The U.S. Department of Justice (“DOJ”) released final guidance on its new regulatory regime governing transactions involving certain sensitive data of U.S. persons and government‑related data and countries of concern. On December 27, 2024, the DOJ issued a Final Rule implementing President Biden’s Executive Order (“E.O.”) that seeks to limit foreign adversaries’ ability to access, collect, and purchase data that can be exploited for malicious purposes. The regulation will be a game changer for U.S. companies that collect sensitive data and transfer, share, or sell that data to non-U.S. entities, as they now have just 90 days from the Rule’s publication in the Federal Register to comply with almost all of the new requirements. For example, the Final Rule requires all U.S. companies that sell or provide access to bulk U.S. sensitive data or government-related data to have a provision in their contracts with all non‑U.S. business partners prohibiting the subsequent transfer of that data to a country of concern or covered person.
I. Final Rule Developments
II. Why This Is Significant
III. Overview of Regulatory Regime
A. Countries of Concern and Covered Persons
B. Data Categories
C. Prohibited and Restricted Transactions
D. Exemptions
E. Program Mechanics
IV. Outlook
I. Final Rule Developments
The Final Rule largely tracks the DOJ’s October 29, 2024 Notice of Proposed Rulemaking (“NPRM”). However, notable changes or additions in the Final Rule include:
Definition Changes
- amending the definition of ownership to make clear that aggregated majority ownership of a foreign entity by one or more countries of concern is sufficient to constitute a “covered person,” which aligns the definition more closely with the Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) 50-percent rule;
- expanding the sensitive personal data category of “human genomic data” to “human ’omic data,” which now includes three additional types of data: epigenomic, proteomic, and transcriptomic;
- narrowing the definition of “personal health data” to information that indicates, reveals, or describes the health condition of an individual;
- expanding the list of geofenced locations related to precise geolocation information for government data;
Exemption Clarifications
- clarifying instances in which a transaction is exempt because it is incident to the provision of financial services;
- clarifying how the corporate group transaction exemption applies to foreign subsidiaries;
Compliance Updates
- referencing a revised version of the security requirements from the Cybersecurity and Infrastructure Security Agency (“CISA”) that will apply to a “restricted transaction”;
- providing general guidance about the sufficiency of compliance programs;
- clarifying that the regulations impose Know-Your-Data and Know-Your-Customer obligations;
- allowing independent, internal auditors to conduct the audits required for a “restricted transaction”;
- extending the compliance deadline for certain reporting requirements to 270 days after publication in the Federal Register;
Program Enhancements
- previewing the creation of a mechanism for the voluntary self-disclosure of violations;
- considering whether a general or wind-down license may be appropriate to facilitate implementation of the regulations (e.g., to allow the amendment of existing contracts); and
- promising to issue additional compliance and enforcement guidelines.
The regulations will go into effect on April 8, 2025.
II. Why This Is Significant
This new regime is a dramatic policy shift for the United States, which has long resisted restrictions on cross-border transfers of personal information and has no comprehensive privacy law or regulations. This regime will impact individuals and companies who are U.S. persons or that operate within the United States, respectively, if they sell or otherwise make available certain sensitive U.S. data within the program’s ambit. In practice, this new regulatory regime is likely to upend routine business decisions and make certain conduct potentially unlawful.
- Data Access, U.S.-Person Status, and Work Location Matter: The regime does not just regulate the sale of sensitive data; it regulates who can have access to the data, including employees, vendors, investors, and senior personnel, and how entities must protect information implicated by the regime. Violations also depend upon the U.S.-person status and location of individuals who access sensitive data—facts potentially difficult to ascertain.
- Asset Inventories, Data Mapping, and Know-Your-Customer Expectations: Entities that collect information from U.S. persons will need asset and data inventories, as well as Know-Your-Customer/vendor guidelines, to scrutinize where their data goes, how it gets there, who has access to it, and how it is protected. And these entities may need to revamp compliance, diligence, and Know-Your-Customer and Know-Your-Vendor programs to meet these new requirements.
- New Security Requirements: The regulations impose new cyber and data security requirements on entities that engage in restricted transactions, which include: updating asset inventories monthly, patching known exploited vulnerabilities within 45 days, implementing multifactor authentication on all covered systems, retaining relevant logs for 12 months, applying an allowlist by default, annually updating key policies (e.g., Incident Response Plan, Data Deletion/Retention), and meeting detailed encryption requirements.
- Reporting Requirements: The Final Rule requires U.S. companies to affirmatively report to the DOJ within 14 days of when they receive and reject an offer from another person to engage in a prohibited transaction, or when they become aware that a non-U.S. business subsequently made their sensitive data available to a covered person. This requirement will not go into effect until 270 days after the Final Rule is published in the Federal Register.
- Compliance Requirements for All: U.S. companies that engage in transactions with U.S. sensitive data must be sure to have a contract provision with all non-U.S. business partners prohibiting the subsequent transfer of that data to a covered person. Further, for U.S. companies who engage in restricted and prohibited transactions, the additional compliance requirements are significant. In the Final Rule, the DOJ declined to endorse specific compliance practices and instead suggested that companies take “reasonable measures” to develop compliance programs tailored to their unique risk profiles, considering factors like their size and sophistication, types of products and services offered, and geographic location. Among other things, the DOJ expressed approval for companies leveraging existing privacy and data security programs, possibly using commercially available screening software, and instituting regular reviews to ensure foreign counterparts comply with contract restrictions and Know-Your-Data/Customer requirements.
- Enforcement Is Real: The program will be administered by the DOJ, which can pursue civil and criminal penalties.
III. Overview of Regulatory Regime
The new regime, which builds on previous executive orders,[1] establishes a regulatory program (hereafter, the “Bulk Sensitive Data Regulatory Program” or “Program”) to prevent certain transfers of, and access to, sensitive data of U.S. persons and sensitive U.S. government data to foreign countries that are considered a national security threat. The United States will now join dozens of other jurisdictions, including the EU Member States and China, in limiting the cross‑border transfer of certain types of information.
The Bulk Sensitive Data Regulatory Program has been established pursuant to the president’s authorities under the International Emergency Economic Powers Act (“IEEPA”). It is intended to prevent foreign adversaries from: (1) collecting and purchasing sensitive data of U.S. persons or sensitive U.S. government data through legal means; (2) collating, leveraging, and exploiting that information with artificial intelligence and data analytics; and (3) using that information to facilitate malicious purposes such as cyber operations, espionage, and transnational repression. The Program will not regulate all cross-border data flows from the United States; rather, it will block certain transfers and condition others.
The Bulk Sensitive Data Regulatory Program will apply generally to transactions of specific types of bulk sensitive U.S. data involving “covered persons” linked to six countries of concern. The Final Rule clarifies that only those transactions that involve “access by a country of concern or covered person” are implicated in the regime, but “access” is defined broadly, and the regulations apply even if the sensitive data is anonymized, pseudonymized, de-identified, or encrypted. These transactions will be regulated based on the nature and volume of data, although for transactions involving sensitive U.S. government data, there is no volume requirement. The Program contemplates a two-tiered system regulating data transactions:
(1) transactions that are prohibited, and
(2) transactions that are restricted, which may proceed subject to the security requirements promulgated by CISA.
A. Countries of Concern and Covered Persons
The Bulk Sensitive Data Regulatory Program is intended to cover transactions with certain counterparties (“covered persons”) that are connected to six countries identified as “countries of concern”—China (including Hong Kong and Macau), Russia, Iran, North Korea, Venezuela, and Cuba.[2] As shown in the graphic below, the Rule lists five ways that an entity or individual may be connected to a country of concern for the regulations to apply. Of note, the Final Rule’s definition of a covered person now includes entities with 50% ownership “individually or in the aggregate” by a country of concern. The new language reflects the Department’s intent for the rule to be applied in a similar manner to OFAC’s 50% rule. The DOJ also warns that companies should be cautious of transactions in which a covered person attempts to evade the regulations by holding an ownership interest just below 50%, holds a significant minority ownership interest, or otherwise retains rights that typically exceed minority shareholder protections.
The Program also allows the Attorney General to designate specific persons linked to or acting on behalf of these countries of concern. Such designated individuals would be on a public list.[3] Critically, a person or entity need not be designated to be subject to the Program.
As in the NPRM, the Final Rule makes clear that the Program will not apply to data transactions involving entities or persons that have connections to the United States. For example, citizens of countries of concern who reside in the United States would not be considered a covered person unless they were individually designated by the Attorney General. Of particular interest for most U.S. companies, any U.S. entity that is organized under the laws of the United States and has a foreign branch in a country of concern is considered to be a U.S. person. However, if a U.S. parent company has a subsidiary organized under the laws of a country of concern, even if the subsidiary is also organized under U.S. law, the subsidiary is considered a foreign person while the parent company is considered a U.S. person.
B. Data Categories
The Bulk Sensitive Data Regulatory Program would regulate two types of data.
1. Sensitive Personal Data: The Final Rule defines six categories of U.S. sensitive personal data to be regulated: (i) human ’omic data, (ii) biometric identifiers, (iii) precise geolocation data, (iv) personal health data, (v) personal financial data, and (vi) covered personal identifiers. A regulated transaction must be with a covered person, involve one or more of the six types of sensitive personal data, and exceed certain volume thresholds detailed in the graphic below.
2. Government-Related Data: Transactions with covered persons involving any government‑related data, which is defined as (a) data relating to enumerated government geolocations or (b) data marketed as linked or linkable to government employees and contractors, will be prohibited, regardless of volume. The Final Rule includes a list of more than 700 geofenced areas near government facilities that fall within this category, with the DOJ noting that more locations will be added.
C. Prohibited and Restricted Transactions
The Program creates a two-tiered system for transactions covered by the regulations. Certain types of transactions with a country of concern or covered person are prohibited regardless of the type of data; other data transactions are restricted and could proceed if the security requirements promulgated by CISA are satisfied. Companies engaged in restricted transactions are also subject to data compliance program requirements, independent annual audits, and recordkeeping requirements.
1. Prohibited Data Transactions
- Data-Brokerage Transactions: Data-brokerage transactions with a country of concern or covered person are prohibited. “Data brokerage” is defined as the sale or transfer of data from any person to a recipient that did not collect or process the data directly from the individual to whom the data relates. For example, if a U.S. organization maintains bulk personal health data and licenses that data to a covered person, the license would constitute a prohibited transaction. But even if a data‑brokerage transaction does not involve a covered person, the Final Rule, like the NPRM, also prohibits “onward” transactions by placing an affirmative obligation on U.S. persons involved in data-brokerage transactions to contractually prohibit any foreign-person counterparty from subsequently selling the same data to a covered person, and to report any known or suspected violations to the DOJ. Of note, the Final Rule also clarifies that data-sharing platforms are not exempt from this prohibition.
- Bulk Human ’Omic Data: Transactions with a country of concern or covered person that involve bulk human ’omic data or human biospecimens from which such data can be derived are also prohibited.
2. Restricted Data Transactions
- Vendor Agreements: A vendor agreement is defined as an agreement for goods or services, including cloud-computing services, in exchange for payment. For example, if a U.S. company collects bulk precise geolocation data from U.S. users on a mobile app and enters into an agreement with a covered person to process and store the data, the U.S. company would be engaging in a restricted transaction.
- Employment Agreements: An employment agreement is any agreement or arrangement for employment (not for independent contractors), including on a board of directors or committee. For example, an app provider that collects bulk sensitive personal information and intends to hire an executive who is a covered person and would have access to that data could be engaging in a restricted transaction.
- Investment Agreements: An investment agreement is any agreement in which a person obtains direct or indirect ownership of a U.S. legal entity or real estate in the United States. The DOJ provided an example of a restricted transaction: a foreign private equity fund, located in a country of concern, agrees to provide capital for the construction of a data center for a U.S. company that stores sensitive data in exchange for acquiring a majority ownership stake in the data center.
i. Security Requirements
Soon after publication of the Final Rule, CISA released revised security requirements that will apply to restricted transactions, including any sharing or access with a covered vendor, employee, or investor. These security requirements fall into (1) organizational and system-level requirements and (2) data-level requirements, and together they include:
- maintaining an asset inventory that is updated monthly;
- patching vulnerabilities on certain timelines (e.g., 45 days for known exploited vulnerabilities);
- documenting all vendor agreements;
- storing logs for covered systems for at least 12 months;
- applying a combination of data minimization and masking;
- using MFA, encryption, and cryptographic key management; and
- creating an allowlist for specific systems by default.
In addition, entities will need to implement logical and physical access controls on covered systems to prevent covered persons from accessing the data. In practice, this will require entities to cross‑reference the work locations and job responsibilities of employees and contractors (likely from their HR system) with those individuals’ system access (e.g., Active Directory entitlements).
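The cross-referencing described above, as an added example that is not code from the article, the DOJ, or CISA: it joins a constructed HR roster with constructed access records and flags accounts a compliance reviewer must act on. The system names, entity names, role allowlist, and the “designated” flag are assumptions made for illustration.

```python
"""Added example, not code from the article, the DOJ, or CISA: join an HR roster
with system-access records, as the article says entities will need to do, and flag
accounts a compliance reviewer must act on. All records and names are constructed."""
from dataclasses import dataclass

# The six countries of concern in the Final Rule (Hong Kong and Macau count as China).
COUNTRIES_OF_CONCERN = {"China", "Hong Kong", "Macau", "Russia", "Iran",
                        "North Korea", "Venezuela", "Cuba"}
# Constructed: counterparties organized in or controlled from a country of concern.
ENTITIES_IN_COUNTRIES_OF_CONCERN = {"Shenzhen Analytics Ltd"}
# Constructed: systems holding bulk sensitive personal data, each with the job
# roles permitted to hold access (the "allowlist by default" control).
COVERED_SYSTEM_ROLE_ALLOWLIST = {
    "geo-pipeline-prod": {"data-engineer", "sre"},
    "health-records-db": {"data-engineer", "clinical-ops"},
}

@dataclass(frozen=True)
class Person:
    account: str
    citizenship: str
    location: str       # residence / work location from the HR system
    employer: str       # entity that employs or contracts the person
    role: str           # job responsibility from the HR system
    designated: bool = False  # assumed flag: on the Attorney General's public list

@dataclass(frozen=True)
class Access:
    account: str
    system: str

def is_covered_person(p: Person) -> tuple[bool, str]:
    """Individual-level tests in order: designation, location in a country of
    concern, employment by an entity there. Citizenship alone is never a basis:
    a citizen of a country of concern residing in the U.S. is not covered."""
    if p.designated:
        return True, "individually designated by the Attorney General"
    if p.location in COUNTRIES_OF_CONCERN:
        return True, f"located in {p.location}"
    if p.employer in ENTITIES_IN_COUNTRIES_OF_CONCERN:
        return True, f"employed by {p.employer}, an entity in a country of concern"
    return False, "not a covered person (citizenship alone is not a basis)"

def review_access(people, accesses):
    """Return (account, system, finding) for every access to a covered system that
    is held by a covered person, by an account with no HR record, or by a role
    outside the system's allowlist. Accesses to other systems are out of scope."""
    roster = {p.account: p for p in people}
    findings = []
    for a in accesses:
        allowed_roles = COVERED_SYSTEM_ROLE_ALLOWLIST.get(a.system)
        if allowed_roles is None:
            continue
        p = roster.get(a.account)
        if p is None:  # cannot be tied to a location or employer at all
            findings.append((a.account, a.system, "no HR record for this account"))
            continue
        covered, why = is_covered_person(p)
        if covered:
            findings.append((a.account, a.system, f"covered person: {why}"))
        if p.role not in allowed_roles:
            findings.append((a.account, a.system, f"role '{p.role}' not on allowlist"))
    return findings

# Constructed sample input: bo is a citizen of China residing in the U.S. (not
# covered); chen works from a third country for an entity in a country of concern.
PEOPLE = [
    Person("alice", "United States", "United States", "ExampleCo Inc.", "data-engineer"),
    Person("bo", "China", "United States", "ExampleCo Inc.", "sre"),
    Person("chen", "China", "Singapore", "Shenzhen Analytics Ltd", "data-engineer"),
    Person("dmitri", "Russia", "Russia", "ExampleCo Inc.", "data-engineer"),
    Person("eve", "United States", "United States", "ExampleCo Inc.", "marketing"),
]
ACCESSES = [Access("alice", "geo-pipeline-prod"), Access("bo", "geo-pipeline-prod"),
            Access("chen", "health-records-db"), Access("dmitri", "geo-pipeline-prod"),
            Access("eve", "health-records-db"), Access("svc-backup", "health-records-db"),
            Access("eve", "wiki")]  # "wiki" is not a covered system

if __name__ == "__main__":
    for account, system, finding in review_access(PEOPLE, ACCESSES):
        print(f"{account:10} {system:18} {finding}")
```

Running the review over the sample data yields four findings (chen, dmitri, eve, and the orphaned svc-backup account) and none for alice or bo, which is the point of the article’s caution that citizenship alone does not make someone a covered person.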
ii. Compliance Program, Audits, and Recordkeeping
For any entity engaging in restricted transactions, the Final Rule mandates due diligence requirements such as: (1) identifying transacting parties, including the ownership, citizenship, and residence of individuals; (2) creating written compliance policies and procedures for implementing security requirements; and (3) verifying data flows in an auditable manner for any restricted transaction.
In addition, the Rule requires an annual audit of restricted transactions and the company’s procedures. The DOJ clarified in the Final Rule that U.S. persons can use either internal or external auditors so long as the auditor is independent. Entities engaged in restricted transactions must also maintain records for at least 10 years, including: a full and accurate record of every transaction (a requirement that also applies to those engaged in prohibited transactions), the annual audit reports, the written policies related to their data compliance program, the identity and due diligence of the transaction parties and any associated agreements or contracts, and annual compliance certifications.
The DOJ also provided an extended compliance period (270 days from publication of the Rule in the Federal Register) for U.S. companies to file annual reports if they are engaged in restricted transactions involving cloud-computing services and 25% or more of the company is owned by a country of concern or covered person.
D. Exemptions
Several categories of transactions will be exempt from these regulations, including:
- Financial Services: Transactions ordinarily incident to and part of financial services, payment processing, and regulatory compliance. Examples include banking, capital markets, trading and underwriting of securities, commodities, and derivatives, or financial‑insurance services; the provision or processing of payments involving the transfer of personal financial data or covered personal identifiers for the purchase and sale of goods and services; and legal and regulatory compliance. The Rule includes additional examples about how this exemption applies.
- Corporate Group Transactions: Transactions between a U.S. entity and a subsidiary or affiliate located in a country of concern and “ordinarily incident to and part of ancillary business operation” (such as human resources and payroll). For example, if a U.S. company sends bulk sensitive data to a subsidiary in a country of concern for the purpose of developing a software tool, it is not an exempt transaction. In contrast, if a U.S. company sends bulk sensitive data to a foreign branch located in a country of concern, it would satisfy the corporate group transaction exemption because the foreign branch would be considered part of the U.S. company. In the latter scenario, however, if covered persons employed by the foreign branch have access to the sensitive data, it would be a restricted transaction.
- Telecommunication Services: Data transactions ordinarily incident to and part of the provision of voice and data communications services are exempt. Data brokerage transactions, however, by U.S. telecommunications providers are not exempt.
- Drug and Medical Authorizations and Clinical Investigations: Transactions will be exempt if the transactions involve “regulatory approval data” necessary to obtain or maintain regulatory approval in a country of concern. “Regulatory approval data” consists of de‑identified sensitive personal data required by a regulatory entity to research or market a drug, biological product, device, or combination product, including post-marketing studies and surveillance. It excludes data not necessary for assessing safety and effectiveness.
- U.S. Government: Activities of the U.S. government and its contractors, employees, and grantees, such as federally funded health and research activities.
- CFIUS-Mitigated Investment Agreements: Investment agreements that are subject to mitigation measures or other actions by the Committee on Foreign Investment in the United States (“CFIUS”) are exempt.
- Passive Investment Agreements: An investment agreement with a covered person is exempt as “passive” if it (a) is for less than 10%; (b) is made in publicly traded securities, index funds, or mutual funds, or as a limited partner in an investment fund; and (c) does not give the covered person rights beyond those reasonably considered to be standard minority shareholder protections.
- Required by Federal Law: Transactions required or authorized by federal law or international agreements, such as the exchange of passenger manifest information, Interpol requests, and public health surveillance.
These carveouts are meant to ensure that cross‑border commercial data flows are not impacted by the Program, in line with the Administration’s expressed goal of ensuring that the United States remains a global economic leader and protector of cross‑border data flows.
E. Program Mechanics
The Program’s structure and definitions will be modeled on existing U.S. regulations based on IEEPA, such as those administered by OFAC. Like those programs, the Bulk Sensitive Data Regulatory Program establishes a process for the DOJ to issue general and specific licenses. Of note, the DOJ advised in the Final Rule that general licenses will be issued only in rare circumstances. However, the DOJ did leave open the possibility that it may issue general or wind‑down licenses at the outset to facilitate implementation of the Rule. To supplement general and specific licenses, the DOJ will also issue advisory opinions in response to requests, similar to the DOJ’s Foreign Agent Registration Act and Foreign Corrupt Practices Act regulatory programs.
The Program will also require U.S. entities to report within 14 days (1) any received and rejected offers from persons to engage in prohibited data brokerage transactions and (2) any awareness that a non-U.S. business partner subsequently made the U.S. entities’ sensitive U.S. data available to a covered person. The DOJ will likely use these reports for investigative purposes to identify entities engaging in prohibited transactions or seeking sensitive data of U.S. persons.
Once Program enforcement begins in April 2025, individuals who fail to comply with its prohibitions or conditions could face civil and criminal penalties. Before enforcement ramps up, the DOJ is expected to issue (1) additional compliance and enforcement guidance, and (2) guidance about how the Department will assess voluntary self-disclosures about possible violations of the Rule.
IV. Outlook
Key takeaways from this announcement include:
- The clock is now ticking. Companies have just 90 days to comply with almost all of this dramatic policy shift. Given the complexity of the rule and the transactions being regulated, the time to assess the readiness of compliance programs and the regulation’s impact on agreements with non-U.S. vendors, employees, and investors is now.
- Compliance programs will need to be revamped—or overhauled—soon. Current export compliance, sanctions, and data privacy compliance programs may not adequately deal with the new framework. Organizations will need to examine: (1) the types of information they collect, (2) the entities or individuals to which they sell or with whom they share that information, and (3) the entities or individuals involved in data collection and processing. Entities should ensure that compliance programs are updated accordingly.
- The Program does not just regulate the sale of sensitive data; it regulates who can access data. Although the Program is not intended to prevent all transactions with countries of concern or covered persons that involve the data of U.S. persons, the Program casts a wide net. Given the broad categories of covered data and transactions, parties will need to understand (1) whether they engage with sensitive data and (2) who has access to that data, including members of the board of directors, investors, third-party vendors, and affiliates.
- Intra-company data flows and access should be scrutinized. The Program restricts intra‑entity data transfers (i.e., transfers between affiliates or foreign branches)—but only certain types. The Rule exempts corporate group transactions to the extent that they are: (1) between a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, or jurisdiction) a country of concern; and (2) ordinarily incident to and part of administrative or ancillary business operations (e.g., sharing sensitive personal data for human resources purposes, payroll transactions, etc.). Companies with operations or affiliates in countries of concern will need to assess their operations and data access to determine if they are engaging in activities that may now be unlawful.
- Citizenship and location of individuals who access data may be the basis for liability. Citizens of countries of concern who reside in the United States are not covered by the Program unless individually designated, and citizens of countries of concern located in third countries will not automatically be treated as covered persons, either. But if a U.S. company hires an employee who is a covered person and that individual has access to sensitive bulk data, that could be considered a restricted transaction. The nuance to this framework is important; the Rule’s requirements do not flow from citizenship alone.
- The enforcement risk is real. Rather than setting up the program in Treasury or Commerce, the E.O. tasked the DOJ with establishing a licensing process to authorize otherwise prohibited transactions and enforce violations. This means that the DOJ is expected to use its investigative tools and experience to identify and enforce violations, and the DOJ appears prepared to do so. Ultimately, the U.S. government will now have a powerful new tool that can be adapted and expanded.
The Bulk Sensitive Data Regulatory Program is a transformative addition to the U.S. government’s growing set of tools aimed at blocking foreign adversaries’ access to Americans’ sensitive data. It is critical to recognize that this new regime is not limited to the sale of bulk data—it is focused on the transfer of and access to such data. Now that the regime is finalized, we expect that the DOJ will not hesitate to employ these new authorities.
Please join us for our webinar “How the New Rules on Bulk Data Will Impact Your Company” on February 12, 2025, for additional thought leadership on this topic.
Emilee Karr, an associate in our Washington, D.C. office, contributed to the writing of this article.
[1] See Executive Order 13873, Securing the Information and Communications Technology and Services Supply Chain (May 15, 2019); Executive Order 14034, Protecting Americans’ Sensitive Data from Foreign Adversaries (June 9, 2021).
[2] These are the same six countries that are covered by the Department of Commerce’s information and communications technology and services regulations.
[3] This public list would be similar to the U.S. Treasury Department’s Office of Foreign Assets Control’s Specially Designated Nationals and Blocked Persons list.