CLS Blue Sky Blog

Ropes & Gray Discusses DOJ Rule Restricting Flow of Personal Data to China and Other Countries

On January 8, 2025, the Department of Justice (“DOJ”) published its Final Rule to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”). This follows the DOJ’s publication of its Notice of Proposed Rulemaking (“NPRM”) in October 2024, and its Advance Notice of Proposed Rulemaking (“ANPRM”) earlier in 2024.

The Final Rule continues to assert the DOJ as a critical regulator of data transfers involving countries of concern or covered persons. Organizations transacting with entities or individuals located in or otherwise having relationships with the People’s Republic of China (including Hong Kong and Macau) (the “PRC”), Russia, Iran, North Korea, Cuba, and Venezuela should carefully review the Final Rule for potential impacts on their business models. The Final Rule prohibits certain data brokerage transactions and transactions involving human ‘omic data. The Final Rule also creates a set of restricted transactions involving vendor agreements, employment agreements, or investment agreements in which U.S. persons may engage only if they comply with a set of cybersecurity requirements. In tandem with the publication of the Final Rule, on January 8, 2025 the Cybersecurity and Infrastructure Security Agency (“CISA”) published its final security requirements for restricted transactions.

There are several exemptions, however, that may be applicable for certain industries such as financial services, telecommunications, pharmaceutical development, and clinical research. These exemptions apply to both prohibited transactions and restricted transactions.

While expansive in scope, the regulations are limited to U.S. government-related data and bulk U.S. sensitive personal data. Specifically, with respect to sensitive personal data, the Final Rule limits the prohibitions and restrictions to:

These amounts are calculated from the preceding 12 months either from one transaction or aggregated from multiple transactions involving the same parties. Like the NPRM, the Final Rule does not exempt pseudonymized, anonymized or de-identified data from the definition of sensitive personal data, though such data may qualify for certain exemptions in the rule depending on the purpose for which they are used.

The Final Rule also provides for sweeping enforcement authority for the DOJ including through audits as well as civil and criminal enforcement. Civil penalties can approach the greater of $368,136 or an amount that is twice the amount of the transaction, while willful violations can be fined as much as $1 million or 20 years’ imprisonment. The Final Rule also creates exhaustive recordkeeping and reporting requirements.

The Rule is set to go into effect April 8, 2025, 90 days after its publication in the Federal Register, and certain due diligence requirements for restricted transactions are set to go into effect October 5, 2025, 270 days after the Rule’s publication in the Federal Register.

Since 90 days is a swift timeline for compliance, organizations that may be covered by these regulations should quickly review their obligations under the Final Rule and make changes, as necessary, to come into compliance.

Overview

Below, we provide an overview of the main aspects of the Final Rule along with critical details. Following this overview, we provide a summary of key areas in which the Final Rule differs from the NPRM. We have also provided a list of important definitions that inform the regulations in an appendix. It is important to note that the DOJ provides in the preamble text a significant number of examples to illustrate further the contours of the Final Rule. Organizations affected by aspects of the Final Rule should be sure to review the specific examples as they contain relevant compliance information.

Prohibited Transactions

The Final Rule prohibits U.S. persons from knowingly engaging in a covered data transaction involving data brokerage with a country of concern or covered person. It also prohibits any transaction that involves any access by a foreign person to government-related data or bulk U.S. sensitive personal data and that involves data brokerage with any foreign person unless the foreign person is contractually restricted from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person and the U.S. person reports any known or suspected violation of the contractual requirement.

The Final Rule also prohibits U.S. persons from knowingly engaging in any covered data transaction with a country of concern or covered person that involves access by that country of concern or covered person to bulk U.S. sensitive personal data that involves bulk human ‘omic data, or to human biospecimens from which bulk human ‘omic data could be derived.

Restricted Transactions

The regulations restrict U.S. persons from knowingly engaging in a covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person unless the U.S. person complies with certain security requirements published by the CISA.

These security requirements include an asset inventory; a chief information security officer; timely remediation of vulnerabilities (the requirements have specific timelines); documentation of all vendor agreements; maintenance of an accurate network map; a vendor cybersecurity diligence policy; an incident response plan; multi-factor authentication or sufficiently complex passwords when multi-factor authentication is not feasible; timely revocation of credentials; comprehensive logging; access management policies and procedures; data retention and deletion policies; sufficient encryption; and incorporation of privacy-enhancing technologies.

Restriction on Transactions Conducted through Foreign Persons that Would Be Prohibited if Performed by a U.S. Person

The Final Rule prohibits U.S. persons from knowingly directing any covered data transaction involving a foreign person that would be a prohibited transaction or restricted transaction that fails to comply with applicable requirements if engaged in by a U.S. person. For example, if a U.S. person is an officer, senior manager, or equivalent senior level employee at a foreign company that is not a covered person, and the foreign company undertakes a covered data transaction at that U.S. person’s direction or with that U.S. person’s approval when the covered data transaction would be prohibited if performed by a U.S. person, the U.S. person has knowingly directed a prohibited transaction.

