DOJ implements new rule restricting bulk transfers of sensitive personal data

Clark Hill PLC

On April 22, FTC Commissioner Melissa Holyoak delivered the opening keynote at the IAPP Global Summit, where she emphasized the importance of vigorously enforcing privacy laws while warning against stretching the FTC’s authority under Section 5 of the FTC Act. She called for stronger action against companies that sell or improperly disclose Americans’ sensitive personal data and highlighted the agency’s close coordination with the U.S. Department of Justice to enforce a new rule restricting data transfers to countries of concern.

Her remarks come on the heels of a major regulatory development. On April 8, the U.S. Department of Justice’s (DOJ) final rule implementing Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” took effect. Taking effect under the Trump administration, the rule represents a major regulatory shift, establishing the first national security-focused restrictions on the transfer or export of sensitive personal and government-related data to designated foreign adversaries. Additional due diligence and compliance requirements will be phased in through Oct. 6.

The final rule targets six “countries of concern”: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela, as well as entities and individuals under their ownership, control, jurisdiction, or direction (“covered persons”). It prohibits or restricts certain transactions by U.S. persons that involve “bulk” sensitive data and U.S. government-related data when conducted with these nations or their covered persons.

“Bulk” data, as defined under the rule, refers to sensitive personal data, such as geolocation, health, financial, and biometric data that exceeds specific thresholds in the aggregate over a 12-month period, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.

The Rule’s History

In February 2024, President Biden issued Executive Order 14117, directing the DOJ to develop regulations to counter the national security risks posed by foreign adversaries seeking access to Americans’ bulk sensitive personal data and U.S. government-related data. In response, the DOJ launched a rulemaking process that included an Advance Notice of Proposed Rulemaking (ANPRM) on March 5, 2024, and a Notice of Proposed Rulemaking (NPRM) on Oct. 29, 2024. The final rule concludes a rulemaking process of more than a year and reflects input from hundreds of stakeholders, including businesses, civil society organizations, and foreign partners, and was shaped through extensive interagency coordination across the U.S. government under the Biden and Trump administrations.

Scope and Requirements of the Final Rule

The DOJ’s final rule regulates transactions involving bulk sensitive personal data and U.S. government-related data between U.S. persons and designated “countries of concern” or “covered persons.” It identifies the types of data that are covered and the conditions under which these transactions are prohibited or restricted.

Covered Data Categories

The final rule regulates two broad categories of data: U.S. sensitive personal data and U.S. government-related data.

U.S. Sensitive Personal Data

There are six categories of U.S. sensitive personal data, each with a specific threshold defining what constitutes “bulk” data. These thresholds are measured by the volume of data collected or maintained across transactions involving the same U.S. person and the same foreign person or country of concern over the preceding 12 months.

  1. Covered Personal Identifiers: Listed identifiers (for example, Social Security numbers, email addresses, or device identifiers) that are linked or linkable to one another or to other sensitive data. The bulk threshold for this category is 100,000 U.S. persons.
  2. Precise Geolocation Data: Data that identifies the real-time or historical location of a device or individual to within 1,000 meters. The threshold is 1,000 U.S. devices.
  3. Biometric Identifiers: Physical characteristics such as facial images, fingerprints, or voice prints used for identity verification. The threshold is 1,000 U.S. persons.
  4. Human ‘Omic Data: Data about human genomics, proteomics, epigenomics, or transcriptomics. The bulk threshold for human ‘omic data is 1,000 U.S. persons, or 100 U.S. persons for human genomic data.
  5. Personal Health Data: Information related to an individual’s physical or mental health, including medical records, test results, or treatment history. The threshold for this category is 10,000 U.S. persons.
  6. Personal Financial Data: Data on credit or bank accounts, financial transactions, and credit reports. The threshold for this category is 10,000 U.S. persons.

U.S. Government-Related Data

The rule also regulates certain types of U.S. government-related data. This includes:

  • Geolocation Data: Precise geolocation data for specific areas identified by the Attorney General as sensitive, such as military sites or intelligence facilities, where the data could be exploited by a country of concern.
  • Sensitive Personal Data: Any sensitive personal data marketed as linked or linkable to current or former U.S. government employees or contractors, including military or intelligence personnel. Government-related data is covered regardless of volume; no bulk threshold applies.

Prohibitions, Restrictions, and Exemptions

The rule governs transactions involving covered data, establishing prohibitions, restrictions and exemptions.

Prohibited Transactions

The final rule outlines two primary categories of prohibited transactions:

  1. Data Brokerage with Countries of Concern or Covered Persons: This includes any data brokerage transaction involving access to bulk U.S. sensitive personal data or U.S. government-related data by a country of concern or a covered person.
  2. Foreign Access to Sensitive Data Without Safeguards: Transactions that provide a foreign person (who is not a covered person) with access to bulk U.S. sensitive personal data or U.S. government-related data, in connection with data brokerage, are also prohibited unless the foreign party agrees to specific contractual safeguards. These include restrictions on further data brokerage with countries of concern or covered persons, as well as obligations to report any known or suspected violations to the DOJ.

Definition and Scope of Data Brokerage

The rule defines “data brokerage” as the sale, licensing, or other commercial transfer of data where the recipient did not directly collect or process the data from the individuals to whom the data pertains. This excludes transactions such as employment, investment, or vendor agreements. The rule provides ten illustrative examples to clarify the scope of data brokerage, highlighting the term’s broad application.

