Special Alert: DOJ Final Rule Prohibiting Access to Bulk U.S. Sensitive Personal Data

Restrictions on certain data transactions 


April 2025

  • Prohibited Transactions: U.S. entities are banned from engaging in data brokerage with countries of concern, particularly reselling sensitive personal data or human genomic data.
  • Compliance Requirements: Organizations involved in restricted data transactions must meet stringent security standards, including independent audits, certifications, and extensive record-keeping obligations.
  • Impact on Global Operations: Companies with international operations must reassess data-sharing practices, ensure compliance with new reporting mandates, and prepare for potential regulatory scrutiny.

________________________________________________________________________________________________________________________________


The Department of Justice’s (DOJ) final rule prohibiting and restricting bulk transfers of sensitive personal data to “countries of concern” (e.g., China, Russia, Iran) goes into effect April 8, 2025. Compliance with certain provisions, including due diligence, audit, and reporting requirements, will begin October 6, 2025.

The final rule implements the February 28, 2024 Executive Order (14117), “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” It aims to address ongoing national security risks and concerns stemming from advancements in AI, high-performance computing, and big-data analytics that may enable exploitation of sensitive national data by countries of concern and by individuals and entities under their control (“covered persons”).

The rule will directly impact industries with cross-border data activities.

In addition, the rule:

  • Identifies six categories of “sensitive personal data”: human ‘omic data, biometric identifiers, precise geolocation data, personal health data, personal financial data, and other covered personal identifiers.
  • Prohibits two categories of transactions – data brokerage and covered data transactions involving access to human ‘omic data.
  • Imposes security requirements on covered data transactions involving investment, employment, and vendor agreements.
  • Specifies classes of transactions exempt from the rule, including financial services transactions that are “ordinarily incident to and part of the provision of financial services” and corporate transactions that are “ordinarily incident to and part of administrative or ancillary business”.
  • Establishes processes for designating specific entities or individuals as covered persons.

Note: Key steps for compliance include:

  • Data compliance program development, including vendor and data flow identification and policy documentation
  • Annual independent audits
  • Recordkeeping requirements
  • Implementation of security measures as outlined by CISA, including multi-factor authentication, access control, data masking, and encryption and other privacy enhancing methods


Meet our team

Amy S. Matsuo
Principal, U.S. Regulatory Insights & Compliance Transformation Lead, KPMG LLP
Orson Lucas
Principal, Advisory, Cyber Security Services, KPMG US
