Ropes & Gray Discusses DOJ Rule Restricting Flow of Personal Data to China and Other Countries

On January 8, 2025, the Department of Justice (“DOJ”) published its Final Rule to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”). This follows the DOJ’s publication of its Notice of Proposed Rulemaking (“NPRM”) in October 2024, and its Advance Notice of Proposed Rulemaking (“ANPRM”) earlier in 2024.

The Final Rule continues to assert the DOJ as a critical regulator of data transfers involving countries of concern or covered persons. Organizations transacting with entities or individuals located in or otherwise having relationships with the People’s Republic of China (including Hong Kong and Macau) (the “PRC”), Russia, Iran, North Korea, Cuba, and Venezuela should carefully review the Final Rule for potential impacts on their business models. The Final Rule prohibits certain data brokerage transactions and transactions involving human ‘omic data. The Final Rule also creates a set of restricted transactions involving vendor agreements, employment agreements, or investment agreements in which U.S. persons may engage only if they comply with a set of cybersecurity requirements. In tandem with the publication of the Final Rule, on January 8, 2025 the Cybersecurity and Infrastructure Security Agency (“CISA”) published its final security requirements for restricted transactions.

There are several exemptions, however, that may be applicable for certain industries such as financial services, telecommunications, pharmaceutical development, and clinical research. These exemptions apply to both prohibited transactions and restricted transactions.

While expansive in scope, the regulations are limited to U.S. government-related data and bulk U.S. sensitive personal data. Specifically, with respect to sensitive personal data, the Final Rule limits the prohibitions and restrictions to:

• Human ‘omic data, or to human biospecimens from which human ‘omic data could be derived, of more than 1,000 U.S. persons or, in the case of human genomic data, more than 100 U.S. persons.
• Biometric identifiers of more than 1,000 U.S. persons.
• Precise geolocation data of more than 1,000 U.S. devices.
• Personal health data of more than 10,000 U.S. persons.
• Personal financial data of more than 10,000 U.S. persons.
• Covered personal identifiers of more than 100,000 U.S. persons.

These amounts are calculated from the preceding 12 months either from one transaction or aggregated from multiple transactions involving the same parties. Like the NPRM, the Final Rule does not exempt pseudonymized, anonymized or de-identified data from the definition of sensitive personal data, though such data may qualify for certain exemptions in the rule depending on the purpose for which they are used.

The Final Rule also provides for sweeping enforcement authority for the DOJ including through audits as well as civil and criminal enforcement. Civil penalties can approach the greater of $368,136 or an amount that is twice the amount of the transaction, while willful violations can be fined as much as $1 million or 20 years’ imprisonment. The Final Rule also creates exhaustive recordkeeping and reporting requirements.

The Rule is set to go into effect April 8, 2025, 90 days after its publication in the Federal Register and certain due diligence requirements for restricted transaction are set to go into effect October 5, 2025, 270 days after the Rule’s publication in the Federal Register.

Since 90 days is a swift timeline for compliance, organizations that may be covered by these regulations should quickly review their obligations under the Final Rule and make changes, as necessary, to come into compliance.

Overview

Below, we provide an overview of the main aspects of the Final Rule along with critical details. Following this overview, we provide a summary of key areas in which the Final Rule differs from the NPRM. We have also provided a list of important definitions that inform the regulations in an appendix. It is important to note that the DOJ provides in the preamble text a significant number of examples to illustrate further the contours of the Final Rule. Organizations affected by aspects of the Final Rule should be sure to review the specific examples as they contain relevant compliance information.

Prohibited Transactions

The Final Rule prohibits U.S. persons from knowingly engaging in a covered data transaction involving data brokerage with a country of concern or covered person. It also prohibits any transaction that involves any access by a foreign person to government-related data or bulk U.S. sensitive personal data and that involves data brokerage with any foreign person unless the foreign person is contractually restricted from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person and the U.S. person reports any known or suspected violation of the contractual requirement.

The Final Rule also prohibits U.S. persons from knowingly engaging in any covered data transaction with a country of concern or covered person that involves access by that country of concern or covered person to bulk U.S. sensitive personal data that involves bulk human ‘omic data, or to human biospecimens from which bulk human ‘omic data could be derived.

Restricted Transactions

The regulations restrict U.S. persons from knowingly engaging in a covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person unless the U.S. person complies with certain security requirements published by the CISA.

