On December 30, 2024, the US Department of Justice (“DOJ”) issued a Final Rule intended to prevent certain countries from exploiting specific categories of sensitive personal data and government data. The Final Rule will become effective on April 8, 2025 without any further executive or regulatory action needed from the new Trump Administration. The Final Rule represents a novel approach to the national security concerns related to sensitive personal and government data that mixes elements of US sanctions, foreign investment review, and cybersecurity and data privacy regulations.
There is a lot of detail in the Final Rule and CISA Security Requirements. We summarize some of the key points below, followed by guidance on initial steps companies can take to assess the applicability of the Final Rule to their business and proactively manage the new compliance risks created by the Final Rule.
1. Introduction to the Final Rule
The Final Rule implements Executive Order (“EO”) 14117 on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (see our previous post on EO 14117 here). With the aim of preventing the exploitation of Bulk US Sensitive Personal Data or US Government-Related Data by “Countries of Concern” (currently China, including Hong Kong and Macau, Cuba, Iran, North Korea, Russia, and Venezuela), the Final Rule establishes a two-tiered system that either (i) prohibits relevant data transactions outright or (ii) requires that certain security requirements be met before the transaction can proceed.
The Final Rule, which carries potential civil and criminal penalties for noncompliance, takes effect on April 8, 2025, but certain due diligence, reporting, and auditing requirements will not take effect until October 6, 2025. DOJ issued a press release and a Fact Sheet summarizing the Final Rule and answering frequently asked questions. In tandem, the Cybersecurity and Infrastructure Security Agency (“CISA”) of the US Department of Homeland Security issued finalized security requirements for restricted transactions on January 3, 2025, that establish the organizational-, systems-, and data-level security requirements that US persons engaging in restricted transactions under the Final Rule must meet (“CISA Security Requirements”).
Given the scope and complexity of the Final Rule, it has the potential to have a significant impact on US businesses, particularly those involved in the sale, licensing, or other commercial transfer of data sets involving US data. US companies that engage in collection and maintenance of the relevant volumes of data will need to assess whether that data qualifies as “Bulk US Sensitive Personal Data” or “Government-Related Data” and, if so, examine where it is being transferred. Where the Final Rule is triggered, it will impose prohibitions or mandate potentially onerous security, due diligence, and other conditions on the continued transfer of the data.
2. Summary of the Final Rule and CISA Security Requirements
Overview
While the Final Rule explains which transactions are prohibited or restricted, it exempts certain types of data transactions and provides a process for the issuance of general and specific licenses authorizing otherwise prohibited or restricted Covered Data Transactions. The Final Rule also imposes due diligence, auditing, reporting, and recordkeeping requirements and describes the enforcement process and potential penalties for violations of the Final Rule.
Jurisdictional Scope
The Final Rule regulates activities of “US Persons,” which is defined as it is under US sanctions to include: (i) US citizens and permanent residents wherever located, (ii) entities organized under US law (including non-US branches), and (iii) any person located in the United States.
Covered Data Transactions
The Final Rule defines “Covered Data Transactions” to mean “any transaction that involves any access by a Country of Concern or Covered Person to any Government-Related Data or bulk U.S. sensitive personal data” and that involves:
- Data brokerage (i.e., selling data or licensing access to data where the recipient did not collect or process the data directly from the individuals linked to the collected or processed data);
- A vendor agreement (i.e., any agreement or arrangement, other than an employment agreement, in which a person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration);
- An employment agreement (does not include independent contractors); or
- An investment agreement (an agreement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to US real estate or a US legal entity, with exclusions for certain passive investments).
Countries of Concern
As noted, the six Countries of Concern are China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. This list has not changed since DOJ announced the Advance Notice of Proposed Rulemaking in late February 2024 or the Notice of Proposed Rulemaking (“NPRM”) in October 2024.
Covered Persons
The term “Covered Person” is defined broadly and borrows the “50 Percent Rule” terminology used in the US sanctions programs administered by the US Department of the Treasury’s Office of Foreign Assets Control. A Covered Person is:
1. A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more Countries of Concern or persons described in paragraph (2) below, or that is organized or chartered under the laws of, or has its principal place of business in, a Country of Concern;
2. A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in paragraph (1) above or paragraphs (3), (4), or (5) below;
3. A foreign person that is an individual who is an employee or contractor of a Country of Concern or of an entity described in paragraphs (1) or (2) above or paragraph (5) below;
4. A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a Country of Concern; or
5. Any person, wherever located, determined by the Attorney General:
  - To be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a Country of Concern or Covered Person;
  - To act, to have acted or purported to act, or to be likely to act for or on behalf of a Country of Concern or Covered Person; or
  - To have knowingly caused or directed, or to be likely to knowingly cause or direct, a violation of this part.
