20 January 2025

Justice Department Issues Final Rule On Bulk Transfers Of Sensitive Personal Data To Certain Countries

Jones Day

Contributor

Jones Day is a global law firm with more than 2,500 lawyers across five continents. The Firm is distinguished by a singular tradition of client service; the mutual commitment to, and the seamless collaboration of, a true partnership; formidable legal talent across multiple disciplines and jurisdictions; and shared professional values that focus on client needs.

The final rule establishes prohibitions and restrictions on the transfer of certain data due to national security risks from specified countries of concern.

On Friday, December 27, 2024, the U.S. Department of Justice ("DOJ") issued the final rule implementing the Biden White House's Executive Order 14117, "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern." Those countries include: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. The rule creates a new national security regulatory program within DOJ and establishes the country's first prohibitions and restrictions on the transfer or export of personal data in certain transactions. The rule is designed to address national security risks and is not a federal privacy regulation. The rule goes into effect April 8, 2025.

Generally, the rule applies to entities that are 50% or more owned by a country of concern or covered person. A covered person includes foreign entities that are 50% or more owned (directly or indirectly) by a country of concern, organized under the laws of a country of concern, or have a principal place of business in a country of concern. Covered persons also include foreign employees or contractors, or individuals residing, in countries of concern. A U.S. subsidiary is generally not a covered person unless specifically designated by DOJ.

"Covered data transactions" are those that involve any access to any government-related data or bulk U.S. sensitive personal data and that involve data brokerage, a vendor agreement, an employment agreement, or an investment agreement. "Sensitive" personal data means: (i) covered personal identifiers; (ii) precise geolocation; (iii) biometric identifiers; (iv) human genomic data and other human omic data; (v) personal health data; and (vi) personal financial data. There are several exempted transactions, including those related to certain corporate group transactions, clinical investigations, or drug approval processes, among others.

Prohibited transactions: U.S. persons are prohibited from knowingly engaging in a covered data transaction involving data brokerage with a country of concern or covered person. Brokerage means sale of data, licensing of access to data, or commercial transactions involving data transfers where the recipient did not collect or process data directly from individuals. This prohibition applies to data that is resold or transferred through third parties to countries of concern. Also, the rule prohibits knowingly engaging in any covered data transaction that provides access to bulk human genomic data to a country of concern or covered person.

Restricted transactions: U.S. persons cannot knowingly engage in bulk transfers of sensitive personal data related to vendor, employment, and non-passive investment agreements unless the transaction meets certain security requirements developed by the Cybersecurity and Infrastructure Security Agency ("CISA"). There are affirmative compliance requirements for restricted transactions, including annual audits by an independent auditor, annual certifications, risk-based procedures, and recordkeeping for 10 years.

There are certain annual and ad hoc reporting requirements for both prohibited and restricted transactions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