These security requirements include an asset inventory; a chief information security officer; timely remediation of vulnerabilities (the requirements have specific timelines); documentation of all vendor agreements; maintenance of an accurate network map; a vendor cybersecurity diligence policy; an incident response plan; multi-factor authentication or sufficiently complex passwords when multi-factor authentication is not feasible; timely revocation of credentials; comprehensive logging; access management policies and procedures; data retention and deletion policies; sufficient encryption; and incorporation of privacy-enhancing technologies.

Restriction on Transactions Conducted through Foreign Persons that Would Be Prohibited if Performed by a U.S. Person
The Final Rule prohibits U.S. persons from knowingly directing any covered data transaction involving a foreign person that would be a prohibited transaction or restricted transaction that fails to comply with applicable requirements if engaged in by a U.S. person. For example, if a U.S. person is an officer, senior manager, or equivalent senior level employee at a foreign company that is not a covered person, and the foreign company undertakes a covered data transaction at that U.S. person’s direction or with that U.S. person’s approval when the covered data transaction would be prohibited if performed by a U.S. person, the U.S. person has knowingly directed a prohibited transaction.

Exempt Transactions

The Final Rule maintained the exempted transactions to which the prohibitions and restrictions do not apply. These exempted transactions are as follows:

• Nothing of Value: Data transactions to the extent that they involve any postal, telegraphic, telephonic, or other personal communication that does not involve the transfer of anything of value.
• Expressive Materials: Data transactions to the extent that they involve the importation from any country, or the exportation to any country, whether commercial or otherwise, regardless of format or medium of transmission, of any information or informational materials. This is defined as expressive material, which includes publications, films, posters, phonograph records, photographs, microfilms, microfiche, tapes, compact disks, CD ROMs, artworks, and newswire feeds, but does not include data that is technical, functional, or otherwise non-expressive.
• Incident to Travel: Data transactions to the extent that they are ordinarily incident to travel to or from any country.
• USG Business: Data transactions to the extent that they are for the conduct of the official business of the U.S. government.
  • Example
    • A U.S. hospital receives a federal grant to conduct human genomic research on U.S. persons. As part of that federally funded human genomic research, the U.S. hospital contracts with a foreign laboratory that is a covered person, hires a researcher that is a covered person, and gives the laboratory and researcher access to the human biospecimens and human genomic data in bulk. The contract with the foreign laboratory and the employment of the researcher are exempt transactions but would be prohibited transactions if they were not part of the federally funded research.
• Financial Services: Data transactions to the extent that they are ordinarily incident to and part of the provision of financial services including:
  Banking, capital markets (including investment-management services as well as trading and underwriting of securities, commodities, and derivatives), or financial insurance services;
  • A financial activity authorized for national banks by 12 U.S.C. 24 (Seventh) and rules and regulations and written interpretations of the Office of the Comptroller of the Currency thereunder;
  • An activity that is “financial in nature or incidental to such financial activity” or “complementary to a financial activity,” section (k)(1), as set forth in section (k)(4) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)(4)) and rules and regulations and written interpretations of the Board of Governors of the Federal Reserve System thereunder;
  • The transfer of personal financial data or covered personal identifiers incidental to the purchase and sale of goods and services (such as the purchase, sale, or transfer of consumer products and services through online shopping or e-commerce marketplaces);
  • The provision or processing of payments or funds transfers (such as person-to-person, business-to-person, and government-to-person funds transfers) involving the transfer of personal financial data or covered personal identifiers, or the provision of services ancillary to processing payments and funds transfers (such as services for payment dispute resolution, payor authentication, tokenization, payment gateway, payment fraud detection, payment resiliency, mitigation and prevention, and payment-related loyalty point program administration); and
  • The provision of investment-management services that manage or provide advice on investment portfolios or individual assets for compensation (such as devising strategies and handling financial assets and other investments for clients) or provide services ancillary to investment-management services (such as broker-dealers or futures commission merchants executing trades within an investment portfolio based upon instructions from an investment advisor).
  • Example
    • A U.S. investment adviser purchases securities of a company incorporated in a country of concern for the accounts of its clients. The investment adviser engages a broker-dealer located in a country of concern to execute the trade, and, as ordinarily incident to and part of the transaction, transfers to the broker-dealer its clients’ covered personal identifiers and financial account numbers in bulk. This provision of data is an exempt transaction because it is ordinarily incident to and part of the provision of investment-management services.
