This article was originally published by IAPP.
On 8 Jan. 2025, the U.S. Department of Justice published in the Federal Register its final rule on protecting Americans’ sensitive data from foreign adversaries. As a follow-up, on 11 April, the DOJ’s National Security Division took additional steps to implement the final rule: it issued answers to more than 100 frequently asked questions, published a compliance guide, and announced a limited enforcement policy for the first 90 days after the rule took effect.
This overview of the final rule outlines its statutory authority, describes covered data transactions, and provides background on key definitions, various exemptions, exclusions and other provisions.
What is the statutory basis for the final rule?
On 28 Feb. 2024, the Biden administration declared a national emergency under the International Emergency Economic Powers Act regarding access by China and other countries of concern to U.S. sensitive personal data and government-related data. It did so in Executive Order 14117 on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” which directed various U.S. government agencies to take action, including a directive to the DOJ to develop the regulation that became the final rule.
What is a ‘covered data transaction’ under the final rule?
The term “covered data transaction” means any transaction that involves any access by a country of concern or covered person to any bulk “U.S. sensitive personal data” or “government-related data” and that involves:
- Data brokerage. The sale, licensing, or similar commercial transaction involving covered data and a country of concern or covered person, excluding vendor, employment and investment agreements.
- A vendor agreement. Any agreement or arrangement, other than an employment agreement, in which a person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.
- An employment agreement. Any agreement, other than an independent contractor arrangement, where an individual performs work for another person in exchange for payment or other consideration.
- An investment agreement. Any agreement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to U.S. real estate or a U.S. legal entity, with exclusions for certain passive investments.
Bulk U.S. sensitive personal data means “a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds” the “bulk” thresholds set forth in the final rule.
U.S. sensitive personal data is:
- Covered personal identifiers on more than 100,000 U.S. persons. A covered personal identifier is any “listed identifier” in combination with another listed identifier. Listed identifiers include government identification or account numbers; full financial account numbers or PINs; device-based or hardware-based identifiers, such as a MAC address; demographic or contact data, including name, birthdate, ZIP code, residential address, phone number or email address; advertising identifiers, such as a MAID; account authentication data; network-based identifiers, such as an IP address; and call-detail data.
- Precise geolocation data on more than 1,000 U.S. devices, meaning data that identifies the physical location of an individual or device to within 1,000 meters.
- Biometric identifiers on more than 1,000 U.S. persons, meaning measurable physical characteristics or behaviors used to recognize or verify an individual’s identity.
- Human ‘omic data on more than 1,000 U.S. persons, except that human genomic data has a lower threshold of more than 100 U.S. persons.
- Personal health data of more than 10,000 U.S. persons — meaning health information that indicates, reveals or describes the past, present or future physical or mental health of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to the individual.
- Personal financial data of more than 10,000 U.S. persons — meaning data about an individual’s credit, charge or debit card, or bank account, including purchases and payment history; data in a bank, credit or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or consumer report.
- Any combination of the categories above, or any listed identifier linked to one of the categories above, where any one of the combined data types meets its own threshold.
Government-related data means: Any precise geolocation data, regardless of volume, for any location within any area on the Government-Related Location Data List found within the final rule or any “sensitive personal data,” regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government.
What are the countries of concern? Who are the covered persons?
The six countries of concern are China — including Hong Kong and Macau — Cuba, Iran, North Korea, Russia and Venezuela. This list has not changed since the DOJ announced the advance notice of proposed rulemaking in late February 2024 or the proposed rule in October 2024.
The term “covered person” is defined broadly and borrows U.S. sanctions terminology from the U.S. Department of the Treasury’s Office of Foreign Assets Control’s “50 Percent Rule”:
- A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern or persons described in the bullet below; or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern.
- A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in the bullet above or bullets below.
- A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in the bullets above or below.
- A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern.
- Any person, wherever located, determined by the attorney general to be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person; to act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or to have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.
The final rule accordingly contemplates the publication of a covered persons list to include each covered person the DOJ designates.
How does the final rule treat covered data transactions?
The final rule establishes a multitiered framework that prohibits certain covered data transactions, provides exemptions and exclusions for certain data transactions, and permits other covered data transactions if rigorous Cybersecurity and Infrastructure Security Agency security requirements are applied and other conditions are met.
Prohibited transactions
U.S. persons are prohibited from knowingly — that is, with actual knowledge or that they reasonably should have known — engaging in the following transactions:
- Covered data transactions involving data brokerage with a country of concern or a covered person.
- Covered data transactions with a country of concern or covered person that give that country or person access to bulk human ‘omic data, or to human biospecimens from which bulk human ‘omic data could be derived.
- Data brokerage of government-related data or bulk U.S. sensitive personal data with any foreign person that is not a covered person (note that this reaches far beyond covered persons), unless the U.S. person contractually requires the foreign person to refrain from any subsequent data brokerage of the same data with a country of concern or covered person, and reports any known or suspected violation of that contractual requirement to the DOJ within 14 days of becoming aware of it.
- Any transaction that has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions above. Conspiring to violate the final rule is also prohibited.
Exempt transactions
The final rule does not apply to certain categories of exempt data transactions. Although the language around the exemptions appears broad, the examples in the final rule demonstrate that the DOJ considers each to be relatively narrow. Among those exempted are:
- Transactions ordinarily incident to and part of the provision of financial services.
- Corporate group transactions between a U.S. person and its foreign subsidiary or affiliate provided they are ordinarily incident to and part of administrative or ancillary business operations.
- Telecommunications services — that is, data transactions, other than those involving data brokerage, to the extent they are ordinarily incident to and part of the provision of telecommunications services.
- Drug, biological product and medical device authorizations — that is, necessary to obtain or maintain regulatory authorization or approval to research or market such products.
- Other clinical investigations and post-marketing surveillance data, for example, product safety monitoring.
Exclusion from covered personal identifiers
The final rule provides a helpful exclusion from the term covered personal identifiers for demographic or contact data that is linked only to other demographic or contact data — such as first and last name, birthplace, ZIP code, residential street or postal address, phone number, and email address and similar public account identifiers.
Restricted transactions
For covered data transactions that are neither prohibited nor exempt or excluded, the final rule still bars U.S. persons from engaging in the transaction unless the U.S. person implements the CISA security requirements and complies with certain recordkeeping and other obligations.
The CISA security requirements are divided into organizational- and system-level requirements on one side and data-level requirements on the other. As the FAQs explain, these requirements are intended to prevent countries of concern and covered persons from accessing the underlying data in covered data transactions; they operate as a de facto prohibition on access to the identified personal data by covered persons or countries of concern, rather than on the transaction itself.
At the organizational and system level, the CISA security requirements include steps such as: ensuring basic organizational cybersecurity policies, practices and requirements are in place; implementing logical and physical access controls so that covered persons or countries of concern cannot gain access to covered data that does not comply with the data-level requirements, whether through information systems, cloud-computing platforms, networks, security systems, equipment or software; and conducting an internal data risk assessment that evaluates whether and how the selected data-level measures sufficiently prevent covered persons or countries of concern from accessing covered data that is linkable, identifiable, unencrypted or decryptable using commonly available technology. The risk assessment must include a mitigation strategy for preventing access to such covered data.
At the data level, U.S. persons engaging in restricted covered data transactions must implement a combination of the following mitigations, consistent with the required data risk assessment: data minimization and data masking strategies that reduce the need to collect covered data or sufficiently obfuscate it to prevent visibility into that data; encryption techniques that protect covered data during the course of the restricted transaction; privacy enhancing technologies, such as privacy preserving computation or differential privacy, for processing covered data; and identity and access management configured to deny authorized access to covered data by covered persons and countries of concern within all covered systems.
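As an added example that is not part of the original article, the DOJ rule or the CISA requirements, the following Python sketch shows what two of the data-level mitigations (minimization and masking) and one access-control rule can look like in practice. The record layout, the field names, the sample records, the choice of keyed-HMAC tokenization and the simplified covered-person test are all assumptions made for this illustration; none of them is prescribed by the rule.

```python
"""Illustrative data-level mitigations for a restricted transaction.

Added example, not taken from the DOJ rule, the CISA security requirements
or the article's authors. Field names, sample records, the HMAC-based
tokenization and the simplified covered-person test are assumptions.
"""
import hashlib
import hmac

# Constructed sample records. Each one carries several "listed identifiers"
# (name, e-mail, IP address, advertising ID) together with health data.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "ip": "203.0.113.7", "maid": "38400000-8cf0-11bd-b23e-10b96e40000d",
     "zip": "94105", "diagnosis_code": "E11.9"},
    {"name": "Bob Example", "email": "bob@example.org",
     "ip": "198.51.100.23", "maid": "6f9619ff-8b86-d011-b42d-00c04fc964ff",
     "zip": "10001", "diagnosis_code": "I10"},
]

# Data minimization: the vendor only needs these fields for its task, so
# everything else is dropped before a record leaves the covered system.
FIELDS_NEEDED = {"maid", "zip", "diagnosis_code"}

# Data masking: listed identifiers that survive minimization are replaced by
# keyed tokens so the vendor has no visibility into the raw values.
FIELDS_TO_MASK = {"maid", "ip", "email", "name"}

# ISO 3166 alpha-2 codes for the countries of concern named in the rule
# (Hong Kong and Macau are listed with China). Assumption: the principal's
# residence is recorded with these codes.
COUNTRIES_OF_CONCERN = {"CN", "HK", "MO", "CU", "IR", "KP", "RU", "VE"}


def tokenize(value: str, key: bytes) -> str:
    """Keyed pseudonymization with HMAC-SHA256. The key stays inside the
    U.S. person's system; without it a token cannot be reversed or even
    re-derived from a guessed input, but equal inputs still map to equal
    tokens, so the vendor can join records without seeing identifiers."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def generalize_zip(zip_code: str) -> str:
    """Masking by generalization: keep the 3-digit ZIP prefix, drop the rest."""
    return zip_code[:3] + "XX"


def minimize_and_mask(record: dict, key: bytes) -> dict:
    """Apply minimization first, then masking, to a single record."""
    out = {}
    for field, value in record.items():
        if field not in FIELDS_NEEDED:
            continue  # minimization: never transmitted
        if field in FIELDS_TO_MASK:
            out[field] = tokenize(value, key)
        elif field == "zip":
            out[field] = generalize_zip(value)
        else:
            out[field] = value
    return out


def prepare_for_vendor(records, key: bytes):
    """Produce the view of the dataset that may reach the vendor."""
    return [minimize_and_mask(r, key) for r in records]


def leaks_listed_identifier(prepared, originals) -> bool:
    """Self-check for the data risk assessment: True if any raw listed
    identifier from the originals appears anywhere in the prepared output."""
    raw = {v for r in originals for f, v in r.items() if f in FIELDS_TO_MASK}
    return any(v in raw for r in prepared for v in r.values())


def deny_unmasked_access(principal: dict) -> bool:
    """Simplified IAM deny rule (assumption, not the rule's full legal test):
    a principal resident in a country of concern, or employed by an entity
    50% or more owned from one, never receives the unmasked data or the
    tokenization key. Attorney general designations and the other prongs of
    the covered-person definition are not modelled here."""
    return (principal.get("residence") in COUNTRIES_OF_CONCERN
            or principal.get("employer_coc_ownership", 0.0) >= 0.5)


if __name__ == "__main__":
    key = b"\x00" * 32  # placeholder; use a randomly generated, stored key
    for row in prepare_for_vendor(SAMPLE_RECORDS, key):
        print(row)
```

Two caveats follow directly from the text above. First, the rule treats data as bulk U.S. sensitive personal data regardless of whether it is pseudonymized or encrypted, so tokenization does not take a transaction out of scope; it is one of the mitigations the data risk assessment can rely on to prevent visibility into the data. Second, the mitigation only works if the HMAC key, the unmasked records and the permission to call `prepare_for_vendor` all sit behind the access controls that `deny_unmasked_access` stands in for; a covered person who can read the key can re-derive every token.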
Beyond the CISA security requirements, to engage in restricted data transactions, U.S. persons must, by 6 Oct. 2025, develop and implement a written data compliance program that includes risk-based procedures for verifying data flows involved in restricted transactions. They must also conduct annual independent — internal or external — audits for each calendar year in which the U.S. person engages in any restricted transactions. The audit must examine the U.S. person’s restricted transactions and its data compliance program, among other requirements.
Brian Hengesbaugh is a partner and chair of global data privacy and security, and Janet Kim is a partner in outbound trade and investment compliance, with a focus on navigating geopolitical risks, at Baker McKenzie.