28 April 2025

New DOJ Rule On Foreign Access To U.S. Data: What Businesses Need To Know

Nelson Mullins Riley & Scarborough LLP



On Jan. 8, 2025, the U.S. Department of Justice (DOJ) published its final rule (the "Rule") implementing Executive Order 14117. The Rule aims to prevent "countries of concern" (currently China, including Hong Kong and Macau; Russia; Iran; North Korea; Cuba; and Venezuela) from accessing sensitive personal data of U.S. persons. It establishes a new regulatory framework, the Data Security Program (DSP), administered by the DOJ's National Security Division.

This framework introduces significant restrictions on the transfer of certain categories of data and imposes substantial compliance obligations on U.S. businesses.

Key Dates

  • April 8, 2025: The DOJ's Data Security Program (DSP) takes effect
  • July 8, 2025: End of the 90-day leniency period for civil enforcement
  • Oct. 6, 2025: Full compliance required, including due diligence, audit, and reporting obligations

Key Definitions Under the DOJ's Rule on Sensitive Data Transfers

Covered Data
"Covered data" includes a broad range of personal information that could be exploited to identify or profile U.S. individuals, particularly when transferred to foreign entities. The Rule organizes covered data into the following categories:

1. Covered Personal Identifiers
These are specific data elements that, alone or in combination, may be used to identify individuals. Covered personal identifiers include:

  • Full or truncated government identification or account numbers (e.g., SSN, passport number, driver's license number)
  • Full financial account numbers or personal identification numbers associated with a financial institution
  • Device- or hardware-based identifiers (e.g., IMEI, MAC address, SIM number)
  • Advertising identifiers (e.g., Google Advertising ID, Apple IDFA)
  • Account authentication credentials (e.g., usernames, passwords, security question answers)
  • Network-based identifiers (e.g., IP addresses, cookies)
  • Call-detail data (e.g., Customer Proprietary Network Information or CPNI)
  • Demographic or contact data, only when linked to the above or other sensitive identifiers (e.g., name and address linked to device ID)

Exclusion: Demographic/contact data, and network-based identifiers and account-authentication data, are excluded when they are not linked to other listed identifiers and are used solely to provide telecommunications or network functionality.

2. Sensitive Personal Data
The Rule identifies six specific types of sensitive data that are especially protected:

  • Precise Geolocation Data: Real-time or historical data pinpointing an individual's or device's location within 1,000 meters.
  • Biometric Identifiers: Unique physical/behavioral traits used to identify individuals, including facial images and voiceprints.
  • Human 'Omic Data: Human genomic data (nucleic acid sequences) and other 'omic data, such as epigenomic, proteomic, and transcriptomic data, that characterize an individual's biological processes.
  • Personal Health Data: Information indicating an individual's physical/mental condition, care received, or payment for care.
  • Personal Financial Data: Data on accounts, transactions, assets, liabilities, and credit or consumer report information.
  • Covered Personal Identifiers (as detailed above)

Exclusion: Publicly available government records, trade secrets, metadata from expressive materials, and data that does not relate to individuals are not considered sensitive personal data under this Rule.

Bulk U.S. Sensitive Personal Data

This refers to large-scale collections of sensitive personal data about U.S. persons. The thresholds apply regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted. The Rule defines the following volume thresholds, each measured over any 12-month period:

  Data category                              Volume threshold
  Human 'omic data                           More than 1,000 U.S. persons (more than 100 for human genomic data)
  Biometric identifiers                      More than 1,000 U.S. persons
  Precise geolocation data                   More than 1,000 U.S. devices
  Personal health data or financial data     More than 10,000 U.S. persons
  Covered personal identifiers               More than 100,000 U.S. persons
  Any combination of the above               Bulk if the threshold for any one category is exceeded

Government-Related Data

This includes:

  • Precise geolocation data for specific sensitive U.S. locations (the appendix lists 736 geographic areas).
  • Any sensitive personal data marketed as linked to U.S. government personnel (including intelligence, military, or contractors).

Covered Person

A "covered person" includes any foreign entity or person who is:

  • Owned, controlled by, or subject to the direction of a country of concern;
  • Organized under the laws of a country of concern;
  • A citizen or permanent resident of a country of concern;
  • Located in or operating out of a country of concern;
  • On the Entity List or subject to certain U.S. national security-related sanctions.

Key Prohibitions & Requirements

Prohibited Transactions
The Rule establishes five categories of prohibited transactions:

  1. Data Brokerage with Countries of Concern: U.S. persons may not engage in data brokerage transactions involving bulk U.S. sensitive personal data (SPD) or government-related data with countries of concern or covered persons.
  2. Human Genomic and Other 'Omic Data or Human Biospecimens: U.S. persons may not engage in transactions with countries of concern or covered persons involving bulk human genomic, epigenomic, proteomic, or transcriptomic data, or human biospecimens from which such data can be derived.
  3. Knowingly Directing a Transaction Out of Compliance: U.S. persons may not knowingly direct a transaction that would be prohibited or restricted if carried out by a U.S. person.
  4. Data Brokerage or Government-Related Data Transactions without Contractual Restrictions: U.S. persons engaging in data brokerage involving bulk SPD or government-related data with any other foreign person must contractually prohibit that foreign person from reselling or providing access to the data to countries of concern or covered persons.
  5. Evasion Activities and Conspiracies: Any attempt to evade the Rule's restrictions, or any conspiracy to do so, is prohibited.

Restricted Transactions
Restricted transactions are vendor, employment, or investment agreements that give countries of concern or covered persons access to bulk SPD or government-related data. They are permitted only if the U.S. person complies with the security requirements published by the Cybersecurity and Infrastructure Security Agency (CISA) and with the Rule's compliance requirements, including:

  • Implementing a data compliance program.
  • Conducting due diligence and risk assessments.
  • Maintaining detailed records for at least 10 years.
  • Submitting annual reports to the DOJ (required for certain restricted transactions).

Key Guidance & Resources

To assist with compliance, the DOJ's National Security Division (NSD) issued guidance on April 11, 2025, including:

  • An implementation and enforcement policy for the program (the "Enforcement Policy") covering the first 90 days after the effective date.
  • A 21-page Compliance Guide.
  • A 45-page set of frequently asked questions (the "FAQ").

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