The Final Rule accordingly contemplates the publication of a Covered Persons List identifying each Covered Person that DOJ designates.
Covered Data
To be a Covered Data Transaction, a data transaction must involve access to “Government-Related Data” or “Bulk US Sensitive Personal Data.”
- “Government-Related Data” means:
  - Any precise geolocation data, regardless of volume, for any location within any area listed on the Government-Related Location Data List found in Section 202.1401 of the Final Rule (the Final Rule lists 736 locations, as compared to eight in the NPRM); or
  - Any “sensitive personal data” (defined below), regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the US government.
- “Bulk US Sensitive Personal Data” is built on multiple other defined terms and means “a collection or set of sensitive personal data relating to US Persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds” the “bulk” thresholds set forth in Section 202.205 of the Final Rule.
  - “Sensitive Personal Data” means “covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof.”
  - Each of the terms in the definition of Sensitive Personal Data has its own definition in the Final Rule.
  - “Human ‘omic data” includes human genomic, epigenomic, proteomic, and transcriptomic data but excludes pathogen-specific data embedded in human ‘omic data sets. DOJ expanded the scope of ‘omic data captured by the Final Rule compared to the NPRM, which captured only human genomic data.
  - Non-government-related Sensitive Personal Data is subject to the Final Rule only if it meets or exceeds the “bulk” thresholds described in Section 202.205 at any point in the preceding 12 months, whether through a single Covered Data Transaction or aggregated across Covered Data Transactions involving the same US Person and the same foreign person or Covered Person.
Prohibited Transactions
US Persons are prohibited from knowingly (i.e., with actual knowledge, or where the US Person reasonably should have known) engaging in the following transactions:
- Covered Data Transactions involving data brokerage with a Country of Concern or a Covered Person.
- Covered Data Transactions with a Country of Concern or Covered Person that involve access by that Country of Concern or Covered Person to Bulk US Sensitive Personal Data that involves bulk human ‘omic data, or to human biospecimens from which bulk human ‘omic data could be derived.
- Transactions that involve any access by a foreign person (note that this is far broader than a Covered Person) to Government-Related Data or Bulk US Sensitive Personal Data and that involve data brokerage with any foreign person that is not a Covered Person, unless the US Person:
  - Contractually requires that the foreign person refrain from engaging in a subsequent Covered Data Transaction involving data brokerage of the same data with a Country of Concern or Covered Person; and
  - Reports any known or suspected violation of this contractual requirement to DOJ within 14 days of becoming aware of it.
- Any transaction that has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions above. Conspiring to violate the Final Rule is also prohibited.
Restricted Transactions
For Covered Data Transactions that are not in the prohibited categories above, US Persons are restricted from knowingly engaging in Covered Data Transactions involving vendor agreements, employment agreements, or investment agreements with a Country of Concern or Covered Person unless the US Person complies with the CISA Security Requirements.
To engage in restricted transactions, in addition to complying with the CISA Security Requirements, US Persons must, by October 6, 2025, develop and implement a written data compliance program that includes risk-based procedures for verifying data flows involved in restricted transactions. They must also conduct annual independent (internal or external) audits for each calendar year in which the US Person engages in any restricted transactions. The audit must examine the US Person’s restricted transactions and its data compliance program, among other requirements.
CISA Security Requirements
The CISA Security Requirements are broken down into organizational- and system-level requirements, on the one hand, and data-level requirements, on the other.
- At the organizational and system level, the CISA Security Requirements include steps such as:
  - Ensuring basic organizational cybersecurity policies, practices, and requirements are in place;
  - Implementing logical and physical access controls to prevent Covered Persons or Countries of Concern from gaining access to covered data that does not comply with the data-level requirements, including through information systems, cloud-computing platforms, networks, security systems, equipment, or software; and
  - Conducting an internal data risk assessment that evaluates whether and how the data-level security measures selected and implemented sufficiently prevent access by Covered Persons or Countries of Concern to covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology. The risk assessment must include a mitigation strategy for how to prevent access to such covered data.
- At the data level, US Persons engaging in restricted Covered Data Transactions must implement a combination of the following mitigations consistent with the required data risk assessment:
  - Apply data minimization and data masking strategies to reduce the need to collect covered data, or to sufficiently obfuscate it, so as to prevent visibility into that data;
  - Apply encryption techniques to protect covered data during the course of restricted transactions;
  - Apply privacy enhancing technologies, such as privacy preserving computation or differential privacy techniques, to process covered data; and/or
  - Configure identity and access management techniques to deny authorized access to covered data by Covered Persons and Countries of Concern within all covered systems.
