US: Department of Justice Issues Final Rule Restricting the Transfer of Sensitive Personal Data and United States Government-Related Data to “Countries of Concern”

[co-authors: Morven Henderson, Rachel de Souza]

On April, 8 2025, the Department of Justice’s final rule, implementing the Biden-era Executive Order 14117 restricting the transfer of Americans’ Sensitive Personal Data and United States Government-Related Data to countries of concern (the “Final Rule“), came into force. The Final Rule imposes new requirements on US companies when transferring certain types of personal data to designated countries of concern or covered persons.

Executive Order 14117, and the implementing Final Rule , intends to address the threat of foreign powers and state-sponsored threat actors using Americans’ sensitive personal data for malicious purposes. The Final Rule sets out the conditions under which a bulk transfer of sensitive personal data or US government-related data to a country of concern or covered person will be permitted, restricted or prohibited.

The Final Rule underpins the higher levels of scrutiny from the US government over bulk cross-border data transfers which may pose a risk to the US national interests, and the tightening of compliance requirements on US companies to protect sensitive personal data and government data when engaging with these countries, or those connected.

Scope of the Final Rule

The key elements determining the applicability and scope of the Final Rule, when applied to a data transaction by a US entity, are:

• Countries of Concern: As noted above, the Final Rule designates six countries as countries of concern: (1) China (including Hong Kong SAR and Macau SAR), (2) Cuba, (3) Iran, (4) North Korea, (5) Russia, and (6) Venezuela. The transfer of sensitive data to Covered Persons within these jurisdictions could therefore be captured.
• Covered Persons: The Final Rule defines four classes of covered persons as the transacting party that will require additional scrutiny: (1) foreign entities that are 50% or more owned by a country of concern, organized under the laws of a country of concern, or have their principal place of business in a country of concern; (2) foreign entities that are 50% or more owned by a covered person; (3) foreign employees or contractors of countries of concern or entities that are covered persons; and (4) foreign individuals primarily resident in countries of concern.
• Sensitive Personal Data: The Final Rule regulates transactions involving six categories of sensitive personal data: (1) certain covered personal identifiers; (2) precise geolocation data; (3) biometric identifiers; (4) human genomic data and three other types of human ‘omic data (epigenomic, proteomic, or transcriptomic); (5) personal health data; and (6) personal financial data.
• Bulk Sensitive Personal Data: Within these Sensitive Personal Data categories, different thresholds for the volume of data being transferred are applied. These thresholds determine the applicability of the Final Rule to the transaction. The prohibitions and restrictions apply to covered data transactions involving sensitive personal data exceeding certain thresholds over the preceding 12 months before the transaction. For example, compliance requirements for the transfer of precise geolocation data will not be triggered unless location data from over 1,000 US persons or devices is being transferred. Contrastingly, the data transfer of the personal identifiers (such as social security numbers) of over 100,000 US persons will be required before the threshold is met. The definition of ‘bulk’ and how this applies across the categories of personal data is therefore key.

Prohibited or restricted transactions?

Alongside these key elements, the Final Rule determines that the type of transaction under which the data is being transferred will inform whether the transaction is restricted, prohibited or exempt from scrutiny. A transaction falling into the category of restricted will impose the new, additional compliance requirements on US Companies before the transaction can proceed.

The Final Rule prohibits transactions involving (1) data brokerage (i.e., “the sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data”), and (2) covered data transactions involving access to bulk human ‘omic data or human biospecimens from which such data can be derived. The outright prohibition on data brokerage agreements with countries of concern is extended further, with the Final Rule also requiring US persons to contractually ensure that data brokerage transactions with other foreign persons, who are not countries of concern or covered persons, do not enable the transfer of the same data to countries of concern under subsequent arrangements. This additional safeguard on data brokerage where sensitive personal data is involved underlines the requirement for sufficient due diligence with overseas partners.

Vendor, employment, and non-passive investment agreements are captured as restricted transactions. These transactions are permitted if they meet certain security requirements developed by the Cybersecurity and Infrastructure Agency (CISA).

Finally, data transactions which fall under categories such as (but not limited to) personal communications that do not transfer anything of value, ordinary corporate group transactions between a U.S. person and its foreign subsidiary or affiliate, and financial services involving transactions ordinarily incident to and part of providing financial services, are exempt from any compliance requirements under the Final Rule: illustrating the practical intention of the requirements.

Compliance obligations

CISA requirements detail the types of cybersecurity, data retention, encryption and anonymisation policies, alongside other measures, that can be adopted by US companies in order to bring a restricted transaction into compliance, ensuring the safety of sensitive personal data.

An enhanced due diligence exercise is therefore expected when seeking to transact with covered persons, where the bulk transfer of sensitive personal data is a possibility. Key features of this include the implementation of a data compliance program, including comprehensive policies, procedures and record keeping surrounding data involved in a restricted transaction, as well the completion of third-party audits to monitor compliance with the Final Rule. Finally, reporting is expected when engaging in restricted transactions, demonstrating the depth of US government oversight and interest in these transactions.

FAQs, Compliance Guide and Enforcement Policy

On April 11, 2025, the Department of Justice published answers to Frequently Asked Questions; a Compliance Guide; and issued a Implementation and Enforcement Policy for the first 90 days of the Final Rule. (i.e. through July 8, 2025).

• Compliance Guide. The Compliance Guide aims to provide ‘general information’ to assist individuals and entities when complying with the Data Security Program (“DSP”), established by the Department of Justice’s National Security Division to implement the Final Rule and Executive Order 14117. The Compliance Guide includes guidance on a number of different areas, including, key definitions, steps that organizations should take to comply with the Final Rule, model contract language and prohibited and restricted data transactions.

• FAQs. The Department of Justice has provided answers to more than 100 FAQs, which aim to provide high level clarifications about Executive Order 14117 and the DSP, including, for example, answers to questions in relation to scope of the DSP; the effective date of the Final Rule; definitions , exemptions; and enforcement and penalties.

• Implementation and Enforcement Policy for the First 90 Days (“the Policy“): The Policy states that during the first 90 days, enforcement will be limited “to allow U.S. persons (e.g., individuals and companies) additional time to continue implementing the necessary changes to comply with the DSP “. Specifically, the Policy is clear that there will be limited civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025 “so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time”. The Policy provides examples of ‘good faith efforts’, including: conducting internal reviews of access to sensitive personal data; renegotiating vendor agreements or negotiating contracts with new vendors; transferring products and services to new vendors; implementing CISA security requirements; adjusting employee work locations, roles or responsibilities; and evaluating investments from countries of concern or covered persons. The Policy stated that at “the end of this 90-day period, individuals, and entities should be in full compliance with the DSP.”

Next steps

Whilst certain due diligence, auditing, and reporting obligations will not become effective until October 2025, preparation for effective oversight and compliance with the CISA requirements can begin now. In particular, organisations should assess current compliance measures in place to identify potential compliance gaps and establish controls to address those gaps, in order to be able to demonstrate that they are engaging in “good faith efforts.” 

[View source.]