The U.S. Department of Justice (“DOJ”) final rule implementing Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern) (the “Rule”) becomes effective (for the most part) on Tuesday 8 April 2025. Some affirmative due diligence and audit requirements are not effective until Monday 6 October 2025.
As the title suggests, the Rule regulates transactions between US persons (i.e. individuals and/or organizations) and persons in specific countries – or, in some cases, foreign persons in the US – which involve access to sensitive personal data. Some transactions are prohibited altogether, while some are allowed subject to restrictions.
What are the Penalties for Violation of the Rule?
Violations of the Rule can result in civil fines of up to $368,136 or twice the amount of the transaction, whichever is greater. A person who willfully commits, willfully attempts to commit, or aids and abets the commission of a violation may, on conviction, face criminal penalties of a fine of up to $1,000,000 and/or imprisonment of up to 20 years.
What Does the Rule Restrict?
The Rule relates to “covered data transactions”, meaning any transaction involving “access” by a “country of concern” or “covered person” to any government-related data or “bulk” US “sensitive personal data” that involves data brokerage, a vendor agreement, an employment agreement, or an investment agreement. We have defined the key terms below.
The main prohibitions and restrictions in the Rule are:
- A prohibition (§ 202.301) on knowingly engaging in covered data transactions involving data brokerage between US persons and a country of concern or covered person.
- A restriction (§ 202.401) on knowingly engaging in covered data transactions involving:
  - a vendor agreement (defined at § 202.258),
  - an employment agreement (defined at § 202.217), or
  - an investment agreement (defined at § 202.228),

  each with a country of concern or covered person, requiring organizations to comply with certain security, due diligence and audit requirements.

  The relevant security standards are the Cybersecurity and Infrastructure Security Agency (CISA) Security Requirements for Restricted Transactions (E.O. 14117 Implementation, January 2025), which are published on the CISA website and are largely based on requirements in the NIST Cybersecurity and Privacy Frameworks and CISA’s Cross-Sector Cybersecurity Performance Goals.
- A prohibition (§ 202.302) on knowingly engaging in data brokerage transactions involving access by any foreign person (i.e. not limited to countries of concern or covered persons) to US bulk sensitive personal data, unless the US person:
  - contractually requires that the foreign person refrain from engaging in subsequent covered data transactions involving data brokerage of the same data with a country of concern or covered person; and
  - reports any known or suspected violation of this contractual requirement within 14 days of becoming aware of it (including the specific details set out in the Rule).
- A prohibition (§ 202.303) on knowingly engaging in any covered data transaction with a country of concern or covered person that involves access by that country of concern or covered person to bulk sensitive personal data involving bulk “human ‘omic data”, or to human biospecimens from which bulk human ‘omic data could be derived.
- A prohibition (§ 202.305) on US persons knowingly directing any covered data transaction that would be a prohibited transaction, or a restricted transaction that fails to comply with the requirements of the Rule, if engaged in by a US person. This specifically addresses individual officers, senior managers or other senior-level employees who are US persons and who make decisions on behalf of an organization that is not a US person (e.g. a foreign company).
The prohibitions and restrictions are subject to certain exceptions, which we have set out below.
The definition of “covered data transaction” does not specify that the country of concern or covered person must be a party to the transaction. Combined with the broad definition of “access”, organizations should take into account subcontractors to their counterparties, as well as other third parties who may access sensitive personal data or government-related data as part of a transaction.
In addition to regulating the prohibited and restricted transactions described above, the Rule also requires that, if a US person engages in any data brokerage transaction involving access by any foreign person (i.e. not limited to countries of concern or covered persons) to US bulk sensitive personal data, the US person must:
- Contractually require the foreign person to refrain from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person.
- Report any known or suspected violation of the contractual requirement to the DOJ within 14 days of becoming aware of such known or suspected violation.
Definitions
The current “countries of concern” are China (which expressly includes Hong Kong and Macao), Cuba, Iran, North Korea, Russia and Venezuela. However, countries can be added to or removed from this list.
A “covered person” is any of the following (the paragraph numbers are those cross-referenced within the definition):

