
DOJ Final Rule – Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons

Published January 1, 2025 / Updated June 16, 2025
Contributors

Usman Tariq

Data Privacy Analyst at Securiti

CIPP/US

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US


Background and History

President Biden issued Executive Order 14117, titled “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “E.O.”), on February 28, 2024, pursuant to the authority vested in the President by the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.) (NEA), and section 301 of title 3, United States Code. The E.O. seeks to limit or block certain countries of concern from accessing and collecting Americans’ sensitive personal data and United States Government-related data, because such access poses an unacceptable risk to the national security of the United States and can lead to the exploitation of sensitive data for malicious purposes.

Implementation of the E.O

Issuance of Notice of Proposed Rule Making (NPRM)

The Department of Justice (DOJ) issued a Notice of Proposed Rulemaking titled “Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (the “Proposed Rule”), dated October 29, 2024, to implement the E.O. The Proposed Rule builds on the DOJ’s March 2024 Advance Notice of Proposed Rulemaking (ANPRM).

Final Rule

The DOJ issued the final rule (the “Final Rule”) on December 27, 2024 in order to implement the E.O. The Final Rule went into effect on April 8, 2025.

Goal of the Final Rule

The Final Rule prevents U.S. persons from providing countries of concern or covered persons access to government-related data or Americans' bulk U.S. sensitive personal data through commercial data-brokerage transactions. The Final Rule also imposes security requirements on other kinds of commercial transactions, such as investment, employment, and vendor agreements, that involve government-related data or Americans' bulk U.S. sensitive personal data to mitigate the risk that a country of concern could access such data.

It is worth noting that, prior to the Final Rule, no federal legislation or rule categorically prohibited, or imposed security requirements on, U.S. persons providing countries of concern or covered persons access to sensitive personal data or government-related data through data brokerage, vendor, employment, or investment agreements.

Key Definitions Under the Final Rule

Countries of Concern

Under the Final Rule, the Attorney General has determined, with the concurrence of the Secretaries of State and Commerce, that the governments of the following six countries have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of U.S. persons, and pose a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or the security and safety of U.S. persons:

1 China (including Hong Kong and Macau)
2 Russia
3 Iran
4 North Korea
5 Venezuela
6 Cuba

Covered Persons

The Final Rule lists five ways that an entity or individual may be connected to a country of concern for the Final Rule to apply. Below is the description:

An entity is a covered person if it is a foreign person which is 50 percent or more owned, directly or indirectly, by a country of concern, or is organized or chartered under the laws of a country of concern, or has its principal place of business in a country of concern.
An entity is a covered person if it is a foreign person which is 50-percent or more owned, directly or indirectly, by a covered person.
Any foreign individual who is an employee or a contractor of such an entity or of the country of concern itself is also a covered person.
Any foreign person who is primarily a resident in the territorial jurisdiction of a country of concern is also a covered person.
Any person, wherever located, designated by the Attorney General:

  1. to be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person;
  2. to be acting or likely to act on behalf of a country of concern or a covered person; or
  3. to have knowingly caused or directed, or to be likely to knowingly cause or direct, a violation.

US Persons

A U.S. person is defined in the Final Rule as any of the following:

US citizen or national.
US lawful permanent resident.
Any individual admitted to the United States as a refugee or granted asylum.
Any person in the United States.
Any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches).

Kinds of Sensitive Data Covered

The table below lists each category of U.S. sensitive personal data, its definition, and the bulk threshold (§ 202.205) above which the Final Rule applies to the data.

Human 'omic Data
Description: Human 'omic data includes (1) human genomic data, (2) human epigenomic data, (3) human proteomic data, and (4) human transcriptomic data. The term excludes pathogen-specific data embedded in human 'omic data sets.
Threshold: More than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons.

Biometric Identifiers
Description: Measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system, and the templates created by the system.
Threshold: More than 1,000 U.S. persons.

Precise Geolocation Data
Description: Data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters.
Threshold: More than 1,000 U.S. devices.

Personal Health Data
Description: Health information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual. The term includes basic physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms, and allergies); social, psychological, behavioral, and medical diagnostic, intervention, and treatment history; test results; logs of exercise habits; immunization data; data on reproductive and sexual health; and data on the use or purchase of prescribed medications.
Threshold: More than 10,000 U.S. persons.

Personal Financial Data
Description: Data about an individual's credit, charge, or debit card, or bank account, including purchases and payment history; data, including assets, liabilities, debts, and transactions, in a bank, credit, or other financial statement; or data in a credit report or in a “consumer report”.
Threshold: More than 10,000 U.S. persons.

Covered Personal Identifiers
Description: Any listed identifier (1) in combination with any other listed identifier, or (2) in combination with other data that is disclosed by a transacting party pursuant to the transaction such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data.
Threshold: More than 100,000 U.S. persons.

The Final Rule does not impose any bulk threshold on transactions involving government-related data; a single record can be in scope. Government-related data is defined as:

  1. Precise location data for sensitive federal areas listed in § 202.1401, which the Attorney General says could harm national security if misused by a country of concern. These areas include:
    • Workplaces of federal employees or contractors in national security roles
    • Military bases
    • Other sites involved in national defense, intelligence, law enforcement, or foreign policy
  2. Sensitive personal data that is advertised or sold as being linked (or linkable) to current or recent U.S. government workers, senior officials, military personnel, or intelligence community members.

Covered Data Transactions

The Final Rule defines a “covered data transaction” as any transaction that involves any access to any government-related data or bulk U.S. sensitive personal data and that involves: (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement. The Department has determined that these categories of covered data transactions pose an unacceptable risk to U.S. national security because they may enable countries of concern or covered persons to access government-related data or bulk U.S. sensitive personal data.

Prohibited and Restricted Transactions

The Final Rule creates a two-tiered system for covered data transactions. Certain transactions (data brokerage, and transactions giving access to bulk human genomic data, described below) are prohibited outright; the remaining covered data transactions are restricted and may proceed only if the security requirements promulgated by CISA and the rule's other conditions are satisfied.

Data Brokerage Transactions

The term data brokerage means the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.

Example: A U.S. company sells bulk U.S. sensitive personal data to an entity headquartered in a country of concern. The U.S. company engages in prohibited data brokerage.

Data Brokerage Transactions Involving Potential Onward Transfer to Covered Persons or Countries of Concern

After the effective date, a U.S. person may not knowingly engage in any data brokerage transaction that gives a foreign person (who is not a covered person) access to government-related data or bulk U.S. sensitive personal data, unless:

  1. the U.S. person contractually requires the foreign person to refrain from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person; and
  2. the U.S. person reports any known or suspected violation of that contractual requirement in accordance with the Final Rule.

Example: A U.S. business knowingly enters into an agreement to sell bulk human genomic data to a European business that is not a covered person. The U.S. business is required to include in that agreement a limitation on the European business' right to resell or otherwise engage in a covered data transaction involving data brokerage of that data to a country of concern or covered person. Otherwise, the agreement would be a prohibited transaction.

Evasions, Causing Violations, and Conspiracies

Any transaction on or after the effective date that has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions set forth in the Final Rule is prohibited. Any conspiracy formed to violate those prohibitions is likewise prohibited.

Example: A U.S. data broker plans to sell bulk U.S. sensitive personal data to a foreign person residing in China, knowing they are a covered person. To evade regulations, the broker invites the individual to the U.S. to complete the transaction. Although the transaction occurs in the U.S.—where the individual is considered a U.S. person and not a covered person unless specifically designated—the arrangement is designed to bypass the rules. Because the intent is to evade the regulations, the transaction is prohibited.

Knowingly Directing Prohibited or Restricted Transactions

A U.S. person shall not knowingly direct any covered data transaction that would be a prohibited transaction, or a restricted transaction that fails to comply with the requirements of the Final Rule.

Example: A U.S. person is an officer, senior manager, or equivalent senior-level employee at a foreign company that is not a covered person, and the foreign company undertakes a covered data transaction at that U.S. person's direction or with that U.S. person's approval when the covered data transaction would be prohibited if performed by a U.S. person. The U.S. person has knowingly directed a prohibited transaction.

Genomic Data Transactions

The Final Rule prohibits any U.S. person from knowingly engaging in any covered data transaction that provides a country of concern or covered person with access to bulk U.S. sensitive personal data consisting of human genomic data, or to human biospecimens from which such data can be derived.

Restricted Transactions

The Final Rule sets forth three classes of transactions (vendor agreements, employment agreements, and investment agreements) that are prohibited unless the U.S. person entering into the transaction complies with the “security requirements” set out by the Cybersecurity and Infrastructure Security Agency (CISA) and with the compliance program, audit, and recordkeeping obligations described below.

Vendor Agreements

A vendor agreement is defined as “any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.”

Example: A U.S. company collects bulk precise geolocation data from U.S. users through an app. The U.S. company enters into an agreement with a company headquartered in a country of concern to process and store this data. This vendor agreement is a restricted transaction.

Employment Agreements

An employment agreement is any agreement or arrangement in which an individual, other than as an independent contractor, performs work or job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.

Example: A U.S. company that collects bulk U.S. sensitive personal data through its apps plans to hire a CEO designated as a covered person due to ties to a country of concern. Since the CEO would have access to all collected data, the employment agreement would be a restricted transaction.

Investment Agreements

The Final Rule defines an “investment agreement” as any agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to: (1) real estate located in the United States; or (2) a U.S. legal entity.

The definition carves out passive investments, which are exempt.

Example: A U.S. company intends to build a data center located in a U.S. territory. The data center will store bulk personal health data on U.S. persons. A foreign private equity fund located in a country of concern agrees to provide capital for the construction of the data center in exchange for acquiring a majority ownership stake in the data center. The agreement that gives the private equity fund a stake in the data center is an investment agreement. The investment agreement is a restricted transaction.

CISA Security Requirements

The security requirements published by CISA require U.S. persons engaging in restricted transactions to comply with two sets of controls on the “covered systems” that process, store, or transmit the data:

(A) Organizational and system-level requirements, which establish baseline cybersecurity hygiene. These include:

  1. maintaining an asset inventory of covered systems that is updated at least monthly;
  2. remediating vulnerabilities on set timelines (e.g., 14 days for known exploited vulnerabilities and 15 days for other critical vulnerabilities);
  3. documenting all vendor agreements;
  4. collecting and retaining logs for covered systems for at least 12 months;
  5. enforcing multi-factor authentication for access to covered systems; and
  6. configuring covered systems to deny by default, with an allow list of approved connections, hardware, and software.

(B) Data-level requirements, which limit what a covered person could obtain even if the system-level controls fail. These include applying a combination of data minimization and masking, encryption with cryptographic key management (with keys kept out of the reach of countries of concern and covered persons), privacy-enhancing techniques, and identity and access management configurations that restrict who can reach covered data.

In addition, entities must implement logical and physical access controls on covered systems so that covered persons and countries of concern cannot access the data. In practice, this requires cross-referencing each employee's and contractor's work location, primary residence, and job responsibilities (typically held in the HR system) against their actual system access (for example, Active Directory group membership), and then removing or blocking any access that the rule does not permit.

The Final Rule also makes clear that a restricted transaction is permitted only if it complies with the security requirements and the other applicable conditions for conducting restricted transactions; otherwise it is treated as prohibited.
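The HR-to-directory cross-reference described above is the kind of check an access-governance team would script. The following is an added example, not code from Securiti, DOJ, or CISA: it screens the membership of directory groups that guard covered systems against constructed HR records, using only the residence and employer tests for covered persons given in this article. Field names, group names, the use of ISO country codes, and the sample data are all assumptions; the 50-percent ownership test and Attorney General designations are not modeled and would need separate data sources.

```python
"""Screen directory group membership on covered systems against HR data to find
accounts that the Final Rule's covered-person tests would flag.

Added illustration only. Field names, group names and data are constructed;
the ownership (50 percent) test and AG designations are out of scope here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Countries of concern as listed in the article. ISO 3166-1 alpha-2 codes are an
# assumption; HK and MO are included because the rule folds them into China.
COUNTRIES_OF_CONCERN: Set[str] = {"CN", "HK", "MO", "RU", "IR", "KP", "VE", "CU"}

# Directory groups assumed to gate access to covered systems (constructed names).
COVERED_SYSTEM_GROUPS: Set[str] = {"grp-geo-prod-db", "grp-health-analytics"}


@dataclass(frozen=True)
class Worker:
    account: str            # directory account name (assumed HR field)
    worker_type: str        # "employee" or "contractor"
    residence: str          # country of primary residence (assumed HR field)
    employer_country: str   # country where the employing entity is organized
    us_person: bool         # HR flag: citizen, LPR, asylee, or located in the U.S.


def covered_person_reason(w: Worker) -> Optional[str]:
    """Return why the worker is a covered-person indicator, or None.

    Applies only the residence test and the employee/contractor-of-a-
    country-of-concern-entity test from the article. A U.S. person is not a
    covered person unless designated by the Attorney General, which is not
    modeled here.
    """
    if w.us_person:
        return None
    if w.residence in COUNTRIES_OF_CONCERN:
        return "primarily resident in a country of concern"
    if w.employer_country in COUNTRIES_OF_CONCERN:
        return f"{w.worker_type} of an entity organized in a country of concern"
    return None


def screen_access(
    workers: List[Worker], group_members: Dict[str, Set[str]]
) -> List[Tuple[str, str, str]]:
    """Cross-reference group membership with HR records.

    group_members maps a directory group to its member accounts (as an AD
    export would). Only groups in COVERED_SYSTEM_GROUPS are examined. Accounts
    with no HR record are reported too, since an orphaned account on a covered
    system cannot be shown to satisfy the access-control requirement.
    """
    by_account = {w.account: w for w in workers}
    findings: List[Tuple[str, str, str]] = []
    for group, members in group_members.items():
        if group not in COVERED_SYSTEM_GROUPS:
            continue
        for acct in sorted(members):
            worker = by_account.get(acct)
            if worker is None:
                findings.append((acct, group, "no HR record for account"))
                continue
            reason = covered_person_reason(worker)
            if reason is not None:
                findings.append((acct, group, reason))
    return findings


# Constructed sample HR roster and directory export.
WORKERS: List[Worker] = [
    Worker("alice", "employee", "US", "US", True),
    Worker("bob", "contractor", "DE", "DE", False),
    Worker("chen", "employee", "CN", "US", False),       # resident in CN
    Worker("dmitri", "contractor", "DE", "RU", False),   # employer organized in RU
    Worker("hk-ops", "employee", "HK", "HK", False),     # Hong Kong folds into CN
]
GROUPS: Dict[str, Set[str]] = {
    "grp-geo-prod-db": {"alice", "bob", "chen", "svc-legacy"},  # svc-legacy has no HR row
    "grp-health-analytics": {"dmitri", "hk-ops"},
    "grp-wiki-readers": {"chen", "hk-ops"},                     # not a covered system
}

if __name__ == "__main__":
    for account, group, reason in screen_access(WORKERS, GROUPS):
        print(f"{account:12} {group:22} {reason}")
```

Run on the sample data, the screen reports four findings: chen and hk-ops by residence, dmitri because the contracting entity is organized in Russia, and the orphaned svc-legacy account; alice (a U.S. person) and bob (a German contractor of a German entity) pass, and membership in the non-covered wiki group is ignored. In a real deployment the HR and directory inputs would come from exports of the systems of record, and the output would feed an access-removal ticket rather than a print statement.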

Compliance Program, Audits, and Recordkeeping

For any entity engaging in restricted transactions, the Final Rule mandates due diligence requirements such as (i) identifying transacting parties, including the ownership, citizenship, and residence of individuals; (ii) written compliance policies and procedures for implementing security requirements; and (iii) verifying data flows in an auditable manner for any restricted transaction.

In addition, the Final Rule requires an independent, external audit that reviews the entity's restricted transactions and its compliance procedures annually. Entities engaged in restricted transactions must also maintain records for at least 10 years, including a full and accurate record of every transaction, the annual audit reports, the written policies related to their data compliance program, the identity and due diligence of the transaction parties and any associated agreements or contracts, and annual compliance certifications.

Exemptions

Several categories of transactions have been provided exemptions under the Final Rule. The following are major exemptions:

  • Personal Communications: The Final Rule does not apply to data transactions to the extent that they involve any postal, telegraphic, telephonic, or other personal communication that does not involve the transfer of anything of value.
  • Information or Informational Materials: The Final Rule does not apply to data transactions to the extent that they involve the importation from any country, or the exportation to any country, whether commercial or otherwise, regardless of format or medium of transmission, of any information or informational materials. 
  • Travel:  The Final Rule does not apply to data transactions to the extent that they are ordinarily incident to travel to or from any country, including importation of accompanied baggage for personal use; maintenance within any country, including payment of living expenses and acquisition of goods or services for personal use; and arrangement or facilitation of such travel, including nonscheduled air, sea, or land voyages.
  • Corporate Group Transactions: The Final Rule exempts covered data transactions to the extent that they are: (1) between a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern; and (2) ordinarily incident to and part of administrative or ancillary business operations, including human resources, payroll, expense monitoring and reimbursement, and other corporate financial activities, paying business taxes or fees, obtaining business permits or licenses, sharing data with auditors and law firms for regulatory compliance, risk management, business-related travel, customer support, employee benefits, and employees' internal and external communications.

Examples:

  1. A U.S. company has a foreign subsidiary located in a country of concern that conducts research and development for the U.S. company. The U.S. company sends bulk personal financial data to the subsidiary for the purpose of developing a financial software tool. The transaction is not an exempt corporate group transaction because it is not ordinarily incident to and part of administrative or ancillary business operations.
  2. A U.S. company has a foreign subsidiary located in a country of concern, and the U.S. company's U.S.-person contractors perform services for the foreign subsidiary. As ordinarily incident to and part of the foreign subsidiary's payments to the U.S.-person contractors for those services, the U.S. company engages in a data transaction that gives the subsidiary access to the U.S.-person contractors' bulk personal financial data and covered personal identifiers. This is an exempt corporate group transaction.
  • Financial Services: Transactions ordinarily incident to and part of financial services, payment processing, and regulatory compliance. Examples include banking, capital markets, or financial-insurance activities; the provision or processing of payments involving the transfer of personal financial data or covered personal identifiers for the purchase and sale of goods and services; and legal and regulatory compliance.
  • Telecommunications Services: Data transactions are exempt to the extent that they are ordinarily incident to and part of the provision of telecommunications services, including international calling, mobile voice, and data roaming. Data brokerage transactions by U.S. telecommunications providers, however, are not exempt.
  • Drug and Medical Authorizations, and Clinical Investigations: Transactions will be exempt if the transactions involve “regulatory approval data” necessary to obtain or maintain regulatory approval in a country of concern. “Regulatory approval data” consists of de-identified sensitive personal data required by a regulatory entity to research or market a drug, biological product, device, or combination product, including post-marketing studies and surveillance. It excludes data not necessary for assessing the safety and effectiveness of the drug, biological product, device, or combination product.
  • Official Business of the U.S. Government: The Final Rule does not apply to data transactions to the extent that they are for the conduct of the official business of the United States Government by its employees, grantees, or contractors; any authorized activity of any United States Government department or agency (including an activity that is performed by a Federal depository institution or credit union supervisory agency in the capacity of receiver or conservator); or transactions conducted pursuant to a grant, contract, or other agreement entered into with the United States Government. Example: A U.S. hospital receives a Federal grant to conduct human genomic research on U.S. persons. As part of that federally funded human genomic research, the U.S. hospital contracts with a foreign laboratory that is a covered person, hires a researcher that is a covered person, and gives the laboratory and researcher access to the human biospecimens and human genomic data in bulk. The contract with the foreign laboratory and the employment of the researcher are exempt transactions but would be prohibited transactions if they were not part of the federally funded research.
  • Investment Agreements: Investment agreements that are subject to mitigation or other actions that the Committee on Foreign Investment in the United States (CFIUS) explicitly designates as exempt.
  • Required by Federal Law: Transactions required or authorized by federal law or international agreements, such as the exchange of passenger manifest information, Interpol requests, and public health surveillance.

Conclusion

The DOJ's Final Rule is a significant advance in preventing countries of concern from accessing Americans' personal data and government-related data. The rule addresses the gaps in prior federal law that exposed such data to exploitation by enforcing security requirements and limiting access through commercial transactions.

With the rule now in effect, stakeholders across industries must closely monitor enforcement and further guidance and align their data transactions, vendor and employment arrangements, and access controls with the Final Rule’s requirements. Compliance will mitigate legal risk, reinforce national security, and foster trust in data governance practices.
