January 6, 2025

Export of Sensitive Personal Data: US Department of Justice Issues Final Rule to Regulate


On December 27, 2024, the Department of Justice (DOJ) released a Final Rule, Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons. The Final Rule (“Rule”) will take effect 90 days from the date of its publication in the Federal Register, with certain affirmative due diligence, reporting, and auditing requirements taking effect 270 days after publication. The Rule establishes a new national security program regulating foreign access to US government-related data and bulk US sensitive personal data as directed by Executive Order 14117 in March 2024, first contemplated in DOJ’s Advance Notice of Proposed Rulemaking (ANPRM) in March 2024 (which we analyzed in a Legal Update), and further detailed in DOJ’s Notice of Proposed Rulemaking (NPRM) in October 2024 (which we also analyzed in a Legal Update).

In the Rule, DOJ made limited revisions to the NPRM, focused mostly on clarifying the application of certain definitions, fixing minor inconsistencies, and adding examples. From the commentary, it is clear that DOJ rejected almost all comments focused on easing the burdens of complying with the Rule, explaining that such suggestions would not sufficiently mitigate the national security risks that make the Rule necessary. In some instances, DOJ’s commentary also provides helpful clarification on certain topics despite there being no corresponding changes to the text of the Rule. Below we provide a summary of the Rule, key clarifications on and changes from the NPRM, and suggestions for next steps for entities that may be affected by the Rule.

Summary of the Final Rule

Under the Rule, certain categories of transactions between US persons and persons and entities with a nexus to China or other countries of concern1 and involving several broad categories of data (including precise geolocation, biometric, human ‘omic, health, and financial data; personal identifiers; and government-related data) will either be:

  • Prohibited outright; or
  • Permitted only if the US person:
    • Complies with certain security requirements (i.e., “restricted transactions”); or,
    • In unique and unlikely circumstances, obtains a license from DOJ.

In addition, US persons engaging in restricted transactions are required to adhere to certain due diligence, recordkeeping, reporting, and audit requirements.

The Rule outright prohibits US persons from “knowingly” engaging in or directing:

  • Any data-brokerage transaction involving covered data with a covered person or country of concern;
  • Any other form of covered data transaction2 involving access to bulk human ‘omic data or to human biospecimens from which bulk human ‘omic data could be derived; and
  • Covered data transactions involving other forms of covered data with covered persons or countries of concern unless certain security requirements3 are implemented that either:
    • Allow access only to an appropriately mitigated version of the data; or
    • Completely deny countries of concern and covered persons access to the data itself.

For a more detailed explanation of the mechanics and elements of the Rule (which remain largely unchanged from the NPRM), refer to our Legal Update on the NPRM.

