Introduction
The United States Department of Justice (DOJ) has introduced a final rule that reshapes the landscape of cross-border data transfers. The Final Rule represents a significant shift in regulatory oversight, directly restricting the transfer of sensitive personal data and government-related data to designated countries of concern. It establishes a new compliance framework that every business engaged in data transactions must now navigate. The rule specifically targets ‘covered transactions,’ which are subject to strict legal restrictions and compliance requirements, emphasizing the enforcement provisions for transactions involving sensitive personal data with countries of concern or government-related data.
The rule has broad implications for organizations that handle personal health data, personal financial data, human genomic data, and other categories of covered data. It applies not only to direct data brokerage transactions but also to a wide range of commercial relationships, including vendor agreements, employment agreements, and investment agreements. Businesses dealing with clinical care data, post-marketing surveillance data, or regulatory approval data must also ensure that their collected or processed data is protected in line with DOJ requirements.
The overarching purpose of the rule is to safeguard national security by reducing foreign access to bulk sensitive personal data and preventing the misuse of data, including biometric identifiers, covered personal identifiers, and clinical investigations regulated under federal law. Non-compliance exposes organizations and individuals to significant civil and criminal penalties, reinforcing the importance of building strong data compliance programs and adopting preventive measures against restricted transactions.
Identifying Restricted Parties
The DOJ rule identifies six countries of concern: China, Cuba, Iran, North Korea, Russia, and Venezuela. Transfers of U.S. sensitive personal data to these jurisdictions are heavily restricted due to their potential to compromise cybersecurity and infrastructure security, threaten national security, or allow for misuse of data involving government employees and U.S. persons.
Covered persons under the rule include individuals and entities associated with these countries, such as data brokers, employees who perform job functions directly involving sensitive data, and vendors with covered person access to collected or processed data. For example, if a foreign person or company in a country of concern is involved in a covered data transaction involving bulk data, the U.S. business counterpart must carefully evaluate the arrangement to avoid prohibited transactions.
Businesses must actively identify and monitor these restricted entities when managing data flows. This requires conducting thorough due diligence to determine whether a potential counterparty falls under the definition of a covered person. Since the rule applies not only to foreign organizations but also to U.S. entities employing individuals with links to countries of concern, the scope of compliance goes far beyond simple geography.
Understanding Prohibited Activities
One of the central features of the DOJ rule is its explicit prohibition of certain data transactions. Specifically, prohibited transactions include those that provide covered persons access to bulk sensitive personal data, including human omic data such as genomic, proteomic, and other omic data. These restrictions are designed to limit the risk of foreign investment or similar commercial transactions that expose large datasets of Americans’ sensitive personal data through data transfer activities.
In addition, the rule targets data brokerage transactions involving sensitive personal data linkable to individuals. The rule also applies to transactions that specifically involve data brokerage, such as online tracking and data aggregation activities. For instance, one’s own first-party data may not be restricted, but once that information is shared or sold in a data brokerage transaction, it falls under the regulatory framework. Data brokerages are subject to the rule’s restrictions, especially in the context of prohibited or restricted transactions involving sensitive personal data. Businesses engaging in employment agreements, vendor agreements, or investment agreements that enable access to covered data by a covered person must also take preventive steps to avoid violation.
Restricted activities are not outright banned but instead require compliance with additional obligations such as recordkeeping, risk assessments, and audit requirements. By distinguishing between restricted transactions and prohibited transactions, the DOJ gives businesses a clear roadmap for determining which data-related practices may continue under stricter oversight.
Data Protection and Security
The DOJ rule emphasizes the need for organizations to adopt a robust data security program tailored to protecting sensitive data. Such a program must include strong encryption, role-based access controls, and secure storage of encrypted data to reduce exposure in the event of unauthorized access. Federal oversight, such as that provided by a cybersecurity and infrastructure agency, plays a key role in setting security standards and ensuring proper oversight in cross-border data handling. Businesses must also establish safeguards for data at rest, in transit, and during cross-border data transfers, ensuring that processed data cannot be exploited by covered persons.
Equally important is the requirement to implement ongoing risk assessments and due diligence procedures when engaging in covered data transactions. This involves monitoring clinical investigations, medical device authorizations, and post-marketing surveillance data to ensure that covered persons cannot gain unauthorized access. Companies handling employment agreements or vendor agreements involving covered data must confirm that their partners’ data security programs meet DOJ standards.
Without such measures, businesses face significant exposure to both civil penalties and criminal penalties. Failing to implement adequate data security measures increases an organization’s risk exposure to data breaches, regulatory violations, and unauthorized access to sensitive information. Beyond compliance, these measures help organizations build trust with customers by demonstrating a commitment to protecting personal identifiers and bulk sensitive personal data from unauthorized exploitation.
