The Busy Lawyer’s Guide to the New “Data Export Control” Rules

Wilson Sonsini Goodrich & Rosati

On January 8, 2025, the U.S. Department of Justice (DOJ) published final rules (the Final Rules) to prohibit or restrict transactions by U.S. persons that could result in access to sensitive data by persons associated with certain countries of concern, including most notably the People’s Republic of China (PRC); further, broadly defined “data brokerage” with any foreign person can trigger obligations and prohibitions under the Final Rules.

The Final Rules came hard on the heels of the DOJ’s October 2024 issuance of a Notice of Proposed Rulemaking (NPRM). As discussed in our prior mailers on the NPRM, the Final Rules mark the DOJ’s emergence as a critical regulator in the entirely new arena of “data export” controls. Barring any changes or delays by the incoming Trump administration, this development will have profound impacts on companies across the U.S. economy in ways that may not be fully felt for years to come.

Critically, any U.S. person or business that stores or maintains any of the “covered data” types discussed below (i.e., either certain government-related data or bulk personal data of U.S. persons), will need to assess whether any of its agreements with third parties, as well as certain of its relationships with employees, may lead to transactions that fall within the requirements of the Final Rules.

What Are the Most Important Takeaways?

The Final Rules will apply to all transactions (e.g., grants of access to data) occurring after the effective date of April 8, 2025, even if a transaction occurs under a commercial agreement that was entered into before that date. As a result:

  1. The agreements subject to the Final Rules include 1) agreements that involve the commercial use of data through “data brokerage” (e.g., sale or licensing). The Final Rules also cover agreements with 2) vendors, 3) investors, and 4) employees that may lead to those parties’ ability to review, receive, or affect those data holdings, regardless of the security measures employed.
  2. When establishing agreements of those four types, a U.S. business will need to confirm both a) that the contractual counterparty is not a “covered person”[1] associated with a country of concern (such as the PRC or Russia) and b) that no data brokerage is taking place. In agreements where data brokerage is occurring, U.S. persons are obligated to bind any foreign counterparty not to transfer covered data onward to covered persons, even if the contractual counterparty is not a covered person.
  3. In addition, the Final Rules may require U.S. persons to revisit any of the four types of agreements covered by those rules that they (or foreign entities they control) may be already party to, in order to ensure exchanges of data under those agreements are compliant. This may include, for example:
    • revisiting existing licensing agreements involving a wide range of datasets ranging from databases of consumers using adtech to clinical trial subjects;
    • revisiting vendor agreements that grant data access to vendors;
    • revisiting IT access to systems that employees or contractors from countries of concern use if those systems contain covered types of data; and
    • revisiting intra-company transfers of data with foreign affiliates that are covered.
  4. While the Final Rules contain a number of exemptions (e.g., to facilitate intra-corporate HR data sharing, or to permit U.S. pharmaceutical companies to pursue foreign regulatory approval), those exemptions generally are narrow.
  5. In addition, the Final Rules only prohibit “knowingly” engaging in prohibited transactions, or “knowingly” engaging in restricted transactions without implementing required security controls. However, the term “knowingly” is defined to include circumstances in which a person “reasonably should have known” that the transaction was prohibited or restricted. The Final Rules do not provide specific guidance on what facts entities are “reasonably” expected to know, or what level of due diligence would be sufficient.

How Do I Determine If the Final Rules Apply to My Transaction?

The Final Rules are complex, containing multilayered definitions of, and ambiguities regarding, inter alia:

  • which U.S. persons are covered and when;
  • the types of data that are covered;
  • the nature of the transactions that give rise to controls;
  • which parties U.S. persons may have restrictions on interacting with;
  • the exemptions to those otherwise prohibited and restricted transactions; and
  • the security controls that will be required to engage in restricted transactions.

Below, we provide a five-step test for use in assessing whether a transaction is a “covered data transaction” giving rise to obligations under the Final Rules.

Step 1: Is there a U.S.-related party subject to the rules?

Type of party, and the circumstances in which that party is subject to the Final Rules:

U.S. person party to the agreement

  • United States citizen, national, or lawful permanent resident;
  • U.S. refugee or asylee;
  • Any entity organized solely under the laws of the United States or a U.S. jurisdiction; or
  • Any person located in the United States.

U.S. person directing the data transaction

  • U.S. person (see above) that “knowingly directs” any covered data transaction by any third party that would be prohibited or restricted if the third party were a U.S. person

Step 2: Is there a dataset subject to the rules?