Exempt Transactions

The Final Rule maintained the exempted transactions to which the prohibitions and restrictions do not apply. These exempted transactions are as follows:

The Final Rule contemplates a licensing regime that could issue general licenses that would be applicable to specific types of transactions as well as specific licenses that would be applicable to certain transactions.

Recordkeeping

The regulations require entities engaging in restricted transactions to implement a data compliance program, which requires comprehensive policies, procedures, and recordkeeping surrounding data involved in a restricted transaction. The Final Rule would also require entities to conduct a yearly third-party audit to assess their compliance with the regulations, as well as require entities to maintain comprehensive records surrounding compliance with the Final Rule.

Penalties

The Final Rule provides for civil and criminal enforcement. Civil penalties can approach the greater of $368,136 or an amount that is twice the amount of the transaction, while willful violations can be fined as much as $1 million or 20 years’ imprisonment. If the DOJ determines that a civil monetary penalty is warranted, it will issue a pre-penalty notice informing the alleged violator of the agency’s intent to impose a monetary penalty. An alleged violator has the right to respond to a pre-penalty notice or finding of violation by making a written presentation to the Department of Justice. The Final Rule also allows organizations to solicit advisory opinions on the applicability of the rule to certain transactions.

Major Changes from the NPRM

Covered Person Definition Clarification

Under the Final Rule, the term covered person was broadened to include companies that are 50% owned individually or in the aggregate by a country of concern or certain other covered persons. The revised definition of “covered person” is found in the appendix.

Addition of Human ‘Omic Data

In the Final Rule, the DOJ added human ‘omic data to its definition of sensitive personal data and expanded the first category of prohibited transactions to include human ‘omic data as opposed to only human genomic data. Human ‘omic data encompasses not only “human genomic data,” but also human epigenomic data, human proteomic data, and human transcriptomic data. The term does not include pathogen-specific data embedded in human ‘omic data sets.

The Final Rule’s bulk threshold for human ‘omic data is data collected about or maintained on more than 1,000 U.S. persons, but for the subset of human genomic data it is data collected about or maintained on more than 100 U.S. persons.

The Final Rule prohibits a U.S. person from knowingly engaging in any covered data transaction with a country of concern or covered person that involves access by that country of concern or covered person to bulk U.S. sensitive personal data that involves bulk human ‘omic data, or to human biospecimens from which bulk human ‘omic data could be derived.

The Final Rule added a few examples related to human ‘omic data, which suggests the need for an exchange of payment or other valuable consideration between the parties for an activity to be considered a “covered transaction”:

A U.S. researcher shares bulk human ‘omic data on U.S. persons with a researcher in a country of concern (a covered person) with whom the U.S. researcher is drafting a paper for submission to an academic journal. The two researchers exchange bulk U.S. human ‘omic data over a period of several months to analyze and describe the findings of their research for the journal article. The U.S. person does not provide to or receive from the covered person or the covered person’s employer any money or other valuable consideration as part of the authors’ study. The U.S. person has not engaged in a covered data transaction involving data brokerage, because the transaction does not involve the sale of data, licensing of access to data, or similar commercial transaction involving the transfer of data to the covered person.

A U.S. researcher receives a grant from a university in a country of concern to study bulk personal health data and bulk human ‘omic data on U.S. persons. The grant directs the researcher to share the underlying bulk U.S. sensitive personal data with the country of concern university (a covered person). The transaction is a covered data transaction because it involves access by a covered person to bulk U.S. sensitive personal data and is data brokerage because it involves the transfer of bulk U.S. sensitive personal data to a covered person in return for a financial benefit.

The Final Rule also continues to contain an exception for transactions conducted pursuant to a grant, contract, or other agreement entered into with the United States government, which may exempt certain research activities involving human ‘omic data that are funded by the U.S. government that would otherwise be prohibited. Such activities would instead be subject to any future restrictions issued by the funding agency.

New Exclusion from the Definition of Human Biospecimen for Certain Diagnostic and Treatment Activities

The Final Rule defines human biospecimens (as relevant to the prohibition on transactions involving bulk human ‘omic data) as a quantity of tissue, blood, urine, or other human-derived material, including such material classified under certain 10-digit Harmonized System-based Schedule B numbers. The Final Rule clarifies, however, that the term human biospecimens does not include human biospecimens, including human blood, cell, and plasma-derived therapeutics, intended to be used by a recipient solely for diagnosing, treating, or preventing any disease or medical condition.

Revamped Security Requirements for Restricted Transactions

Like the NPRM, the Final Rule allows restricted transactions (in contrast to prohibited transactions) to take place if the U.S. person complies with the security requirements. The security requirements have been separately promulgated by CISA. As a result of feedback CISA received in response to the security requirements in its Notice of Proposed Rulemaking, CISA made some important changes in its Final Rule including:

Expanded Telecommunications Service Exemption

The Final Rule exempts transactions that are ordinarily incident to and part of telecommunications services. The Final Rule expands the definition of telecommunications services to include voice and data communications over the internet in addition to telecommunications services meeting the definition in 47 U.S.C. 153(53).