• Corporate Groups: Data transactions to the extent they are corporate group transactions, which are defined to include transactions that are:
  • Between a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern; and
  • Ordinarily incident to and part of administrative or ancillary business operations, including:
    • Human resources;
    • Payroll, expense monitoring and reimbursement, and other corporate financial activities;
    • Paying business taxes or fees;
    • Obtaining business permits or licenses;
    • Sharing data with auditors and law firms for regulatory compliance;
    • Risk management;
    • Business-related travel;
    • Customer support;
    • Employee benefits; and
    • Employees’ internal and external communications.
    • Example
      • A U.S. company has a foreign subsidiary located in a country of concern, and the U.S. company’s U.S.-person contractors perform services for the foreign subsidiary. As ordinarily incident to and part of the foreign subsidiary’s payments to the U.S.-person contractors for those services, the U.S. company engages in a data transaction that gives the subsidiary access to the U.S.-person contractors’ bulk personal financial data and covered personal identifiers. This is an exempt corporate group transaction.
• Required by law or treaty: Data transactions to the extent they are required or authorized by federal law or pursuant to an international agreement to which the United States is a party.
• CFIUS: Data transactions to the extent that they involve an investment agreement that is subject to a CFIUS action.
• Telecommunications: Data transactions, other than those involving data brokerage, to the extent that they are ordinarily incident to and part of the provision of telecommunications services, including international calling, mobile voice, and data roaming.
• Regulatory Approval: Data transaction that involves “regulatory approval data” and is necessary to obtain or maintain regulatory authorization or approval to research or market a drug, biological product, device, or a combination product, provided that the U.S. person complies with the recordkeeping and reporting requirements set forth in §§ 202.1101(a) and 202.1102 with respect to such transaction.
  • Examples
    • A U.S. pharmaceutical company seeks to market a new drug in a country of concern. The company submits a marketing application to the regulatory entity in the country of concern with authority to approve the drug in the country of concern. The marketing application includes the safety and effectiveness data reasonably necessary to obtain regulatory approval in that country. The transfer of data to the country of concern’s regulatory entity is exempt from the prohibitions in this part.
    • Same as the above example, except the regulatory entity in the country of concern requires that the data be de-anonymized. The transfer of data is not exempt under this section, because the data includes sensitive personal data that is identified to an individual.
    • Same as the first example, except country of concern law requires foreign pharmaceutical companies to submit regulatory approval data using (1) a registered agent who primarily resides in the country of concern, (2) a country of concern incorporated subsidiary, or (3) an employee located in a country of concern. The U.S. pharmaceutical company enters into a vendor agreement with a registered agent in the country of concern to submit the regulatory approval data to the country of concern regulator. The U.S. pharmaceutical company provides to the registered agent only the regulatory approval data the U.S. pharmaceutical company intends the registered agent to submit to the country of concern regulator. The transaction with the registered agent is exempt, because it is necessary to obtain approval to market the drug in a country of concern. The U.S. pharmaceutical company must comply with the recordkeeping and reporting requirements set forth in §§ 202.1101(a) and 202.1102 with respect to such transaction, however.
• Clinical Studies: Data transactions to the extent that those transactions are:
  • Ordinarily incident to and part of clinical investigations regulated by the U.S. Food and Drug Administration (“FDA”) under sections 505(i) and 520(g) of the Federal Food, Drug, and Cosmetic Act (“FD&C Act”) or clinical investigations that support applications to the FDA for research or marketing permits for drugs, biological products, devices, combination products, or infant formula; or
  • Ordinarily incident to and part of the collection or processing of clinical care data indicating real-world performance or safety of products, or the collection or processing of post-marketing surveillance data (including pharmacovigilance and post-marketing safety monitoring), and necessary to support or maintain authorization by the FDA, provided the data is deidentified or pseudonymized consistent with the standards of 21 CFR 314.80.

The Final Rule contemplates a licensing regime that could issue general licenses that would be applicable to specific types of transactions as well as specific licenses that would be applicable to certain transactions.

Recordkeeping

The regulations require entities engaging in restricted transactions to implement a data compliance program, which requires comprehensive policies, procedures, and recordkeeping surrounding data involved in a restricted transaction. The Final Rule would also require entities to conduct a yearly third-party audit to assess its compliance with the regulations as well as require entities to maintain comprehensive records surrounding compliance with the Final Rule.