Additional Prohibitions

Beyond these categories, the rule also explicitly prohibits any data brokerage or covered data transaction involving access to bulk human ‘omic data or human biospecimens from which such data can be derived, when such transactions involve a covered person.

Restricted Transactions

The rule identifies three categories of restricted transactions: vendor agreements, employment agreements, and investment agreements. Except for exempt transactions, as discussed below, U.S. persons engaging in these restricted transactions with a country of concern or covered person must adhere to the rule’s security requirements. (Transactions with covered persons involving bulk human ‘omic data, as noted above, are always prohibited rather than restricted.)

  1. Vendor Agreements: Any agreement where a person provides goods or services (e.g., cloud-computing services) to another in exchange for payment or other consideration.
  2. Employment Agreements: Agreements where an individual performs work for another, other than as an independent contractor, in exchange for compensation, including board services or executive-level arrangements.
  3. Investment Agreements: Agreements where a person gains direct or indirect ownership of a U.S. legal entity or U.S. real estate, excluding passive investments (e.g., publicly traded securities or limited partnership investments without control rights).

For restricted transactions, U.S. persons must implement a data compliance program by Oct. 6, which includes procedures for verifying data flows, logging the types and volumes of data involved, and properly identifying the parties to each transaction. The compliance program must also include a written policy, certified annually by a responsible officer, for implementing the security requirements developed by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). U.S. persons must also conduct an independent annual audit that examines the effectiveness of their compliance program and security measures and identifies vulnerabilities that could compromise sensitive data; audit reports and related records must be retained for at least ten years.

Knowingly Directing Prohibited or Restricted Transactions

The rule prohibits U.S. persons from “knowingly directing” transactions that would be prohibited, or restricted transactions that do not meet the security requirements. For instance, if a U.S. person owns and controls a foreign entity that is not a covered person and instructs it to engage in a prohibited transaction, the U.S. person would be in violation of the rule.

Exempt Transactions

The final rule provides exemptions for certain types of transactions, as long as specific requirements are met. Exempt transactions include:

  • Personal communications and the exchange of information or informational materials (including expressive content).
  • Travel-related data transactions.
  • Official business of the U.S. Government.
  • Certain financial services and ordinary financial transactions.
  • Corporate group transactions, such as transfers between a U.S. person and its foreign subsidiary or affiliate for ordinary administrative or business operations.
  • Transactions required or authorized by U.S. federal law or international agreements.
  • Investment agreements subject to a CFIUS mitigation agreement.
  • Transactions related to the provision of telecommunications services.
  • Data transactions involving regulatory approvals for drugs, biological products, and medical devices under U.S. Food and Drug Administration (FDA) regulations, as well as clinical investigations and post-marketing surveillance data governed by the FDA.

These exemptions are intended to leave essential and routine data transactions unaffected by the rule.

Potential Liability

The final rule imposes significant penalties for violations, drawing on the enforcement provisions of the International Emergency Economic Powers Act. Civil penalties can reach up to USD $377,700 (adjusted for inflation) or twice the value of the transaction involved, whichever is greater. For willful violations, criminal penalties can include fines of up to USD $1,000,000, imprisonment for up to 20 years, or both. The rule also retains a pre-penalty notice process, requiring the DOJ to notify the alleged violator of its intent to impose a civil penalty and give it an opportunity to respond before a penalty is imposed.

Key Documents Released by the Department of Justice’s National Security Division

On April 11, 2025, the DOJ’s National Security Division (NSD) released several important documents to assist entities in complying with the final rule, which NSD refers to as the Data Security Program (DSP). These documents provide guidance on compliance strategies, enforcement expectations, and the specific legal requirements under the final rule. The key documents include:

  1. Data Security Program (DSP) Compliance Guide
    This guide offers practical advice for entities seeking to meet the requirements of the final rule. It includes recommendations on contractual safeguards for data brokerage transactions, such as clauses to prevent onward data transfers to countries of concern, as well as security safeguards, including cybersecurity risk assessments, vendor due diligence, and employee training.
  2. Frequently Asked Questions (FAQ) Document
    The FAQ document provides clarity on the scope and purposes of the Data Security Program. It addresses specific compliance concerns related to various data transactions, the interaction of the DSP with other regulatory regimes (like CFIUS), and how entities can navigate the compliance process. NSD will periodically update this document to offer further guidance as needed.
  3. Implementation and Enforcement Policy
    This policy outlines how NSD will enforce the DSP during the first 90 days following the final rule’s effective date. During this period (April 8 to July 8), NSD will not prioritize civil enforcement actions against entities that are making good-faith efforts to comply with the rule. After this period, full compliance will be expected, and NSD will pursue enforcement for violations.

These documents are essential resources for businesses and individuals working to ensure compliance with the final rule, and NSD is expected to release additional guidance throughout the year to further assist in meeting the regulatory requirements.

Conclusion

The final rule introduces critical protections for sensitive personal and government-related data against foreign adversaries. By prohibiting or restricting data transactions with designated countries of concern and covered persons, the rule addresses significant personal data and national security risks. With compliance deadlines upon us, U.S. companies must ensure they follow strict due diligence and security protocols, particularly for data brokerage and for vendor, employment, and investment agreements involving “countries of concern” or covered persons. The DOJ has provided helpful guidance to assist entities in navigating these requirements, and the penalties for non-compliance are substantial.

As the rule takes effect, it reinforces the U.S. commitment to protecting sensitive data from exploitation while allowing essential transactions to continue. Staying compliant will be key for businesses seeking to avoid legal and financial risks.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Clark Hill PLC
