On December 27, 2024, the US Department of Justice (DOJ) issued a final rule establishing a new national security program to prevent access to Americans’ bulk sensitive personal data and government-related data by China (including Hong Kong and Macau), Russia, Venezuela, and other countries of concern. The rule implements President Biden’s February 28, 2024 Executive Order 14117 and addresses public comments received in response to the DOJ’s March 5, 2024 Advance Notice of Proposed Rulemaking and October 29, 2024 Notice of Proposed Rulemaking.
The final rule restricts — and in some instances prohibits — US persons from engaging in certain types of data brokerage, vendor agreements, employment agreements, and investment agreements with six “countries of concern” and “covered persons” related to those countries. Similar to the Outbound Investment Security Program, which took effect on January 2, 2025, the rule is designed to fill a perceived gap in US national security regimes, in this case to prevent the exploitation of US data for malicious cyber-enabled activities, malign foreign influence activities, or other illicit purposes, such as blackmail and espionage.
The rule takes effect on April 8, 2025, with affirmative due diligence, reporting, and auditing requirements taking effect on October 6, 2025.
* * *
The rule identifies classes of prohibited, restricted, and exempt transactions, as well as the countries of concern and covered persons to which the prohibitions and restrictions apply; establishes processes for licensing and advisory opinions; imposes recordkeeping, auditing, reporting, and other compliance requirements; and provides for enforcement mechanisms that include civil and criminal penalties. The rule also introduces a new US restricted-party list, the Covered Persons List. Key terms and provisions are summarized below.
Key Terms
US persons. The rule imposes obligations on (1) US citizens, lawful permanent residents, refugees and asylees; (2) entities organized solely under US law (along with their foreign branches, but not foreign subsidiaries); and (3) persons physically located in the United States, regardless of nationality.
Covered persons. The rule designates six countries of concern — China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela — and restricts or prohibits covered data transactions (defined below) with (1) foreign entities owned 50% or more by, organized within, or having a principal place of business in a country of concern; (2) foreign individuals primarily resident in a country of concern; (3) persons or entities designated on a to-be-published DOJ Covered Persons List; (4) foreign entities owned 50% or more by a covered person; and (5) foreign employees or contractors of a country of concern or of a covered entity.
By definition, US persons (see above) are not covered persons, unless designated on the Covered Persons List.
Bulk US sensitive personal data. The rule identifies several categories of “sensitive personal data” (including human ‘omic data, biometric identifiers, precise geolocation data, personal health data, personal financial data, and so-called “covered personal identifiers”) along with corresponding “bulk” thresholds ranging from 100 to 100,000 US persons or devices. Data that has been anonymized, pseudonymized, de-identified, or encrypted remains subject to the rule.
The sensitive personal data categories capture a wide range of data. For instance, covered personal identifiers include combinations of government IDs, names, contact information, device and network identifiers (e.g., MAC addresses, advertising IDs, IP addresses, and cookie IDs), account authentication data, and demographic data such as birth date and birthplace. A single identifier on its own is not a covered personal identifier; it is the combination of two listed identifiers, or of a listed identifier with other sensitive personal data, that is captured.
See Appendix for further detail on the categories of bulk US sensitive personal data.
Government-related data. A separate data category, which is not subject to a volume threshold, includes (1) sensitive personal data marketed as linked or linkable to current or former employees, contractors, or senior officials of the US federal government; and (2) precise geolocation data for sensitive locations or geographical areas (as identified by geographic coordinates in the rule).
Covered data transaction. A transaction that involves access by a covered person to bulk US sensitive personal data or government-related data — including a transaction involving the mere ability to obtain or view such data — through one of the following (unless exempted or authorized, as explained below):
- Data brokerage: the sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data (in which the recipient did not directly collect the data)
- Vendor agreement: the exchange of goods or services, including cloud-computing services, for payment
- Employment agreement: the performance of work by an individual in exchange for payment or consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level
- Investment agreement: the exchange of payment or consideration for an interest in US real estate or a US legal entity, subject to exceptions for certain passive investments
The prohibitions on data brokerage could be far-reaching. For example, placement of tracking pixels in a mobile app or website constitutes data brokerage if the pixels transfer or provide access to government-related data or bulk US sensitive personal data. Unlike state data broker laws, which apply only to businesses that sell data collected from third parties, the DOJ rule applies even if the disclosing party itself collected the data directly from relevant individuals.
