Overview
The US Department of Justice’s (DOJ’s) Final Rule on preventing access to US sensitive personal data, published in the Federal Register on January 8, 2025, will prohibit or significantly restrict the transfer of or other access to bulk US sensitive personal data and US government-related data through certain data transactions to countries of concern, which are countries or entities the US government deems high-risk, as well as certain covered persons as defined in the final rule. Currently, the countries of concern are China (including Hong Kong and Macao), Cuba, Iran, North Korea, Russia, and Venezuela.
While the final rule aims to safeguard data crucial to national security, its broad scope will likely create substantial compliance challenges for entities far beyond those operating in the critical infrastructure or national security sectors. Businesses across various sectors will need to reassess their data-handling practices; carefully evaluate certain vendor, employment, and investment agreements; adhere to new recordkeeping requirements; and implement enhanced security measures if they elect to proceed with any restricted transactions. The final rule will significantly impact healthcare, global business structures, and virtually any entity handling US sensitive personal data that operates in or has connections to countries of concern or covered persons.
The final rule implements President Biden’s February 2024 Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” EO 14117 was driven by concerns about certain countries accessing Americans’ sensitive personal data and other US government-related data, largely stemming from the potential for artificial intelligence (AI) to analyze bulk data and reveal insights into Americans’ everyday behaviors. EO 14117 focused on the national security risks posed by those countries using “advanced technologies, including AI, to analyze and manipulate bulk sensitive personal data to engage in espionage, influence, kinetic, or cyber operations or to identify other potential strategic advantages over the United States.”
The final rule takes effect on April 8, 2025, with most audit, recordkeeping, and reporting requirements taking effect on October 6, 2025. Below, we outline the final rule’s requirements and key questions companies should consider when evaluating whether data flows are prohibited or restricted.
