DOJ Regulations Will Restrict Data Transactions to Address National Security Concerns

February 20, 2025


Key Takeaways

  • On January 8, 2025, the DOJ published a final rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).
  • Sensitive personal data covered by the rule includes precise geolocation data, personal health data, personal financial data, combinations of specified personal identifiers (e.g., government identification numbers, financial account numbers and personal device identifiers), human ‘omic data (e.g., genomic, epigenomic, proteomic and transcriptomic data) and biometric identifiers. To be covered, the transaction would need to involve identified “bulk thresholds” for each category of sensitive personal data, ranging from 100 to 100,000 U.S. persons.
  • Once effective, certain transactions with entities subject to the jurisdiction of countries of concern—including China and Russia—or with entities directly or indirectly owned by such entities, will be prohibited if the transaction involves the transfer of or access to bulk sensitive personal data or U.S. government-related data. Certain transactions will be permitted to proceed so long as the U.S. person complies with specific security requirements or, in other cases, obtains contractual terms restricting further transfers of the data to covered persons or countries of concern.
  • Concurrently, the Department of Homeland Security’s CISA issued the final security requirements with which U.S. persons engaged in restricted transactions must comply. In addition, the final rule also imposes a variety of compliance obligations such as annual audits, recordkeeping responsibilities, and annual or periodic reporting requirements.
  • The final rule will become effective on April 8, 2025, with certain affirmative requirements regarding due diligence and audits for restricted transactions, annual reports, and reports on rejected prohibited transactions becoming effective on October 6, 2025.
  • While this rulemaking is subject to review under President Trump’s Regulatory Freeze Pending Review Memorandum issued on January 20, 2025, DOJ has not taken any steps to delay the effective date for the final rule as of yet.

Background

The Department of Justice’s (DOJ) final rule implements President Biden’s Executive Order 14117 of February 28, 2024, on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (EO). It is intended to close a perceived gap in existing national security authorities for addressing the threats posed by the continuing efforts of certain countries of concern to access Americans’ sensitive personal data and U.S. government-related data. (For additional information, please see our prior alerts on the proposed rule and on the issuance of the EO and DOJ’s accompanying advance notice of proposed rulemaking.) This new and very complex regulatory regime reflects the U.S. government’s growing national security concern that China and other adversarial governments are obtaining access to Americans’ sensitive personal data through sales and licensing agreements, as well as through certain vendor, employment and investment transactions, and that such agreements and transactions could enable these countries to use biometric, financial, ‘omic, geolocation or health data or other personal identifiers to engage in malicious cyber-enabled activities, espionage, tracking of military and national security personnel, blackmail or other nefarious activities.

The final rule addresses comments submitted by stakeholders in response to DOJ’s earlier proposed rule and advance notice of proposed rulemaking (ANPRM), which offered proposed scoping for regulations implementing the EO. Specifically, the final rule:

  • Governs a wider set of human biological data, expanding its coverage from genomic data to ‘omic data to include genomic, epigenomic, proteomic and transcriptomic data.
  • Exempts the transfer of human biospecimens for non-research medical purposes from its coverage.
  • Clarifies that the bulk thresholds apply to the cumulative total of data transfers to a particular covered person or country of concern in a 12-month period.
  • Adds 723 new locations to the list of government-related locations restricted as government-related data.
  • Allows audits to be conducted by either an external or an internal auditor, so long as the auditor is independent.
  • Exempts from the category of sensitive personal data any metadata that is ordinarily associated with, or reasonably necessary for, the transmission of information or informational materials.
  • Defines telecommunications services to include internet-based communications as well as traditional telecommunications, although it does not include all transmission of IP addresses necessary to enable internet-based communication in the telecommunications exemption.
  • Clarifies that aggregate ownership by multiple covered persons can render an entity a covered person.
  • Adds further examples to a variety of provisions to elucidate the rule’s application in certain circumstances.

In addition, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published its final security measures that, under the final rule, U.S. persons would be required to implement in order to engage in so-called restricted transactions. These are based on the National Institute of Standards & Technology (NIST) Cybersecurity Framework, the NIST Privacy Framework and CISA’s Cross-Sector Cybersecurity Performance Goals. These requirements are divided into (i) organizational and covered system-level requirements and (ii) data-level requirements (i.e., to prevent access to specific data).

