Countdown to October 6th: Fewer than 60 Days Until the DOJ’s Bulk Sensitive Data and Government Related Data Rule is Fully in Force
Tuesday, August 12, 2025

On October 6, 2025, the “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” Rule released by the U.S. Department of Justice (DOJ) (the DOJ Rule) will be fully in force. Is your organization ready?

During the first half of 2025, numerous clients reached out to find out if they are in scope for the DOJ Rule. Therefore, we developed, refined and applied a step-by-step process for assessing whether and when the DOJ Rule applies. As we applied this process, we learned that many clients operating only in the U.S. were surprised to learn that the DOJ Rule applies to their operations. U.S. clients operating internationally were less surprised, and many had started compliance efforts and/or were planning steps to modify their business operations to minimize or eliminate prohibited transactions. Clearly, businesses operating in both “countries of concern” and in the U.S. face the biggest compliance uplift and have been the most active.

This is the first in a series of posts about the DOJ Rule. While this first post focuses on the basics, future posts will dive into our collection of FAQs about exclusions, exemptions, vendor management, and compliance program requirements, among other topics.

A Brief History of the DOJ Rule

The DOJ Rule originates from national security concerns: in February 2024, President Biden issued the Executive Order (EO) 14117 for the purpose of restricting access by “countries of concern” to Americans’ “bulk sensitive personal data” and “U.S. Government-related data” when the access is deemed to pose an unacceptable risk to the national security of the U.S.

EO 14117 directed the DOJ to create the DOJ Rule, which was issued a few weeks before Donald Trump’s Inauguration with an effective date of April 8, 2025. As we previously reported, the Trump Administration issued a flurry of Executive Orders within hours after the swearing-in, including one directing federal agencies to not propose or issue any new federal rule and to withdraw any non-final rule. The DOJ Rule was already finalized but whether it would enter into force as planned was not entirely clear.

Clarity arrived on April 11, 2025, in the form of an Enforcement Policy, 100 FAQs and a Compliance Guide issued by the DOJ. The Enforcement Policy also announced a welcome compliance grace period through July 8, 2025, for parts of the DOJ Rule that were effective on April 8, 2025.

An Overview: What is Regulated by the DOJ Rule

The DOJ Rule is long and labyrinthine: 117 pages and 59 defined terms. In simplest terms, the DOJ Rule regulates a “transaction” (actual and purported transaction inside or outside the U.S.) that involves:

  1. At least one of the two main categories of data: bulk U.S. sensitive personal data or government-related data
  2. A U.S. person (individual or entity) on one side of the transaction
    • A “U.S. person” is any of the following: a U.S. citizen, national, or lawful permanent resident; any individual admitted to the U.S. as a refugee or asylee; any entity organized solely under the laws of the U.S. or any jurisdiction within the U.S. (including foreign branches); or any individual or entity in the U.S.
  3. Either a covered person (individual or entity) or a country of concern on the other side of the transaction

A “covered person” is any of the following: a foreign entity that is 50% or more owned by a country of concern, is organized under a country of concern’s laws, has a principal place of business in a country of concern, or is 50% or more owned (directly or indirectly) by another covered person; a foreign employee or contractor of a country of concern or of a covered person entity; or a foreign individual who resides primarily in a country of concern.

A “country of concern” means China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia or Venezuela.

The DOJ also has the power to designate a legal or natural person as a covered person and to designate new countries of concern.

Getting Started: Whether the DOJ Rule Applies

The Parties to the Data Transaction

The DOJ Rule applies when a U.S. person “knowingly” engages in a data transaction with a covered person or a country of concern.

A transaction is “knowingly” engaged in when the U.S. person has actual knowledge, or reasonably should have known, of the conduct, the circumstance, or the result. The term “engage” is not defined but is interpreted broadly based on the DOJ Rule’s Background Discussion and numerous examples.

The Data in the Data Transaction

The DOJ Rule regulates transactions involving two categories of data:

i. sensitive personal data (SPD) relating to U.S. persons that meets or exceeds the specified bulk threshold (bulk SPD). The seven categories of SPD and the associated bulk thresholds are presented in the table below.

The bulk threshold is measured by the amount of SPD collected or maintained at any time within the preceding 12 months. A threshold can be met through a single data transaction or aggregated across two or more data transactions involving the same U.S. person and the same counterparty.

ii. government related data (GRD), which means (i) precise geolocation data, regardless of volume, for any location within any area on the Government-Related Location Data List (which contains nearly 3000 latitude/longitude coordinates of geofenced areas) or (ii) any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees, contractors, or senior officials of the U.S. government.

Bulk SPD has exclusions (to be covered in future posts) but GRD does not.

The DOJ Rule’s SPD categories are broader than the sensitive data categories familiar to U.S. businesses subject to the (currently) 20 state consumer privacy laws. The state consumer privacy laws generally exclude personal data that meets the definition of “de-identified,” whereas the DOJ Rule includes SPD that meets the bulk threshold regardless of whether that data is anonymized, pseudonymized, de-identified, or encrypted.

The Type of Data Transaction

Data transactions covered by the DOJ Rule – known as “covered data transactions” – are divided into two categories: prohibited transactions or restricted transactions. A U.S. person’s compliance obligations are based on whether the transaction is prohibited or restricted. The parts of the DOJ Rule that enter into force on October 6, 2025, primarily relate to restricted transactions.

The DOJ Rule does not restrict or prohibit data transactions by U.S. persons that do not involve access by a country of concern or covered person to bulk US SPD or GRD because they are not covered data transactions.

Prohibited Transactions: Five types of covered data transactions are prohibited transactions – unless exempted or a DOJ-approved license applies.

The five types of prohibited transactions are:

  1. Data brokerage between a U.S. person and a covered person or country of concern
  2. Data brokerage between a U.S. person and a “foreign person” (which means not a U.S. person) that is not a covered person unless the U.S. person
    • contractually requires that the foreign person refrain from an onward data transaction with a covered person or country of concern and
    • reports any known or suspected violations of the contractual requirement within 14 days after becoming aware of a known or suspected violation following the requirements in § 202.302
  3. A covered data transaction that involves access by a covered person or country of concern to bulk human ‘omic data (or to human biospecimens from which bulk human ‘omic data could be derived)
  4. Any data transaction with the purpose of evading or avoiding, that causes a violation of, or attempts to violate the DOJ Rule or any “conspiracy formed to violate” the DOJ Rule
  5. A U.S. person knowingly directing any covered data transaction that would be a prohibited transaction or unauthorized restricted transaction if engaged in by a U.S. person

As above, two of the five prohibited transactions relate to “data brokerage.” The DOJ Rule defines data brokerage as the sale, licensing, or similar commercial transaction that involves the transfer of covered data (bulk SPD or GRD) from any person (‘provider’) to any other person (‘recipient’) if the recipient did not collect or process the covered data directly from the individuals linked or linkable to the collected or processed data. This definition seems to borrow from the data broker laws enacted in Vermont (2018) and California (2019), which focus on the absence of a relationship between the data broker and the consumers to whom the personal information relates. Data brokerage specifically excludes the three types of restricted transactions (a vendor, employment or investment agreement) described below.

Restricted Transactions: A restricted transaction must fit into one of these three types:

  1. Vendor agreement – a person or entity provides goods or services to another person for payment/other consideration
  2. Employment agreement – an individual performs work for a person or entity in exchange for payment or other consideration
  3. Investment agreement – a person or entity, in exchange for payment/other consideration, obtains direct or indirect ownership interests in or rights in relation to U.S. real estate or a U.S. legal entity

Otherwise, one of the 11 exemptions – the broadest of which is the corporate group transaction exemption – or a DOJ-approved license must apply.

A restricted transaction can become a prohibited transaction if a U.S. person fails to fully comply with the requirements in Subpart J and Subpart K of the DOJ Rule, which are security requirements (at the organizational, system and data level), data compliance program and audit requirements, and recordkeeping and annual reporting requirements. An additional annual reporting requirement applies to a U.S. person engaged in a restricted transaction involving cloud-computing services if 25% or more of the U.S. person’s equity interests are owned (directly or indirectly) by a covered person or country of concern.

If a restricted transaction does not strictly adhere to these requirements, the U.S. person may face hefty penalties, including civil penalties of up to the greater of $368,136 or twice the value of each violative transaction and, for a willful violation, imprisonment of up to 20 years and a $1,000,000 fine.

* * * * *

Many clients seeking support on DOJ Rule compliance are focused on vendors, wondering whether new provisions are needed for vendor contracts and how far down the supply chain vendor diligence obligations apply (e.g., to a vendor’s sub-contractors? a vendor’s sub-sub-contractors?). Others are focused on whether an employee’s access to data (regardless of security requirements) triggers the DOJ Rule. The applicability of the corporate group transaction exemption has also been a common inquiry. We will explore these issues in subsequent posts.

We recommend organizations with operations in countries of concern take action to understand whether the DOJ Rule applies and focus on addressing compliance measures required by this new data protection regime while time remains to do so.

* * * * *

SPD Categories and Bulk Thresholds

| SPD Category | Definition | Bulk Threshold |
| --- | --- | --- |
| (a) human ’omic data | human genomic data, human epigenomic data, human proteomic data, human transcriptomic data | 100 U.S. persons for genomic data; 1,000 U.S. persons for other sub-categories |
| (b) biometric identifiers | measurable physical characteristics or behaviors used to recognize or verify the identity of an individual | 1,000 U.S. persons |
| (c) precise geolocation data | data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters | 1,000 U.S. devices |
| (d) personal health data | health information that indicates, reveals or describes the past, present or future physical or mental health of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to the individual | 10,000 U.S. persons |
| (e) personal financial data | data about an individual’s credit, charge or debit card, or bank account, including purchases and payment history; data in a bank, credit or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or consumer report | 10,000 U.S. persons |
| (f) covered personal identifiers | any listed identifier in combination with (i) any other listed identifier; or (ii) other data disclosed by a transacting party pursuant to the transaction if the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data | 100,000 U.S. persons |
| (g) combined data | a data set that contains more than one U.S. SPD category, or that contains any listed identifier linked to a U.S. SPD category, that in the aggregate meets the lowest bulk threshold | lowest applicable threshold of U.S. persons or U.S. devices for any U.S. SPD category present |
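The thresholds in the table only bite once the 12-month aggregation rule described above is applied per counterparty. The following is an added illustration, not part of the original post or any DOJ tool, of how a data inventory could be screened against those thresholds; it assumes a 365-day lookback, that each transaction record counts distinct U.S. persons or devices, and a simplified reading of the combined-data row (the aggregate across categories is compared with the lowest threshold among the categories present).

```python
from collections import defaultdict
from datetime import date, timedelta

# Bulk thresholds from the DOJ Rule's SPD table: counts of U.S. persons,
# or U.S. devices for precise geolocation data.
BULK_THRESHOLDS = {
    "genomic": 100,
    "other_omic": 1_000,
    "biometric": 1_000,
    "precise_geolocation": 1_000,
    "health": 10_000,
    "financial": 10_000,
    "covered_identifiers": 100_000,
}
LOOKBACK = timedelta(days=365)  # "preceding 12 months", assumed as 365 days


def aggregate(transactions, as_of):
    """Sum subject counts per (counterparty, category) inside the lookback window.
    Assumes each record's count is of distinct U.S. persons/devices."""
    totals = defaultdict(lambda: defaultdict(int))
    for t in transactions:
        if as_of - LOOKBACK < t["date"] <= as_of:
            totals[t["counterparty"]][t["category"]] += t["count"]
    return totals


def bulk_findings(transactions, as_of):
    """Return {counterparty: [categories meeting a bulk threshold]}.
    'combined' is reported when two or more categories together meet the
    lowest threshold among the categories present (simplified combined-data row)."""
    findings = {}
    for cp, per_cat in aggregate(transactions, as_of).items():
        hits = [c for c, n in per_cat.items() if n >= BULK_THRESHOLDS[c]]
        if len(per_cat) > 1:
            lowest = min(BULK_THRESHOLDS[c] for c in per_cat)
            if sum(per_cat.values()) >= lowest:
                hits.append("combined")
        if hits:
            findings[cp] = hits
    return findings


# Constructed sample inventory: no single record meets a threshold, but
# aggregation over 12 months with the same counterparty does.
SAMPLE = [
    {"date": date(2025, 1, 15), "counterparty": "vendor-A", "category": "biometric", "count": 600},
    {"date": date(2025, 6, 1), "counterparty": "vendor-A", "category": "biometric", "count": 500},
    {"date": date(2025, 3, 3), "counterparty": "vendor-B", "category": "health", "count": 4_000},
    {"date": date(2025, 7, 9), "counterparty": "vendor-B", "category": "financial", "count": 7_000},
    {"date": date(2024, 2, 1), "counterparty": "vendor-C", "category": "genomic", "count": 150},  # outside window
]

if __name__ == "__main__":
    print(bulk_findings(SAMPLE, date(2025, 10, 6)))  # {'vendor-A': ['biometric'], 'vendor-B': ['combined']}
```

Whether a finding is actually a covered data transaction still depends on the counterparty being a covered person or country of concern and on the exclusions and exemptions the post defers to later instalments.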

The authors are grateful to Mary Aldrich, Paralegal (New York) for her contributions to this content.
