As of July 9, the U.S. Department of Justice has begun full enforcement of a sweeping new data regulation known as the Sensitive Data Rule, or “SDR.” Implemented under President Biden’s Executive Order 14117, the SDR marks a fundamental shift in how the United States regulates the cross-border flow of sensitive personal and government-related data—not just as a privacy concern, but also as a matter of national security.
A central component of the SDR is the Bulk Data Rule, which establishes specific volume thresholds for regulated data types and prohibits or restricts cross-border transfers of such “bulk data” to covered persons and countries of concern.
A new era in data regulation
Signed by President Biden on February 28, 2024, Executive Order 14117 directed the DOJ to prevent foreign adversaries from acquiring bulk quantities of sensitive personal and government-related data that could be used to threaten U.S. national security. The DOJ’s Final Rule, issued in April 2025 and effective as of April 8, introduced the Data Security Program, a comprehensive framework for restricting certain data transactions involving sensitive U.S. information. The grace period for enforcement ended July 9, and entities are expected to be in full compliance by October 6 (additional details regarding enforcement and requirements are provided below in a Compliance Timeline).
Individuals and entities should understand that, unlike traditional data privacy laws, the U.S. Sensitive Data Rule is focused on transactional access to data, even if the data is not sold. The intent is to limit how and with whom sensitive data is shared, particularly when the data sharing or access involves entities and individuals associated with foreign nations considered hostile to U.S. interests.
“Countries of concern” and covered persons
The SDR targets data transactions involving “countries of concern,” defined as China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
However, it also applies to a wide range of “covered persons,” including the following:
- Entities that are based in a country of concern, or in which a country of concern holds 50 percent or more of the ownership.
- Individuals who live in those countries.
- Employees, agents, or contractors acting on behalf of covered persons.
- Any person the DOJ designates as subject to the SDR based on their conduct or affiliations.
What data is regulated?
The Sensitive Data Rule defines two major data categories: Sensitive Personal Data and Government-Related Data.
Sensitive Personal Data. This category includes data that, if obtained in bulk, could be exploited by foreign adversaries.
Under the Bulk Data Rule, “bulk” is defined by thresholds tied to specific data types; a dataset is subject to regulation only when it covers more than the following amounts:
- Covered identifiers (for example, names with Social Security Numbers or device IDs): 100,000 U.S. persons
- Geolocation data: 1,000 U.S. devices
- Biometric data (for example, facial images, retina scans): 1,000 U.S. persons
- Genomic data: 100 U.S. persons
- Other ’omic data (epigenomic, proteomic, transcriptomic): 1,000 U.S. persons
- Health data: 10,000 U.S. persons
- Financial data: 10,000 U.S. persons
Notably, the SDR applies even to anonymized, pseudonymized, or encrypted data.
Government-Related Data. Categories under this type of data are regulated, regardless of volume, and include precise geolocation information tied to government activities or facilities, as well as personal data about current or former U.S. government employees, including military and intelligence personnel.
Restricted or prohibited transactions
Prohibited transactions under the SDR include the following: (1) data brokerage involving covered sensitive personal data, and covered persons or countries of concern; and (2) any access to bulk human genomic, epigenomic, proteomic, or transcriptomic data (“human ‘omic data”) or human biospecimens by covered persons. Many of these restrictions, particularly those involving human ‘omic data and biospecimens, fall squarely under the Bulk Data Rule, which treats access to large datasets of sensitive biological information as a high-risk transaction.
Additionally, restricted transactions apply to vendor, employment, or investment agreements that allow access to covered data. These are permitted only if stringent Cybersecurity and Infrastructure Security Agency (CISA)-level security requirements are implemented (for example, encryption, access controls, and audit logs).
Compliance Timeline: What’s required, and when
Prohibitions and restrictions take effect: April 8, 2025
Covered entities were required to comply with the Data Security Program’s prohibitions and restrictions. (Affirmative obligations will not take effect until October 6.)
Grace period: April 8 – July 8, 2025
The DOJ said that it would not prioritize civil enforcement during this grace period but nevertheless expected good-faith compliance efforts, including the following:
- Reviewing internal data access and potential data brokerage.
- Identifying covered datasets and data types.
- Conducting due diligence on agreements involving covered persons or countries of concern.
