
The U.S. Department of Justice’s (DOJ) final rule implementing Executive Order 14117 (Final Rule) went into effect on April 8, 2025. The Final Rule establishes sweeping prohibitions and restrictions on access to sensitive U.S. personal data and government data by countries of concern and covered persons as defined in the rule.  On April 11, DOJ published a release with answers to FAQs and guidance on enforcement of the Final Rule for the first 90 days.  Current countries of concern listed in the Final Rule are China (including Hong Kong and Macao), Cuba, Iran, North Korea, Russia, and Venezuela.  Covered persons generally include entities owned by countries of concern or other covered persons, as well as individuals who are employees or contractors of those entities or who reside in a country of concern.

Covered Data Transactions

The Final Rule prohibits or restricts “covered data transactions” with a country of concern or covered person. A covered data transaction is a transaction in which a country of concern or covered person is provided any access to bulk U.S. sensitive personal or government data under a data brokerage, vendor agreement, employment agreement, or investment agreement.  

Covered data transactions involving data brokerage, regardless of the contract vehicle, are prohibited with a country of concern or covered person unless the transaction is exempt or authorized under the licensing provisions of the Final Rule.  Transactions with a country of concern or covered person involving bulk U.S. human ‘omic data (i.e., genomic and other ‘omic data) are likewise prohibited. The Final Rule also reaches data brokerage with foreign persons who are not covered persons: a U.S. person may not knowingly engage in such a transaction unless it contractually requires the foreign counterparty to refrain from onward data brokerage of that data to a country of concern or covered person, which means companies cannot ignore the possibility of downstream transfer of covered data.

Restricted transactions include any covered data transaction with a country of concern or covered person involving a vendor, employment or investment agreement.  Restricted transactions are permitted only under an exemption or if a license is issued by the DOJ. Restricted transactions also require implementation of a compliance program, performance of audits and compliance with the Cybersecurity and Infrastructure Security Agency (CISA) security requirements. Specific reporting and recordkeeping requirements apply to restricted transactions.

What Counts as “Sensitive” or “Covered” Data?

The Final Rule regulates “bulk U.S. sensitive personal data,” which includes:

  • Genomic data on more than 100 U.S. persons (or other ‘omic data on more than 1,000 persons).
  • Biometric identifiers on more than 1,000 U.S. persons.
  • Geolocation data on more than 1,000 U.S. persons.
  • Health data on more than 10,000 U.S. persons.
  • Financial data on more than 10,000 U.S. persons.
  • Personal identifiers on more than 100,000 U.S. persons.
  • Combinations of the data listed above (at the lowest threshold for any data type in the combination).
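The threshold list above is easy to misapply to combined datasets, so the following added Python example (not from the article, the DOJ or any regulatory text) shows how a data inventory can be screened against the thresholds the article lists, including the combination rule that the lowest threshold of any data type present governs. The dataset names and person counts are constructed for illustration, and the category labels are this example's own shorthand. The rule contains definitional and aggregation details beyond what this article summarizes, so treat this as a screening aid, not a legal determination.

```python
"""Screen a dataset inventory against the bulk thresholds listed in the article.

Added illustration; category names, dataset names and counts are constructed.
"""
from dataclasses import dataclass

# Thresholds as listed in the article: a dataset is "bulk" when it covers
# MORE THAN this many U.S. persons. Category labels are this example's own.
THRESHOLDS = {
    "genomic": 100,          # human genomic data
    "omic": 1_000,           # other human 'omic data (non-genomic)
    "biometric": 1_000,
    "geolocation": 1_000,
    "health": 10_000,
    "financial": 10_000,
    "identifiers": 100_000,  # covered personal identifiers
}


@dataclass(frozen=True)
class Dataset:
    name: str
    categories: frozenset   # subset of THRESHOLDS keys present in the dataset
    us_persons: int         # distinct U.S. persons the dataset covers


def applicable_threshold(categories):
    """Return the threshold that governs a dataset with these categories.

    Combination rule: when several data types are combined, the lowest
    threshold among the types present applies to the whole dataset.
    """
    categories = set(categories)
    unknown = categories - THRESHOLDS.keys()
    if unknown:
        raise ValueError(f"unknown data categories: {sorted(unknown)}")
    if not categories:
        raise ValueError("a dataset must have at least one category")
    return min(THRESHOLDS[c] for c in categories)


def is_bulk(ds):
    """True when the dataset exceeds its governing threshold."""
    return ds.us_persons > applicable_threshold(ds.categories)


def screen(inventory):
    """Map each dataset name to (governing threshold, is_bulk)."""
    return {ds.name: (applicable_threshold(ds.categories), is_bulk(ds))
            for ds in inventory}


# Constructed inventory. Note that "wellness_app" is below the health
# threshold on its own but becomes bulk because it also carries geolocation.
SAMPLE_INVENTORY = [
    Dataset("crm_export", frozenset({"identifiers"}), 50_000),
    Dataset("wellness_app", frozenset({"health", "geolocation"}), 5_000),
    Dataset("research_cohort", frozenset({"genomic"}), 150),
    Dataset("claims_archive", frozenset({"health", "financial"}), 9_000),
]

if __name__ == "__main__":
    for name, (threshold, bulk) in screen(SAMPLE_INVENTORY).items():
        print(f"{name:16s} threshold>{threshold:>7,}  bulk={bulk}")
```

The point the example makes concrete is that a dataset's status depends on the weakest threshold it touches: adding a single geolocation field to a 5,000-person health dataset moves it from below the 10,000 health threshold to above the 1,000 geolocation threshold.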

Covered personal identifiers are the “listed identifiers” in the Final Rule when used in combination with other listed identifiers or other covered data.

Listed identifiers include:

  • Full or partial government identification numbers.
  • Financial account numbers or personal identification numbers.
  • Device-based hardware identifiers, including International Mobile Equipment Identity (IMEI), Media Access Control (MAC) address, or Subscriber Identity Module (SIM) card number.
  • Demographic or contact data.
  • Advertising identifiers (e.g., Google Advertising ID, Apple Identifier for Advertisers (IDFA) and other mobile advertising IDs (MAIDs)).
  • Account-authentication data.
  • Network-based identifiers, including IP address and cookie data.
  • Call-detail data, including Customer Proprietary Network Information (CPNI).

Importantly, the DOJ rejected proposals to exclude anonymized, de-identified or pseudonymized data from the definition of covered personal identifiers.  DOJ comments on the Final Rule noted that anonymization alone is not sufficient because, “anonymized data is rarely, if ever, truly anonymous” and adversarial AI can use “cross-referenced and layered” data sets to re-identify individuals or infer personal information.

Significant Implications for Companies Providing Third-Party Access to Bulk U.S. Sensitive Personal Data

The Final Rule has major implications for any company engaged in data brokerage of bulk U.S. sensitive personal data or government data. Such transactions are prohibited unless otherwise compliant with all the provisions of the Final Rule. Companies are required to consider downstream access to bulk U.S. sensitive personal data. Companies may only provide countries of concern or covered persons access to covered data under a vendor, employment or investment agreement if the transaction is exempt or a license has been issued.

The Final Rule lists exempt transactions, such as specific telecommunications services, financial services, and corporate group transactions.  If no exemption applies, companies must adhere to a licensing framework for restricted transactions that will likely be time consuming and involve significant scrutiny. Companies engaged in any restricted transactions must also implement a data compliance program, conduct compliance audits and adhere to reporting and recordkeeping requirements.

The DOJ stated in a release that enforcement of some provisions of the Final Rule will be delayed for 90 days. When fully enforced, violations of the Final Rule can result in substantial civil and criminal penalties. Civil penalties can range up to the greater of $368,136 or an amount twice the value of the subject transaction.  Willful violations of the Final Rule can result in criminal fines up to $1,000,000 and a maximum imprisonment of 20 years.   

Telecom Sector Implications

For telecommunications providers, including resellers and MVNOs, the rule introduces compliance obligations for network-based identifiers and call-detail information, even if the provider does not directly collect the other listed data types in the Final Rule. Data transactions are exempt only “to the extent that they are ordinarily incident to and part of the provision of telecommunications services.”  Telecommunications companies must closely review data transactions involving countries of concern or covered persons, including whether downstream parties may gain access to covered data in violation of the Final Rule. Companies must confirm that the telecommunications services exemption or another exemption applies, or else comply with the requirements covering prohibited and restricted transactions.

Additionally, telecom providers that rely on foreign software vendors, cloud analytics, or AI-based customer engagement tools must carefully assess whether such arrangements expose covered data to countries of concern or covered persons.

AI & Analytics Sector Implications

Artificial intelligence developers, customer engagement platforms, and data analytics providers are directly affected, especially those who train models on datasets that include listed identifiers. If your business model relies on commercial data acquisition or vendor relationships involving bulk U.S. sensitive personal data, and any portion of your stack includes foreign investment or infrastructure linked to countries of concern, this rule may prohibit transactions and severely limit your company operations.

Next Steps for Clients

  1. Evaluate Exposure: Identify whether your business handles covered data types, which is particularly important for companies operating in telecommunications, financial services, healthcare, life sciences, and technology services, and any company developing AI or collecting covered data.
  2. Map Data Flows & Third-Party Access: Determine if your vendors, investors, or partners could qualify as covered persons or if data is routed through countries of concern.
  3. Review Vendor Agreements: Contractual restrictions may not be enough to avoid liability. The Final Rule applies a broad definition of access, including any logical or physical access to view or receive covered data in any form. Access is determined without regard to security requirements and contractually barring access by a covered person is not sufficient.
  4. Telecommunications Carveouts: Assess whether your services qualify as exempt telecommunications services under 28 CFR 202.509. This may affect resellers and VoIP providers differently depending on how they collect and process CDRs or device data.
  5. Implement Compliance Plans: Prepare for potential audits and enforcement actions by documenting internal compliance procedures and risk assessments.

The CommLaw Group Can Help

If your company operates in telecommunications, technology, AI, or any data-driven space and needs help navigating the new DOJ restrictions on transactions involving bulk U.S. sensitive personal data, we are here to guide you. Our team can help:

  • Review company exposure to covered data transactions.
  • Assess company vendor agreements and telecommunications services exemption eligibility.
  • Draft compliance documentation and licensing submissions.
  • Advise on enforcement risks and mitigation strategies.

Contact:

Susan Duarte – sfd@commlawgroup.com

Diana James – daj@commlawgroup.com

Brian Alexander – bal@commlawgroup.com