On January 20, 2025, President Trump issued the Regulatory Freeze Pending Review Memorandum, which requires all executive departments and agencies to, among other things, consider postponing the effective date for any rule that had been issued prior to January 20, 2025, but that had not yet taken effect, which would include the final rule. Thus far, DOJ has not taken any steps to delay the effective date for the final rule.

Key Scoping Terms

The following key scoping terms used in the final rule mirror those used in the proposed rule, with a few changes:

  • Covered Data Transactions – transactions that involve “access” to any “bulk U.S. sensitive personal data” or “government-related data” by a country of concern or covered person and that involve: (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement.
  • U.S. Person – any U.S. citizen, national or lawful permanent resident; certain protected individual (e.g., refugee or asylee); entity organized under the laws of the United States (including foreign branches); or any person in the United States.
  • Country of Concern – foreign governments determined to (i) be engaged in long-term or serious conduct significantly adverse to U.S. national security and (ii) pose a significant risk of exploiting U.S. government-related or bulk sensitive personal data to the detriment of U.S. national security. The current list is China, Cuba, Iran, North Korea, Russia and Venezuela.
  • Covered Person – this term captures:
    • Foreign entities that are 50% or more owned by a country of concern, whether directly or indirectly, individually or in the aggregate, and entities that are organized under the laws of, or have a principal place of business in, a country of concern.
    • Foreign entities that are 50% or more owned by a covered person, whether directly or indirectly, individually or in the aggregate.
    • Foreign individuals who are employees or contractors of countries of concern, or who are employees or contractors of covered persons.
    • Foreign individuals who are primarily resident in the territorial jurisdiction of a country of concern.
    • Any person, wherever located, that the Attorney General determines (i) to be, to have been, or likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person; (ii) to act, to have acted or purported to act, or likely to act for or on behalf of a country of concern or covered person; or (iii) to have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of these regulations.
    • Note: any person who constitutes a “U.S. person” will not be considered a covered person unless the Attorney General has specifically designated them as such.
  • Bulk U.S. Sensitive Personal Data – the following types and quantities of data regardless of whether it is anonymized, pseudonymized, de-identified or encrypted:
    • Precise geolocation data, defined as real-time or historical data on an individual’s location within 1,000 meters, regarding more than 1,000 U.S. devices (any device with the capacity to store or transmit data that is linked or linkable to a U.S. person).
    • Personal financial data, including any information about an individual’s financial accounts, credit or consumer reports, or purchase or payment history, regarding more than 10,000 U.S. persons.
    • Personal health data, including physical measurements and attributes, diagnoses and treatment history, regarding more than 10,000 U.S. persons.
    • Covered personal identifiers regarding more than 100,000 U.S. persons. This category captures any “listed identifier” (government ID or account number, financial account or ID number, device/hardware-based identifier, demographic or contact data, advertising identifier, account authentication data, network-based identifier such as an IP address or call-detail data) in combination with another listed identifier or in combination with other data that is linked or linkable to other listed identifiers or personal data. Exclusions apply for (i) demographic or contact data that is only linked or linkable to other such data and (ii) network-based identifiers, account-authentication data or call-detail data linked or linkable to other such data for the purposes of telecommunications, networking or a similar service.
    • Human ‘omic data, including genomic, epigenomic, proteomic or transcriptomic data, such as the results of individual genetic testing or data from human genetic sequencing, regarding more than 1,000 U.S. persons (100 U.S. persons for genomic data).
    • Biometric identifiers, including facial recognition, voice prints, retina and iris scans, and fingerprints, regarding more than 1,000 U.S. persons.
    • In cases where there is combined data regarding the above, the lowest applicable threshold that is met for a specific category will apply to the data set.
    • Note that the following are excluded from the definition of sensitive personal data:
      • Data that does not relate to an individual, including trade secrets and proprietary information.
      • Data that is a matter of public record that is lawfully and generally available to the public, such as from government records or unrestricted, open-access repositories.
      • Personal communications that do not “involve the transfer of anything of value.”
      • Informational materials, which the proposed rule narrowly defines as “expressive material” such as art, publications, photographs, films, and records. Data that is technical, functional or otherwise non-expressive remains subject to the rule, except that metadata that is ordinarily associated with, or reasonably necessary for, the transmission of informational materials is also exempted.
  • Government-Related Data – the following data, regardless of volume:
    • Precise geolocation data for locations on a “Government-Related Location Data List” that have been deemed sensitive, which currently includes 731 sites.
    • Any sensitive personal data (as described above) that a transacting party markets as being linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government, including the military and intelligence community.
  • Access – defined broadly as “any logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form, including through information systems, IT systems, cloud-computing platforms, networks, security systems, equipment, or software,” as determined “without regard for the application or effect of any security requirements.”