Exempt Transactions
The Final Rule does not apply to certain categories of data transactions. These include, among others:
- Transactions ordinarily incident to and part of the provision of financial services;
- Corporate group transactions between a US Person and its foreign subsidiary or affiliate provided they are ordinarily incident to and part of administrative or ancillary business operations;
- Telecommunications services (i.e., data transactions, other than those involving data brokerage, to the extent that they are ordinarily incident to and part of the provision of telecommunications services);
- Drug, biological product, and medical device authorizations (i.e., data transactions necessary to obtain or maintain regulatory authorization or approval to research or market such products); and
- Other clinical investigations and post-marketing surveillance data (e.g., product safety monitoring).
Licensing and Advisory Opinions
The Final Rule sets forth processes for DOJ to issue general and specific licenses, both of which may carry additional conditions and recordkeeping and reporting requirements that go beyond what the Final Rule otherwise requires. Both prohibited and restricted transactions are eligible for a specific license; in the latter case, DOJ could authorize proceeding with an otherwise restricted transaction without the US Person meeting all of the CISA Security Requirements. Before, or possibly in lieu of, submitting a specific license request, US Persons engaging in data transactions that could be subject to the Final Rule can submit an advisory opinion request to DOJ asking that it provide a statement of its “present enforcement intentions” with respect to the transaction.
Recordkeeping Requirements
US Persons engaging in any transaction subject to the Final Rule are required to keep “a full and accurate record” of each such transaction for at least 10 years after the date of such transaction (measured from the date of transfer, not the date of any agreement). Engaging in restricted transactions imposes additional recordkeeping requirements, including creating and maintaining:
- A written policy that describes the data compliance program and is certified annually by an officer, executive, or other employee responsible for compliance;
- A written policy describing the implementation of the CISA Security Requirements (also certified annually);
- The results of any annual audits and any conditions on a license;
- Documentation of the due diligence conducted to verify data flow involved in the restricted transaction;
- Documentation of the method of data transfer;
- Documentation of the dates the transaction began and ended;
- Copies of any agreements associated with the transaction;
- Copies of any relevant licenses or advisory opinions from DOJ;
- A copy of any relevant documentation received or created in connection with the transaction; and
- An annual certification by an officer, executive, or employee responsible for ensuring the completeness and accuracy of the records documenting due diligence.
Reporting Requirements
The Final Rule imposes reporting requirements, including:
- Reports by any US Person that receives and affirmatively rejects an offer from another person to engage in a prohibited transaction involving data brokerage (due within 14 days of rejection, but this requirement does not become effective until October 6, 2025);
- Reports of suspected violations of contractual restrictions required for restricted transactions by a counterparty reselling or onward transferring to Countries of Concern or Covered Persons (due within 14 days of becoming aware of the suspected violation); and
- Annual reports filed by US Persons engaged in restricted transactions involving cloud-computing services, if the US Person is 25% or more owned, directly or indirectly, by a Country of Concern or Covered Person.
Enforcement
Violations of the Final Rule can result in civil and criminal penalties. Civil penalties can be the greater of nearly $370,000 or twice the amount of the transaction involved. Willful violations can be subject to criminal fines of up to $1 million and up to 20 years’ imprisonment. Given that the Final Rule is issued pursuant to the International Emergency Economic Powers Act, which contains a prohibition on causing violations to occur, in theory non-US Persons could face liability to the extent they cause US Persons to engage in activities that violate the Final Rule.
3. Next Steps
Companies across different industry verticals should take steps to consider whether the Final Rule may apply to their business, and if so, how to address such requirements. Among other key points:
- Assess applicability. Companies should assess whether any of their products, services, or business operations fall within the scope of the Final Rule. Given that the purpose of the rule focuses on national security (and not commercial data privacy), this may require some effort to understand and apply the definitions to company activities.
- Develop and implement a compliance plan. To the extent the Final Rule may apply to some or all business activities, companies will need to develop and implement a compliance plan that can be accomplished in a short time frame given the fast-approaching implementation deadline. Depending on the context, such a plan could involve various steps, including:
  - Reducing outbound data transfers. It may be possible in some cases to reduce or eliminate outbound data transfers that otherwise would be covered by the Final Rule, so as to avoid or minimize application of the requirements to the business activities.
  - Implementing contractual terms. Implement appropriate contractual terms with third-party recipients, including necessary CISA security terms, so as to address the requirements for restricted transactions.
  - Maintaining documentation. Maintain policies, procedures, and compliance documentation so as to address the Final Rule’s recordkeeping and reporting requirements.
- Ongoing monitoring. Companies should monitor changes in their business activities and operations on an ongoing basis so as to keep their compliance plan aligned with actual operations. Companies should also continue to monitor for further rulemaking and changes given evolving geopolitical risks and regulatory obligations.