- Beginning implementation of CISA-level cybersecurity standards.
Note: Willful or egregious violations may still be subject to enforcement during the grace period.
Enforcement Begins: July 9, 2025
After the limited grace period, entities should prioritize key actions in preparation for expanded enforcement and the coming “full compliance” date in October:
- Evaluate current transactions for compliance and remediate where required (or otherwise develop a defensible remediation plan).
- Confirm that counterparties are not covered persons or from countries of concern.
- For current and future restricted transactions, implement CISA security requirements, establish compliance procedures, conduct annual audits, and maintain records for at least 10 years.
- Incorporate the DOJ’s model contract language, where applicable.
Full Compliance: October 6, 2025
Once full compliance takes effect, entities must meet the affirmative obligations of the Sensitive Data Rule, including the following:
- Conduct due diligence and auditing for restricted transactions. Entities engaging in any restricted transactions are required to conduct annual audits that are comprehensive, independent, and objective (however, certain audits completed for other purposes may be used to comply with the Data Security Program, provided that they satisfy the requirements set forth in Section 202.1002).
- Submit reports on restricted transactions and rejected prohibited transactions. Entities engaged in restricted data transactions are required to file annual reports by March 1 describing the transactions engaged in during the prior calendar year. In particular, reports are required if the transaction involves cloud-computing services and if 25 percent or more of the U.S. company’s equity interest is owned by a country of concern or covered person.
- Submit annual compliance certifications. An officer, executive, or other employee responsible for compliance is expected to sign an annual certification of (1) the company’s Data Compliance Program implementation and due diligence efforts; (2) the company’s implementation of any applicable security requirements; and (3) the completeness and accuracy of recordkeeping documenting the company’s due diligence, as supported by an audit.
Penalties for non-compliance
Penalties for non-compliance can be severe. U.S. persons must report any known or suspected violation of contractual requirements within 14 days of becoming aware of, or first suspecting, the violation.
Civil penalties may reach up to $368,136—or twice the value of the transaction—per violation. Willful violations may also result in criminal penalties, including fines of up to $1 million and imprisonment for up to 20 years.
Industry Impact and Recommendations
The Sensitive Data Rule is expected to have a significant impact on organizations that process or share large volumes of sensitive data, including entities in health care and the life sciences, financial services, and technology and cloud computing, as well as government contractors. Industries that routinely handle large datasets should pay close attention to the Bulk Data Rule because its thresholds could apply even to aggregated or anonymized information.
Steps to take now
In an effort to help organizations achieve compliance, the DOJ published a Compliance Guide and Frequently Asked Questions. Between now and the October 6 full compliance date, individuals and entities can take the following steps:
- Know your data: Identify what sensitive personal and government-related data you collect, store, or share.
- Vet your relationships: Ensure that your business partners and vendors aren’t covered persons or tied to countries of concern.
- Secure your data: Implement cybersecurity controls that meet or exceed CISA recommendations.
- Update policies and contracts: Include specific provisions addressing compliance with the Sensitive Data Rule.
- Train employees: Educate staff on new compliance risks and DOJ guidance.
- Prepare for audit: Maintain documentation that demonstrates compliance readiness.
Organizations should also be prepared to actively stay up to date on new developments. With the expiration of the grace period, organizations should monitor the types of enforcement actions the DOJ pursues, as well as how broadly the DOJ exercises its latitude to designate who is subject to the Sensitive Data Rule based on their conduct or affiliations. Additionally, the DOJ’s Compliance Guide notes that Section 202.901 creates a mechanism for the National Security Division (NSD) within the DOJ to provide further information on the applicability of the Data Security Program in the form of written advisory opinions that represent the NSD’s present enforcement intentions. Furthermore, the manner in which organizations are expected to comply may also shift, because many aspects of the rules refer to CISA standards. With major staffing cuts at CISA and anticipated revisions to related regulations, such as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), organizations will need to remain vigilant to fully understand their obligations.
The U.S. Sensitive Data Rule, and its implementation through the Data Security Program, marks a new chapter in data governance. The new Rule redefines how organizations must approach data sharing, access, and compliance—not just for privacy or ethics, but also for national security. Companies and institutions operating across various sectors should act now to assess their exposure, strengthen their compliance infrastructure, and prepare for a more tightly controlled data environment.