Today, April 8, 2025, the U.S. Department of Justice’s Final Rule restricting transfers of bulk sensitive personal data and U.S. government-related data becomes effective, implementing former President Biden’s Executive Order 14117 - Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (the “Final Rule”). The Final Rule aims to protect U.S. national security by restricting certain data transactions with covered persons or countries of concern, which currently include Russia, Iran, North Korea, Cuba, Venezuela, and China (including Hong Kong and Macau). U.S. businesses must work now to ensure compliance and avoid significant penalties for violations.
The Final Rule defines many key terms such as “covered data transaction,” “country of concern,” “U.S. person,” “covered person,” “bulk U.S. sensitive personal data,” “government-related data,” “human ‘omic data,” and “knowingly,” while providing examples of restricted transactions. Ultimately, the Final Rule prohibits certain transfers of U.S. government-related data and bulk U.S. sensitive personal data to covered persons (see §202.243 Prohibited Transaction). It adopts a 50% ownership threshold to capture certain foreign persons as covered persons, an approach akin to the Office of Foreign Assets Control (OFAC) sanctions designations (see §202.211 Covered Person).
U.S. government-related data means certain precise geolocation data, regardless of volume, explicitly enumerated in the rule and any sensitive data, regardless of volume, linkable to current or recent employees of the U.S. government (see §202.222 Government-Related Data and §202.1401 Government-Related Location Data List).
Bulk U.S. sensitive personal data means any amount of sensitive personal data that meets or exceeds the following thresholds at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person:
- Human ‘omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons (human ‘omic data includes human genomic data, human epigenomic data, human proteomic data, and human transcriptomic data, but excludes pathogen-specific data embedded in human ‘omic data sets);
- Biometric identifiers collected about or maintained on more than 1,000 U.S. persons;
- Precise geolocation data collected about or maintained on more than 1,000 U.S. devices;
- Personal health data collected about or maintained on more than 10,000 U.S. persons;
- Personal financial data collected about or maintained on more than 10,000 U.S. persons;
- Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons; or
- Combined data consisting of any combination of the six categories listed above (see §202.205 Bulk and §202.206 Bulk U.S. Sensitive Personal Data).
Prohibited Transactions
The Final Rule prohibits U.S. persons from:
- Knowingly engaging in any covered data transaction involving data brokerage with a country of concern or covered person. A covered data transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves: (a) data brokerage; (b) a vendor agreement; (c) an employment agreement; or (d) an investment agreement (see §202.301 Prohibited Data-Brokerage Transactions and §202.210 Covered Data Transaction).
- Knowingly engaging in any transaction that involves any access by a foreign person to government-related data or bulk U.S. sensitive personal data and that involves data brokerage with any person, unless the foreign person is contractually restricted from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person, and the U.S. person reports any known or suspected violation of that contractual requirement (see §202.302 Other Prohibited Data-Brokerage Transactions Involving Potential Onward Transfer to Countries of Concern or Covered Persons).
- Knowingly engaging in any covered data transaction with a country of concern or covered person that involves access by that country of concern or covered person to bulk U.S. sensitive personal data that includes bulk human ‘omic data, or to certain human biospecimens (see §202.303 Prohibited Human ‘Omic Data and Human Biospecimen Transactions).
- Knowingly directing any transaction that would be a prohibited transaction, or a restricted transaction that fails to meet the applicable requirements, if such transaction were engaged in by a U.S. person (see §202.305 Knowingly Directing Prohibited or Restricted Transactions).
- Evading or avoiding, causing a violation of, or attempting to violate these prohibitions (see §202.304 Prohibited Evasions, Attempts, Causing Violations, and Conspiracies).
The prohibited transactions are categorically prohibited unless otherwise authorized pursuant to an exemption, general license, or specific license.
Restricted Transactions
The Final Rule creates a set of restricted transactions, consisting of vendor agreements, employment agreements, and investment agreements, in which U.S. persons may engage only if the U.S. person complies with certain cybersecurity program requirements published by the Cybersecurity and Infrastructure Security Agency (CISA), as well as reporting and recordkeeping requirements (see §202.401 Authorization to Conduct Restricted Transactions).
Exempted Transactions
The Final Rule exempts the following categories of transactions that would otherwise be prohibited or restricted transactions:
- Personal Communications
- Information and Informational Materials
- Travel
- Official Business of the U.S. Government
- Financial Services
- Corporate Group Transactions
- Transactions Required or Authorized by Federal Law or International Agreements, or Necessary for Compliance with Federal Law
- Investment Agreements Subject to CFIUS Action
- Telecommunication Services
- Drug, Biological Product, and Medical Device Authorizations
- Other Clinical Investigations and Post-Marketing Surveillance Data (see Exempt Transactions §§202.501 through 202.511)
Licensing and Advisory Opinions
The Final Rule provides for processes to obtain licenses authorizing otherwise prohibited or restricted transactions (see Licensing §§202.801 through 202.803). Additionally, the Final Rule provides the ability to apply for advisory opinions as necessary (see Advisory Opinions §202.901).
Reporting and Recordkeeping Requirements
The Final Rule enacts compliance requirements for due diligence and audits of restricted transactions, as well as other recordkeeping and annual reporting requirements. The reporting requirements include an obligation to file an annual report of certain restricted transactions, which becomes effective on October 6, 2025 (see Reporting and Recordkeeping Requirements §§202.1101 through 202.1104).
Penalties
The Final Rule provides substantial civil and criminal penalties for violations. Civil penalties can reach the greater of $368,136 (subject to adjustment for inflation) or twice the amount of the transaction. For willful violations, criminal penalties include fines of up to $1 million and imprisonment of up to 20 years (see Penalties and Finding of Violation §§202.1301 through 202.1306).
Conclusion
The Final Rule becomes effective today, April 8, 2025. U.S. businesses that collect, maintain, or transfer sensitive personal data or government-related data should carefully review their business activities alongside their data collection and transfer policies. A U.S. business can then assess its potential exposure to liability under the Final Rule and make any necessary policy adjustments for covered data transactions to ensure ongoing compliance in its data collection and transfers.