To help prevent countries of concern or “covered persons” from accessing U.S. government-related data and Americans’ bulk sensitive personal data, the National Security Division (NSD) of the U.S. Department of Justice (DOJ) issued a final rule (“2025 Final Rule”), which took effect in April. The DOJ will begin enforcing the 2025 Final Rule on July 8, 2025.
The 2025 Final Rule implemented the prior administration’s Executive Order 14117 of February 28, 2024—entitled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“EO 14117”)—by prohibiting and restricting particular data transactions with certain countries or persons. The 2025 Final Rule prohibits and restricts “bulk” data transactions with countries that have demonstrated a willingness and capability to use Americans' sensitive personal data to threaten U.S. national security.
The change in presidential administrations has not kept the DOJ from moving forward with implementing the 2025 Final Rule to protect U.S. information from misuse abroad. Though framed as part of a Data Security Program (DSP) delivering on promises made by President Donald Trump in his first term, this “unusual and extraordinary threat” has been “repeatedly recognized across political parties and by all three branches of government,” the DOJ stated in an April 11, 2025, press release. An initial list of more than 100 Frequently Asked Questions that the DOJ issued on that date, in fact, stemmed in part from comments received on the proposed version of the 2025 Final Rule.
“If you’re a foreign adversary, why would you go through the trouble of complicated cyber intrusions and theft to get Americans’ data when you can just buy it on the open market or force a company under your jurisdiction to give you access?” Deputy Attorney General Todd Blanche asked in the press release. The DSP, he added, “makes getting that data a lot harder.”
This Insight will focus on various components of the 2025 Final Rule, including (i) the transactions and relationships that may be impacted, (ii) the timing of enforcement, and (iii) data reporting and other compliance requirements.
Background
EO 14117, issued by President Joe Biden, directed the attorney general and the Secretary of Homeland Security to issue regulations “that prohibit or otherwise restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (transaction), where the transaction”:
- involves bulk sensitive personal data or U.S. government-related data, as defined by the regulations;
- falls within a class of transactions that has been determined by the attorney general in the regulations to pose an unacceptable risk to U.S. national security because the transactions may enable “countries of concern” or “covered persons” to access bulk sensitive personal data or U.S. government-related data;
- was initiated, is pending, or will be completed after the effective date of the regulations;
- does not qualify for an exemption provided in, or is not authorized by a license issued pursuant to, the regulations; and
- is not, as defined by the regulations, ordinarily incident to and part of the provision of financial services, including banking, capital markets, and financial insurance services, or required for compliance with any federal statutory or regulatory requirements.
Prohibited Transactions
The 2025 Final Rule—which prohibits knowing engagement in certain exchanges with covered persons and countries—applies to transactions with the following three elements, as they are deemed to pose an unacceptable risk to U.S. national security should the data fall into the wrong hands:
First, the transaction must constitute a “covered data transaction,” which means any access by a “country of concern” or “covered person” (defined below) to “any bulk U.S. sensitive personal data” or “any government-related data” (defined below), that also involves one or more of the following:
- A data brokerage (defined as “the sale of data, licensing of access to data, or similar commercial transactions … where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data”).[1]
- Note that the requirement in § 202.302—“Other prohibited data-brokerage transactions involving potential onward transfer to countries of concern or covered persons”—places obligations on transactions involving access by foreign persons to government-related data or bulk U.S. sensitive data “that involves data brokerage with any foreign person that is not a covered person,” with exceptions.
- A DSP compliance guide issued on April 11, 2025 (“Compliance Guide”), states that the 2025 Final Rule would prohibit primary data brokers (who collect and sell information about their own customers) and third-party data brokers (“who purchase and resell data that they did not collect in the first instance”) from “engaging in data brokerage transactions involving bulk U.S. sensitive personal data or government-related data with (1) countries of concern or covered persons [citing § 202.301] or (2) other foreign persons, unless the data brokerage transaction included a contractual prohibition on resale of any such data” [citing § 202.302].
- The Compliance Guide further suggests that a data brokerage could include a U.S. company “maintaining a website or mobile application that contains ads with tracking pixels or software development kits that were knowingly installed or approved for incorporation into the app or website by the U.S. company. That transfer or provision of access to government-related or bulk U.S. sensitive personal data to covered persons or countries of concern could constitute data brokerage and be a violation of the DSP.”
- A vendor agreement (defined as “any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person” for consideration).[2]
- An employment agreement (defined as “any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person” for consideration).[3]
- An investment agreement (defined as an “arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to” U.S. real estate or a U.S. legal entity;[4] however, there is an exception for certain passive investments).
Second, the “covered data transaction” must involve “bulk U.S. sensitive personal data” or “government-related data.”
- “Bulk U.S. sensitive personal data”:
- “Bulk” must meet or exceed the following thresholds within the preceding 12-month period, whether in a single covered data transaction or aggregated across those involving the same U.S. person and covered or foreign person:
- Human ‘omic data collected about or maintained on more than 1,000 U.S. persons, or in the case of human genomic data, more than 100 U.S. persons;
- Biometric identifiers collected about or maintained on more than 1,000 U.S. persons;
- Precise geolocation data collected about or maintained on more than 1,000 U.S. devices;
- Personal health data collected about or maintained on more than 10,000 U.S. persons;
- Personal financial data collected about or maintained on more than 10,000 U.S. persons;
- Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons; or
- Combined data, where any individual data type meets the threshold number of persons or devices collected or maintained in the aggregate for the lowest number of U.S. persons or U.S. devices in that category of data.[5]
- “Sensitive personal data” means covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic (includes genomic) data, personal health data, personal financial data, or any combination.[6]
- “Government-related data” includes any geolocation data, regardless of volume, involving, for example, worksites of government employees in national security positions; military installations; or sensitive personal data linkable to employees, contractors, senior officials, etc.[7]
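The “know your data” exercise the DOJ expects turns the thresholds above into a repeatable inventory check. The following Python script is an added example, not code from the Final Rule, the Compliance Guide, or the authors of this Insight: it takes the threshold figures and the 12-month, same-counterparty aggregation rule from the text, while the record layout, the sample transfers, and the reading of the combined-data clause (the lowest threshold among the categories present applies to each of them) are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# "Bulk" thresholds as listed on the page: a count must be MORE THAN the
# figure. Precise geolocation is counted in U.S. devices, the rest in persons.
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "human_omic": 1_000,
    "biometric": 1_000,
    "precise_geolocation": 1_000,
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_identifiers": 100_000,
}

@dataclass(frozen=True)
class Transfer:
    """One data transaction (assumed layout): per-category sets of distinct
    U.S. person/device IDs made accessible to a counterparty on a given day."""
    day: date
    counterparty: str
    records: dict

def aggregate(transfers, counterparty, as_of, window_days=365):
    """Distinct IDs per category over the preceding 12 months with the same
    counterparty, as the rule aggregates across such transactions."""
    start = as_of - timedelta(days=window_days)
    seen = {}
    for t in transfers:
        if t.counterparty != counterparty or not (start < t.day <= as_of):
            continue
        for cat, ids in t.records.items():
            seen.setdefault(cat, set()).update(ids)  # union, so no double count
    return {cat: len(ids) for cat, ids in seen.items()}

def bulk_reason(counts):
    """Why the aggregate is 'bulk', or None if no threshold is crossed."""
    for cat, n in counts.items():
        if n > BULK_THRESHOLDS[cat]:
            return f"{cat}: {n} > {BULK_THRESHOLDS[cat]}"
    # Combined data, under the assumed reading of the page's wording: with
    # more than one category present, the lowest threshold among them applies.
    if len(counts) > 1:
        lowest = min(BULK_THRESHOLDS[c] for c in counts)
        for cat, n in counts.items():
            if n > lowest:
                return f"combined data: {cat}: {n} > {lowest}"
    return None

# Constructed sample. vendor-A: two overlapping health batches, each under
# 10,000 alone but over it together; the 2024 batch is outside the window.
# vendor-B: health and biometric data, each under its own threshold, but the
# combined set crosses the lowest threshold present (1,000).
SAMPLE = [
    Transfer(date(2025, 2, 1), "vendor-A", {"personal_health": set(range(0, 6000))}),
    Transfer(date(2025, 6, 1), "vendor-A", {"personal_health": set(range(5000, 11000))}),
    Transfer(date(2024, 1, 1), "vendor-A", {"personal_health": set(range(0, 20000))}),
    Transfer(date(2025, 6, 1), "vendor-B", {"personal_health": set(range(0, 6000)),
                                             "biometric": set(range(0, 900))}),
]

def sample_results(as_of=date(2025, 7, 8)):
    """counterparty -> (aggregated counts, bulk reason or None)."""
    out = {}
    for cp in ("vendor-A", "vendor-B"):
        counts = aggregate(SAMPLE, cp, as_of)
        out[cp] = (counts, bulk_reason(counts))
    return out
```

Running `sample_results()` flags vendor-A on the health threshold only once the two batches are aggregated, and vendor-B only through the combined-data reading, which is the kind of edge case a per-transaction review would miss.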
Third, the “covered data transaction” must involve providing a “country of concern” or “covered person” with “access” to such controlled data.
- “Country of concern”: This term is defined as those engaging in a long-term pattern or serious instances of conduct significantly adverse to U.S. national security or the security and safety of U.S. persons, and that pose a significant risk of exploiting government-related or bulk U.S. sensitive personal data.[8] Six countries currently meet this definition: China, Iran, North Korea, Russia, Venezuela, and Cuba.
- “Covered person”: This term is defined in § 202.211(a)(1) through (5) as follows:
- (1) A foreign person that is an entity that is 50 percent or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern or persons described in paragraph (a)(2), or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
- (2) A foreign person that is an entity that is 50 percent or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in paragraphs (a)(1), (3), (4), or (5);
- (3) A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in paragraphs (a)(1), (2), or (5);
- (4) A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or
- (5) Any person determined by the attorney general:
- (i) To be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person;
- (ii) To act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or
- (iii) To have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.[9]
- “Access”: This term is defined as “logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form, including through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment, or software.”[10]
The 2025 Final Rule clarifies that transactions that do not provide “access” to a country of concern or a covered person are not restricted. Commenters questioned whether the 2025 Final Rule would apply to other transactions that are related to a covered data transaction but that do not themselves provide a country of concern or a covered person access to bulk U.S. sensitive personal data or government-related data. The NSD provides an illustration of permissible transfers of U.S. bulk data involving countries of concern that do not constitute “access”:
For instance, a U.S. research institution that entered into a vendor agreement with a covered person cloud-services provider in a country of concern to store bulk U.S. personal health data or bulk human genomic data in a country of concern would have to comply with the security requirements mandated by subpart D [authorizing restricted transactions under certain conditions if the U.S. person complies with the security requirements of § 202.408, see below]. But the rule would not impose any restrictions or prohibitions on the ability of U.S. or foreign persons who are not covered persons to access or analyze the bulk U.S. sensitive personal data stored by a country of concern cloud-services provider.[11]
Restricted Transactions: Due Diligence and Audit Requirements
With exceptions, the 2025 Final Rule states in subpart D that no U.S. person may knowingly engage in a covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person unless the U.S. person complies with the security requirements specified in § 202.248, described below. Thus, a “prohibited transaction” may become a “restricted transaction.” Here is a recap:
“Prohibited transaction” is defined in the 2025 Final Rule as a data transaction subject to the prohibitions described in subpart C—generally including, with exceptions, covered data transactions involving data brokerage with a country of concern or covered person, and covered data transactions with a country of concern or covered person involving access to bulk U.S. sensitive personal data involving bulk human ‘omic data or human biospecimens from which bulk human ‘omic data could be derived.
“Restricted transaction” is defined in the 2025 Final Rule as a data transaction subject to the prohibitions described in subpart D—which include covered data transactions involving employment, vendor, or investment agreements with a country of concern or a covered person. U.S. persons engaging in these transactions would have to comply with (1) the Cybersecurity and Infrastructure Security Agency (“CISA”) Security Requirements for Restricted Transactions; (2) the data compliance program and audit requirements described in Subpart J; and (3) the specific recordkeeping requirements of § 202.1101 as they pertain to restricted transactions.
U.S. persons engaging in restricted transactions, however, must develop and implement a data compliance program and conduct an audit as specified by the rule, no later than October 6, 2025.
Exempt Transactions
Under Subpart E, exemptions to the prohibitions and restrictions of the DSP include the following:
- Personal communications (includes personal communications that do not involve the transfer of anything of value).
- Information or informational materials.
- Travel (i.e., data transactions to the extent that they are ordinarily incident to travel to or from any country).
- Official business of the U.S. government (i.e., data transactions for the conduct of the official business of the U.S. government by employees, grantees, or contractors, and transactions conducted pursuant to a grant, contract, or other agreement entered into with the U.S. government).
- Financial services (i.e., data transactions to the extent that they are ordinarily incident to and part of the provision of financial services).
- Corporate group transactions (including data transactions between a U.S. person and a subsidiary or affiliate in a country of concern, as long as they are ordinarily incident to and part of administrative or ancillary business operations; however, the DOJ declined to expand the corporate group transactions exemption to include data transactions involving government-related data and bulk U.S. sensitive personal data with corporate affiliates of U.S. companies in countries of concern for routine research and development purposes).
- Transactions required or authorized by federal law or international agreements, or necessary for compliance with federal law.
- Investment agreements subject to a Committee on Foreign Investment in the United States (CFIUS) action.
- Telecommunications services (i.e., data transactions, other than those involving data brokerage, to the extent that they are ordinarily incident to and part of the provision of telecommunications services).
- Drug, biological product, and medical device authorizations (i.e., certain data transactions that involve “regulatory approval data” necessary to obtain or maintain regulatory authorization or approval to research or market a drug, biological product, device, or combination product, if reporting and recordkeeping requirements are met).
- Scope. “Regulatory approval data”[12] includes data from post-market clinical investigations (conducted under applicable Food and Drug Administration (FDA) regulations, such as 21 CFR parts 50 and 56), clinical care data, and post-marketing surveillance, including data on adverse events. For example, where continued approval to market a drug in a country of concern is contingent on submission of data from ongoing product vigilance or other post-market requirements, the exemption applies. The exemption also applies even where FDA authorization for a product has not been sought or obtained. The DOJ does not intend to require U.S. companies to first pursue authorization to market a product in the United States before seeking regulatory approval or authorization from a country of concern.
- Third-party vendors. The exemption allows U.S. persons seeking to market drugs, biological products, devices, or combination products in a country of concern to engage third-party vendors to assist with the submission of data to regulatory entities—where it is “necessary” to obtain or maintain regulatory approval from a country of concern regulator, and where such data is de-identified or pseudonymized, consistent with FDA regulations, and reasonably necessary for the country of concern regulator to assess safety and effectiveness.
- The DOJ declined to adopt a broad regulatory exemption that would allow “country of concern” regulators unrestricted access to bulk U.S. sensitive personal data. However, the agency will continue to evaluate this concern, including the appropriateness of a general license.
- Other clinical investigations and post-marketing surveillance data (i.e., data transactions to the extent that they are ordinarily incident to and part of certain clinical investigations or the collection and processing of certain clinical care data or post-marketing surveillance data).
No consent exemption. Citing the threat to national security, the DOJ declined to adopt a consent exception that would have allowed U.S. individuals and companies to choose to share government-related data or bulk U.S. sensitive personal data with countries of concern or covered persons.
Licensing
The DOJ may issue general or specific licenses to authorize transactions that are subject to the prohibitions or restrictions of the 2025 Final Rule.
Timing
The 2025 Final Rule became effective April 8, 2025, and all impacted individuals and entities are now required to comply. The three exceptions to this date are (1) the affirmative obligations of subpart J, related to due diligence and audit requirements for restricted transactions; (2) § 202.1103, related to reporting requirements for certain restricted transactions; and (3) § 202.1104, relating to reports on rejected prohibited transactions. Entities and individuals are required to comply with those three provisions starting October 6, 2025.
Because the DOJ recognized that individuals and companies may need time for compliance with the entire DSP, the NSD stated in its April 11 Implementation and Enforcement Policy document that it would not prioritize enforcement actions against any person for violations occurring from April 8 through July 8, 2025, with exceptions for willful violations. After July 8, “individuals and entities should be in full compliance with the DSP and should expect NSD to pursue appropriate enforcement with respect to any violations.”
Data Reporting
Reporting Requirements. As previewed in the Advance Notice of Proposed Rulemaking and Notice of Proposed Rulemaking, the 2025 Final Rule establishes certain reporting requirements to ensure compliance with these rules and to safeguard national security, including:
- annual reports filed by U.S. persons engaged in restricted transactions involving cloud-computing services, if those services are 25 percent or more owned, directly or indirectly, by a country of concern or covered person;
- reports by any U.S. person that has received and affirmatively rejected an offer from another person to engage in a prohibited transaction involving data brokerage;
- reports by U.S. persons engaged in a covered data transaction involving data brokerage with a foreign non-covered person if the U.S. person knows or suspects that the foreign counterparty is violating the restrictions on resale and onward transfer to countries of concern or covered persons; and
- reports by U.S. persons invoking the exemption for certain data transactions that are necessary to obtain or maintain regulatory approval to market a drug, biological product, device, or a combination product in a country of concern.
The 2025 Final Rule allows companies to use existing audits, reports, and other compliance practices as long as they meet the requirements of this rule, and, thus, there is no need to create duplicative or separate systems or reports.
Enforcement
The DOJ’s 90-day safe harbor window, during which it will not prioritize enforcement actions for violations, ends on July 8, 2025. Companies can reasonably expect that the DOJ will not bring enforcement actions based on covered transactions occurring during this period if the company has engaged in good-faith efforts to come into compliance with the 2025 Final Rule. However, the DOJ has explicitly reserved its right to bring enforcement actions against those companies or individuals that have willfully violated the 2025 Final Rule during this 90-day window. Beginning July 8, 2025, individuals or entities that knowingly evade, or conspire to evade, these restrictions or prohibitions could face criminal or civil penalties, as described in Subpart M of the 2025 Final Rule.
Conclusion
The 2025 Final Rule applies broadly, covering routine business transactions and data transfers across all business sectors. Notably, the 2025 Final Rule encompasses companies that may not have historically had significant exposure to international restrictions.
Companies must closely evaluate their vendor relationships and employment agreements, along with commercial transactions, to assess their compliance with the 2025 Final Rule’s requirements. With the non-enforcement window closing on July 8, 2025, companies must initiate good-faith efforts to evaluate and come into compliance with the 2025 Final Rule. In particular, the DOJ has directed U.S. persons to “know their data,” including the volume and type of data collected that relates to a U.S. person and how their company uses the data in business transactions, with careful consideration given to whether such transactions are covered data transactions under the 2025 Final Rule, as the Compliance Guide states (note, however, that EO 14117 and the 2025 Final Rule take precedence over the Compliance Guide in the case of inconsistencies). At a minimum, all companies that conduct business with—or regularly affiliate with—a country of concern or covered individual should perform due diligence into the nature and extent of those relationships.
U.S. persons may submit requests for advisory opinions in connection with the 2025 Final Rule.
****
Epstein Becker Green Staff Attorney Ann W. Parks contributed to the preparation of this Insight.
ENDNOTES
[1] 90 Fed. Reg. 1646 (Jan. 8, 2025) (to be codified at 28 C.F.R. pt. 202).
[2] Id. at 1716.
[3] Id. at 1711.
[4] Id. at 1713.
[5] Id. at 1708.
[6] Id. at 1716.
[7] Id. at 1712.
[8] Id. at 1708.
[9] Id.
[10] Id. at 1707.
[11] Id. at 1646.
[12] Id. at 1724.