Penalties

The Final Rule provides for civil and criminal enforcement. Civil penalties can approach the greater of $368,136 or an amount that is twice the amount of the transaction, while willful violations can be fined as much as $1 million or 20-years imprisonment. If the DOJ determines that a civil monetary penalty is warranted, it will issue a pre-penalty notice informing the alleged violator of the agency’s intent to impose a monetary penalty. An alleged violator has the right to respond to a pre-penalty notice or finding of violation by making a written presentation to the Department of Justice. The Final Rule also allows organizations to solicit advisory opinions on the applicability of the rule to certain transactions.

Major Changes from the NPRM

Covered Person Definition Clarification

Under the Final Rule, the term covered person was broadened to include companies that are 50% owned individually or in the aggregate by a country of concern or certain other covered persons. The revised definition of “covered person” is found in the appendix.

Addition of Human ‘Omic Data

In the Final Rule, the DOJ added human ‘omic data to its definition of sensitive personal data and expanded the first category of prohibited transactions to include human ‘omic data as opposed to only human genomic data. Human ‘omic data encompasses not only “human genomic data,” but also human epigenomic data, human proteomic data, and human transcriptomic data. The term does not include pathogen-specific data embedded in human ‘omic data sets.

The Final Rule’s bulks threshold for human ‘omic data is data collected about or maintained on more than 1,000 U.S. persons, but for the subset of human genomic data it is data collected about or maintained on more than 100 U.S. persons.

The Final Rule prohibits a U.S. person from knowingly engaging in any covered data transaction with a country of concern or covered person that involves access by that country of concern or covered person to bulk U.S. sensitive personal data that involves bulk human ‘omic data, or to human biospecimens from which bulk human ‘omic data could be derived.

The Final Rule added a few examples related to human ‘omic data, which suggests the need for an exchange of payment or other valuable consideration between the parties for an activity to be considered a “covered transaction”:

A U.S. researcher shares bulk human ‘omic data on U.S. persons with a researcher in a country of concern (a covered person) with whom the U.S. researcher is drafting a paper for submission to an academic journal. The two researchers exchange bulk U.S. human ‘omic data over a period of several months to analyze and describe the findings of their research for the journal article. The U.S. person does not provide to or receive from the covered person or the covered person’s employer any money or other valuable consideration as part of the authors’ study. The U.S. person has not engaged in a covered data transaction involving data brokerage, because the transaction does not involve the sale of data, licensing of access to data, or similar commercial transaction involving the transfer of data to the covered person.

A U.S. researcher receives a grant from a university in a country of concern to study bulk personal health data and bulk human ‘omic data on U.S. persons. The grant directs the researcher to share the underlying bulk U.S. sensitive personal data with the country of concern university (a covered person). The transaction is a covered data transaction because it involves access by a covered person to bulk U.S. sensitive personal data and is data brokerage because it involves the transfer of bulk U.S. sensitive personal data to a covered person in return for a financial benefit.

The Final Rule also continues to contain an exception for transactions conducted pursuant to a grant, contract, or other agreement entered into with the United States government, which may exempt certain research activities involving human ‘omic data that are funded by the U.S. government that would otherwise be prohibited. Such activities would instead be subject to any future restrictions issued by the funding agency.

New Exclusion from the Definition of Human Biospecimen for Certain Diagnostic and Treatment Activities
The Final rule defines human biospecimens (as relevant from the prohibition on transactions involving bulk human ‘omic data) as a quantity of tissue, blood, urine, or other human-derived material, including such material classified under certain 10-digit Harmonized System-based Schedule B numbers. The Final Rule clarifies, however, that the term human biospecimens does not include human biospecimens, including human blood, cell, and plasma-derived therapeutics, intended to be used by a recipient solely for diagnosing, treating, or preventing any disease or medical condition.