Prohibited Transactions

U.S. persons are prohibited from knowingly engaging in the following types of covered data transactions:

  1. Those involving data brokerage with a country of concern or a covered person. Data brokerage is defined broadly as the sale of data, licensing of access to data or similar commercial transactions involving the transfer of data from any person to any other person (the recipient), if the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. Transactions where a covered person or country of concern transfers covered data to a U.S. person are not included in the prohibition.
  2. Those involving data brokerage with any foreign person who is not a covered person unless the U.S. person:
    1. Contractually requires that the foreign person refrain from engaging in subsequent covered data transactions involving data brokerage of the same data with a covered foreign person or a country of concern.
    2. Reports any known or suspected violations of this contractual requirement consistent with certain requirements in the regulations.
  3. Those with a country of concern or a covered foreign person that involve access to bulk U.S. sensitive personal data related to bulk human ‘omic data, or to human biospecimens from which bulk human ‘omic data could be derived.
  4. Knowingly directing a transaction that would be a prohibited transaction, or a restricted transaction that fails to meet the applicable requirements, if such transaction were engaged in by a U.S. person. (This category is discussed in further detail below.)
  5. Evading or avoiding these prohibitions, such as by having a covered person travel to the U.S. for the sole purpose of rendering them a U.S. person for just the duration of the transaction.

In addition, any U.S. person that receives and affirmatively rejects an offer to engage in a prohibited transaction involving data brokerage must report this instance to DOJ within 14 days of the rejection. This requirement takes effect 270 days after the rule’s publication, on October 6, 2025.

Restricted Transactions and Accompanying Compliance Obligations

The following transactions are restricted transactions, meaning that a U.S. person may engage in these otherwise prohibited transactions so long as they comply with the CISA security requirements and other ongoing compliance obligations, explained in more detail below.

  1. Covered data transaction involving a “vendor agreement,” which is a non-employment agreement in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.
  2. Covered data transaction involving an “employment agreement,” which is an agreement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.
  3. Covered data transaction involving an “investment agreement,” which is an agreement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to (1) real estate located in the United States; or (2) a U.S. legal entity.

The final CISA security requirements will require any U.S. person engaging in a transaction with a covered person that involves access to bulk sensitive personal data or government-related data in the context of a vendor agreement, an employment agreement or an investment agreement to comply with a series of organizational, system-level and data-level requirements. Those requirements range from implementing basic organizational cybersecurity policies, practices and requirements, such as logical and physical access controls, to applying data minimization and masking strategies, encryption and privacy-enhancing techniques, and implementing denial-of-access processes.

In addition to those cybersecurity-related measures covered by the CISA security requirements, under the final rule, U.S. persons engaging in restricted transactions after October 6, 2025, will be required to:

  • Engage in due diligence prior to pursuing any restricted transactions, which will involve utilizing “Know Your Customer/Know Your Vendor” programs to screen potential partners.
  • Develop and implement a data compliance program that includes risk-based procedures for (i) verifying data flows; (ii) verifying vendors; (iii) a written policy that describes the data compliance program that is to be certified annually; (iv) a written policy describing the implementation of the CISA security requirements; and (v) any other information that DOJ may require.
  • Conduct an annual audit of all restricted transactions.
  • Maintain records for all restricted transactions going back at least 10 years, in an auditable manner.
  • Furnish reports of any covered data transactions at DOJ’s request.
  • File an annual report for any transactions involving cloud-computing services where a covered person owns 25% or more of the U.S. person.

Knowingly Directing

Importantly, U.S. persons will be prohibited from “knowingly directing” covered data transactions by non-U.S. persons (e.g., their employer) that would be a prohibited transaction or restricted transaction that fails to comply with the final rule’s requirements if engaged in by a U.S. person. The final rule does not define “knowingly directing,” but this term has been used in other regulatory regimes to cover situations where a U.S. person exercises their authority to direct, order, decide upon or approve a transaction. Unlike other rules that impose “knowingly directing” prohibitions on U.S. persons, the final rule does not expressly limit this obligation to just U.S. person officers, directors and other persons with executive responsibilities at non-U.S. person companies. Rather, as the examples in the final rule demonstrate, any U.S. person—regardless of their position in the non-U.S. person’s organizational hierarchy—can be subject to the prohibition on knowingly directing covered data transactions so long as they have authority to approve or direct actions of the company that the U.S. person knows will result in prohibited covered data transactions, e.g., signing a contract with a vendor that involves providing a covered person access to sensitive personal data when the company has not adopted the CISA security measures.

