The DOJ’s Final Rule Protecting U.S. Data is Now Effective - Implementing E.O. 14117: Preventing Access to U.S. Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern or Covered Persons
Smart Summary
- The Final Rule restricts common transactions that may otherwise regularly occur as part of ordinary business, and it includes detailed requirements related to vendor, employment, and non-passive investment agreements.
- The Final Rule prohibits certain data brokerage and many other transactions where defined countries of concern (China, Cuba, Iran, North Korea, Russia, and Venezuela) or covered persons have access to certain data.
- The DOJ final rule became effective April 8, 2025, with many restrictions and requirements effective immediately, and some detailed reporting and other compliance requirements becoming effective October 6, 2025.
- On April 11th, the DOJ provided additional time for entities and individuals to come into compliance, announcing they would not prioritize civil enforcement actions for violations occurring between April 8 and July 8, 2025, as long as good faith efforts are being taken to comply with or come into compliance during that time.
- All businesses should (i) review and modify their contracts and internal security processes and (ii) familiarize themselves with the Final Rule’s contractual, due diligence, reporting, recordkeeping, audit, and other requirements to comply with the rule and avoid civil and criminal penalties.
The Final Rule
On December 27, 2024, the U.S. Department of Justice (“DOJ”) issued its final rule (the “Final Rule”) implementing President Biden’s Executive Order 14117 on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (the “EO”). The Final Rule was published in the Federal Register and became effective on April 8, 2025.
The EO also directed the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) to develop security requirements that apply to the classes of restricted transactions identified in the Final Rule. This article focuses on certain core concepts in the Final Rule, but note that CISA issued those security requirements on January 3, 2025, and they are incorporated by reference in the Final Rule.
In general, the Final Rule prohibits U.S. persons from knowingly engaging in certain transactions that give a country of concern, or a covered person (including certain entities with ownership ties to a country of concern, residents of such a country, and other persons so designated), access to “bulk sensitive personal data” or “U.S. government-related data.” The Final Rule classifies data transactions into three groups: (a) prohibited, (b) restricted, and (c) exempt. A prohibited or restricted transaction may nonetheless be permitted if the U.S. person satisfies the applicable requirements and relies on a general or specific written license issued by the DOJ. Compliance generally requires adhering to strict due diligence, auditing, security, and reporting requirements.
Prohibited Transactions
No U.S. person may knowingly engage in
- A covered data transaction involving data brokerage with a country of concern or covered person;
- Any covered data transaction involving data brokerage with any other foreign person that gives that foreign person access to government-related data or bulk U.S. sensitive personal data, UNLESS the U.S. person follows the Final Rule’s contractual and reporting requirements for such transactions; or
- A covered data transaction with a country of concern or covered person that involves certain access to human ‘omic data or to certain human biospecimens.
Any transaction that has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions is also prohibited.
Restricted Transactions
No U.S. person may knowingly engage in or direct a covered data transaction with a country of concern or covered person involving a
- Vendor Agreement;
- Employment Agreement; or
- Investment Agreement.
These transactions may not be engaged in UNLESS the U.S. person complies with the CISA security requirements for restricted transactions and all other applicable requirements, including, among others, developing and implementing a data compliance program.
Exempt Transactions
The Final Rule includes a list of defined exempt transactions and services. The exemptions are narrow and may only apply to the extent the applicable data transaction involves certain listed elements. These concepts require careful analysis. At a high level, exemptions may be available for certain data transactions to the extent involving:
- Personal Communications (postal, telegraphic, telephonic, etc.)
- Telecommunications Services
- Information or Informational Materials
- Transactions Ordinarily Incident to Travel
- Official Business of the U.S. Government
- Financial Services
- Corporate Group Transactions (transactions between a U.S. person and its subsidiary or affiliate located in a country of concern and ordinarily incident to administrative or listed ancillary business operations)
- Transactions Required or Authorized by Federal Law or International Agreements, or Necessary for Compliance with Federal Law
- Investment agreements subject to a CFIUS action
- Drug, Biological Product, and Medical Device Authorizations
- Other clinical investigations and post-marketing surveillance data
After reviewing comments on the topic, the DOJ expressly stated that anonymized data itself can present a national security risk, and it declined to exempt anonymized, aggregated, de-identified, or encrypted data.
