Clifford Chance
Talking Tech

DOJ Final Rule on National-Security Risks Posed by Countries of Concern and Covered Persons' Access to U.S. Sensitive Data

Data Privacy 24 January 2025

On December 27, 2024, the U.S. Department of Justice (DOJ) issued the Final Rule setting up a national-security program within the DOJ's National Security Division.  The Rule implements President Biden's February 28, 2024 Executive Order 14117 "Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern" and addresses various inputs and stakeholder comments to the March 5, 2024 Advance Notice of Proposed Rulemaking (ANPRM) and the October 29, 2024 Notice of Proposed Rulemaking (NPRM) (see our briefings here and here).

The Rule regulates certain data transactions with "countries of concern" and covered persons involving U.S. bulk sensitive data or government-related data.  The Rule: (1) prohibits certain highly sensitive transactions in their entirety; and (2) restricts certain other categories of transactions, which are prohibited unless they comply with predefined security requirements developed by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

Who Does the Rule Apply To?

  • Entities in Scope.  The Rule applies to any U.S. person that accesses covered data (both terms are defined broadly), as well as any U.S. person that does so on behalf of third parties, including data brokers.  Such persons will face restrictions, and in certain cases, prohibitions, when either "knowingly engaging" in or "directing" transactions with countries of concern and/or covered persons.   The Rule also applies to non-U.S. persons in certain scenarios.  For example, non-U.S. persons cannot cause or conspire to cause U.S. persons to violate the Rule and are prohibited from engaging in transactions that have the purpose of evading the Rule. 
  • U.S. Persons.  U.S. persons include any: (1) United States citizen, national, or lawful permanent resident; (2) individual admitted to the United States as a refugee or granted asylum; (3) entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or (4) person in the United States.
  • Countries of Concern.  Consistent with the NPRM, the Rule designates the following countries of concern: (1) China (inclusive of Macau and Hong Kong); (2) Cuba; (3) Iran; (4) North Korea; (5) Russia; and (6) Venezuela.  The DOJ can identify additional countries that pose "long-term" or "serious instances of conduct" adverse to U.S. national security or pose a "significant risk of exploiting" bulk sensitive personal data or government-related data. 
  • Covered Persons.  The Rule retains the NPRM's definition of a "covered person," but supplements it to align with the Department of the Treasury's Office of Foreign Assets Control's "50-percent rule."  It defines four classes of "covered persons": (1) foreign entities that are at least 50% owned by a country of concern, organized under the laws of a country of concern, or have their principal place of business in a country of concern; (2) foreign entities that are at least 50% owned by a covered person; (3) foreign employees or contractors of countries of concern or of entities that are covered persons; and (4) foreign individuals primarily resident in countries of concern.  The DOJ can supplement these classes by a public list of individuals or entities designated as "covered persons".

What Does the Rule Apply To?

  • Covered Data. The Rule covers transactions involving access by countries of concern or covered persons to: (1) bulk sensitive personal data; and (2) government-related data.  There are six categories of "sensitive personal data" that a country of concern or a covered person could exploit to harm U.S. national security: (1) certain covered personal identifiers; (2) precise geolocation data; (3) biometric identifiers; (4) human 'omic data, comprised of human genomic, epigenomic, proteomic and transcriptomic data; (5) personal health data; and (6) personal financial data.  The Rule's prohibitions and restrictions are triggered when such data exceeds certain bulk volume thresholds over the preceding 12 months.  The thresholds, set out in the Rule, vary by data category.  For example, for human genomic data, the threshold is "over 100 U.S. persons" and for personal health data and personal financial data, the threshold is "over 10,000 U.S. persons."  The thresholds do not apply to transactions involving government-related data, which are regulated regardless of data volume. 
  • Prohibitions and Restrictions.  The Rule: (1) prohibits two categories of transactions: data brokerage, and covered data transactions involving access to bulk human 'omic data or human biospecimens from which such data was derived; and (2) restricts three categories of transactions: vendor, employment and non-passive investment agreements.  Restricted transactions with countries of concern and/or covered persons involving covered data can proceed only if they meet CISA's organizational, system-level and data-level requirements.

Are There Any Exemptions?

Consistent with the ANPRM and the NPRM, the Rule exempts the following nine distinct categories of data transactions (with additional nuance, in each case, articulated in the Rule): (1) personal communications, the import or export of informational materials and travel-related information; (2) official U.S. government activities; (3) ordinary course of business financial services; (4) ordinary course of business corporate group transactions between a U.S. person and its foreign subsidiary or affiliate; (5) transactions required or authorized by federal law or international agreements; (6) investment agreements; (7) transactions ordinarily incident to and part of the provision of telecommunications services; (8) data transactions with countries of concern or covered persons involving drug, biological, product, device or combination product approvals or authorizations; and (9) other clinical investigations and post-marketing surveillance data transactions.  The Rule also exempts transactional data that is lawfully publicly available and metadata ordinarily associated with expressive materials or reasonably necessary for their dissemination.

What are the Compliance Requirements?

The DOJ expects that in-scope entities will develop individualized compliance programs suited to their specific risk profiles.  Should violations occur, the DOJ will review the adequacy and sophistication of these programs to determine the appropriate enforcement action.  Components of such programs can include licensing, reporting, due diligence, audit and recordkeeping parameters.  The Rule does establish affirmative compliance obligations as conditions for U.S. persons engaged in restricted transactions, including a comprehensive compliance program, written policies on data security and compliance that are certified annually, an annual audit, and records certification.  In addition, the Rule contains certain reporting requirements to ensure compliance with the Rule, including certain annual reports as well as reports by U.S. persons invoking an exemption.

Are There Other Key Requirements?

As previewed in the ANPRM and the NPRM, the Rule authorizes the DOJ to issue: (1) general licenses for certain categories of otherwise prohibited or restricted transactions, as well as specific licenses for specific transactions; and (2) advisory opinions as well as general public guidance to address common issues and questions. 

Are There Possible Penalties?

Violations of the Rule can result in civil penalties of up to $368,136 or twice the amount of the transaction (whichever is greater).  Willful violations of the Rule can result in criminal charges of up to $1,000,000 in fines or 20 years of imprisonment.

When Does the Rule Take Effect?

The Rule takes effect on April 8, 2025.