1. a foreign entity 50% or more owned (directly or indirectly) by one or more countries of concern or persons described in paragraph 2;
2. a foreign entity 50% or more owned (directly or indirectly), individually or in the aggregate, by one or more persons described in paragraphs 1, 3, 4 or 5;
3. a foreign individual who is an employee or contractor of a country of concern or of an entity described in paragraphs 1, 2 or 5;
4. a foreign individual who is primarily resident in the territorial jurisdiction of a country of concern (i.e. this excludes citizens of countries of concern located in the US); or
5. any person, wherever located, determined by the Attorney General (i) to be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction of a country of concern or covered person; (ii) to act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or (iii) to have knowingly caused or directed, or to be likely to knowingly cause or direct, a violation of the Rule.
“Access” has a broad definition, which includes the ability to obtain, read or view data, as well as to receive it in any form. It is determined without regard for the application or effect of any security requirements.
“Sensitive personal data” in this context includes data which has been anonymized, pseudonymized, de-identified or encrypted. This is unusual – under most data protection and privacy laws, anonymized (and often de-identified) data is carved out from the definition of personal data.
Whether data is accessed in “bulk” will depend on the numeric threshold for the category of data, but it applies to any amount of sensitive personal data that meets or exceeds the relevant threshold at any point in the preceding 12 months – either in one transaction or aggregated across multiple transactions involving the same US person and the same foreign or covered person. The thresholds are as follows:
| Category of sensitive personal data | Threshold |
|---|---|
| Human ‘omic data (defined in § 202.224) | More than 1,000 US persons (or, for human genomic data, more than 100 US persons) |
| Biometric identifiers (defined in § 202.204) | More than 1,000 US persons |
| Precise geolocation data (defined in § 202.242) | More than 1,000 US devices (note: devices, not persons) |
| Personal health data (defined in § 202.241) | More than 10,000 US persons |
| Personal financial data (defined in § 202.240) | More than 10,000 US persons |
| Covered personal identifiers (defined in § 202.212) | More than 100,000 US persons |
| Any collection or set of data containing more than one of the categories above, or any listed identifier linked to the categories above (“combined data”) | Where any individual data type in the set meets the threshold number of US persons / devices (collected or maintained in the aggregate) of the category above with the lowest threshold |
The prohibitions and restrictions relate to “knowingly” engaging in certain types of transaction. This means either that a person has actual knowledge, or that they reasonably should have known.
Can You Rely on Any Exceptions?
Subparts C (Prohibited Transactions), D (Restricted Transactions), J (Due Diligence and Audit Requirements) and K (Reporting and Recordkeeping Requirements), other than § 202.1102 (Reports to be furnished on demand) and § 202.1104 (Reports on rejected prohibited transactions), do not apply to data transactions:
- to the extent that they are ordinarily incident to and part of the provision of financial services (examples of which are provided at § 202.505).
- to the extent that they are between a US person and its subsidiary or affiliate located in a country of concern (or otherwise subject to their ownership, direction, jurisdiction or control), provided that they are ordinarily incident to and part of administrative or ancillary business operations (e.g. HR, payroll and employee benefits, tax, business permits, business travel, employee communications). This does not exempt all intra-group transfers from the Rule – examples are given at § 202.506 which clarify when a transaction would not be ordinarily incident to and part of administrative or ancillary business operations.
- to the extent that they involve an investment agreement that is subject to a CFIUS action (i.e. certain agreements or conditions entered into or imposed by the Committee on Foreign Investment in the United States to resolve a national security risk, as further defined in § 202.207).
- to the extent that they are ordinarily incident to and part of the provision of telecommunications services (except if they involve data brokerage).
- that involve “regulatory approval data” and are necessary to obtain or maintain regulatory authorization or approval to research or market a drug, biological product, device or combination product, provided that the US person complies with specific recordkeeping and reporting requirements.
- in specific circumstances related to FDA authorization or regulated activities (see § 202.511).
The DOJ also has the ability to issue general or specific licenses authorizing transactions that would otherwise be subject to the prohibitions or restrictions of the Rule. A license must be issued before the transaction takes place; licenses cannot retroactively authorize a transaction that has already occurred.
What Can You Do to Comply?
There are several steps organizations should take to ensure they are compliant with the new Rule, including:
- Updating vendor due diligence processes to identify:
  - involvement of covered persons, foreign persons and/or countries of concern,
  - whether the transaction involves sensitive personal data,
  - whether the transaction includes data brokerage, and
  - whether it would be a prohibited or restricted transaction.
- Implementing transfer impact assessment processes to demonstrate compliance with the Rule. Many organizations will have a process in place specifically for international transfers from the United Kingdom and European Economic Area, which can be adapted for the US.
- Reviewing existing arrangements with foreign counterparties (including intra-group arrangements) to identify any risk of prohibited or restricted transactions. In our experience, the most likely of these will be agreements with entities in China, particularly Hong Kong.
- Updating standard vendor contracts or data processing agreements to require that vendors are not and do not become covered persons (e.g. by requiring that personal data is not processed in the specified countries of concern). Bortstein Legal Group’s standard template Privacy Exhibits have already been updated to specifically prohibit transfers to the countries of concern.
- Where you identify any covered data transactions, follow these additional compliance steps:
  - conduct additional due diligence which complies with § 202.1001 (including verifying and logging the types and volumes of data involved in the transaction, and maintaining written policies describing the data compliance program and the implementation of the security requirements);
  - ensure the contract includes obligations to comply with the CISA security standards;
  - ensure the contract includes audit provisions which comply with § 202.1002; and
  - perform annual audits to confirm adherence to the CISA security standards (note that including an audit provision is not sufficient to comply; the audits must actually take place).
- Where you identify any data brokerage transactions, ensure a contract is executed that includes the mandatory contractual restrictions on subsequent transactions.
QUESTIONS?
If you require assistance identifying whether you are subject to the Rule, or in ensuring that your transactions are compliant, please contact Benjamin Ross (Global Head of Privacy & Cybersecurity), Jessica Vautier (Senior Associate) or Julian Conway (Senior Associate) in Bortstein Legal Group’s Privacy team.