On December 27, 2024, the Department of Justice (the “DOJ”) issued its final rule (the “Rule”) carrying out Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The Rule is designed to prevent access to certain categories of U.S. data by China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela (collectively, “Countries of Concern”), as well as by foreign entities or individuals with significant ties to these nations (“Covered Persons”). The Rule will take effect on April 8, 2025.
Scope
The Rule applies to U.S. government-related data and the following categories of U.S. sensitive personal data, each as defined in the Rule (collectively, “Covered Data”):
- Precise geolocation data
- Biometric identifiers
- Human ‘omic data
- Personal health data
- Personal financial data
- Personal identifiers
The Rule sets out bulk thresholds applicable to each of these categories of U.S. sensitive personal data. There is no bulk threshold applicable to U.S. government-related data. Notably, the Rule applies to bulk U.S. sensitive personal data regardless of whether the data is anonymized, pseudonymized, de-identified or encrypted.
Under the Rule, transactions involving Covered Data with Countries of Concern or Covered Persons are categorized as: (1) Prohibited Transactions; (2) Restricted Transactions; or (3) Exempt Transactions, as detailed below:
- Prohibited Transactions: The Rule prohibits the following:
  - Countries of Concern / Covered Persons: Any transaction of Covered Data involving data brokerage (e.g., sale, licensing, or other similar commercial transaction) with a Country of Concern or Covered Person;
  - Foreign Persons that are not Covered Persons: Any transaction of Covered Data involving data brokerage with a foreign person that is not a Covered Person unless certain requirements are met as set out in the Rule.
- Restricted Transactions: The Rule prohibits the following, unless the U.S. entity conducting the data transaction complies with the Rule’s security and other requirements:
  - Any transaction of Covered Data with Countries of Concern or Covered Persons involving a/an (i) vendor agreement, (ii) employment agreement, or (iii) investment agreement (each as defined in the Rule).
- Exempt Transactions: Certain data transactions are exempt from these prohibitions and restrictions, subject to specific conditions.
Compliance Deadlines
- The Rule takes effect on April 8, 2025.
- Additional diligence requirements for Restricted Transactions become enforceable beginning on October 6, 2025.
Implications & Next Steps
The Rule, designed to address risks to U.S. national security posed by access to sensitive data by foreign adversaries, is broad in its scope and regulates data transactions through a framework that deviates significantly from existing data privacy protection laws. The DOJ has stated it intends to issue additional guidance on the Rule’s requirements. We continue to monitor developments with respect to the Rule.
The Rule has significant implications for businesses handling sensitive data and engaging in cross-border data transactions. Organizations should assess their data-sharing and receiving practices, ensure compliance with the Rule’s requirements, and avoid Prohibited Transactions.
Correct application of the Rule requires careful analysis.