Transaction Requirements and Licensing
The rule establishes a licensing framework for restricted transactions, requiring businesses to obtain regulatory approval before proceeding. To engage in such transactions, companies must submit detailed applications to the DOJ, outlining the nature of the data involved, the parties to the transaction, and the proposed data compliance program. Licensing decisions are reviewed on a case-by-case basis, considering national security and the risk posed by granting access to covered data.
Certain exempt transactions are not subject to the rule’s restrictions. Exempt transactions typically include those involving government activity, national security, or transactions that are otherwise excluded by regulatory frameworks. Notably, transactions involving informational materials are specifically exempted from regulation under the Bulk Data Rule. Understanding which transactions qualify as exempt, especially those involving informational materials, is crucial for compliance, as it helps organizations avoid unnecessary regulatory obligations and ensures proper adherence to the law.
Businesses seeking approval may need to provide evidence of their ability to maintain regulatory authorization across multiple agencies, particularly when handling regulatory approval data, clinical care data, or clinical investigations regulated under federal law. The DOJ, often working with the Cybersecurity and Infrastructure Security Agency, evaluates whether such restricted transactions pose risks that cannot be mitigated even with robust safeguards.
This licensing process underscores the importance of legal and compliance teams within organizations. Companies must not only prepare applications but also integrate DOJ requirements into ongoing contracts, including investment agreements, vendor agreements, and employment agreements.
Managing Restricted Transactions
Businesses that engage in restricted transactions must establish clear management protocols. These include thorough due diligence on counterparties, ongoing monitoring of data flows, and regular internal reviews to ensure compliance with the DOJ rule. Maintaining a clear audit trail of covered data transactions is critical for demonstrating accountability and avoiding potential civil penalties.
Additionally, companies must ensure that third-party vendors comply with the same standards. This means embedding compliance clauses into vendor agreements and requiring regular certifications from data brokers or contractors. Given that violations may result in prohibited transactions, oversight cannot be limited to in-house operations; it must extend across the organization’s full supply chain.
Recordkeeping requirements obligate businesses to maintain detailed documentation of such transactions, including logs of collected or processed data, identities of covered persons, and results of due diligence investigations. Reporting obligations also require notifying regulators of any suspicious activity, further ensuring transparency in cross-border data transfers.
Compliance and Bulk Data
Compliance is not optional. Companies must build and implement a comprehensive data compliance program that addresses both operational risks and regulatory requirements. This includes policies for handling bulk data such as human genomic data, clinical care data, and government-related data. Businesses must demonstrate how they prevent unauthorized access to covered personal identifiers and sensitive personal data linkable to individuals.
Audits and risk assessments form the backbone of compliance. These processes enable businesses to identify gaps in data security programs, evaluate exposure risks from foreign persons, and implement necessary safeguards. Compliance programs should also account for obligations under other federal law, including the International Emergency Economic Powers Act, ensuring consistency across legal frameworks.
Failure to comply may result in steep penalties. Civil penalties can reach $368,136 or twice the amount of the transaction, while criminal penalties may involve imprisonment and significant fines. By proactively adopting compliance measures, businesses can reduce risk, ensure ongoing access to global markets, and protect themselves from reputational harm.
Enforcement and Next Steps
The DOJ’s National Security Division has been tasked with enforcing these rules, highlighting the seriousness of compliance. Enforcement efforts will target both U.S. and foreign businesses that attempt to bypass restrictions through indirect data brokerage transactions or improperly structured investment agreements. By leveraging tools like the International Emergency Economic Powers Act, regulators are positioned to impose sanctions, fines, and other remedies against violators.
Businesses must therefore take immediate steps to align with the new requirements. This includes revising employment agreements, vendor agreements, and data brokerage transactions to ensure compliance, training staff who perform job functions directly involving covered data, and investing in advanced data security programs. Conducting internal audits and establishing escalation protocols for suspicious activity should also be prioritized.
The rule marks a significant shift in how the U.S. regulates cross-border data transfers, signaling that sensitive data is now considered a core component of national security. Organizations that adapt early will not only avoid penalties but also position themselves as leaders in data protection and compliance.
Conclusion
The DOJ’s final rule on cross-border data transfers represents a fundamental change for businesses handling sensitive personal data. By restricting covered data transactions with countries of concern and imposing strict requirements on data brokerage, vendor agreements, and investment agreements, the regulation places national security above convenience.
For businesses, the challenge lies in balancing operational efficiency with compliance. Whether managing bulk sensitive personal data, biometric identifiers, or collected or processed data in clinical investigations, companies must prioritize a strong data compliance program. It is important to note that certain transactions that are ordinarily incident to clinical investigations or post-marketing surveillance may be exempt from the rule, so understanding these exceptions is crucial for compliance. With civil penalties reaching hundreds of thousands of dollars and potential criminal penalties on the line, compliance is no longer optional; it is essential.
The path forward requires vigilance, investment in data security programs, and a commitment to transparency in all covered data transactions. By taking these steps, businesses can maintain trust, safeguard U.S. sensitive personal data, and operate securely in an increasingly regulated global data economy.