Revamped Security Requirements for Restricted Transactions

Like the NPRM, the Final Rule allows restricted transactions (in contrast to prohibited transactions) to take place if the U.S. person complies with the security requirements. The security requirements have been separately promulgated by CISA. As result of feedback CISA received in response to the security requirements in its Notice of Proposed Rulemaking, CISA made some important changes in its Final Rule including:

• CISA changed the requirement surrounding asset inventories to require documented inventories only “to the maximum extent practicable,” eliminated the requirement to inventory MAC addresses, and allows for dynamic curation of inventories.
• CISA revised its vulnerability remediation timelines to prioritize critical assets and remediate vulnerabilities within a risk-informed span of time.
  CISA reduced the burden around installation of new hardware and/or software by removing the reference to “firmware” and requirements for either allowlists or approvals to address specific software versions.
• CISA revised the requirement to revoke access to covered systems for terminated employees or employees with changed roles from “immediately” to “promptly.”
• CISA clarified language around security log retention to state that organizations are required to implement a notification process when security logs are not being produced and/or retained as expected rather than referring to logs being disabled.
• CISA removed the requirement to maintain organizational policies and processes to ensure that unauthorized media and hardware are not connected to covered assets.
• CISA clarified that the idea of “deny by default” does not only include the use of network firewalls but may also be implemented in other ways, such as via authentication of users and other information systems to the covered system.

Expanded Telecommunications Service Exemption

The Final Rule exempts transactions that are ordinarily incident to and part of telecommunications services. The Final Rule expands the definition of telecommunications services to include voice and data communications over the internet in addition to telecommunications services meeting the definition in 47 U.S.C. 153(53).

Explicitly Exempting Securities, Commodities, and Derivatives

The Final Rule exempts data transactions to the extent that they are ordinarily incident to and part of the provision of financial services. The exemplary, non-exhaustive list of the data transactions that qualify for this exemption now explicitly includes trading and underwriting of securities, commodities, and derivatives. The NPRM only implicitly included those transactions.

Expanding the Drug, Biological Product, and Medical Device Authorizations and Other Clinical Investigations and Post-Marketing Surveillance Data Exemptions

The Final Rule exempts data transactions that involve “regulatory approval data” and are necessary to obtain or maintain regulatory authorization or approval to research or market a drug, biological product, device, or a combination product provided that the U.S. person complies with the Final Rule’s recordkeeping and reporting requirements. The NPRM limited the exemption to only those necessary to obtain or maintain approval to market a drug, biological product, or device. Additionally, under the Final Rule, regulatory approval data includes sensitive personal data that is pseudonymized consistent with the standards of 21 CFR 314.80 (FDA’s regulations governing post-marketing reporting of adverse drug experiences) in addition to data that are de-identified. This is an important clarification given the broad use of pseudonymized data for research and regulatory purposes.

The Final Rule provided several examples to illustrate this exemption. Broadly stated, these examples suggest that where a country of concern’s laws require certain activities in connection with a regulatory approval, for example, using a registered agent to make submissions to the country of concern regulatory authority, the activity is likely to fall within the exemption. However, if the U.S. individual has discretion as to whether to undertake an activity, such activity is unlikely to fall within the exemption.

The Final Rule also exempts certain clinical investigations and post-marketing surveillance data. The exemption includes transactions that are ordinarily incident to and part of clinical investigations regulated by the U.S. FDA or used to support applications to the FDA for research or marketing permits for certain FDA-regulated products. It also exempts the collection or processing of clinical care data indicating real-world performance or safety of products, or the collection or processing of post-marketing surveillance data (including pharmacovigilance and post-marketing safety monitoring), and necessary to support or maintain authorization by the FDA. The NPRM only allowed for the above exemption if the data were de-identified. The Final Rule allows for de-identified or pseudonymized data consistent with the standards of 21 CFR 314.80 (FDA’s regulations governing post-marketing reporting of adverse drug experiences).

Conclusion

The DOJ is taking its direction under Executive Order 14117 seriously and has crafted a comprehensive regulatory regime for the transfer of bulk sensitive data to countries of concern and covered persons. The penalties for violations are significant and may have a material impact on some organizations’ business models. Given the short timeframe for compliance, organizations should begin evaluating which of their transactions may implicate the Final Rules prohibitions and restrictions to come into compliance.

Appendix A: Important Definitions

Access means logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form, including through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment, or software. For purposes of determining whether a transaction is a covered data transaction, access is determined without regard for the application or effect of any security requirements.

Bulk U.S. Sensitive Personal Data means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted where such data meets or exceeds the applicable threshold set forth in § 202.205.

