13 June 2025

DOJ's "Bulk Sensitive Data Rule" Is In Effect, And May Require Significant Compliance Obligations As Enforcement Is Set To Begin

Foley Hoag LLP

Pursuant to a newly effective U.S. Department of Justice (DOJ) regulation, the transfer and storage of certain sensitive U.S. government and personal data may be prohibited or restricted, depending on the intended recipient, based on national security risk. The new Data Security Program ("DSP" or the "Rule") identifies certain "countries of concern" (and "covered persons"—contractors or persons connected to those countries) to which government geolocation data, sensitive government-related personal data, or "bulk U.S. sensitive personal data" (defined to include, among other information, human 'omic data,[1] biometric identifiers, and personal health, financial, and geolocation information) may not be transferred, or to which such transfers may occur only under highly restrictive conditions. Unlike HIPAA (and other similar privacy laws), the Rule applies regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.

The DOJ's National Security Division ("NSD") promulgated the Rule in accordance with Biden-era Executive Order 14117 ("Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern"). It took effect on April 8, 2025; enforcement is set to begin on July 9, 2025; and several compliance requirements become effective October 6, 2025. Although the Rule was issued by the Biden administration, the Trump administration has not moved to revoke it. Indeed, on April 11, 2025, NSD issued a Compliance Guide, a lengthy set of FAQs, and an Implementation and Enforcement Policy, and has indicated that it takes enforcement of the Rule very seriously.

Application of the rule in any specific instance will depend on multiple factors, which can make compliance challenging and complex. Exemptions may also apply in specific circumstances. Penalties, however, could be severe, including investigations, civil enforcement (where parties could be subject to penalties of $377,700, or two times the value of a transaction per violation), and criminal enforcement (up to $1 million in criminal fines and/or 20 years imprisonment for willful violations). Companies in the life sciences, healthcare, and financial services industries, or that are engaged in activities where either large volumes of sensitive information are being processed or where there is a complex chain of downstream data sharing, should pay particular attention to the DSP.
This article provides an overview of the new regulations, with key dates and compliance considerations. Given its complexity and potential challenges in application, Foley Hoag stands ready to assist your organization as it considers how to comply with the DSP.

1. What Information Does the Rule Cover?

The DSP regulates the storage and transfer of two broad categories of data: government data and "bulk U.S. sensitive data." The government data specified in the regulation is affected regardless of the volume at issue; bulk U.S. sensitive data, however, is regulated only when certain volume thresholds are met, measured over a rolling 12-month period. The chart below illustrates the distinction:

| Data Category | Description | Volume Threshold |
|---|---|---|
| Government-related geolocation data | Geolocation information regarding specific U.S. sensitive areas. | N/A |
| Government-related personal data | Data on current and former U.S. government personnel. | N/A |
| Human genomic and biospecimen data | Data representing the sequences that constitute all or part of the subset of a human cell's genetic instructions; or any quantity of human-derived material from which human genomic data could be derived. | 100 U.S. persons |
| Human epigenomic data | Data derived from a systems-level analysis of human epigenetic modifications, which are changes in gene expression that do not involve alterations to the DNA sequence itself. | 1,000 U.S. persons |
| Human proteomic data | Data derived from a systems-level analysis of proteins expressed by a human genome, cell, tissue, or organism. | 1,000 U.S. persons |
| Human transcriptomic data | Data derived from a systems-level analysis of RNA transcripts produced by the human genome under specific conditions or in a specific cell type. | 1,000 U.S. persons |
| Biometric identifiers | Fingerprints, voice prints, retina scans, etc. | 1,000 U.S. persons |
| Precise geolocation data | Accurate to within 1,000 meters. | 1,000 U.S. persons |
| Personal health data | Diagnostic, treatment, and prescription information (not limited to protected health information, or PHI, as defined by HIPAA). | 10,000 U.S. persons |
| Personal financial data | Banking, credit, and trading information. | 10,000 U.S. persons |
| Covered personal identifiers | A combination of the above categories linked to a specific individual. | 10,000 U.S. persons |
| Combined data | Any collection or set of data containing more than one of the above categories. | Lowest applicable threshold among the categories present |


2. Which Organizations are Affected?

The Rule affects "Covered Data Transactions," which are data transactions by a "U.S. Person" that involve "access" to that data by a "Country of Concern" or a "Covered Person."
  • A "U.S. Person" is any U.S. citizen, national, lawful permanent resident, refugee, asylee, or any entity organized solely under the laws of the U.S. Also referred to herein as a "covered party(ies)."
  • A "Country of Concern" is one of the following specific countries: The People's Republic of China ("PRC") (including Hong Kong and Macau); Russia; Cuba; Venezuela; North Korea; and Iran.
  • A "Covered Person" is an individual or entity that falls into any one of the following five categories:
    • a foreign entity that is 50%+ owned by a country of concern, or that is organized under the laws of, or has its principal place of business in, a country of concern;
    • foreign individual employed or contracted by a country of concern;
    • foreign individual primarily residing in a country of concern;
    • any person determined by the Attorney General to be owned, controlled, or acting on behalf of countries of concern or covered persons, or likely to cause violations of the DSP; and
    • a foreign entity that is at least 50% owned, directly or indirectly, or in the aggregate, by one or more persons who fall into one of the four categories above.
  • An applicable data transaction includes any one of the following that involves either government-related data or bulk U.S. sensitive personal data:
    • Data Brokerage: "the sale of data, licensing or access to data, or similar commercial transaction . . . involving the transfer of data from any person to any other person, where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data";
    • Vendor Agreements: "any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration";
    • Employment Agreements: "any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level"; and
    • Investment Agreements: "any agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to (1) real estate located in the United States; or (2) a U.S. legal entity".
  • Finally, "access" to the data at issue means logical or physical access, and includes "the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive" such information.