Explicitly Exempting Securities, Commodities, and Derivatives

The Final Rule exempts data transactions to the extent that they are ordinarily incident to and part of the provision of financial services. The exemplary, non-exhaustive list of the data transactions that qualify for this exemption now explicitly includes trading and underwriting of securities, commodities, and derivatives. The NPRM only implicitly included those transactions.

Expanding the Drug, Biological Product, and Medical Device Authorizations and Other Clinical Investigations and Post-Marketing Surveillance Data Exemptions

The Final Rule exempts data transactions that involve “regulatory approval data” and are necessary to obtain or maintain regulatory authorization or approval to research or market a drug, biological product, device, or a combination product provided that the U.S. person complies with the Final Rule’s recordkeeping and reporting requirements. The NPRM limited the exemption to only those necessary to obtain or maintain approval to market a drug, biological product, or device. Additionally, under the Final Rule, regulatory approval data includes sensitive personal data that is pseudonymized consistent with the standards of 21 CFR 314.80 (FDA’s regulations governing post-marketing reporting of adverse drug experiences) in addition to data that are de-identified. This is an important clarification given the broad use of pseudonymized data for research and regulatory purposes.

The Final Rule provided several examples to illustrate this exemption. Broadly stated, these examples suggest that where a country of concern’s laws require certain activities in connection with a regulatory approval, for example, using a registered agent to make submissions to the country of concern regulatory authority, the activity is likely to fall within the exemption. However, if the U.S. individual has discretion as to whether to undertake an activity, such activity is unlikely to fall within the exemption.

The Final Rule also exempts certain clinical investigations and post-marketing surveillance data. The exemption includes transactions that are ordinarily incident to and part of clinical investigations regulated by the U.S. FDA or used to support applications to the FDA for research or marketing permits for certain FDA-regulated products. It also exempts the collection or processing of clinical care data indicating real-world performance or safety of products, or the collection or processing of post-marketing surveillance data (including pharmacovigilance and post-marketing safety monitoring), and necessary to support or maintain authorization by the FDA. The NPRM only allowed for the above exemption if the data were de-identified. The Final Rule allows for de-identified or pseudonymized data consistent with the standards of 21 CFR 314.80 (FDA’s regulations governing post-marketing reporting of adverse drug experiences).

Conclusion

The DOJ is taking its direction under Executive Order 14117 seriously and has crafted a comprehensive regulatory regime for the transfer of bulk sensitive data to countries of concern and covered persons. The penalties for violations are significant and may have a material impact on some organizations’ business models. Given the short timeframe for compliance, organizations should begin evaluating which of their transactions may implicate the Final Rule’s prohibitions and restrictions to come into compliance.

Appendix A: Important Definitions

Access means logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form, including through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment, or software. For purposes of determining whether a transaction is a covered data transaction, access is determined without regard for the application or effect of any security requirements.

Bulk U.S. Sensitive Personal Data means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted where such data meets or exceeds the applicable threshold set forth in § 202.205.

Personal Health Data means health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.

Personal Financial Data means data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a “consumer report.”

Country of Concern currently is defined as China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.

Covered Data Transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves data brokerage, vendor agreement, employment agreement, or investment agreement.

Covered Person means:

  1. A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern or persons described in bullet 2; or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
  2. A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in bullets 1, 3, 4, or 5;
  3. A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in bullets 1, 2, or 5;
  4. A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or
  5. Any person, wherever located, determined by the Attorney General: (i) to be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person; (ii) to act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or (iii) to have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.

Directing means having any authority (individually or as part of a group) to make decisions for or on behalf of an entity and exercising that authority.

Engage is undefined in the regulations.

Foreign Person means any person that is not a U.S. person.

Government-Related Data means certain precise geolocation data, regardless of volume, explicitly enumerated in the rule and any sensitive data, regardless of volume, linkable to current or recent employees of the U.S. government.

Human Biospecimens means a quantity of tissue, blood, urine, or other human-derived material including such material classified under any of the following 10-digit Harmonized System-based Schedule B numbers:

The definition does not include human biospecimens, including human blood, cell, and plasma-derived therapeutics, intended by a recipient solely for use in diagnosing, treating, or preventing any disease or medical condition.

Knowingly means with respect to conduct, a circumstance, or a result, that a person has actual knowledge, or reasonably should have known, of the conduct, the circumstance, or the result.

U.S. Person means any United States citizen, national, or lawful permanent resident; any individual admitted to the United States as a refugee under 8 U.S.C. § 1157 or granted asylum under 8 U.S.C. § 1158; any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person in the United States.

This post comes to us from Ropes & Gray LLP. It is based on the firm’s memorandum, “DOJ Issues Final Rule Restricting Flow of Bulk Sensitive Personal Data to China and Other Countries of Concern,” dated January 9, 2025, and available here.