Types of Data Covered
The Final Rule covers two main categories of data – “bulk sensitive personal data” and “U.S. government-related data.”
1. Bulk Sensitive Personal Data
There are six categories of sensitive personal data that could be exploited by a country of concern to harm U.S. national security if the data is linked or linkable to any identifiable U.S. individual or to a discrete and identifiable group of U.S. persons. The six categories of “sensitive personal data” are: covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal financial data, and personal health data, or any combination of these.
“Bulk” in “bulk sensitive personal data” refers to a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable threshold below.
| Data Type | Bulk Threshold | DOJ Final Rule Section |
|---|---|---|
| Human Genomic Data | More than 100 U.S. persons | (subpart of Human ‘omic Data) |
| Human ‘omic Data | More than 1,000 U.S. persons | |
| Biometric Identifiers | More than 1,000 U.S. persons | |
| Precise Geolocation Data | More than 1,000 U.S. devices | |
| Personal Health Data | More than 10,000 U.S. persons | |
| Personal Financial Data | More than 10,000 U.S. persons | |
| Covered Personal Identifiers | More than 100,000 U.S. persons | |
2. U.S. Government-Related Data
U.S. government-related data is any precise geolocation data, regardless of volume, for any location the Attorney General has determined may be exploited by a country of concern to reveal insights about that location, or about activities or populations there. It also includes any sensitive personal data, regardless of volume, that is marketed as linked or linkable to current or former U.S. Government employees and certain other individuals.
Among other examples expressly provided, the DOJ states that the following are U.S. government-related data: “a U.S. company advertises the sale of a set of sensitive personal data as belonging to ‘active duty’ personnel,” “military personnel who like to read,” “‘DoD’ personnel,” “government employees,” or “communities that are heavily connected to a nearby military base.”
Implications for Global Businesses
The Final Rule is effective April 8, 2025, with certain compliance and reporting obligations effective on October 6, 2025.
However, on Friday, April 11, 2025, the DOJ announced its implementation and enforcement policy, indicating that its National Security Division (“NSD”) will not prioritize civil enforcement actions against any person for violations of the Data Security Program that occur from April 8 through July 8, 2025, so long as that person is engaging in good faith efforts to comply with or come into compliance with the Data Security Program during that time. Good faith efforts include the compliance activities described in the policy, such as amending or renegotiating existing contracts, conducting internal reviews of data flows, and implementing the CISA security requirements.
In the announcement, the DOJ states that at the end of the 90-day period, individuals and entities should be in full compliance with the Data Security Program. The policy does not limit NSD’s lawful authority and discretion to pursue civil enforcement against entities and individuals that did not engage in good faith efforts to comply with, or come into compliance with, the Data Security Program.
To comply with the implementation and enforcement policy and the Final Rule, businesses should review existing contracts; identify the sensitive personal data they hold and who has access to it; identify prohibited and restricted transactions; implement the necessary security and record-retention practices; and familiarize themselves with the due diligence, audit, reporting, and recordkeeping requirements and their deadlines. By way of example, organizations that rely on vendors for customer service, infrastructure, or security services or tools, or that have employees or other operations overseas, may need to analyze the related potential obligations. Proactive measures will be crucial for navigating this new regulatory landscape and safeguarding national security.
The Final Rule establishes enforcement mechanisms that include both civil and criminal penalties. Any person who violates the Final Rule or knowingly and willfully makes any materially false statements may be subject to fines and imprisonment.
If you need to know more about the implications of the EO or Final Rule, or to consult on this issue, contact Vinita Mehra.
