
Second Compliance Deadline for DOJ Rule on Bulk Sensitive Data Approaching

August 5, 2025 16:38:01

The U.S. Department of Justice (DOJ) issued earlier this year the “Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (the “Final Rule”), implementing Executive Order 14117. Executive Order 14117 puts forth a framework for safeguarding Americans’ sensitive personal and government-related data against so-called “foreign adversaries”, one of which is China. The Final Rule generally took effect April 8, 2025. The three exceptions to the April 8, 2025 effective date are certain affirmative obligations related to (i) due diligence and audit requirements for restricted transactions (Subpart J), (ii) reporting requirements for certain restricted transactions (§ 202.1103), and (iii) reporting requirements for rejected prohibited transactions (§ 202.1104). The deadline for complying with these three provisions is October 6, 2025.

Subpart J – Due Diligence and Audit Requirements

U.S. persons, which include both individuals and entities, engaging in restricted transactions must prepare to comply with several affirmative obligations under the Final Rule. Specifically, U.S. persons must conduct proactive due diligence to assess and verify the nature of data transactions before proceeding. They are also required to implement risk-based data compliance programs to identify and verify the types and volumes of data involved, confirm the identity of all transaction parties, and evaluate the end use of the data. In addition, U.S. persons must maintain detailed records of their due diligence efforts and retain the results of annual audits that verify their compliance with applicable security requirements and, where relevant, license conditions.

U.S. persons engaging in restricted transactions are required to undergo an annual audit to verify and enhance compliance with the security requirements. The audit obligation serves as a condition for conducting restricted transactions. Pursuant to Subpart J, U.S. persons must ensure that an independent auditor prepares a written report detailing the audit methodology, including the specific policies and documents reviewed, personnel interviewed, and any facilities, equipment, networks, or systems examined during the audit process.

Section 202.1103 – Reporting Restricted Transactions

U.S. persons engaging in restricted transactions involving cloud-computing services must file an annual report if 25% or more of their equity is owned (directly or indirectly) by a country of concern or a covered person. The report, which is due by March 1 each year, must describe the data transaction as it stood on December 31 of the preceding year, including the type and volume of sensitive data, the data transfer methods, the parties involved and their locations, and supporting documentation.

Section 202.1104 – Reporting Rejected Prohibited Transactions

U.S. persons who affirmatively reject an offer to engage in a prohibited transaction involving data brokerage must report the rejection to the U.S. Department of Justice within 14 days. The report must include, to the extent known at the time, details such as the rejecting party’s identity, the date and nature of the rejected transaction, the types and volume of sensitive or government-related data involved, the method of data transfer, information on the parties and jurisdictions involved (including any countries of concern), and copies of related documents. In addition, reports must be submitted in accordance with the DOJ procedures set out in the Final Rule.

The Final Rule applies to transactions that meet the following three requirements:

“Covered Data” Transaction

The transaction involves access to “covered data” by a “covered person” or a “country of concern” (defined below), and includes one of the following types of arrangements:

· “Data brokerage”: Sale, licensing, or transfer of access to data by a party that did not directly collect the data.

· “Vendor agreement”: A contractual relationship where goods or services are provided in exchange for consideration.

· “Employment agreement”: Work or services performed by an individual (not as an independent contractor) in exchange for compensation.

· “Investment agreement”: Direct or indirect acquisition of ownership interests in U.S. real estate or legal entities (with limited exceptions for passive investments).

Involves “Bulk U.S. Sensitive Personal Data” or “Government-Related Data”

“Covered data” consist of two types of data: “bulk U.S. sensitive personal data” and “government-related data.”

· “Government-related data” have two categories: (1) precise geolocation data for any area designated as posing a heightened risk of exploitation, such as military bases, government buildings, and critical infrastructure; and (2) sensitive personal data linked to U.S. Government personnel, meaning any such data that are marketed or identified as linked or linkable to current or recent former employees or contractors, or former senior officials of the U.S. Government. “Recent former” refers to individuals who worked for or provided services to the U.S. Government, paid or unpaid, within the past two years.

“Bulk U.S. sensitive personal data” is also defined in the Final Rule. The Final Rule defines six categories of sensitive personal data, each with a specific bulk threshold that, if exceeded within the 12 months before the transaction, triggers the prohibitions or restrictions. The bulk thresholds apply even to anonymized, pseudonymized, de-identified, or encrypted data.

· Covered personal identifiers: bulk threshold: more than 100,000 U.S. persons.

· Precise geolocation data: bulk threshold: more than 1,000 U.S. devices.

· Biometric identifiers: bulk threshold: more than 1,000 U.S. persons.

· Human 'omic data: bulk threshold: human 'omic data collected about or maintained on more than 1,000 U.S. persons; or human genomic data collected about or maintained on more than 100 U.S. persons.

· Personal health data: bulk threshold: more than 10,000 U.S. persons.

· Personal financial data (financial information linked to individuals): bulk threshold: more than 10,000 U.S. persons.

Access by a “Country of Concern” or “Covered Person”

The transaction must involve access to the data by:

· “Countries of concern” include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

· “Covered persons” include foreign entities that are 50% or more owned (directly or indirectly) by a country of concern, organized under the laws of a country of concern, or that have their principal place of business in a country of concern. The term also includes foreign individuals who are employees or contractors of a country of concern or of such an entity, and foreign individuals primarily residing in a country of concern. A U.S. subsidiary is generally not considered a covered person unless specifically designated by the DOJ.

Access includes both logical and physical access, e.g., reading, copying, editing, decrypting, or even the ability to view data stored in systems.

Further Classification

Once a transaction falls within the scope of the Final Rule, it is subject to further classification. The Final Rule then distinguishes between “restricted transactions” and “prohibited transactions.”

Restricted Transactions

U.S. persons are prohibited from knowingly engaging in a data transaction with a country of concern or a covered person that involves any access to covered data and takes one of the following forms, unless they comply with the security requirements issued by the Cybersecurity and Infrastructure Security Agency (CISA): (1) a “vendor agreement”; (2) an “employment agreement”; or (3) an “investment agreement” (excluding certain passive investments). Such transactions must also meet the affirmative compliance obligations described above.

Prohibited Transactions

U.S. persons are prohibited from engaging in data brokerage transactions with a country of concern or a covered person, including the sale, licensing, or transfer of data where the recipient did not directly collect it. This prohibition also applies to resold or third-party-transferred data. Additionally, the Final Rule bans covered data transactions that would give a country of concern or a covered person access to bulk human genomic data.

Important Note: This communication, which we believe may be of interest to our clients and friends of MagStone Law, LLP, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. This may be considered attorney advertising in some jurisdictions.



Copyright © 2020-2025 Magstone Law. All rights reserved.