• Sensitive Personal Data means covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof.
• Covered Personal Identifiers means government ID number, financial account numbers, device-based identifier, demographic or contact data, advertising identifier, account-authentication data, network-based identifier, or call-detail data.
• To be considered covered personal identifiers, these above identifiers must be combined with an additional identifier or linkable with an additional identifier, with some specific exclusions.
• Precise Geolocation Data means data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters.
• Biometric Identifiers means measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.
• Human ‘Omic Data means:
  • Human genomic data, which is data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a human cell, including the result or results of an individual’s “genetic test” (as defined in 42 U.S.C. § 300gg-91(d)(17)) and any related human genetic sequencing data.
  • Human epigenomic data, which is data derived from a systems-level analysis of human epigenetic modifications, which are changes in gene expression that do not involve alterations to the DNA sequence itself. These epigenetic modifications include modifications such as DNA methylation, histone modifications, and non-coding RNA regulation. Routine clinical measurements of epigenetic modifications for individualized patient care purposes would not be considered epigenomic data under this rule because such measurements would not entail a systems-level analysis of the epigenetic modifications in a sample.
  • Human proteomic data, which is data derived from a systems-level analysis of proteins expressed by a human genome, cell, tissue, or organism. Routine clinical measurements of proteins for individualized patient care purposes would not be considered proteomic data under this rule because such measurements would not entail a systems-level analysis of the proteins found in such a sample.
  • Human transcriptomic data, which is data derived from a systems-level analysis of RNA transcripts produced by the human genome under specific conditions or in a specific cell type. Routine clinical measurements of RNA transcripts for individualized patient care purposes would not be considered transcriptomic data under this rule because such measurements would not entail a systems-level analysis of the RNA transcripts in a sample.
  • The definition excludes pathogen-specific data embedded in human ‘omic data sets.

Personal Health Data means health information that indicates, reveals, or describes to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.

Personal Financial Data means data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a “consumer report.”

Country of Concern currently is defined as China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.

Covered Data Transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves data brokerage, vendor agreement, employment agreement, or investment agreement.

• Data Brokerage means the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.
• Vendor Agreement means any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.
• Employment Agreement means any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.
• Investment Agreement is an agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to: (1) Real estate located in the United States; or (2) A U.S. legal entity.
  • Does not include certain passive investments.

Covered Person means:

1. A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern or persons described in bullet 2; or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
2. A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in bullets 1, 3, 4, or 5;
3. A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in bullets 1, 2, or 5;
4. A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or
5. Any person, wherever located, determined by the Attorney General: (i) to be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person; (ii) to act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or (iii) to have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.

Directing means having any authority (individually or as part of a group) to make decisions for or on behalf of an entity and exercising that authority.

Engage is undefined in the regulations.

Foreign Person means any person that is not a U.S. person.

Government-Related Data means certain precise geolocation data, regardless of volume, explicitly enumerated in the rule and any sensitive data, regardless of volume, linkable to current or recent employees of the U.S. government.

Human Biospecimens means a quantity of tissue, blood, urine, or other human-derived material including such material classified under any of the following 10-digit Harmonized System-based Schedule B numbers:

• (a) 0501.00.0000 Human hair, unworked, whether or not washed or scoured; waste of human hair;
• (b) 3001.20.0000 Extracts of glands or other organs or of their secretions;
• (c) 3001.90.0115 Glands and other organs, dried, whether or not powdered;
• (d) 3002.12.0010 Human blood plasma;
• (e) 3002.12.0020 Normal human blood sera, whether or not freeze-dried;
• (f) 3002.12.0030 Human immune blood sera;
• (g) 3002.12.0090 Antisera and other blood fractions, other;
• (h) 3002.51.0000 Cell therapy products;
• (i) 3002.59.0000 Cell cultures, whether or not modified, other;
• (j) 3002.90.5210 Whole human blood;
• (k) 3002.90.5250 Blood, human/animal, other;
• (l) 9705.21.0000 Human specimens and parts thereof.

The definition does not include human biospecimens, including human blood, cell, and plasma-derived therapeutics, intended by a recipient solely for use in diagnosing, treating, or preventing any disease or medical condition.

Knowingly means with respect to conduct, a circumstance, or a result, that a person has actual knowledge, or reasonably should have known, of the conduct, the circumstance, or the result.

U.S. Person means any United States citizen, national, or lawful permanent resident; any individual admitted to the United States as a refugee under 8 U.S.C. § 1157 or granted asylum under 8 U.S.C. § 1158; any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person in the United States.

This post comes to us from Ropes & Gray LLP. It is based on the firm’s memorandum, “DOJ Issues Final Rule Restricting Flow of Bulk Sensitive Personal Data to China and Other Countries of Concern,” dated January 9, 2025, and available here.