Navigating the New DOJ Rule: Restrictions on Sensitive U.S. Data Transfers to “Countries of Concern”

Background and Purpose
The DOJ’s rule is a response to the national security risks associated with foreign adversaries accessing and utilizing Americans’ bulk sensitive personal data and U.S. government-related data. The concern is that such data could be used to develop AI capabilities and algorithms for activities detrimental to U.S. interests, such as identifying individuals for espionage or blackmail. This initiative builds upon efforts from both the Trump and Biden administrations to regulate cross-border data flows. The rule aims to make it more difficult for foreign adversaries to obtain Americans’ data through purchase on the open market or by compelling companies under their jurisdiction to provide access.
Scope of the Rule
The regulation targets specific types of data, designated countries, and particular transactions.
Covered Data
The rule applies to “bulk sensitive personal data” and “U.S. government-related data”. “Bulk” data is defined by thresholds based on the number of U.S. persons whose information is part of a transaction over a 12-month period. Sensitive personal data includes categories like geolocation, health, financial, and biometric information. Notably, the rule applies even if the data is anonymized, pseudonymized, de-identified, or encrypted.
Countries of Concern
The designated “countries of concern” are:
- China (including Hong Kong and Macau)
- Russia
- Iran
- Cuba
- North Korea
- Venezuela
Covered Persons
The restrictions extend to individuals and entities located in or subject to the jurisdiction of these countries of concern. This is broader than many existing restrictions that only target designated individuals and entities.
Covered Transactions
The rule prohibits or restricts “covered data transactions” involving the sharing of or access to the specified data by covered persons or countries of concern. These transactions include data brokerage, vendor relationships, employment arrangements, and investment agreements. The rule impacts a wide array of commercial activities, such as M&A deals, real estate transactions, data licensing, and supplier management.
Key Provisions and Requirements
U.S. companies are now required to significantly curtail, and in some cases prohibit, access to U.S. data by individuals and entities in the designated countries. The rule is part of the DOJ’s new Data Security Program (DSP).
Key requirements include:
- Prohibitions and Restrictions: Certain data transactions are outright prohibited, while others are restricted, requiring specific security measures.
- Compliance Obligations: Starting October 6, 2025, additional compliance provisions, including due diligence, audit, and reporting requirements, will come into force.
- Data Security Program (DSP): The DOJ has released a Compliance Guide, FAQs, and an Implementation and Enforcement Policy to assist entities in understanding and complying with the DSP. Compliance requires entities to have a thorough understanding of their data and of who can access it, and to implement a tailored compliance program.
Impacted Industries
The rule will significantly affect industries with cross-border data activities. Sectors with greater exposure due to the sensitivity of their data and business operations include:
- Healthcare, life sciences, and medical devices
- Financial services
- Information technology and adtech
- Data brokers
- Defense/government contracting
- Consumer industries
- E-commerce and online advertising, which rely on large volumes of personal data
Companies with shared services centers, AI research teams, cloud vendors, or other operations in countries of concern that handle U.S. person data will also be impacted.
Exemptions
The rule includes several exemptions for otherwise restricted or prohibited data transactions. These include transactions related to:
- Official U.S. government business
- Financial services
- Intra-corporate group transactions (for employees and contractors, for ancillary business operations, and for compliance with certain foreign regulations).
- Certain clinical investigations and regulatory submissions for drugs, biological products, and medical devices. However, even exempt data transactions related to clinical studies may still be subject to reporting and recordkeeping obligations.
These exemptions are often narrow and complex to apply in practice.
Compliance and Enforcement
The rule became effective on April 8, 2025. However, the DOJ has stated it will not prioritize civil enforcement actions for violations occurring between April 8 and July 8, 2025, provided companies make “good faith efforts to comply with or come into compliance with” the rule. Egregious, willful violations will still be pursued.
Good-Faith Efforts
The DOJ has outlined activities that demonstrate “good-faith efforts,” such as:
- Conducting internal reviews of sensitive personal data access and data brokerage activities.
- Reviewing internal datasets to determine if they are subject to the rule.
- Renegotiating vendor agreements or contracting with new vendors.
- Transferring products and services to new vendors and conducting due diligence on them.
- Implementing required security measures for restricted transactions.
Penalties
Violations can lead to severe penalties:
- Civil Penalties: Up to $368,136 per violation or twice the amount of the transaction, whichever is greater.
- Criminal Penalties: For willful violations, fines up to $1 million and/or imprisonment for up to 20 years.
Unlike many U.S. export controls, penalties under this rule operate under a “knowledge” standard: the U.S. person knew, or reasonably should have known, of the conduct, circumstance, or result. Failure to implement a data compliance program could be an aggravating factor in enforcement actions.
Compliance Steps for Businesses
Companies are urged to take immediate steps to assess their obligations and ensure compliance. Key actions include:
- Review Data and Data Flows: Understand the nature, volume, location, and security of covered data, as well as where it is being sent and who has access, including intra-company transfers and vendor access. Data mapping, reviewing records of processing activities, and interviewing stakeholders are crucial.
- Assess Regulatory Impact: Conduct a legal analysis of covered data transactions to determine if they are prohibited or restricted and if any exemptions apply.
- Develop and Implement a Tailored Compliance Program: This should be based on a comprehensive risk assessment and address auditing, reporting, and recordkeeping requirements. The program should include written policies, due diligence protocols, training, and testing of internal controls.
- Establish Tone from the Top and Resource Compliance: Senior management support is critical. The CEO and board are expected to review annual attestations and compliance reports. A designated individual with sufficient authority, expertise, and resources should lead the compliance program.
- Engage in Cross-Functional Collaboration: Data privacy teams can lead data mapping, while supply chain and trade compliance functions can manage “know your customer/provider” due diligence.
Future Outlook
The regulatory landscape surrounding these data transfers is expected to evolve. The DOJ has invited companies to submit informal inquiries and has indicated it will provide further guidance, though it recommends that formal license or advisory opinion requests be submitted after July 8, 2025.