Life sciences companies have long been outside the scope of US national security regulations and benefited from significant exemptions under US privacy laws. But a Department of Justice (DOJ) final rule, effective April 8, 2025, now prohibits or restricts access to bulk sensitive personal data of US persons by individuals or entities tied to China (including Hong Kong and Macau) or other countries of concern (Cuba, Iran, North Korea, Russia, and Venezuela).[1]
The rule targets categories of data routinely handled by life sciences companies, such as human genomic and other ‘omic data (and biospecimens from which such data can be derived), biometric identifiers, and personal health information. Importantly, and unlike the Committee on Foreign Investment in the United States (CFIUS) regulations and many privacy laws, the rule does not exempt key-coded or otherwise anonymized, pseudonymized, de-identified, or encrypted data.
While the rule contains critical exemptions for certain passive investments and data sharing that is necessary to obtain or maintain regulatory approvals, life sciences companies should carefully reexamine their cross-border collaborations, global clinical investigations, post-market monitoring, and sharing of clinical or regulatory data across jurisdictions under the new national-security-focused framework. Violations can result in civil and criminal penalties.
Following a brief introduction to the rule, we examine the rule’s application to seven common scenarios arising in the life sciences sector. For more information on the DOJ’s rule, please see Goodwin’s alerts published on January 10 and April 4 of this year.
The DOJ published guidance and FAQs on April 11, along with a policy for delayed enforcement until July 8, 2025, so long as the US person is engaging in good faith efforts to comply with or come into compliance with the rule.
Covered Data Transactions Under the DOJ Rule
The rule prohibits or restricts covered data transactions that result in access (1) to bulk US sensitive personal data; (2) by a covered person; (3) through data brokerage, vendor agreements, employment agreements, or investment agreements.
1. Categories of Bulk US Sensitive Personal Data
Life sciences companies are most likely to encounter four categories of bulk US sensitive personal data, which includes data that is anonymized, pseudonymized, de-identified, or encrypted – but perhaps at data volumes below the bulk thresholds:
The term “bulk” refers to a data volume exceeding the listed threshold at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same counterparty (i.e., the foreign person or covered person).
Critically for life sciences companies, absent an exemption, the rule prohibits covered data transactions involving bulk human genomic, epigenomic, proteomic, or transcriptomic data, or biospecimens from which such data can be derived.
The rule also applies to other types of data — including precise geolocation data, personal financial data, and covered personal identifiers — that are more prevalent in other industries. In all cases, publicly available data sets are excluded from the rule.
2. Covered Persons
A covered person is one with a material nexus to a country of concern, including (a) an entity organized in or that has its principal place of business in China; (b) employees or contractors of such an entity; (c) individuals who reside primarily in China; or (d) persons identified on a forthcoming DOJ Covered Persons List. The term also includes entities owned 50% or more by one of these covered persons or by the government of a country of concern. Individuals physically located in the United States are excluded, unless designated on the Covered Persons List.
3. Types of Covered Data Transactions
The rule targets four types of transactions of interest to life sciences companies — if the transaction involves access to bulk US sensitive personal data by a covered person (or in a country of concern). Examples relevant for life sciences companies may include:
- For data brokerage: Selling, licensing, or providing access to nonpublic data that the recipient did not collect directly from individuals; transferring data to non-US regulators
- For vendor agreements: Engaging a service provider to prepare regulatory filings; storing data on third-party servers; engaging an independent contractor
- For employment agreements: Hiring an employee; appointing a board member
- For investment agreements: Issuing an equity interest to a collaboration partner
Together, these elements result in covered data transactions that are either prohibited or restricted, unless eligible for an exemption.
The rule prohibits US persons from knowingly engaging in:
- Vendor, employment, or investment agreements involving access by a covered person to bulk human genomic, epigenomic, proteomic, or transcriptomic data (or human biospecimens from which such data can be derived)
- Data brokerage involving the provision of any bulk US sensitive personal data to covered persons or to a country of concern
- Data brokerage involving the provision of any bulk US sensitive personal data to non-US persons (e.g., a Canadian entity) without contractual restrictions prohibiting onward data transfers to a covered person or to a country of concern
The rule restricts US persons from knowingly engaging in vendor, employment, or investment agreements involving covered-person access to categories of bulk US sensitive personal data (other than human ‘omic data), but only if the US person maintains a sufficient data compliance program, implements certain security requirements published by the Cybersecurity and Infrastructure Security Agency (CISA), and conducts annual compliance audits.