Prohibited Transactions
The rule prohibits US persons from knowingly engaging in:
- A covered data transaction involving data brokerage with a country of concern or covered person
- Any transaction involving data brokerage with any foreign person, absent certain contractual protections requiring the foreign person to (i) refrain from subsequent covered data transactions involving data brokerage of such data with a country of concern or covered person and (ii) report known or suspected violations of the contractual requirement
- A covered data transaction — whether through data brokerage or a vendor, employment, or investment agreement — involving access to bulk human ‘omic data or human biospecimens from which bulk human ‘omic data could be derived
- Any transaction with the purpose of evading or violating these prohibitions
US persons, including officers or employees of foreign companies, are also prohibited from knowingly directing any covered data transaction by a foreign person that, if engaged in by a US person, would be a prohibited transaction (including a restricted transaction that fails to comply with the rule).
Restricted Transactions and Security Requirements
US persons may engage in non-prohibited covered data transactions — i.e., those involving vendor, employment, or investment agreements (but not data brokerage or bulk human ‘omic data) — only if the US person maintains a sufficient data compliance program (as described in the rule), implements “security requirements” published by the Cybersecurity and Infrastructure Security Agency (CISA), and conducts annual compliance audits. Absent these safeguards, such covered data transactions by a US person would also be prohibited.
The CISA security requirements, published concurrently with the final rule, are based on aspects of existing cybersecurity frameworks and guidance, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the NIST Privacy Framework, and CISA’s Cross-Sector Cybersecurity Performance Goals. As such, the requirements are consistent with the controls and procedures that CISA recommends critical infrastructure entities voluntarily implement to meaningfully address cybersecurity risks.
The security requirements are categorized as (1) Organizational- and System-Level and (2) Data-Level. They require US persons to maintain a cybersecurity policy (including an inventory of data-related assets and an incident response plan); implement logical and physical access controls; conduct a data risk assessment (including a mitigation strategy to prevent covered persons and countries of concern from accessing the covered data); and apply a combination of data-level requirements (such as data minimization, masking, or encryption) to prevent access to covered data by countries of concern or covered persons, among other requirements. Because anonymized, pseudonymized, de-identified, and encrypted data remain within the rule's scope, these data-level controls do not take a transaction out of the rule; they are conditions for engaging in a restricted transaction.
Exemptions and Authorizations
The rule exempts several categories of transactions that would otherwise be prohibited or restricted, although some remain subject to reporting and recordkeeping requirements:
US government contracts and grants. The rule exempts official business of the US government; activities authorized by any federal department or agency; and transactions conducted pursuant to a grant, contract, or other agreement with the US government (but not necessarily all activities undertaken in connection with the contract).
Drug development; regulatory approval. The rule exempts certain transactions (involving de-identified or pseudonymized data) that are necessary to obtain or maintain regulatory approval for a drug, biological product, medical device, or combination product, such as submissions to a country of concern’s regulatory authority. US persons must comply with the rule’s special recordkeeping and reporting requirements for these transactions.
In addition to exemptions under federally funded grants or contracts, the rule also permits certain transactions (involving de-identified or pseudonymized data) ordinarily incident to and part of clinical investigations and post-marketing surveillance, including FDA-regulated clinical investigations, clinical investigations that support FDA applications, and the collection or processing of real-world performance data or post-marketing surveillance data necessary for FDA authorizations.
Financial services. The rule exempts transactions “ordinarily incident to and part of” the provision of financial services, including data transfers pertaining to e-commerce and other purchases/sales of goods and services; banking, investment-management, and financial-insurance services; trading and underwriting of securities, commodities, and derivatives; payment processing services; and financial activities authorized under national banking laws.
Passive investments; CFIUS action. Investment agreements between a US person and covered person that meet all of the following characteristics of a passive investment are not covered data transactions:
- The investment is made (1) into a publicly traded security, (2) into a security offered by an SEC-registered investment company (e.g., index funds, mutual funds, or exchange traded funds) or an SEC-regulated business development company, or (3) as a limited partner into a venture capital fund, private equity fund, fund of funds, or other pooled investment fund, or private entity;
- The investment gives the covered person less than 10% of the US person’s voting and equity interests; and
- The investment gives no rights to the covered person beyond standard minority shareholder protections. Nonstandard rights that would remove this exemption include, among others, the ability to nominate or appoint board members or observers, or involvement in substantive business decisions, management, or strategy of the US person.
Also exempt are investment agreements for which CFIUS has imposed mitigation conditions or taken certain other actions. Transactions notified to CFIUS, even if they are cleared with no further action, remain subject to the DOJ rule.
