Privacy & Data Security Alert

June 17, 2025

Enforcement Date for DOJ’s Sensitive Data Rule Approaches: Are Your Cross-Border Transfers Compliant?

By Amanda Witt, Jennie Cunningham

On April 8, 2025, the Department of Justice’s Final Rule, titled “Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (the “Final Rule”), came into force. The Department of Justice (“DOJ”) announced that it would not enforce the Final Rule through July 8, 2025, so long as companies are engaging in good-faith efforts to comply or come into compliance. The DOJ issued the Final Rule on December 27, 2024, to implement Executive Order 14117, which was signed by President Biden. The purpose of the Final Rule is to address the threat of foreign adversaries acquiring or buying Americans’ sensitive personal data in bulk and using it for malicious purposes. The Final Rule establishes a new regulatory regime, the Data Security Program (“DSP”), that restricts certain “covered data transactions,” prohibits others, and introduces new compliance obligations and potential civil and criminal penalties for noncompliance.

Definitions and Applicability

The Final Rule defines a “covered data transaction” as a transaction that involves any access to “bulk U.S. sensitive personal data or government-related data” by a “country of concern” or a “covered person,” and that involves data brokerage, or a vendor, employment, or investment agreement. The “countries of concern” are China, Cuba, Iran, North Korea, Russia, and Venezuela. A “covered person” is an entity organized under the laws of, or with its principal place of business in, a country of concern; an entity with 50% or more ownership (directly or indirectly, individually or in the aggregate) by a country of concern or by persons otherwise defined as covered persons; a foreign person who is an employee or contractor of such an entity; or a foreign person who is a primary resident of a country of concern. There are no exceptions for anonymized, pseudonymized, or de-identified data.

The Final Rule defines U.S. “sensitive personal data” as “covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof.” Covered personal identifiers refer to combinations of certain listed data elements including partial government identification numbers, PINs, contact information, and a range of online trackers and device identifiers (cookies, ad IDs, etc.). The Final Rule only applies to certain “bulk” thresholds of U.S. sensitive personal data, which differ depending on the type of U.S. sensitive personal data at issue:

DATA TYPE                      BULK THRESHOLD
Human ‘omic Data               >100 U.S. persons (human genomic data); >1,000 U.S. persons (all other human ‘omic data)
Biometric Identifiers          >1,000 U.S. persons
Precise Geolocation Data       >1,000 U.S. persons or devices
Personal Health Data           >10,000 U.S. persons
Personal Financial Data        >10,000 U.S. persons
Covered Personal Identifiers   >100,000 U.S. persons

The Final Rule does not include thresholds for “government-related data,” which is defined, regardless of volume, as (1) precise geolocation data for any location within any area enumerated on the “Government-Related Location Data List,” or (2) any sensitive personal data that a transacting party markets as linked or linkable to current or recent former U.S. government employees or contractors, or to former U.S. government senior officials.

Cross-border transfers involving covered data transactions fall into two defined categories: restricted or prohibited. “Restricted” transactions are covered data transactions pursuant to vendor agreements, employment agreements, or investment agreements. Restricted transactions require U.S. persons to comply with the cybersecurity requirements published on January 8, 2025, by the Cybersecurity and Infrastructure Security Agency (“CISA”), as well as data compliance program requirements, annual audits, and recordkeeping requirements. “Prohibited” transfers are certain types of covered data transactions that U.S. persons may not engage in, primarily those involving data brokerage or bulk human ‘omic data with a covered person or country of concern. One category of prohibited transfer is conditional: data brokerage agreements involving the transfer of government-related data or bulk U.S. sensitive personal data to any foreign person under 28 CFR § 202.302 are prohibited unless U.S. persons meet certain compliance obligations, including contractual prohibitions on onward transfers and ongoing reporting requirements. The Final Rule also specifically bars any transaction conducted for the purpose of evading DSP prohibitions. The Final Rule defines data brokerage broadly, to include commonly used online tracking technologies, potentially affecting numerous companies that are not otherwise considered data brokers.

Key Requirements

The CISA compliance requirements for restricted transactions are divided into two sections: (1) organizational- and system-level requirements and (2) data-level requirements.

The organizational- and system-level requirements for “covered systems” that interact with the covered data as part of a restricted transaction (regardless of whether the data is encrypted, anonymized, pseudonymized, or de-identified) include:

  • maintaining an updated asset inventory;
  • designating a person responsible and accountable for (1) cybersecurity and (2) governance, risk and compliance (can be one person for both, or two different people);
  • remediating known exploited vulnerabilities within 45 days;
  • documenting and maintaining all vendor/supplier agreements for covered systems;
  • developing and maintaining an accurate network topology of any network interfacing with a covered system (to support visibility and incident response);
  • implementing a policy for requiring approval for new hardware or software, and maintaining a risk-informed allowlist;
  • maintaining incident response plans and reviewing them at least annually;
  • implementing logical and physical access controls to prevent covered persons/countries of concern from accessing covered data, with mandatory measures that include: enforcing MFA/robust password practices, promptly revoking credentials upon termination/role change, logging related to access- and security-focused events (and associated practices), implementing deny-by-default configurations, and managing credentials that adequately prevent access to covered data, transactions and functions by covered persons and/or countries of concern; and
  • conducting an internal risk assessment (including mitigation strategies).

The data-level requirements for restricted transactions, to be implemented in a combination that is “sufficient to fully and effectively prevent access to covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology by covered persons and/or countries of concern, consistent with the data risk assessment” include:

  • applying data minimization and masking strategies;
  • applying specific encryption techniques;
  • applying privacy enhancing technologies; and
  • configuring the identity and access management techniques to deny authorized access to covered data.

The CISA requirements clarify that any systems used to implement data-level requirements (e.g., systems used to store encryption keys) should also be treated as covered systems.

Enforcement

Civil penalties for violations, assessed pursuant to Section 206 of the International Emergency Economic Powers Act (“IEEPA”), include fines of up to $368,136 or twice the amount of the transaction that is the basis of the violation, whichever is greater. IEEPA also allows for criminal penalties in cases of willful noncompliance, including attempts, conspiracy, or aiding and abetting. Criminal convictions can result in up to 20 years’ imprisonment and/or a fine of up to $1,000,000. The DOJ is permitted to demand complete information, including reports, related to acts, transactions, and covered data transactions connected to any DSP matter under investigation.

Conclusion and Next Steps

The Final Rule is broad and will apply to many companies due to the routine transactions and data it encompasses, including companies that have not historically had significant exposure to cross-border restrictions. While the DOJ granted a brief reprieve from enforcement, the grace period is quickly drawing to a close, and companies should take proactive steps toward substantial compliance before the July deadline. These immediate steps include a robust “know-your-data” effort, including a data inventory that covers commercial transactions, vendor arrangements, and employee data; a review of online tracking technology compliance; an assessment of vendor management program(s); a review of security measures and remediation where needed; and preparation of an appropriate risk assessment. Companies should also assess the impact of the Final Rule on related cross-border compliance programs, including export controls, economic sanctions, CFIUS agreements, and the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA).

For more information, please contact Amanda Witt and Jennie Cunningham.