3. What Transactions are Prohibited or Restricted?

Under the DSP, whether a data transaction is prohibited or restricted is a fact-specific analysis. It depends on (1) the type of data, (2) the volume of data, (3) the type of transaction, and (4) the identity of the recipient.
The DSP prohibits the following transactions:
  • Data brokerage transactions with Countries of Concern or Covered Persons;
  • Bulk human 'omic data or biospecimen data access by Countries of Concern or Covered Persons; and
  • Any transaction that violates restricted transfer requirements in the Rule.
The DSP allows the following kinds of transactions on a restricted basis, provided that they comply with the Rule's requirements and the security requirements issued by the Cybersecurity and Infrastructure Security Agency (CISA):
  • Vendor Agreements;
  • Employment Agreements; and
  • Investment Agreements.
The DSP also requires that U.S. persons engaging in a data brokerage transaction with any foreign person, even if not from a Country of Concern, must include language in the data brokerage transaction contract forbidding the foreign person from providing the applicable data to Covered Persons or Countries of Concern.

Additionally, affected organizations should keep in mind that formal compliance alone may be insufficient: the government will likely expect companies to engage in some level of compliance diligence in this context, and knowledge of or willful blindness to improper data diversion could create compliance risk.

4. What Exemptions or Licenses Apply?

Certain transactions may be exempt from application of the Rule, including the following:
  • Official transactions of the U.S. government;
  • Personal communications not involving the transfer of anything of value;
  • Transactions that are "ordinarily incident to and part of the provision of financial services," including banking services, the purchase and sale of goods and services, payment processing transfers, and investment-management services;
  • Transactions subject to a Committee on Foreign Investment in the United States ("CFIUS") national security agreement, during the pendency of the agreement;
  • Corporate group transactions "ordinarily incident to and part of administrative or ancillary business operations," including human resources, payroll, and other employee management and corporate financial activities;
  • Telecommunication services transactions;
  • Drug, biological product, and medical device operations and authorizations; and
  • Clinical investigations and post-marketing surveillance data.
Transactions that do not fall within an exemption may nevertheless be authorized if covered by a general or specific license granted by NSD. No general licenses have been issued to date by NSD and the practical ability of parties to obtain a specific license remains unclear.

5. How Must Companies Comply?

Covered parties engaged in covered transaction types that involve government-related or bulk U.S. sensitive personal data with countries of concern/covered persons may be directly impacted by the Final Rules. To ensure compliance, covered parties should take the following steps:
  • Review Current Transactions: Review current transactions that fall within the covered datasets, and evaluate whether such transactions are prohibited, restricted, or subject to new requirements.
  • Establish a Process to Assess Applicability of Rules to Future Transactions: When establishing agreements implicating one or more of the four covered transaction types, covered parties should confirm that (a) the contractual counterparty is not a country of concern or covered person; and (b) the transaction does not fall into a prohibited category.
If a covered party is currently involved in or seeks to engage in a restricted transaction, it is important to understand and pursue the appropriate steps to comply with the additional security requirements, due diligence, auditing, reporting, and record-keeping requirements as outlined in the Final Rules. Notably, the covered party must:
  • Comply With Additional Security Requirements: The Cybersecurity and Infrastructure Security Agency (CISA) has published additional requirements for protecting covered datasets that must be complied with.
  • Establish Robust Data Compliance Programs: Programs must include risk-based procedures for verifying data flows, identifying transaction parties, and ensuring the end-use of data aligns with regulatory requirements.
  • Conduct Annual Independent Audits: Covered parties must conduct an annual, independent audit to verify compliance with security requirements and document audit findings.
  • Maintain Detailed Records: Information should include the types and volumes of data involved, the identities of transaction parties, and the methods of data transfer, and records must be kept for at least ten years.
Covered parties must ensure compliance with additional measures for restricted transactions no later than October 6, 2025.

Even if a covered party is not directly engaged in covered transactions, it is essential to stay prepared for potential indirect effects and updates to the Final Rules. Covered parties should consider the following:
  • Engagement with Affected Partners: If dealing with partners or vendors affected by the Rule, it is crucial to understand their compliance status and any potential risks associated with data transactions. Covered parties should remember that the Rule applies to U.S. Persons that "knowingly direct" covered data transactions to a foreign entity that would be prohibited or restricted if engaged by a U.S. Person; and
  • Monitor Regulatory Developments: The DOJ has signaled that it intends to continue to engage with companies and stakeholders, and determine, for example, whether any wind-down or other general licenses are appropriate. Staying updated on additional DOJ or other relevant agency guidance will help ensure compliance with evolving regulations that may come to affect indirect parties.

Footnote

1. Human genomic, epigenomic, proteomic, and transcriptomic information is referred to as "human 'omic data."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
