DOJ Proposed Rule – Regulating Bulk Sensitive Data Transfers

Contributors

Usman Tariq

Data Privacy Analyst at Securiti

CIPP/US

Omer Imran Malik

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US

Background and History

President Biden issued Executive Order 14117, titled “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“E.O.”), dated February 28, 2024, pursuant to the authority vested in the President by the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.) (NEA), and section 301 of title 3, United States Code. The E.O. seeks to limit or block certain countries of concern from accessing and collecting Americans’ sensitive personal data and United States Government-related data, as such access poses an unacceptable risk to the national security of the United States and can lead to the exploitation of sensitive data for malicious purposes.

Implementation of the E.O.

Issuance of Notice of Proposed Rule Making (NPRM)

The Department of Justice (DOJ) issued the Notice of Proposed Rule Making titled “Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (Proposed Rule), dated October 29, 2024, in order to implement the E.O. The Proposed Rule builds on the DOJ’s March 24, 2024 Advanced Notice of Proposed Rulemaking (ANPRM).

Goal of the Proposed Rule

The Proposed Rule prevents U.S. persons from providing countries of concern or covered persons access to government-related data or Americans' bulk U.S. sensitive personal data through commercial data-brokerage transactions. The Proposed Rule also imposes security requirements on other kinds of commercial transactions, such as investment, employment, and vendor agreements, that involve government-related data or Americans' bulk U.S. sensitive personal data to mitigate the risk that a country of concern could access such data.

It is worth noting that currently, no federal legislation or rule categorically prohibits or imposes security requirements to prevent U.S. persons from providing countries of concern or covered persons access to sensitive personal data or government-related data through data brokerage, vendor, employment, or investment agreements.

Key Definitions Under the Proposed Rules

Countries of Concern

Under the Proposed Rule, the Attorney General has determined, with the concurrence of the Secretaries of State and Commerce, that the governments of the following six countries have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of U.S. persons, and pose a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or the security and safety of U.S. persons. The countries of concern are:

  1. China (including Hong Kong and Macau)
  2. Russia
  3. Iran
  4. North Korea
  5. Venezuela
  6. Cuba

Covered Persons

The Proposed Rule lists five ways that an entity or individual may be connected to a country of concern for the Proposed Rule to apply. A covered person is:

  1. An entity that is a foreign person which is 50 percent or more owned, directly or indirectly, by a country of concern, or is organized or chartered under the laws of a country of concern, or has its principal place of business in a country of concern.
  2. An entity that is a foreign person which is 50 percent or more owned, directly or indirectly, by a covered person.
  3. Any foreign individual who is an employee or a contractor of such an entity or of the country of concern itself.
  4. Any foreign person who is primarily a resident in the territorial jurisdiction of a country of concern.
  5. Any person, wherever located, designated by the Attorney General: (1) to be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person; (2) to be acting or likely to act on behalf of a country of concern or a covered person; or (3) to have knowingly caused or directed, or to be likely to knowingly cause or direct, a violation.

US Persons

A US person is defined in the Proposed Rule as any of the following:

  1. A US citizen or national.
  2. A US lawful permanent resident.
  3. Any individual admitted to the United States as a refugee or granted asylum.
  4. Any person in the United States.
  5. Any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches).

Kinds of Sensitive Data Covered

For each type of sensitive data, the Proposed Rule sets a bulk threshold (§ 202.205): a data set is “bulk” when it relates to more than the stated number of US persons.

Human Genomic Data
Description: Data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a human cell, including the result or results of an individual's “genetic test” and any related human genetic sequencing data. The term “human genomic data” does not include non-human data, such as pathogen genetic sequence data, that is derived from or integrated into human genomic data.
Threshold: More than 100 US persons.

Biometric Identifiers
Description: Measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.
Threshold: More than 1,000 US persons.

Precise Geolocation Data
Description: Data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters.
Threshold: More than 1,000 US persons.

Personal Health Data
Description: Health information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual. The term includes basic physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms, and allergies); social, psychological, behavioral, and medical diagnostic, intervention, and treatment history; test results; logs of exercise habits; immunization data; data on reproductive and sexual health; and data on the use or purchase of prescribed medications.
Threshold: More than 10,000 US persons.

Personal Financial Data
Description: Data about an individual's credit, charge, or debit card, or bank account, including purchases and payment history; data, including assets, liabilities, debts, and transactions in a bank, credit, or other financial statement; or data in a credit report or in a “consumer report”.
Threshold: More than 10,000 US persons.

Covered Personal Identifiers
Description: Specifically listed classes of personally identifiable data that are reasonably linked to an individual, and that, whether in combination with each other, with other sensitive personal data, or with other data that is disclosed by a transacting party pursuant to the transaction and that makes the personally identifiable data exploitable by a country of concern, could be used to identify an individual from a data set or link data across multiple data sets to an individual. A “listed identifier” is any piece of data in any of the following data fields (§ 202.234):

(1) full or truncated government identification or account number (such as a Social Security Number, driver's license or State identification number, passport number, or Alien Registration Number);

(2) full financial account numbers or personal identification numbers associated with a financial institution or financial-services company;

(3) device-based or hardware-based identifier (such as International Mobile Equipment Identity (“IMEI”), Media Access Control (“MAC”) address, or Subscriber Identity Module (“SIM”) card number);

(4) demographic or contact data (such as first and last name, birth date, birthplace, ZIP code, residential street or postal address, phone number, email address, or similar public account identifiers);

(5) advertising identifier (such as Google Advertising ID, Apple ID for Advertisers, or other mobile advertising ID (“MAID”));

(6) account-authentication data (such as account username, account password, or an answer to a security question);

(7) network-based identifier (such as Internet Protocol (“IP”) address or cookie data); or

(8) call-detail data (such as Customer Proprietary Network Information (“CPNI”)).

Threshold: More than 100,000 US persons.

The Proposed Rule does not impose any bulk threshold requirements on transactions involving government-related data. The two types of government-related data are:

Precise Geolocation Data
Any precise geolocation data, regardless of volume, within any area enumerated on the Government-Related Location Data List (eight specific geofenced areas near government facilities in the Washington, D.C. metro area, Georgia, Hawaii, and Texas).

Sensitive Personal Data
Any sensitive personal data, regardless of volume, which a transacting party markets as linked or linkable to current or recent former employees, contractors, or former senior officials of the US government, including the military and intelligence community.

Covered Data Transactions

The Proposed Rule defines a “covered data transaction” as any transaction that involves any access to any government-related data (regardless of volume) or bulk U.S. sensitive personal data (based on the aforementioned thresholds) and that involves: (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement. See § 202.210. The Department has determined that these categories of covered data transactions pose an unacceptable risk to U.S. national security because they may enable countries of concern or covered persons to access government-related data or bulk U.S. sensitive personal data.

Prohibited and Restricted Transactions

The Proposed Rule creates a two-tiered system for covered transactions. Certain types of transactions are prohibited regardless of the type of data; other data transactions are restricted and could proceed if the security requirements promulgated by CISA are satisfied.

Prohibited Transactions

Data Brokerage Transactions

Data brokerage is defined as the sale or transfer of data from any person to a recipient that did not collect or process the data directly from the individual to whom the data relates. For example, if a U.S. organization maintained bulk personal health data, and it licensed such data to a covered person, it would constitute a prohibited transaction.

The Proposed Rule also prohibits any U.S. person from knowingly engaging in a covered data transaction involving data brokerage with any foreign person that is not a covered person, unless the U.S. person contractually requires that the foreign person refrain from engaging in a subsequent covered data transaction involving that data with a country of concern or covered person, and reports any known or suspected violations of that requirement to the DOJ.

Genomic Data Transactions

The Proposed Rule prohibits any U.S. person from knowingly engaging in any covered data transaction involving human genomic data that provides a country of concern or covered person with access to bulk U.S. sensitive personal data that consists of human genomic data or human biospecimens from which such data can be derived.

Restricted Transactions

The proposed rule sets forth three classes of transactions (vendor agreements, employment agreements, and investment agreements) that are prohibited unless the U.S. person entering into the transactions complies with the “security requirements” set out by the Cybersecurity and Infrastructure Security Agency (CISA).

Vendor Agreements

A vendor agreement is defined as “any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.”

A potential example of a vendor agreement covered by the proposed rule is a medical facility in the United States that contracts with a company headquartered in a country of concern to provide information technology (“IT”) related services. The medical facility has bulk personal health data on its U.S. patients, and the IT services provided under the contract involve access to the medical facility's systems containing that bulk personal health data.

Employment Agreements

An employment agreement is any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.

A potential example of an employment agreement is a U.S. company that employs a team of individuals who are citizens of and primarily reside in a country of concern and have access to back-end IT services and company systems that contain bulk human genomic data.

Similarly, the employment of a lead project manager or a CEO of a U.S. company who primarily resides in a country of concern and who has access to bulk U.S. sensitive personal data would be considered a restricted transaction.

Investment Agreements

The Proposed Rule defines an “investment agreement” as any agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to: (1) real estate located in the United States; or (2) a U.S. legal entity.

The DOJ provided an example of a restricted transaction: a foreign private-equity fund, located in a country of concern, agrees to provide capital for the construction of a data center for a U.S. company that stores sensitive data in exchange for acquiring a majority ownership stake in the data center.
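To make the two-tier structure above concrete, the following Python snippet is an added example (not code from the page, the DOJ, or Securiti) that evaluates a hypothetical transaction against the bulk thresholds in the table above, the four covered transaction categories, and the prohibited/restricted split. The `Transaction` fields, the `Counterparty` labels and the outcome strings are this example's own naming; it applies the genomic prohibition from the “Genomic Data Transactions” paragraph to every transaction category, and it does not model the exemptions discussed later on the page or the “knowingly” element, so it is a screening aid, not a legal determination.

```python
"""Screening aid for covered data transactions under the DOJ Proposed Rule as
summarised on this page. Thresholds follow the page's table (§ 202.205); the
decision order follows the page's prohibited/restricted sections. Field names
and outcome labels are this example's own, not terms from the rule."""
from dataclasses import dataclass, field
from enum import Enum


class Counterparty(Enum):
    US_PERSON = "us_person"                    # outside the rule's focus
    FOREIGN_NOT_COVERED = "foreign_not_covered"
    COVERED_PERSON = "covered_person"          # includes a country of concern itself


# Bulk thresholds: a data set is "bulk" when it covers MORE THAN this many U.S. persons.
BULK_THRESHOLDS = {
    "human_genomic_data": 100,
    "biometric_identifiers": 1_000,
    "precise_geolocation_data": 1_000,
    "personal_health_data": 10_000,
    "personal_financial_data": 10_000,
    "covered_personal_identifiers": 100_000,
}

COVERED_TRANSACTION_TYPES = {
    "data_brokerage", "vendor_agreement", "employment_agreement", "investment_agreement",
}


@dataclass
class Transaction:
    transaction_type: str
    counterparty: Counterparty
    # number of U.S. persons whose data of each type the data set contains
    us_persons_by_type: dict = field(default_factory=dict)
    # government-related data is covered regardless of volume
    government_related_data: bool = False
    # contractual clause barring onward transfer to a country of concern / covered person
    onward_transfer_clause: bool = False


def bulk_types(us_persons_by_type):
    """Return the sensitive data types present in bulk (count strictly above threshold)."""
    return {
        t for t, n in us_persons_by_type.items()
        if t in BULK_THRESHOLDS and n > BULK_THRESHOLDS[t]
    }


def classify(tx):
    """Return one of: not_covered, prohibited, restricted, permitted_with_contract."""
    if tx.transaction_type not in COVERED_TRANSACTION_TYPES:
        return "not_covered"
    bulk = bulk_types(tx.us_persons_by_type)
    if not bulk and not tx.government_related_data:
        return "not_covered"      # below every bulk threshold and no government-related data
    if tx.counterparty is Counterparty.US_PERSON:
        return "not_covered"      # no country-of-concern or covered-person access involved
    if tx.transaction_type == "data_brokerage":
        if tx.counterparty is Counterparty.COVERED_PERSON:
            return "prohibited"
        # brokerage with a non-covered foreign person needs the onward-transfer clause
        return "permitted_with_contract" if tx.onward_transfer_clause else "prohibited"
    if tx.counterparty is Counterparty.FOREIGN_NOT_COVERED:
        return "not_covered"      # vendor/employment/investment rules target covered persons
    if "human_genomic_data" in bulk:
        return "prohibited"       # bulk genomic access by a covered person is prohibited outright
    return "restricted"           # allowed only if the CISA security requirements are met


if __name__ == "__main__":
    # Constructed scenarios mirroring the page's examples.
    scenarios = {
        "license health data to covered person": Transaction(
            "data_brokerage", Counterparty.COVERED_PERSON, {"personal_health_data": 50_000}),
        "IT vendor in country of concern, hospital": Transaction(
            "vendor_agreement", Counterparty.COVERED_PERSON, {"personal_health_data": 50_000}),
        "small data set, no threshold met": Transaction(
            "vendor_agreement", Counterparty.COVERED_PERSON, {"personal_health_data": 5_000}),
    }
    for name, tx in scenarios.items():
        print(f"{name}: {classify(tx)}")
```

Note that `bulk_types` uses a strict comparison, because the table says “more than” the stated count, and that government-related data short-circuits the threshold check entirely, matching the “regardless of volume” language above.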

CISA Security Requirements

The proposed security requirements require U.S. persons engaging in restricted transactions to comply with: (A) organizational and system-level requirements, such as ensuring that basic organizational cybersecurity policies, practices, and requirements are in place; and (B) data-level requirements, such as data minimization and masking, encryption, or privacy-enhancing techniques. Furthermore, data-level requirements also include:

  1. maintaining an asset inventory that is updated monthly;
  2. patching vulnerabilities on certain timelines (e.g., 14 days for known exploited vulnerabilities and 15 days for non-exploited critical vulnerabilities);
  3. documenting all vendor agreements;
  4. storing logs for covered systems for at least 12 months;
  5. applying a combination of data minimization and masking;
  6. using MFA, encryption, and cryptographic key management; and
  7. creating an allow list for specific systems by default.

In addition, entities will need to implement logical and physical access controls on covered systems to prevent covered persons from accessing the data. In practice, this will require entities to cross-reference the work locations and job responsibilities of employees and contractors (likely from their HR system) with their system access (e.g., Active Directory group membership).
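The cross-reference described above can be automated. The following is an added Python example (not from the page, CISA, or Securiti) that joins a constructed HR roster with a constructed directory-group export and flags every account that would give a person primarily resident in a country of concern access to a system holding covered data. The roster, group names, system names and the `REGION_ALIASES` table are assumptions for illustration; the country list is the one given earlier on this page. It also flags accounts that have access but no HR record, since their residence cannot be verified, which is the gap such a review most often turns up.

```python
"""Cross-reference an HR roster with directory group membership to find accounts
that would give a covered person access to a covered system. Added example; the
roster, groups and system names are constructed for illustration."""

# Countries of concern as listed on this page; Hong Kong and Macau fold into China.
COUNTRIES_OF_CONCERN = {"China", "Russia", "Iran", "North Korea", "Venezuela", "Cuba"}
REGION_ALIASES = {"Hong Kong": "China", "Macau": "China", "Macao": "China"}

# Constructed HR roster: one record per worker (employees and contractors alike).
HR_ROSTER = [
    {"user": "asmith", "residence": "United States", "role": "Nurse", "type": "employee"},
    {"user": "bchen", "residence": "Hong Kong", "role": "IT Support", "type": "contractor"},
    {"user": "cdiaz", "residence": "Venezuela", "role": "Sales", "type": "employee"},
    {"user": "dlee", "residence": "Canada", "role": "DBA", "type": "employee"},
]

# Constructed directory group membership, shaped like a group export from AD.
AD_GROUPS = {
    "GRP-EHR-Admins": ["asmith", "bchen", "dlee"],
    "GRP-CRM-Users": ["cdiaz", "asmith"],
    "GRP-Genomics-Readers": ["dlee", "svc-etl"],
    "GRP-Wiki-Editors": ["cdiaz", "bchen"],
}

# Constructed mapping from groups to the covered systems they grant access to.
# Groups absent here (for example the wiki) grant no covered-data access.
COVERED_SYSTEMS = {
    "GRP-EHR-Admins": "ehr-prod (bulk personal health data)",
    "GRP-Genomics-Readers": "genomics-lake (bulk human genomic data)",
}


def normalize_country(name):
    """Map special administrative regions onto the country the page lists."""
    return REGION_ALIASES.get(name, name)


def covered_person_accounts(roster):
    """Accounts of workers primarily resident in a country of concern."""
    return {
        r["user"] for r in roster
        if normalize_country(r["residence"]) in COUNTRIES_OF_CONCERN
    }


def find_conflicts(roster, groups, covered_systems):
    """Return sorted (user, system, reason) tuples for every access needing review."""
    known = {r["user"] for r in roster}
    flagged = covered_person_accounts(roster)
    findings = []
    for group, members in groups.items():
        system = covered_systems.get(group)
        if system is None:
            continue                      # group does not reach covered data
        for user in members:
            if user in flagged:
                findings.append((user, system, "covered person has access"))
            elif user not in known:
                findings.append((user, system, "no HR record; residence unknown"))
    return sorted(findings)


if __name__ == "__main__":
    for user, system, reason in find_conflicts(HR_ROSTER, AD_GROUPS, COVERED_SYSTEMS):
        print(f"REVIEW  {user:10s} {system:45s} {reason}")
```

With the constructed data, the check reports `bchen` (Hong Kong resident with EHR admin rights) and the `svc-etl` service account (genomics access with no HR record), while `cdiaz` is not reported because CRM access is not mapped to a covered system. In a real deployment the roster and group export would come from the HR and directory systems, and the run would be scheduled and logged so the review itself is auditable.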

The Proposed Rule also clarifies that restricted transactions are permitted only if they comply with the security requirements and the other applicable requirements for conducting restricted transactions.

Compliance Program, Audits, and Recordkeeping

For any entity engaging in restricted transactions, the Proposed Rule mandates due diligence requirements such as (i) identifying transacting parties, including the ownership, citizenship, and residence of individuals; (ii) written compliance policies and procedures for implementing security requirements; and (iii) verifying data flows in an auditable manner for any restricted transaction.

In addition, the Proposed Rule requires an independent, external audit to review annually restricted transactions and the company’s procedures. Entities engaged in restricted transactions must also maintain records for at least 10 years, including a full and accurate record of every transaction, the annual audit reports, the written policies related to their data compliance program, the identity and due diligence of the transaction parties and any associated agreements or contracts, and annual compliance certifications.

Exemptions

Several categories of transactions are exempt under the Proposed Rule. The major exemptions are:

  • Corporate Groups Transactions: The Proposed Rule exempts covered data transactions to the extent that they are: (1) between a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern; and (2) ordinarily incident to and part of administrative or ancillary business operations (such as sharing employees' covered personal identifiers for human-resources purposes; payroll transactions like the payment of salaries and pensions to overseas employees or contractors; paying business taxes or fees; purchasing business permits or licenses; sharing data with auditors and law firms for regulatory compliance; and risk management). This exemption can also be termed as “intra-entity transactions”.

Examples:

  1. A U.S. company has a foreign subsidiary located in a country of concern that conducts research and development for the U.S. company. The U.S. company sends bulk personal financial data to the subsidiary for the purpose of developing a financial software tool. The transaction is not an exempt corporate group transaction because it is not ordinarily incident to and part of administrative or ancillary business operations.
  2. A U.S. company has a foreign subsidiary located in a country of concern, and the U.S. company's U.S.-person contractors perform services for the foreign subsidiary. As ordinarily incident to and part of the foreign subsidiary's payments to the U.S.-person contractors for those services, the U.S. company engages in a data transaction that gives the subsidiary access to the U.S.-person contractors' bulk personal financial data and covered personal identifiers. This is an exempt corporate group transaction.

  • Financial Services: Transactions ordinarily incident to and part of financial services, payment processing, and regulatory compliance. Examples include banking, capital markets, or financial-insurance activities; the provision or processing of payments involving the transfer of personal financial data or covered personal identifiers for the purchase and sale of goods and services; and legal and regulatory compliance.

  • Telecommunication Services: Data transactions are exempt to the extent that they are ordinarily incident to and part of the provision of telecommunication services, including international calling, mobile voice, and data roaming. Data brokerage transactions by U.S. telecommunications providers, however, are not exempt.

  • Drug and Medical Authorizations, and Clinical Investigations: Transactions will be exempt if the transactions involve “regulatory approval data” necessary to obtain or maintain regulatory approval in a country of concern. “Regulatory approval data” consists of de-identified sensitive personal data required by a regulatory entity to research or market a drug, biological product, device, or combination product, including post-marketing studies and surveillance. It excludes data not necessary for assessing the safety and effectiveness of the drug, biological product, device, or combination product.

  • U.S. Government: Activities of the U.S. government and its contractors, employees, and grantees, such as federally funded health and research activities.

Example: A U.S. hospital receives a Federal grant to conduct human genomic research on U.S. persons. As part of that federally funded human genomic research, the U.S. hospital contracts with a foreign laboratory that is a covered person, hires a researcher that is a covered person, and gives the laboratory and researcher access to the human biospecimens and human genomic data in bulk. The contract with the foreign laboratory and the employment of the researcher are exempt transactions but would be prohibited transactions if they were not part of the federally funded research.

  • Investment Agreements: Investment agreements that are subject to mitigation or other actions that the Committee on Foreign Investment in the United States (CFIUS) explicitly designates as exempt.
  • Required by Federal Law: Transactions required or authorized by federal law or international agreements, such as the exchange of passenger manifest information, Interpol requests, and public health surveillance.

Conclusion

The DOJ's Proposed Rule is a significant advance in preventing countries of concern from illegally accessing Americans' personal data and government-related data. The rule addresses the gaps in current federal law that expose such data to exploitation by enforcing security requirements and limiting access through commercial transactions.

As the regulatory process advances, stakeholders across industries must closely monitor developments and prepare to align with the final rule’s requirements. Compliance will mitigate legal risks, reinforce national security, and foster trust in data governance practices.
