New Rule Protecting Sensitive Data from Foreign Threats Now in Effect
Summary
- New U.S. rule restricts data transfers involving foreign adversaries (e.g., China, Russia) to protect national security.
- Protected personal and proprietary data includes PII, biometric, genomic, geolocation, health, and financial data.
- Especially impacted sectors include higher education, healthcare, finance, tech, telecom, and data brokers.
- Rule puts focus on compliance needs, such as risk assessments, vendor due diligence, access controls, and reporting to BIS.
- Non-compliance may lead to blocked deals, penalties, and liability.
Issued By: U.S. Department of Commerce – Bureau of Industry and Security (BIS)
Effective Date: July 8, 2025
The U.S. government has officially implemented a new rule aimed at protecting sensitive personal and proprietary data from foreign adversaries, marking a significant shift in national data security policy. This action stems from longstanding concerns over the access to and misuse of Americans’ data by foreign intelligence entities and hostile actors.
What the Rule Does
- Restricts U.S. data transactions involving "foreign adversaries" deemed national security threats (e.g., China, Russia, Iran, North Korea).
- Applies to large-scale data transfers that involve personally identifiable information (PII), genomic data, geolocation, biometric identifiers, and health or financial records.
- Authorizes the Commerce Department to block or unwind transactions that present “undue or unacceptable risk” to national security.
- Targets data brokers, cloud providers, and third-party processors, particularly those selling or transmitting bulk sensitive data overseas.
Parties Affected
- Universities and Research Institutions: Especially those conducting international collaborations, hosting foreign students, or using offshore cloud/data services.
- Healthcare, Finance, Tech, and Telecom Firms: Companies managing large datasets may face new vetting, compliance, and reporting requirements.
- Data Brokers and SaaS Providers: Any U.S. entity sharing sensitive personal data with foreign entities must re-evaluate vendor relationships and data flows.
Key Requirements
- Conduct foreign risk assessments for cross-border data transfers.
- Implement strict vendor due diligence and review of foreign ownership, influence, or access (FOCI).
- Develop data segmentation and access control systems to prevent unauthorized foreign access.
- Report certain data transactions to BIS under the new compliance protocols.
Enforcement Risks
Failure to comply may result in:
- Blocked transactions
- Monetary penalties
- National security reviews
- Civil or criminal liability
Recommended Actions
- Audit cross-border data transfers, especially involving cloud services, academic research, or student records.
- Review contracts and data-sharing agreements for exposure to foreign-controlled entities.
- Update internal data governance policies in line with national security guidance.
- Engage legal/compliance counsel to interpret the rule’s application to your operations.
Conclusion
This new data security rule underscores the growing link between data privacy and national security. U.S. institutions—especially in education, research, healthcare, and tech—must act quickly to ensure compliance and protect against regulatory and reputational risk.
For further guidance, consult the full BIS rule at www.bis.doc.gov and the Justice Department Fact Sheet about the rule.
Our Global Business Practice
Kegler Brown’s Global Business practice is equipped to handle the complexities of cross-border strategy across numerous industries. Our services are broad and our experience is deep, helping clients manage mergers and acquisitions, pursue and defend international disputes, and create frameworks for global intellectual property management. For companies looking to enter the U.S. market, we provide strategic advice on inbound investments; we also assist businesses in navigating foreign markets and unique regulatory landscapes.
Led by Global Business practice leader Vinita Mehra, the team has experience that extends to forming strategic alliances, ensuring trade compliance, and adhering to GDPR requirements and other international data responsibility standards.
For questions about how the new data protection rule applies to or might affect your business, contact Vinita at vmehra@keglerbrown.com.