Other exemptions include certain transactions relating to administrative functions within a corporate group (e.g., between a US person and its foreign subsidiary); the provision of telecommunications services; personal communications; the exchange of information or informational materials; compliance with US law or international agreements; or personal travel activities.
The DOJ may issue general licenses authorizing additional classes of transactions; parties may also request a specific license authorizing a particular transaction.
Reporting and Recordkeeping
Rejected prohibited data brokerage transactions. US persons that have received and affirmatively rejected (including automatic rejections using software, technology, or automated tools) an offer from another person to engage in a prohibited data brokerage transaction are required to submit a report to the DOJ’s National Security Division within 14 days of rejecting the transaction.
Annual reports for certain restricted transactions. US persons that are owned 25% or more by a country of concern or a covered person and engaged in a restricted transaction involving cloud-computing services must file an annual report (by March 1) regarding transactions during the prior calendar year.
Recordkeeping. US persons must maintain records regarding transactions subject to the rule for 10 years, with additional requirements for US persons engaging in restricted transactions (including records of its data compliance program, compliance with CISA security requirements, and the results of annual audits).
Questions to Assess Potential Obligations
US persons should evaluate whether their activities may be prohibited or restricted as of April 8, 2025, and, if so, whether additional compliance measures will be required as of October 6, 2025.
The questions below are intended to help US persons identify potential coverage under the rule.
- Does the US person collect or maintain bulk US sensitive personal data or government-related data?
- Does the US person have (or expect to have) employment and vendor agreements with countries of concern or covered persons, including officers or directors of the US person? If so, could the employee/vendor relationship involve access to the US person’s data systems or oversight of such data?
- Is the US person contemplating an investment agreement with a country of concern or covered person?
- Does the US person engage in any data brokerage, including with foreign persons that are not covered persons? For example, does the US person license, sell, or otherwise transfer data to any third parties that did not collect the data?
- Is there an exemption that applies to the US person’s business or industry? For example, life sciences companies engaged in multinational clinical trials or drug development should consider the extent to which their activities may be exempt (even if still subject to recordkeeping and reporting obligations).
- Is the US person owned 25% or more by a country of concern or covered person? If so, does it engage in “restricted transactions” involving cloud-computing services that may trigger the annual reporting requirement?
- Does the US person need to implement (or update) its data compliance program, including with respect to annual security audits? What additional measures would the US person need to implement to meet the CISA security requirements?
- If the answer to any of the above questions is “yes,” who specifically at the US person/company will be responsible for ensuring compliance with the new rule?
Appendix: Bulk US Sensitive Personal Data Categories and Government-Related Data

| Data Category | “Bulk” Threshold |
| --- | --- |
| Human genomic data (i.e., nucleic acid sequences constituting a set or subset of genetic instructions in a human cell, including individual “genetic test” results and any related genetic sequencing data) | More than 100 US persons |
| Human epigenomic, proteomic, and transcriptomic data (excluding certain routine clinical measurements for individualized patient care purposes and pathogen-specific data embedded in human ‘omic data sets) | More than 1,000 US persons |
| Biometric identifiers (i.e., measurable physical characteristics or behaviors used to recognize or verify the identity of an individual) | More than 1,000 US persons |
| Precise geolocation data (i.e., data identifying the physical location of an individual or a device with a precision of within 1,000 meters) | More than 1,000 US devices |
| Personal health data (e.g., physical or mental health; payment for healthcare services; physical measurements and health attributes; social, psychological, behavioral, and medical history; test results; logs of exercise habits; immunization data; data on reproductive and sexual health; data on the use or purchase of prescribed medications) | More than 10,000 US persons |
| Personal financial data (e.g., data relating to credit/debit cards or bank accounts, including purchases and payment history; data in a bank, credit, or financial statement, including assets, liabilities, debts, or trades in a securities portfolio; data in a credit report or consumer report) | More than 10,000 US persons |
| Covered personal identifiers (one of the “listed identifiers” described under Key Terms above, in combination with another listed identifier or with other sensitive personal data) | More than 100,000 US persons |
| Government-related data (as defined under Key Terms above) | No minimum threshold |
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
- Richard L. Matheny III, Partner (/en/people/m/matheny-iii-richard)
- Jacob R. Osborn, Partner, Co-Chair, Global Trade (/en/people/o/osborn-jacob)
- Justin C. Pierce, Partner (/en/people/p/pierce-justin)
- Peter M. Marta, Partner (/en/people/m/marta-peter)
- Omer Tene, Partner (/en/people/t/tene-omer)
- Carrie E. Miller, Counsel (/en/people/m/miller-carrie)