Clarifications and Changes in the Final Rule

  • Prospective Application: DOJ clarified that the Rule applies to covered data transactions engaged in on or after the effective date, regardless of whether they are conducted pursuant to agreements that pre-exist the Rule. For existing agreements that become subject to the requirements in § 202.302 (concerning data brokerage transactions with any foreign person), DOJ is considering whether to issue a wind-down license that would allow a country of concern or covered person to access bulk US sensitive personal data or government-related data after the Rule becomes effective, while any contractual terms are renegotiated.
  • Covered Persons: DOJ changed the 50-percent rule language in § 202.211(a)(1) and (2) to more closely match OFAC’s 50-percent rule language, because DOJ intends for the rules “to generally be applied in a similar manner.” DOJ noted that this version of the language will capture, as was originally intended, “indirect ownership as it relates to certain complex ownership structures—such as where two covered persons each own minority stakes in a subsidiary, but their aggregate ownership meets or exceeds the 50-percent threshold—consistent with OFAC’s implementation of the 50-percent rule.” DOJ also made other technical corrections to the definition, which did not alter the scope of the criteria for “covered persons.”
  • Sensitive Personal Data: DOJ made several significant clarifications and changes involving the scope of sensitive personal data covered by the rule. DOJ:
    • Clarified that a “biometric identifier” includes raw data, as opposed to just data that has been processed with specific technologies. In other words, even if a database of fingerprints or retinal scans is not processed through a system for identification purposes, the underlying data is within the Rule’s scope.
    • Clarified that an IP address itself qualifies only as a “listed identifier” and not “precise geolocation data” (even though many IP addresses can be geolocated within a kilometer). In other words, a set of IP addresses alone is not “sensitive personal data.”
    • Added three types of human ‘omic data (in addition to human genomic data) to the scope of the rule: epigenomic data, proteomic data, and transcriptomic data. Like transactions involving bulk human genomic data, transactions with covered persons involving these types of human ‘omic data are prohibited outright.
    • Revised the definition of “human biospecimens” to exclude human biospecimens intended by a recipient solely for use in diagnosing, treating, or preventing any disease or medical condition.
    • Revised the definition of “sensitive personal data” to exclude metadata related to expressive information and informational materials (e.g., geolocation data embedded in digital photographs) from the scope of the Rule.
  • Government-Related Data: DOJ added hundreds of new locations to the Government-Related Location Data List, including commonly known Department of Defense sites and installations. DOJ also revised the definition of “sensitive personal data” to clarify that each category of sensitive personal data—including precise geolocation data, which is a key part of the government-related data definition—excludes publicly available data, which was unclear from the NPRM.
  • Access: DOJ fixed a confusing interplay between the definition of “access” in the NPRM and in the Cybersecurity and Infrastructure Security Agency’s (CISA) security requirements. A commenter pointed out that application of the security requirements (for restricted transactions) may deny “access” such that the transaction no longer remains a covered data transaction. DOJ revised the definition of “access” to clarify that, in determining whether a transaction is a covered data transaction, access is determined without regard to the effect of any security requirements.
  • Data Brokerage: Although DOJ declined to narrow the definition of “data brokerage,” it revised the definition to exclude investment agreements, employment agreements, and vendor agreements (i.e., “restricted transactions” for purposes of the Rule).
  • Investment Agreement: DOJ adopted a 10-percent “de minimis” threshold for total voting and equity interest in excluded passive investments. In other words, a passive investment (one meeting the other requirements of the exclusion set forth in § 202.228(b)) will be excluded from the meaning of “investment agreement” so long as it gives the covered person less than 10 percent in total voting and equity interest in a US person. In response to a commenter’s suggestion, DOJ also modified the requirements of the investment agreement exclusion for passive investments to include limited partner investments into private entities.
  • “Knowingly” Standard: DOJ clarified that, with respect to incorporating the “knowingly” standard, US persons are “not responsible for conduct, circumstances, or results that they could not reasonably have known about.”
  • Security Requirements: DOJ and CISA both clarified that restricted transactions may move forward (and that covered persons may have some form of access to covered data), provided that such access is consistent with a risk mitigation strategy that “prevents access to covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology by covered persons and/or countries of concern, taking into consideration the likelihood of disclosure and the likelihood of harm based on the nature of the transaction and the data at issue, to include potential data misuse and associated consequences.” This can be accomplished “by applying a sufficient combination of data-level techniques (such as pseudonymization, de-identification, aggregation, and/or encryption, as outlined in the security requirements) that either allow access to an appropriately mitigated version of the data or [bolded for emphasis] directly deny countries of concern and covered persons access to the data itself, in conjunction with implementing the organizational and system level requirements.”
  • Audits: DOJ revised the audit requirements for persons engaging in restricted transactions so that the audit no longer has to be conducted by an “external” source. However, internal audits still must be sufficiently independent. DOJ cautioned in the commentary that external audits often provide more effective and comprehensive assessments than internal audits. DOJ intends to provide additional guidance on the requirements for a sufficiently independent audit.
  • Voluntary Self Disclosure (VSD): In response to a comment encouraging DOJ to adopt a VSD mechanism for violations of the Rule, DOJ stated that it intends to publish compliance and enforcement guidance, which will likely address how the department would assess VSD.

Next Steps

Companies that may be impacted by the Rule should take steps now to ensure they are in compliance once the Rule comes into effect. As noted above, the Rule will come into effect 90 days after publication in the Federal Register, with certain compliance requirements for restricted transactions coming into effect 270 days after publication. While DOJ plans to publish additional guidance (including FAQs) on compliance with the Rule, companies and other entities can take the following steps to ensure they are prepared once the Rule comes into effect:

1. Know your data: Companies, with assistance from counsel, should examine the Rule closely to understand impacted categories of data and then map the types/quantities of data they process that may be in scope. Keeping a data inventory or other record of the organization’s data assets is crucial for maintaining compliance. In the commentary of the Rule, DOJ states that it “expects companies know their data when they are dealing in government-related data and bulk U.S. sensitive personal data. Companies choosing to engage in these categories of data transactions can and should have some awareness of the volume of data they possess and in which they are transacting.”

2. Examine contracts and prepare accordingly: Companies should examine existing contractual agreements (e.g., data brokerage, employment, investment, vendor) implicating covered data (even if not explicitly), which may require modification or, in some instances, termination. This includes agreements governing intracompany access to data. Prepare for the eventualities of replacing vendors or moving certain operations across borders.

3. Ensure compliance with CISA’s security requirements for restricted transactions: Information technology and security groups should work with data owners and counsel to ensure that all security requirements are implemented, maintained, and documented.

4. Develop or adjust existing compliance programs as needed: Companies engaging in restricted transactions will need to ensure they follow the Rule’s due diligence, compliance, recordkeeping, auditing, and reporting requirements. Acknowledging that different internal organizations may already conduct similar functions, it may be best to designate a single point of contact (or lead organization) to assign and track various requirements across groups, as needed. The lead should also create documentation (e.g., checklists, decision trees), initiate regular communications between responsible organizations, and develop training for employees with roles that necessitate familiarity with the Rule.


1 Countries of concern include China, Cuba, Iran, North Korea, Russia, and Venezuela.

2 A covered data transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk US sensitive personal data and that involves (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement.

3 https://www.cisa.gov/sites/default/files/2025-01/Security_Requirements_for_Restricted_Transaction-EO_14117_Implementation508.pdf
