10 minute read | January 17, 2025
The Department of Justice has finalized prohibitions and restrictions on cross-border transfers of certain data to China and other “Countries of Concern” (as defined below).
It seeks to address what is, in the U.S. government’s view, a mounting risk that these countries could use advanced technologies, such as artificial intelligence (AI), to process large sets of U.S. sensitive personal data or U.S. government data and then leverage the insights they gained to engage in, among other things, malicious cyber and other destabilizing activities. The rule also aims to mitigate the perceived risk of AI-assisted tracking and development of profiles of U.S. individuals, including members of the military and other federal employees and contractors, for illicit purposes such as blackmail and espionage.
The rule implements Executive Order 14117, issued under the authority of the International Emergency Economic Powers Act (IEEPA), which is the authorizing statute for most U.S. sanctions programs.
The rule creates an expansive new regulatory regime that prohibits or otherwise restricts certain transactions involving bulk U.S. sensitive personal data and U.S. government-related data.
Prohibits certain data brokerage transactions with a Country of Concern – China, Cuba, Iran, North Korea, Russia and Venezuela – or Covered Person (as defined below) and any other transactions that provide a Country of Concern or Covered Person with access to bulk human ‘omic data or human biospecimens from which that data can be derived.
Prohibits these transactions with non-covered foreign persons unless the U.S. person contractually requires the foreign person to refrain from making the same data available to a Country of Concern or Covered Person.
The rule will become effective on April 8, 2025. However, U.S. companies engaging in restricted transactions have until October 6, 2025 to develop the required compliance programs.
The rule applies to U.S. persons engaging in covered transactions. A transaction is covered if it involves any access by a Country of Concern or Covered Person to certain types of sensitive data, described in more detail below.
Country of Concern refers to any foreign government that is determined by the Attorney General with the concurrence of the Secretary of State and the Secretary of Commerce:
The rule establishes China (including the Special Administrative Regions of Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela as Countries of Concern.
Covered Persons include:
DOJ will maintain a public list of designated Covered Persons. The rule authorizes DOJ to designate persons on the basis of ownership or control by, or acting for or on behalf of, a Covered Person or Country of Concern. Being subject to the jurisdiction of a Country of Concern, or knowingly causing a violation of the rule, are also bases for designation. The rule will also let designated Covered Persons seek reconsideration and removal from the relevant lists.
U.S. persons seeking to identify whether a third party qualifies as a Covered Person will need to consult DOJ’s list and conduct independent diligence to identify whether the person falls within the definition of Covered Person.
The term bulk U.S. sensitive personal data means a collection or set of sensitive personal data relating to any U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified or encrypted, that exceeds the thresholds listed below. The rule lists six categories of sensitive personal data:
1. Covered personal identifiers
The rule includes a list of identifiers, including government identification numbers, financial account numbers, device-based and hardware-based identifiers, demographic and contact data, advertising identifiers, account-authentication data, network-based identifiers and call-detail data.
These will be considered covered personal identifiers when combined with each other or with information disclosed pursuant to the transaction such that the identifier is linked or linkable to other listed identifiers or to other sensitive personal data.
2. Precise geolocation data
Precise geolocation data means real-time and historical data that identifies the physical location of an individual or a device with a precision of within 1,000 meters.
3. Biometric identifiers
These are “measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.”
4. Human ‘omic data
Human ‘omic data includes human genomic data, epigenomic data, proteomic data and transcriptomic data. Each of these terms is defined in the rule. Human ‘omic data excludes pathogen-specific data embedded in human ‘omic data sets. Human genomic data, representing nucleic acid sequences that constitute a set or a subset of the genetic instructions in a human cell, is subject to greater restrictions than other types of human ‘omic data, as described below. Human genomic data includes the results of an individual’s genetic test and related human genetic sequencing data.
5. Personal health data
Personal health data means health information that indicates, reveals or describes:
6. Personal financial data
This includes credit card and bank account data and information from financial statements and credit or consumer reports.
The rule considers a transaction to involve bulk data if the sensitive personal data therein meets or exceeds the below thresholds, or if the sum of such data in the current transaction and all transactions with the same foreign person in the preceding 12 months exceeds these thresholds.
The rule defines U.S. government-related data as:
A “covered data transaction” under the rule is any transaction that involves any access by a Country of Concern or Covered Person to any government-related data or bulk U.S. sensitive personal data and that involves (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement.
The rule will prohibit three categories of “highly sensitive” covered data transactions:
The rule restricts certain covered data transactions by prohibiting them, unless they comply with security requirements issued by CISA. CISA recently proposed these requirements in a separate rulemaking.
The rule restricts three categories of covered data transactions:
The rule exempts, among others, data transactions:
The rule establishes civil penalty amounts based on IEEPA. The maximum civil penalty for violations of IEEPA is $368,136 (expected to increase to $377,700 this year) or twice the amount of the violating transaction, whichever is larger. Criminal violations could trigger fines of up to $1 million and imprisonment of up to 20 years.
The rule includes a pre-penalty notice and an opportunity for people and companies to respond before a final decision is made. It prohibits U.S. persons from “knowingly” violating the rule.
The rule does not impose affirmative due diligence and recordkeeping requirements on every U.S. person in a covered data transaction with a Covered Person or Country of Concern. Rather, it imposes these requirements as a condition of engaging in a restricted transaction. However, due diligence is needed as a practical matter to identify the involvement of Covered Persons, and DOJ is likely to consider the adequacy of compliance programs in any enforcement actions.
In addition, the rule permits DOJ to issue licenses authorizing some prohibited or restricted transactions.
Companies should:
Want to know more? Reach out to one of the authors (Harry Clark, Ben Hutten, Thora Johnson, Jeanine McGuinness, Shannon Yavorsky, Elizabeth Zane, James Chou, Olivia Rauh and Cosmas Robless) or another member of the Orrick team.