Companies processing personal information in other countries, including through service providers or employees, should be aware of updates relating to onward transfers. Recently, the Department of Justice (DOJ) issued a final rule (the “Rule”) implementing prior Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” Under the Rule, certain data transactions that may pose data security risks are prohibited or restricted, specifically those involving countries cited as security concerns. Still, the new administration has been reviewing and repealing prior executive orders, so the legal landscape in this area is still evolving.
Cited Countries of Concern
The DOJ has so far identified six countries of concern falling under the Rule: China, Cuba, Iran, North Korea, Russia, and Venezuela. However, the list is evolving and new countries may be added if they have:
- “Engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of U.S. persons.”
- “Posed a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or security and safety of U.S. persons.”1
Covered Data
For covered companies, two categories of data are now regulated under the Rule: U.S. sensitive personal data and U.S. government-related data.
The Rule also sets bulk thresholds for these data categories, which mark the volume of data at which a transaction becomes subject to scrutiny. Some data types include:
- Covered personal identifiers
The Rule also breaks down which transactions are prohibited, restricted, and exempt, each of which is summarized below.
Prohibited Transactions
- Data brokerage involving covered data with covered persons or countries of concern
- U.S. companies knowingly transferring bulk sensitive personal data to countries of concern
- Transactions involving bulk human 'omic data or biospecimens with covered persons
The Rule outlines that any foreign person entering a transaction with a U.S. entity and involving bulk sensitive personal data or U.S. government-related data must be contractually required to "refrain from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person; and [to report] any known or suspected violations of this contractual requirement" to the DOJ.2
Restricted Transactions
However, if a U.S. person seeks to engage in a covered data transaction involving matters such as employment agreements, vendor agreements, or investor agreements with a country of concern or covered person, the Rule provides security requirements that must be followed.
Specifically, starting October 6, 2025, all U.S. persons and businesses engaging in restricted transactions must establish a robust data compliance program that includes:
- Procedures for verifying all data flows
- Organized logs of the type and volume of data being transferred, including the ownership and identity of the parties involved
- A system to verify and confirm the identity of all vendors
- A comprehensive written data compliance policy that thoroughly describes the implementation of the security requirements
- An annual audit that assesses the efficacy of the security measures and how they can continue to improve
Exempt Transactions
Transactions exempt from the Rule include the following:3
- Interpersonal communications
- Official business of the U.S. Government
- Corporate group transactions
- Transactions required or authorized by U.S. federal law or international agreements, or necessary for compliance with federal law
- Investment agreements subject to CFIUS action
- Telecommunications services
- Drug, biological product and medical authorizations
- Other clinical investigations and post-marketing surveillance data
Failure to comply with the Rule by not implementing and following the required security measures may lead to legal action or steep fines.
Summary
The Rule implements a stringent compliance and enforcement framework for data transactions by incorporating due diligence measures, annual audits, reporting requirements, and both civil and criminal penalties for violations. This development highlights the DOJ's strong stance on addressing these data security risks and holding businesses to certain standards. It is also just one of many updates involving heightened data privacy and security measures in the U.S. on various issues. Companies processing personal information, including those transferring data to certain countries or collecting sensitive data, should seek legal counsel to address any issues.
Kronenberger Rosenfeld, LLP regularly advises clients regarding data and privacy compliance. Contact our firm using our online case submission form.