Type of dataset, and the circumstances in which the data in the dataset is subject to the Final Rules:

Government-related data

  • Any precise geolocation data, regardless of volume, for certain locations enumerated on the Government-Related Location Data List; or
  • Any “sensitive personal data,” regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government.

Bulk U.S. sensitive personal data (the numerosity thresholds below are measured over the aggregate of covered transactions in the prior 12 months; ‘sensitive personal data’ as used here and above applies regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, but does not include data that is lawfully publicly available or not related to an individual)

Data on 100+ U.S. persons

  • Human genomic data
  • Human biospecimens from which ‘omic data may be derived
  • The results of any individual’s genetic test or genetic sequencing

Data on 1,000+ U.S. persons

  • Human epigenomic, proteomic, or transcriptomic data (excluding pathogen-specific data)
  • Biometric identifiers
  • Precise geolocation data (i.e., data that identifies physical location with a precision of greater than 1,000 meters)

Data on 10,000+ U.S. persons

  • Personal health data (i.e., data that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual)
  • Personal financial data (i.e., data about an individual’s credit, charge, or debit card, or bank account, including e.g., purchase history)

Data on 100,000+ U.S. persons

  • Covered personal identifiers, including e.g., any pairing of 1) government ID numbers, 2) financial account numbers, 3) device identifiers, 4) demographic or contact data, 5) advertising IDs, 6) account authorization data, 7) network identifiers (such as IP address), or 8) call detail information.

Combined datasets

  • For datasets combining more than one of the types of data above, apply the lowest applicable numerosity threshold

Step 3: Is there a transaction subject to the rules?

Type of transaction or agreement, and the circumstances in which it is subject to the Final Rules:

Entry into a covered agreement with a country of concern or covered person that may provide “access” (the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form) to covered datasets

Data brokerage

  • Any agreement for the sale or licensing of data, including the sale or licensing of access to data, not originally collected by the recipient (excludes vendor, investment, and employment agreements, see below)
  • PROHIBITED: All types of covered data

Vendor

  • Any agreement to acquire or provide goods or services
  • PROHIBITED: Human ‘omic data or biospecimens from which bulk human ‘omic data could be derived
  • RESTRICTED: All other kinds of covered data

Investment

  • Any agreement to obtain direct or indirect ownership interests in U.S. real estate or legal entities
  • PROHIBITED: Human ‘omic data or biospecimens from which bulk human ‘omic data could be derived
  • RESTRICTED: All other kinds of covered data

Employment

  • Any agreement in which an individual performs work for consideration
  • PROHIBITED: Human ‘omic data or biospecimens from which bulk human ‘omic data could be derived
  • RESTRICTED: All other kinds of covered data

Any transaction that provides access to covered datasets under one of the types of agreements mentioned above, or that is an attempt to evade the prohibitions

  • Any “transaction” (e.g., exchange involving property in which a foreign person has an interest) to exchange data under an agreement of the listed types is subject to the same levels of control as entry into that agreement would have been, even if the agreement was entered into before the Final Rules applied
  • Any transaction that has the purpose of evading or avoiding the Final Rules is prohibited

Entry into a data brokerage agreement with any foreign person involving access to covered datasets

  • Such a transaction requires the U.S. person to obtain contractual promises from the foreign party not to provide onward data brokerage of the related data to covered persons, and to report any known or suspected violations of the Final Rules as if they applied to that foreign party

Recipients of requests to enter into a prohibited data brokerage agreement

  • Starting October 6, 2025, any U.S. person that has received and affirmatively rejected an offer from another person to engage in a prohibited transaction involving data brokerage must file a report with the DOJ

Step 4: Is there a counterparty to the transaction that is covered? NOTE: As noted in the prior Step, for “data brokerage” transactions, any foreign person will be a sufficient trigger.

Type of counterparty, and the circumstances in which that party is subject to the Final Rules:

Country of concern

  • The PRC (including Hong Kong and Macau), Russia, Cuba, Venezuela, North Korea, or Iran

Covered person

  • Any foreign entity that is organized or chartered under the laws of or that has its principal place of business in a “country of concern”;
  • Any foreign person primarily resident in a country of concern;
  • Any person determined by the Attorney General to be acting on behalf of a country of concern in certain respects;
  • Any foreign person that is an employee or contractor of a country of concern or any of the aforementioned entities; and
  • Any foreign entity that is directly or indirectly 50 percent or more owned in the aggregate by any of the aforementioned entities.