Key Exemptions for the Life Sciences Industry
The rule exempts several categories of life sciences transactions that would otherwise be prohibited or restricted:
- A regulatory approval data exemption permits transactions that involve de-identified or pseudonymized (i.e., key-coded) data necessary to obtain or maintain regulatory authorization or approval to research or market a drug, biological product, device, or a combination product in or outside of a country of concern. The exemption does not apply to the sharing of sensitive personal data that is not reasonably necessary for a regulatory entity to assess the safety and effectiveness of the drug, biological product, device, or combination product. Companies relying on this exemption must still comply with certain recordkeeping and reporting obligations.
- A clinical investigation data exemption allows:
  - Transactions that are ordinarily incident to and part of clinical investigations regulated by the Food and Drug Administration (FDA) or that support applications to the FDA for research and marketing permits for drugs, biologics, devices, combination products, or infant formula
  - Transactions involving de-identified or pseudonymized data that are ordinarily incident to and part of the collection or processing of clinical care data indicating real-world performance or safety of products, or of post-marketing surveillance data, provided in each case that such data is necessary for FDA authorization
- A federal funding exemption for transactions that are conducted pursuant to a grant, contract, or other agreement entered into with the US federal government
- An exemption for passive investments, where the covered-person investor:
  - Acquires less than 10% voting and equity interest in the US person;
  - Receives no rights beyond standard minority shareholder protections, including board membership or observer rights or other involvement, beyond the voting of shares, in substantive business decisions, management, or the strategy of the US person; and
  - The investment is made into a publicly traded security, into a security offered by an SEC-regulated investment company, or by a “limited partner” into a fund or private entity.
US persons can seek a license from the DOJ to authorize covered data transactions that do not qualify for an exemption.
Scenarios Encountered in the Life Sciences Industry
1. My company is entering into a collaboration agreement with a Chinese company to jointly develop a drug candidate.
US companies collaborating with Chinese partners should evaluate whether the arrangement would afford the partner access to human ’omic data, biometric identifiers, or personal health data relating to US persons above the bulk thresholds identified above. If so, the arrangement may be a prohibited or restricted covered data transaction.
For example, the collaboration could involve a US company licensing its drug candidate to a Chinese partner for development and commercialization in China and providing clinical data to the Chinese partner. Or a US company could license a drug candidate from a Chinese partner for development and commercialization in the United States and license back clinical data to the Chinese partner. Such collaborations could involve data brokerage (i.e., the sale or license of data to parties that did not collect or process such data) or constitute a vendor agreement in which the Chinese partner develops the drug candidate for the US company. Collaboration agreements may even be accompanied by an acquisition of equity in the US company or a convertible debt arrangement within the scope of investment agreements. Each of these transactions could be prohibited or restricted if the US company collects or maintains bulk US sensitive personal data.
The US company could avail itself of the regulatory approval exemption in sharing bulk sensitive personal data, if such sharing is necessary for the US person or its Chinese partner to obtain or maintain regulatory approval. (In other words, to rely on the regulatory approval exemption, the US company that is sharing the data does not need to be the company seeking regulatory approval.) This exemption is particularly helpful when a US company has licensed Chinese intellectual property to develop a drug candidate in the United States, or licensed its intellectual property to its Chinese partner to develop a drug candidate in China but is contractually required to share data with the Chinese partner for regulatory purposes.
2. My company is seeking regulatory approval for a therapy candidate in China, which requires the submission of clinical data to regulatory authorities. We plan to use a local firm to assist with the process.
The regulatory approval exemption allows for the submission of de-identified data to regulatory authorities that is (a) required by the regulator to obtain or maintain approval to research or market a drug, biologic, device, or a combination product, and (b) reasonably necessary to evaluate the safety and effectiveness of the product. Although the exempt transaction is not prohibited or restricted under the rule, it remains subject to the rule’s recordkeeping and reporting requirements.
Notably, the exemptions allow vendor or employment agreements with a Chinese vendor or China-based employee where Chinese law requires that a local vendor or employee prepare data for submission to the Chinese regulator.
