transactions is carefully following all applicable requirements of the Rule (including compliance with the CISA security requirements, where applicable).

Where Chinese enterprises are collaborating with U.S. counterparts, we recommend the following additional compliance measures:

- Conduct a deep-dive analysis of the transactions and data sharing mechanisms with U.S. companies and evaluate whether, and to what extent, they are subject to the Rule.
- Assess the impact of the Rule on Chinese enterprises' U.S. business and consult with legal counsel regarding contingency strategies, such as implementing geofencing for domestic U.S. data access and exploring alternative business models.

In addition, Chinese enterprises should continue to monitor DOJ's regulatory updates (and those of this article's co-authors at JunHe and ArentFox Schiff LLP), follow up on the release and updates of the Covered Persons List, and take timely response measures.

Key Takeaways

The Rule significantly expands U.S. national security controls over sensitive personal data, and will affect a broad spectrum of U.S. businesses, particularly in e-commerce, technology, healthcare, financial services, and cloud computing. While initial compliance costs, such as assessments and remediation, are one-time expenses, businesses will encounter numerous ongoing obligations, including continuous due diligence, compliance program updates, monitoring, regular audits, and detailed recordkeeping and reporting.

Industries such as e-commerce and online advertising, which depend on vast amounts of personal data to enhance customer engagement and optimize marketing strategies, will be significantly affected by the Rule. The broad definition of data brokerage under the Rule has important implications for how these industries manage data transactions. E-commerce businesses may need to reevaluate and update their data management practices, especially as they pertain to third-party vendors and other service providers that may have access to sensitive data.

The Rule is detailed and complex, and compliance is time-consuming and resource intensive. Now is the time to consult experienced counsel, take inventory of your data transactions, assess compliance obligations, and engage in the types of "good-faith efforts" enumerated by the DOJ and listed above.