Justice Department Issues Final Rule on Bulk Transfers of Sensitive Personal Data to Certain Countries

The final rule establishes prohibitions and restrictions on the transfer of certain data due to national security risks from specified countries of concern.

On Friday, December 27, 2024, the U.S. Department of Justice ("DOJ") issued the final rule implementing the Biden White House's Executive Order 14117, "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern." Those countries include: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. The rule creates a new national security regulatory program within DOJ and establishes the country's first prohibitions and restrictions on the transfer or export of personal data in certain transactions. The rule is designed to address national security risks and is not a federal privacy regulation. The rule goes into effect April 8, 2025. 

Generally, the rule applies to entities that are 50% or more owned by a country of concern or covered person. A covered person includes foreign entities that are 50% or more owned (directly or indirectly) by a country of concern, organized under the laws of a country of concern, or have a principal place of business in a country of concern. Covered persons also include foreign employees or contractors, or individuals residing, in countries of concern. A U.S. subsidiary is generally not a covered person unless specifically designated by DOJ.

"Covered data transactions" are those that involve any access to any government-related data or bulk U.S. sensitive personal data and that involve data brokerage, a vendor agreement, an employment agreement, or an investment agreement. "Sensitive" personal data means: (i) covered personal identifiers; (ii) precise geolocation; (iii) biometric identifiers; (iv) human genomic data and other human omic data; (v) personal health data; and (vi) personal financial data. There are several exempted transactions, including those related to certain corporate group transactions, clinical investigations, or drug approval processes, among others.

Prohibited transactions: U.S. persons are prohibited from knowingly engaging in a covered data transaction involving data brokerage with a country of concern or covered person. Brokerage means sale of data, licensing of access to data, or commercial transactions involving data transfers where the recipient did not collect or process data directly from individuals. This prohibition applies to data that is resold or transferred through third parties to countries of concern. Also, the rule prohibits knowingly engaging in any covered data transaction that provides access to bulk human genomic data to a country of concern or covered person.

Restricted transactions: U.S. persons cannot knowingly engage in bulk transfers of sensitive personal data related to vendor, employment, and non-passive investment agreements unless the transaction meets certain security requirements developed by the Cybersecurity and Infrastructure Security Agency ("CISA"). There are affirmative compliance requirements for restricted transactions, including annual audits by an independent auditor, annual certifications, risk-based procedures, and recordkeeping for 10 years. 

There are certain annual and ad hoc reporting requirements for both prohibited and restricted transactions. 

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.