3. My company conducts multinational clinical trials, including in the United States and China. How does the DOJ rule restrict my sharing or aggregating of data?
The DOJ rule does not categorically preclude clinical trials in China or another country of concern, but it may prohibit US persons from providing covered persons with access to bulk US sensitive personal data – subject to the various exemptions.
The rule exempts certain transactions that are connected with FDA-regulated clinical investigations or that support applications to the FDA for research and marketing permits. The rule also exempts transactions involving the collection or processing of de-identified clinical care data indicating real-world performance or safety of products, or the collection or processing of post-marketing surveillance data, and necessary to support or maintain authorization by the FDA. This exemption could permit certain data transactions involving China or Chinese counterparties.
4. Are there special exemptions for federally funded research?
Yes. The rule exempts transactions that are conducted pursuant to a US federal grant, contract, or other agreement. This includes medical research contracts between US persons and laboratories or researchers that are covered persons — transactions that could otherwise be prohibited if not authorized under the federally funded research.
5. My company engages with multiple vendors in China that may have access to different types of company data. For example, one vendor provides generic, cloud-based data storage, and another provides services for biomedical data analysis.
Vendor agreements by which Chinese persons store or process bulk US sensitive personal data could be prohibited or restricted, depending on the type of data. For example, such vendor agreements involving human ‘omic data are generally prohibited, while those involving biometric identifiers or personal health data could be restricted, subject to implementation of a data compliance program, the CISA security requirements, and annual audits.
6. My life sciences company is contemplating investment from a Hong Kong-based investor.
The rule includes Hong Kong and Macau in the definition of China. US companies receiving investment from a Hong Kong investor (including based on upstream ownership) should consider whether the transaction is prohibited or restricted by the rule. US companies should also consider whether other, related transactions implicate the rule, as could the collaboration agreement discussed in scenario 1 above.
Certain passive investments — resulting in less than 10% of the US person’s voting and equity interests and with no rights in the US person beyond standard minority shareholder protections — are exempt from the rule. Investments must also be made into a publicly traded security, into a security offered by an SEC-regulated investment company, or “as a limited partner” into a fund “or private entity.” While the “limited partner” requirement raises some ambiguity, the rule appears to contemplate direct investments into private companies by investors that resemble limited partners, even if the target company is not structured as a partnership. The DOJ may clarify this part of the passive investment exception in future guidance.
The parties should also consider whether the proposed transaction is subject to CFIUS jurisdiction, including a potential mandatory filing under that regime (although CFIUS filings are rarely required for life sciences companies taking foreign investment).
7. My life sciences company is planning to sell assets to a foreign buyer, including human genomic data or personal health data that meets the bulk thresholds.
A sale of these assets could be prohibited data brokerage if the foreign buyer is a covered person (e.g., a UK subsidiary of a Chinese company). And if the foreign buyer is not a covered person, the life sciences company selling these assets must obtain a contractual commitment restricting the foreign buyer from sending the same data to a country of concern or covered person.
For example, a life sciences company may seek to transfer an application for an Investigational New Drug (IND) to another company in the context of a transaction or collaboration. The transfer of clinical data collected for the IND application may be prohibited or restricted depending on the nature of the transferee company and whether the clinical data contains bulk US sensitive personal data.
Conclusion
Life sciences companies should evaluate their current and prospective business practices against the DOJ rule by:
1. Assessing whether the types and volume of sensitive personal data collected constitute bulk sensitive personal data
2. Identifying touchpoints with China (or another country of concern) or with covered persons
3. Determining whether the company may engage in covered data transactions with such persons and, if so, whether an exemption may apply
4. Ensuring collaboration agreements, licensing terms, and other relevant contracts include provisions that align with the scope of applicable exemptions and, if required, restrictions on onward data transfers
Businesses with in-scope activities may need to implement the security requirements set forth by the rule, including those published by the CISA, or modify their business practices to avoid covered data transactions. The rule also requires that US companies implement additional compliance measures, including due diligence and audit requirements, for restricted transactions by October 6, 2025.
[1] Although the definition of “country of concern” includes several countries in addition to China, this alert focuses on China (including Hong Kong and Macau) because it is the country of highest interest to the US life sciences industry. Moreover, the other countries of concern are already subject to US economic sanctions that make the rule’s application to those countries less impactful, particularly in the government-regulated life sciences industry.