Step 5: Is there an applicable exemption?

The most useful exemptions, with a brief description of each exemption and its application under the Final Rules:

Personal communications

  • Exempts personal communications that do not involve the transfer of anything of value

Financial services

  • Exempts transactions ordinarily incident to and part of the provision of financial services, including banking services, the sales of goods and services, payment processing, investment management, etc.

Corporate group transactions

  • Exempts transactions between a U.S. person and a foreign subsidiary or affiliate that are ordinarily incident to business operations, including HR, payroll, paying taxes, customer support, facilitating employee communications, etc.

Telecommunications services

  • Exempts transactions that are ordinarily incident to and part of the provision of telecommunications services

Drug, biological product, and medical device authorizations

  • Exempts the sharing of “regulatory approval data” (sensitive personal data that has been de-identified consistent with U.S. Food and Drug Administration (FDA) standards and is used for regulatory approval purposes) that is necessary to obtain or maintain regulatory authorization or approval to research or market a drug, biological product, device, or a combination product.
  • Requires the U.S. person to comply with the recordkeeping requirements for restricted transactions in order to leverage the exemption.

Clinical investigations and post-marketing surveillance

  • Exempts the sharing of data ordinarily incident to and part of a) clinical investigations regulated by FDA to support an FDA application for research or marketing permits for drugs, biological products, devices, combination products, or infant formula; or b) the collection or processing of clinical care data indicating real-world performance or safety of products, or the collection or processing of post-marketing surveillance data, subject to de-identification consistent with FDA standards.

How Will the Final Rules Be Enforced?

The DOJ will be responsible for enforcing the Final Rules. The DOJ’s enforcement authority will be consistent with its authority to enforce other rules—e.g., certain rules relating to economic sanctions and export controls—which have been implemented under the International Emergency Economic Powers Act, 50 U.S.C. § 1701 et seq. The Final Rules establish a maximum civil penalty not to exceed the greater of $368,136, or twice the amount involved in the violative transaction, for each transaction in violation of the Final Rules. In the case of “willful” violations, which would require “willfulness” in addition to actual knowledge of a violation, the Final Rules provide for criminal penalties of up to 20 years in prison, up to $1,000,000 per violation, or both.

How Should I Proceed If the Final Rules Apply to My Transaction?

If your U.S. business has access to a covered dataset and may be engaged in any of the prohibited or restricted transactions discussed above after April 8, 2025, there are a few key steps to take right now:

  • Assess whether the transaction is prohibited, restricted, or merely subject to new requirements. For example, data brokerage transactions with covered persons are fully barred. However, employment or vendor agreements are merely “restricted transactions” under the Final Rules, and so are permissible as long as the security requirements (see next bullet) are followed. Meanwhile, data brokerage transactions with non-covered foreign persons may require new contractual language but are considered neither prohibited nor restricted.
  • If considering restricted transactions with covered persons, understand the new security requirements associated with the Final Rules. U.S. persons who wish to pursue restricted transactions must comply with a set of separately published security requirements for protecting their datasets established by the Cybersecurity and Infrastructure Security Agency (CISA). Such U.S. persons must also establish a data security compliance program and conduct audits of that program. In addition, they must maintain records with respect to their restricted transactions. In certain cases, U.S. persons must affirmatively report on selected transactions annually, while in others they are merely obligated to provide the records upon DOJ request.
  • Watch for further developments. In the Final Rules, the DOJ signaled that it may release additional guidance in the near term, such as a) a mechanism for the voluntary self-disclosure of violations; b) a possible general or wind-down license to facilitate implementation of the regulations (e.g., to allow the amendment of existing contracts); and c) additional compliance and enforcement guidelines.
    • Perhaps more importantly, the Trump administration has signaled that it intends to comprehensively review regulations issued at the tail end of the Biden administration, and that it may attempt to rescind and/or delay enforcement of regulations the Trump team deems unnecessary. While the Trump team has generally expressed less skepticism of Biden-era national security rules than those in other regulatory arenas, there is still a chance that a new team may mean one more chance to reconsider this dramatic and far-reaching new ruleset.

[1] For more detail, see the breakdown of the definition of “covered person” in Step 4 above.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Wilson Sonsini Goodrich & Rosati
