Privacy & Information Security Law Blog

On December 27, 2024, the U.S. Department of Justice (“DOJ”) issued a final rule (“Final Rule”) implementing Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern) (“EO 14117”), which was published in the Federal Register on January 8, 2025. The Rule will go into effect  on April 8, 2025, with the exception of certain due diligence, audit and reporting obligations that will become effective on October 5, 2025. The program is intended to address the threat of foreign powers and state-sponsored threat actors using Americans’ sensitive personal data for malicious purposes, including intelligence collection, cyber attacks, repression and intimidation, and economic espionage.

The substance of the Final Rule is largely similar to the Notice of Proposed Rulemaking, which we covered in our previous post. As discussed in that post, the Final Rule establishes a new regulatory regime that either prohibits or restricts “covered data transactions,” which are certain transactions―namely, data brokerage, employment agreements, investment agreements and vendor agreements―that could result in access to bulk U.S. sensitive personal data or government-related data (1) by a “country of concern” (i.e., China, Cuba, Iran, North Korea, Russia and Venezuela) or (2) a “covered person.” The term “covered persons” is defined broadly to include, for example, entities with 50% or more ownership by a country of concern, entities that are organized or chartered under the laws of, or have their principal place of business in, a country of concern, and a foreign person that is an employee or contractor of an entity described above or a primary resident of a country of concern.

The two general categories of data regulated by the Final Rule are defined as follows:

• “U.S. sensitive personal data” means precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data, certain “covered personal identifiers” (i.e., certain combinations of “listed identifiers,” such as government-issued identification numbers, device-based or hardware-based identifier, demographic or contact data, and advertising identifier), or any combination thereof.
  • The Rule applies only to certain “bulk” thresholds of U.S. sensitive personal data, and those thresholds differ depending on the type of U.S. sensitive personal data at issue. For example, for precise geolocation data, the Rule applies if a covered data transaction results in access to such information of over 1,000 U.S. persons or devices by a country of concern or covered person. In contrast, for personal financial data or personal health data, the threshold is higher (i.e., more than 10,000 U.S. persons). The table below provides the relevant “bulk” threshold for category of U.S. sensitive personal data.

• “Government-related data” means any precise geolocation data, regardless of volume, for any location within any area enumerated on the “Government-Related Location Data List” or any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former U.S. government employees or contractors, or former U.S. government senior officials.

The Rule prohibits U.S. persons from engaging in certain types of covered data transactions, most importantly, covered data transactions involving (1) data brokerage or (2) bulk human ’omic data. All other covered data transactions are “restricted,” meaning that U.S. persons must comply with certain compliance requirements before engaging in such transactions, including cybersecurity requirements published on January 8, 2025, by the Cybersecurity and Infrastructure Security Agency, data compliance program requirements, annual audits and recordkeeping requirements.  

As noted above, the DOJ largely declined to make significant revisions to the preliminary version of the Rule in response to input received during the recent notice and comment period. That said, the Final Rule does include certain clarifying changes and provide additional commentary. For example, the DOJ made adjustments to certain key definitions, clarified that the Final Rule applies prospectively to transactions engaged on or after the effective date, even if the underlying agreements existed prior to the rule, and added three types of human ‘omic data to the definition of U.S. sensitive personal data (the preliminary version of the Rule already covered genomic data).

The DOJ plans to release further guidance on the Final Rule, engage with industry and other stakeholders as the program goes into effect, and publish information related to voluntary self-disclosure, advisory opinions and approval processes for otherwise prohibited or restricted transactions. In the meantime, companies should assess their readiness for the rapidly approaching enforcement date in April.