This post is one in a series where we discuss the US Department of Justice’s (DOJ’s) bulk sensitive data rule (rule), which prohibits individuals or entities from certain foreign countries, including China, from accessing certain types of sensitive data, and imposes onerous privacy and cybersecurity obligations for accessing other types of data. In April 2025, we discussed the rule from a life sciences perspective. In light of the DOJ’s recent guidance in its Frequently Asked Questions and Compliance Guide, this post addresses the rule more broadly and:

  • Describes what is a “covered data transaction” under the rule.
  • Summarizes the two kinds of covered data transactions subject to the rule – those that are prohibited versus merely restricted.
  • Describes the rule’s privacy and cybersecurity requirements for restricted transactions, which are numerous and challenging to implement.
  • Includes a checklist of next steps for companies to assess their exposure to the rule and resulting compliance obligations.

For quick reference, this flowchart can help assess if a transaction might be subject to the rule.

The rule took effect on April 8, 2025, but was recently deprioritized for enforcement in a temporary reprieve by the DOJ that expires July 8, 2025. This deadline is rapidly approaching, and companies should promptly assess whether they have any current or anticipated covered data transactions. If so, they should not delay implementing the rule’s privacy and cybersecurity requirements, which will take time as well as both legal and technical resources. The consequences of violating the rule can be severe, because the rule has teeth: violations entail civil penalties (fines of the greater of $368,136 or twice the value of the transaction) and can also incur criminal penalties (fines of up to $1,000,000 and 20 years in prison).

The rule applies to “covered data transactions,” which may be either prohibited or restricted depending on the type and quantity of data and processing involved. 

A covered data transaction is a transaction that involves access by a country of concern or covered person to bulk US sensitive personal data or government-related data, and that involves a data brokerage, investment agreement, employment agreement or vendor agreement. Exempt transactions avoid much of the rule. We discuss each of these terms below.

Access is defined broadly under the rule to mean any logical or physical access, regardless of whether security measures, such as access controls, actually deny access. For example, a person located in China who has access to a database containing bulk US sensitive personal data is still considered to have “access” to the data for purposes of determining whether the rule applies, even if access controls prevent that person from actually retrieving the data.

  • Countries of concern include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela. 
  • Covered persons include entities and individuals in four categories:
    • Foreign individuals primarily resident in countries of concern.
    • Foreign entities that are 50% or more owned (directly or indirectly) by a country of concern, organized under the laws of a country of concern or have their principal place of business in a country of concern (including, potentially, a foreign subsidiary of a US company).
    • Foreign entities that are 50% or more owned (directly or indirectly) by a covered person.
    • Foreign employees or contractors of countries of concern, or of entities that are covered persons.
  • Bulk US sensitive personal data is sensitive data that meets certain thresholds, which depend on the type of data, regardless of whether the data is anonymized, pseudonymized, de-identified or encrypted:
    • Human genomic data on more than 100 US persons.
    • Other human ‘omic data on more than 1,000 US persons.
    • Biometric identifiers on more than 1,000 US persons.
    • Precise geolocation data on more than 1,000 US devices.
    • Personal health data on more than 10,000 US persons.
    • Personal finance data on more than 10,000 US persons.
  • Government-related data includes certain types of data related to certain sensitive locations (such as relating to national security or intelligence), military installations, or current or former government employees or contractors.      
  • Investment agreements involve agreements in which a person or entity obtains direct or indirect ownership rights in US real estate or a US legal entity, with some exceptions for passive investments.
  • Employment agreements involve typical workforce arrangements.
  • Vendor agreements involve arrangements where a person or entity provides goods or services to another for payment or other consideration.
  • Data brokerage means selling (or licensing access to) data, where the recipient of the data did not collect the data directly from the individuals associated with the data. 

Even if a transaction is a covered data transaction as described above, it may nevertheless be exempt from certain obligations in the rule if it falls within one or more exemptions. Exemptions include:

  • Personal communications. Data transactions such as postal and telephonic communications, provided the communication does not transfer anything of value.
  • Informational materials. Data transactions that involve importing or exporting information or informational materials to or from any country.
  • Travel. Data transactions that are ordinarily incident to travel between countries for personal purposes.
  • Financial services. Data transactions ordinarily incident to financial services, such as those provided by financial institutions (e.g., banking, capital markets and financial-insurance services), the transfer of personal financial data incidental to the purchase and sale of goods, the provision of payments or funds transfers involving personal financial data or covered personal identifiers, and the provision of investment management services that manage or provide advice on investments for compensation.
  • Corporate group transactions. Data transactions between US companies and subsidiaries or affiliates located in countries of concern that are ordinarily incident to business operations, such as human resources, payroll, risk management and customer support. This exemption is narrower than it sounds as it is limited to transactions that are incidental to standard business operations.  
  • Investment agreements subject to a Committee on Foreign Investment in the United States (CFIUS) agreement or condition to resolve a national security risk.
  • Telecommunication services. Data transactions ordinarily incident to and part of providing telecommunications services.  
  • Certain exemptions relevant to life sciences companies, such as exemptions for data transactions that are part of clinical investigations, involve regulatory approval data and/or are conducted pursuant to federally funded research, are discussed in more detail in our previous post on the rule.

The exemptions are informed by examples in the rule and the DOJ’s FAQs. Commentary from the DOJ suggests that the exemptions are viewed narrowly. Given the rule’s novelty, the breadth of these exemptions in practice remains to be seen.

A covered data transaction is prohibited if it involves a US person engaging in a transaction that involves:

  • Data brokerage with covered persons or countries of concern.
  • Data brokerage with foreign parties that are not covered persons or countries of concern, unless there are certain contractual protections in place.
  • Access to bulk human ‘omic data (including genomic, epigenomic, proteomic or transcriptomic data) or human biospecimens from which bulk human ‘omic data can be derived. 

A prohibited transaction means just that: It is simply prohibited. 

A covered data transaction is restricted (rather than prohibited) if it involves the following:    

  • An employment agreement.
  • A vendor agreement, wherein a covered person or a country of concern is providing goods or services to a US person in exchange for compensation.
  • An investment agreement.

See the above section on which transactions are covered by the rule for more details on these types of agreements.

Restricted transactions are allowed to proceed under the rule, so long as the company implements privacy and cybersecurity measures. 

In determining coverage by the rule, companies are prohibited by the rule from making arrangements that have the purpose of evading or avoiding the rule. 

As noted above, restricted transactions are permitted so long as the company engaging in them implements a rigorous data compliance program and the security requirements issued by the Cybersecurity and Infrastructure Security Agency (CISA). An overview of each component is provided below.

  • Organizational- and system-level requirements:
    • Implement basic organizational cybersecurity policies, practices and requirements.
    • Implement logical and physical access controls.
    • Conduct an internal data risk assessment.
  • Data-level mitigation involving a combination of the following that, when taken together, prevents access to covered data that is linkable, identifiable, unencrypted or decryptable using commonly available technology by covered persons and/or countries of concern:
    • Apply data minimization and data masking strategies.
    • Apply encryption techniques.
    • Apply privacy enhancing technologies.
    • Configure identity and access management techniques.

A data compliance program must include:

  • Risk-based procedures for verifying data flows in restricted transactions and the identity of vendors.
  • A written policy describing the program, certified annually by the senior employee responsible for compliance.
  • A written information security policy (including description of implementation of the CISA security requirements), certified annually by the senior employee responsible for compliance.
  • Recordkeeping. Records/documentation of the following must be kept for at least 10 years:
    • The written data compliance program and information security policy.
    • Results of the annual restricted transaction compliance audit.
    • Due diligence.
    • Transfer details. 
    • Licenses or advisory opinions.
    • An annual certification of the completeness and accuracy of such records by the senior employee responsible for compliance.
  • Audit.
    • An audit must be conducted by an independent individual and use a reliable method that examines all restricted transactions, the data compliance program, required recordkeeping and the implementation of the CISA security requirements.
    • The audit must result in a written report that is retained for at least 10 years.

Companies should first assess whether they have any current or anticipated transactions subject to the rule, which may not be an easy task given that a “transaction” is loosely and broadly defined. Next, companies should determine whether their transactions are simply prohibited under the rule, or merely restricted. Companies also should see if they can take advantage of any exemptions to mitigate exposure under the rule. Finally, companies with restricted transactions should promptly implement the privacy and cybersecurity measures required under the rule. Contact a member of Cooley’s cyber/data/privacy team to leverage our guidance across different industries and existing compliance materials to help you get ahead of the rule. 

  1. Conduct diligence to determine whether you currently and/or expect to engage in covered data transactions. For example:
    • Analyze a data map to determine the types and quantity of data handled and whether they meet the rule’s thresholds.
    • Analyze data flows and recipients to determine whether a country of concern or covered person has access to such data.
    • Analyze contractual arrangements with corporate affiliates/subsidiaries, partners and vendors to determine if a transaction involves a data brokerage, investment agreement, employment agreement or vendor agreement.
  2. Consider ways to mitigate exposure to the rule, such as by applying exemptions or recharacterizing/revising data flows, but without violating the rule’s prohibition on acts designed to evade the rule.
  3. Determine whether the covered data transactions are prohibited or restricted. Undertake a review of any data brokerage, vendor, employment and investment agreements to determine whether the rule may apply to such transactions.
  4. Implement a data compliance program. Draft or update a written information security plan, including supporting policies and procedures for understanding data flows and downstream recipients of data, as well as vendor management. Designate a senior employee responsible for such program.
  5. Implement CISA’s security requirements. Identify stakeholders, conduct a risk assessment and work with technical personnel to implement organizational-, system- and data-level security measures and policies.
  6. Prepare to comply with recordkeeping requirements, including records on restricted transactions and their details, results of compliance audits and annual certification.
  7. Prepare to comply with audit requirements, including identifying an independent auditor and determining a methodology to conduct an audit by reference to the company’s data compliance and security requirements.
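
Steps 1 and 3 of this checklist (testing data-map entries against the bulk thresholds, then sorting covered transactions into prohibited versus restricted) can be run as a first-pass screen. The following is an added example written for this post, not a Cooley or DOJ tool: the `DataFlow` record format is an assumption, the thresholds and categories are those summarized above, and exemptions and government-related data are deliberately left out, so a “restricted” or “prohibited” result still needs the exemption analysis in step 2.

```python
"""Screening helper for the bulk thresholds and prohibited/restricted split in this post.
Added example, not Cooley's or the DOJ's tooling. The DataFlow format is an assumption;
thresholds come from the post; exemptions and government-related data are not modelled."""
from dataclasses import dataclass

# Thresholds from the post: count of US persons (US devices for geolocation). They apply
# regardless of anonymization, pseudonymization, de-identification or encryption.
BULK_THRESHOLDS = {"genomic": 100, "other_omic": 1000, "biometric": 1000,
                   "geolocation": 1000, "health": 10_000, "finance": 10_000}
OMIC = {"genomic", "other_omic"}   # bulk human 'omic access is prohibited outright
COUNTRIES_OF_CONCERN = {"china", "hong kong", "macau", "cuba", "iran",
                        "north korea", "russia", "venezuela"}
RESTRICTED_AGREEMENTS = {"vendor", "employment", "investment"}

@dataclass
class DataFlow:
    """One data-map entry (assumed format). 'Access' is any logical or physical
    access, so list a recipient even if access controls would block it in practice."""
    data: dict                   # category -> count, e.g. {"health": 25_000}
    recipient_country: str
    agreement: str               # data_brokerage, vendor, employment, investment, other
    recipient_is_covered_person: bool = False
    contractual_protections: bool = False  # onward-transfer terms for brokerage

def bulk_categories(data):
    """Categories in this flow whose count exceeds the post's bulk threshold."""
    return sorted(c for c, n in data.items() if n > BULK_THRESHOLDS[c])

def classify(flow):
    """Return 'not covered', 'prohibited', 'restricted' or
    'permitted with contractual protections', following the post's summary."""
    bulk = bulk_categories(flow.data)
    if not bulk:                 # below every threshold: not bulk sensitive data
        return "not covered"
    country = flow.recipient_country.lower()
    covered_party = flow.recipient_is_covered_person or country in COUNTRIES_OF_CONCERN
    if flow.agreement == "data_brokerage":
        if covered_party:
            return "prohibited"
        if country != "united states":   # foreign buyer that is not a covered person
            return ("permitted with contractual protections"
                    if flow.contractual_protections else "prohibited")
        return "not covered"
    if not covered_party:        # no country of concern or covered person has access
        return "not covered"
    if any(c in OMIC for c in bulk):
        return "prohibited"
    if flow.agreement in RESTRICTED_AGREEMENTS:
        return "restricted"
    return "not covered"
```

Run it over each row of a data map and route every non-“not covered” result to counsel for the exemption review and, for restricted results, to the CISA security-requirements work in step 5.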
Authors

Michael Egan

Christian Lee

Emma Plankey

Posted by Jenna Moore