US Data Localization Law Coming Soon: DOJ Issues Final Rule on Certain Data Transfers to “Countries of Concern”


10 minute read | January 17, 2025

The Department of Justice has finalized prohibitions and restrictions on cross-border transfers of certain data to China and other “Countries of Concern” (as defined below).

It seeks to address what is, in the U.S. government’s view, a mounting risk that these countries could use advanced technologies, such as artificial intelligence (AI), to process large sets of U.S. sensitive personal data or U.S. government data and then leverage the insights they gained to engage in, among other things, malicious cyber and other destabilizing activities. The rule also aims to mitigate the perceived risk of AI-assisted tracking and development of profiles of U.S. individuals, including members of the military and other federal employees and contractors, for illicit purposes such as blackmail and espionage.

The rule implements Executive Order 14117, issued under the authority of the International Emergency Economic Powers Act (IEEPA), which is the authorizing statute for most U.S. sanctions programs.

What Companies Need to Know

The rule creates an expansive new regulatory regime that prohibits or otherwise restricts certain transactions involving bulk U.S. sensitive personal data and U.S. government-related data.

  • The rule:
    • Prohibits certain data brokerage transactions with a Country of Concern – China, Cuba, Iran, North Korea, Russia and Venezuela – or Covered Person (as defined below) and any other transactions that provide a Country of Concern or Covered Person with access to bulk human ‘omic data or human biospecimens from which that data can be derived.

    • Prohibits data brokerage transactions involving these data types with any other foreign person unless the U.S. person contractually requires that foreign person to refrain from making the same data available to a Country of Concern or Covered Person.

    • Restricts, instead of prohibits, certain vendors, employment and investor agreements with Countries of Concern or Covered Persons involving the above types of data transfer. These classes of restricted transactions are prohibited unless they comply with predefined security requirements promulgated by the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security to mitigate the risk of access to bulk U.S. sensitive personal data by Countries of Concern or Covered Persons.

The rule will become effective on April 8, 2025. However, U.S. companies engaging in restricted transactions have until October 6, 2025 to develop the required compliance programs.

Who and What is Covered?

The rule applies to U.S. persons engaging in covered transactions. A transaction is covered if it involves any access by a Country of Concern or Covered Person to certain types of sensitive data, described in more detail below.

Country of Concern refers to any foreign government that the Attorney General, with the concurrence of the Secretary of State and the Secretary of Commerce, determines:

  • has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the U.S. or security and safety of U.S. persons; and
  • poses a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the U.S. or security and safety of U.S. persons.

The rule establishes China (including the Special Administrative Regions of Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela as Countries of Concern.

Covered Persons include:

  • Entities that:
    • are organized in a Country of Concern;
    • have a principal place of business in a Country of Concern;
    • are designated by DOJ as a Covered Person; or
    • are 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more Countries of Concern or Covered Persons.
  • Foreign individuals that:
    • are employees or contractors of a Country of Concern or of an entity that is a Covered Person;
    • are primarily resident in China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia or Venezuela; or
    • are designated by DOJ as a Covered Person.

DOJ will maintain a public list of designated Covered Persons. The rule authorizes DOJ to designate persons on the basis of ownership or control by, or acting for or on behalf of, a Covered Person or Country of Concern. Being subject to the jurisdiction of a Country of Concern, or knowingly causing a violation of the rule, are also bases for designation. The rule also lets designated Covered Persons seek reconsideration and removal from the list.

U.S. persons seeking to identify whether a third party qualifies as a Covered Person will need to consult DOJ’s list and conduct independent diligence to identify whether the person falls within the definition of Covered Person.

What Data is Covered?

Bulk Sensitive Personal Data

The term bulk U.S. sensitive personal data means a collection or set of sensitive personal data relating to any U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified or encrypted, that exceeds the thresholds listed below. The rule lists six categories of sensitive personal data:

1. Covered personal identifiers
The rule includes a list of identifiers, including government identification numbers, financial account numbers, device-based and hardware-based identifiers, demographic and contact data, advertising identifiers, account-authentication data, network-based identifiers and call-detail data.

These will be considered covered personal identifiers when combined with each other or with information disclosed pursuant to the transaction such that the identifier is linked or linkable to other listed identifiers or to other sensitive personal data.

2. Precise geolocation data
Precise geolocation data means real-time and historical data that identifies the physical location of an individual or a device with a precision of within 1,000 meters.

3. Biometric identifiers
These are “measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.”

4. Human ‘omic data
Human ‘omic data includes human genomic data, epigenomic data, proteomic data and transcriptomic data. Each of these terms is defined in the rule. Human ‘omic data excludes pathogen-specific data embedded in human ‘omic data sets. Human genomic data, representing nucleic acid sequences that constitute a set or a subset of the genetic instructions in a human cell, is subject to greater restrictions than other types of human ‘omic data, as described below. Human genomic data includes the results of an individual’s genetic test and related human genetic sequencing data.

5. Personal health data
Personal health data means health information that indicates, reveals or describes:

  1. An individual’s past, present or future physical or mental health or condition.
  2. The provision of health care to an individual, including payment information.
  3. Physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms and allergies).
  4. Social, psychological, behavioral and medical diagnostic, intervention and treatment history.
  5. Test results.
  6. Logs of exercise habits.
  7. Data on immunization, reproductive and sexual health and the use or purchase of prescribed medications.

6. Personal financial data
This includes credit card and bank account data and information from financial statements and credit or consumer reports.

What is “bulk” data?

The rule considers a transaction to involve bulk data if the sensitive personal data in it exceeds the thresholds below, or if the sum of such data in the current transaction and in all transactions with the same foreign person in the preceding 12 months exceeds them. The thresholds are a "more than" test, so a single transfer covering exactly the listed number of persons or devices does not by itself qualify as bulk.

  • Human ‘omic data: more than 1,000 U.S. persons (more than 100 U.S. persons in the case of human genomic data)
  • Biometric identifiers: more than 1,000 U.S. persons
  • Precise geolocation data: more than 1,000 U.S. devices
  • Personal health data: more than 10,000 U.S. persons
  • Personal financial data: more than 10,000 U.S. persons
  • Covered personal identifiers: more than 100,000 U.S. persons
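As an added illustration of the threshold test (this is example code written for this page; it is not part of the rule and not code from the article's authors): a small Python check that aggregates a proposed transfer with earlier transfers of the same data category to the same foreign counterparty over the lookback period, then compares the total against the per-category thresholds listed above. The thresholds are the ones on this page; the 365-day modelling of "preceding 12 months", the category names, the counterparty identifiers and the sample history are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Per-category "bulk" thresholds as summarized on this page. The test is
# "more than" the number: a transfer covering exactly 1,000 U.S. persons'
# biometric identifiers is not bulk by itself. Precise geolocation is
# counted in U.S. devices, every other category in U.S. persons.
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "human_omic_other": 1_000,
    "biometric": 1_000,
    "precise_geolocation": 1_000,
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_identifiers": 100_000,
}

# Assumed simplification: the rule's "preceding 12 months" is modelled as
# a 365-day window ending on the day of the transfer under review.
LOOKBACK = timedelta(days=365)


@dataclass(frozen=True)
class Transfer:
    """One transfer of one data category to one foreign counterparty.

    `counterparty` is a hypothetical internal identifier for the foreign
    person receiving access; `count` is the number of U.S. persons (or
    U.S. devices for precise_geolocation) the transfer covers.
    """
    on: date
    counterparty: str
    category: str
    count: int


def transfer(iso_day: str, counterparty: str, category: str, count: int) -> Transfer:
    """Convenience constructor taking the date as an ISO string."""
    if category not in BULK_THRESHOLDS:
        raise ValueError(f"unknown data category: {category}")
    if count < 0:
        raise ValueError("count must be non-negative")
    return Transfer(date.fromisoformat(iso_day), counterparty, category, count)


def twelve_month_total(current: Transfer, history=()) -> int:
    """Count for `current` plus every earlier transfer of the same category
    to the same counterparty within the lookback window. `history` must
    not contain `current` itself.

    Counts are summed as the page describes. If the same individuals recur
    across transfers this over-counts them, which errs toward treating the
    transaction as bulk rather than away from it.
    """
    window_start = current.on - LOOKBACK
    total = current.count
    for past in history:
        same_stream = (past.counterparty == current.counterparty
                       and past.category == current.category)
        if same_stream and window_start <= past.on <= current.on:
            total += past.count
    return total


def is_bulk(current: Transfer, history=()) -> bool:
    """True when the aggregated count exceeds the category threshold."""
    return twelve_month_total(current, history) > BULK_THRESHOLDS[current.category]


def bulk_categories(transaction, history=()) -> list:
    """Evaluate one proposed transaction made up of several transfers.

    Transfers of the same category to the same counterparty are merged
    before the threshold test, so a transaction split into small pieces
    is still caught. Returns the sorted categories that trip a threshold;
    the transaction involves bulk data if the list is non-empty.
    """
    merged = {}
    for t in transaction:
        key = (t.counterparty, t.category)
        prev = merged.get(key)
        merged[key] = Transfer(
            on=max(t.on, prev.on) if prev else t.on,
            counterparty=t.counterparty,
            category=t.category,
            count=t.count + (prev.count if prev else 0),
        )
    return sorted({c for (_, c), m in merged.items() if is_bulk(m, history)})


# Constructed sample history for illustration only (not real data).
SAMPLE_HISTORY = [
    transfer("2025-05-02", "vendor-a", "precise_geolocation", 600),
    transfer("2024-09-01", "vendor-a", "precise_geolocation", 900),    # outside the window
    transfer("2025-06-15", "vendor-b", "precise_geolocation", 2_000),  # different counterparty
]

if __name__ == "__main__":
    single = transfer("2025-10-06", "vendor-a", "precise_geolocation", 1_000)
    print(is_bulk(single))                  # False: exactly 1,000 is not "more than"
    print(is_bulk(single, SAMPLE_HISTORY))  # True: 1,000 + 600 in-window = 1,600
```

The check is deliberately per counterparty and per category, because that is how the page describes the aggregation; a real implementation would also need to decide how to count distinct individuals across transfers and how the 12-month window is measured, both of which are simplified here.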

U.S. Government-related Data

The rule defines U.S. government-related data as:

  • Precise geolocation data for any location within an enumerated list of specific geofenced areas associated with military, government and other sensitive locations.
  • Sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government, including those in the military and intelligence community.

What Transactions are Prohibited or Restricted?

A “covered data transaction” under the rule is any transaction that involves any access by a Country of Concern or Covered Person to any government-related data or bulk U.S. sensitive personal data and that involves (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement.

Prohibited Transactions

The rule will prohibit three categories of “highly sensitive” covered data transactions:

  1. Data brokerage transactions involving Countries of Concern or Covered Persons.
  2. Data brokerage transactions with non-covered foreign persons unless the U.S. person contractually requires the foreign person to refrain from engaging in a covered data transaction involving the same data with a Country of Concern or Covered Person. The rule will also require U.S. persons to report violations by foreign parties.
  3. Transactions that provide a Country of Concern or Covered Person access to bulk human ‘omic data or human biospecimens from which human ‘omic data can be derived.

Restricted Transactions

The rule restricts certain covered data transactions by prohibiting them, unless they comply with security requirements issued by CISA. CISA recently proposed these requirements in a separate rulemaking.

The rule restricts three categories of covered data transactions:

  1. Vendor agreements, including technology services and cloud service agreements such as Software-as-a-Service (SaaS).
  2. Employment agreements, including employment on a board or committee, executive-level agreement and employment services at an operational level.
  3. Investment agreements, including investments in U.S. real estate or legal entities.

Exempt Transactions

The rule exempts, among others, data transactions:

  • Involving personal communications.
  • Involving importation and exportation of information or informational materials.
  • Ordinarily incident to travel to or from any country.
  • For the conduct of the official business of the U.S. government.
  • Ordinarily incident to and part of the provision of financial services.
  • Between a U.S. person and its subsidiaries and affiliates located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a Country of Concern, to the extent that the transactions are incidental to administrative or ancillary business operations.
  • Required or authorized by Federal law or pursuant to an international agreement.
  • Involving an investment agreement subject to a CFIUS action.
  • Ordinarily incident to and part of the provision of telecommunications services.
  • Involving “regulatory approval data” that is necessary to obtain or maintain regulatory approval to market a drug, biological product, device or a combination of products in a Country of Concern, provided that U.S. persons relying on this exemption comply with certain reporting requirements.
  • Ordinarily incident to and part of clinical investigations regulated by the U.S. Food and Drug Administration (FDA) or the collection or processing of clinical care data necessary to support or maintain authorization by the FDA, provided the data is deidentified.

Enforcement and Compliance

The rule establishes civil penalty amounts based on IEEPA. The maximum civil penalty for violations of IEEPA is $368,136 (expected to increase to $377,700 this year) or twice the amount of the violating transaction, whichever is larger. Criminal violations could trigger fines of up to $1 million and imprisonment of up to 20 years.

The rule includes a pre-penalty notice and an opportunity for people and companies to respond before a final decision is made. It prohibits U.S. persons from “knowingly” violating the rule.

The rule does not impose affirmative due diligence and recordkeeping requirements on every U.S. person in a covered data transaction with a Covered Person or Country of Concern. Rather, it imposes these requirements as a condition of engaging in a restricted transaction. However, due diligence is needed as a practical matter to identify the involvement of Covered Persons, and DOJ is likely to consider the adequacy of compliance programs in any enforcement actions.

In addition, the rule permits DOJ to issue licenses authorizing some prohibited or restricted transactions.

What’s Next?

Companies should:

  • Assess the rule’s potential impact on future transactions by conducting initial assessments, including but not limited to:
    • Determining the types of data the company maintains and whether such data is covered under the rule;
    • If the company collects data covered under the rule, determining the scope of the collection, processing and/or sharing of such covered data;
    • Assessing the overall risks of any processing that involves a Country of Concern, which could include assessing a company’s downstream partners, vendors and clients, as well as a company’s supply chain; and
    • Considering additional review procedures to mitigate the identified risks.
  • Review the Framework for OFAC Compliance Commitments, given that DOJ modeled compliance program requirements on OFAC’s approach.

Want to know more? Reach out to one of the authors (Harry Clark, Ben Hutten, Thora Johnson, Jeanine McGuinness, Shannon Yavorsky, Elizabeth Zane, James Chou, Olivia Rauh and Cosmas Robless) or another member of the Orrick team.