While the final rule does not expressly address it, non-U.S. companies should consider developing recusal policies for their U.S. person employees with relevant responsibilities to ensure those employees are not participating in covered data transactions such that they are exposed to potential liability under the final rule.

Exempt Transactions

As in the proposed rule, the final rule exempts the following transactions that would otherwise be prohibited or restricted:

  1. Personal Communications – data transactions that involve any postal, telegraphic, telephonic or other personal communications that do not involve the transfer of anything of value.
  2. Information and Informational Materials – data transactions that involve the importation of information or exportation of any “information and informational materials” (defined above), or of any metadata that is ordinarily associated with, or reasonably necessary for, the transmission of the information or informational materials.
  3. Travel – data transactions that are ordinarily incident to travel to or from any country.
  4. Official Business of the U.S. Government – data transactions to the extent that they are for the conduct of official business of the U.S. government by its employees, grantees or contractors, such as activities specifically funded by federal grants or the authorized activity of federal departments.
  5. Financial Services – data transactions that are ordinarily incident to and part of the provision of financial services, including e-commerce transactions.
  6. Corporate Group Transactions – data transactions that (i) are between a U.S. person and its affiliates located in a country of concern; and (ii) are ordinarily incident to and part of administrative or ancillary business operations, such as the sending of bulk biometric information and personal health information about U.S. employees to a human resources department located abroad.
  7. Transactions to Comply with Law – data transactions that are (i) required or authorized under federal law or pursuant to an international agreement to which the U.S. is a party; (ii) required or authorized under certain global health agreements or frameworks; or (iii) ordinarily incident to and are part of ensuring compliance with federal laws.
  8. Investment Agreements Subject to CFIUS Action – data transactions to the extent that they involve an investment agreement subject to a Committee on Foreign Investment in the United States (CFIUS) action (e.g., a national security agreement).
  9. Telecommunications Services – data transactions, other than data brokerage, that are ordinarily incident to and part of the provision of telecommunications services, including internet-based telecommunications services.
  10. Drug, Biological Product and Medical Device Authorizations – data transactions that are necessary to obtain or maintain regulatory approvals subject to certain conditions.
  11. Other Clinical Investigations and Post-Marketing Surveillance Data – data transactions ordinarily incident to and part of Food and Drug Administration (FDA) clinical investigations and post-marketing surveillance data demonstrating the real-world performance or safety of medications released on the market, such as the global collection of data on the side effects of a particular medication, including effects on U.S. persons, for safety or efficacy analysis outside the United States, so long as the CISA security requirements are followed in de-identifying or pseudonymizing the data.

Authorizations and Advisory Opinions

DOJ intends to adopt a comprehensive licensing regime, whereby it will be able to issue both general and specific licenses authorizing transactions that are otherwise subject to the prohibitions and restrictions of the rule. Persons applying for specific licenses will be required to submit information about the prohibited or restricted transaction at issue and may be requested to furnish additional information DOJ deems necessary to make a determination on the application. DOJ intends to issue determinations on specific license applications within 45 days of receipt of the request. General and specific licensees may be required to file reports with DOJ as a condition of reliance on the authorization. In addition, DOJ intends to accept requests for advisory opinions regarding DOJ’s “present enforcement intentions” regarding proposed transactions.

Penalties

Under the authority of the International Emergency Economic Powers Act, civil penalties for violations of this rule are capped at the larger of $368,136, subject to adjustment for inflation, or twice the amount of the violating transaction. Criminal penalties of up to $1 million and/or 20 years in prison may apply to willful violations.

Conclusion

The final rule applies to an array of transactions, many of which would not normally be described as data brokerage transactions or that do not involve access to sensitive personal data as the primary purpose for the transaction. Companies that collect and maintain—or otherwise facilitate the transfer of or access to—sensitive personal data or government-related data in the normal course of their business activities should carefully review their data collection and transfer activities, as well as all vendor and employment agreements to assess their potential exposure to liability under the final rule and make any necessary adjustments to ensure compliance. Once effective, companies undertaking covered data transactions will become subject to a novel and complex set of cybersecurity, reporting and diligence requirements, requiring the development of robust and effective compliance programs and procedures.

© 2025 Akin Gump Strauss Hauer & Feld LLP. All rights reserved.