Access to U.S. Sensitive Personal Information and Government Related Data by Countries of Concern or Covered Persons Subject to New, Potentially Far-Reaching Restrictions

The Department of Justice (“DOJ”) has published its final regulations on “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (the “Final Rule”), which appeared in the Federal Register on January 8, 2025. The Final Rule implements Executive Order 14117, issued by former President Biden on February 28, 2024. The Final Rule is currently scheduled to take effect April 8, 2025, with compliance with certain requirements (including the affirmative compliance program, auditing, recordkeeping, and reporting obligations) not mandated until October 6, 2025. These dates could slip, however, depending on the approach the Trump administration decides to take in light of President Trump’s recent regulatory freeze directive instructing agencies to consider a 60-day delay for any pending regulations not yet in effect.

The Final Rule prohibits certain data brokerage transactions and restricts certain vendor, employment, and investment agreements that involve access to government-related data (including precise geolocation data collected from individuals in 736 identified geographic areas) or to “bulk” U.S. sensitive personal data. Prohibited data brokerage transactions are not limited to the sale of personal data; they also include licensing of, or even access to, data as part of a commercial transaction. Further, the Final Rule is not limited to access by the governments of countries of concern (i.e., China (including Hong Kong and Macau), Russia, Cuba, Iran, North Korea, and Venezuela). It also applies to many individuals and businesses in those countries, to foreign businesses owned by such persons, and to others specifically designated by the attorney general (collectively, “covered persons”). There are a number of exceptions, and the Final Rule includes processes for the DOJ to grant general and specific licenses. The preamble accompanying the Final Rule makes clear that it was drafted from a national security perspective. While the Final Rule has privacy and data transfer implications, the DOJ declined requests either to address particular privacy issues or to make changes to align the Final Rule with U.S. privacy laws.

Covered Persons Under the Final Rule

The term “covered person” encompasses both legal and natural persons, including:

  1. a foreign person who is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern, or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
  2. a foreign person who is an employee or contractor of a country of concern or of an entity that is a covered person;
  3. a foreign person who is primarily a resident in the territorial jurisdiction of a country of concern;
  4. an entity that is 50% or more owned, directly or indirectly, by any of the foregoing or a designated covered person; or
  5. any person, wherever located, as designated by the attorney general.

Categories of Data Subject to the Final Rule

The DOJ specifically provides that U.S. sensitive personal data and government-related data are subject to the Final Rule. With respect to U.S. sensitive personal data, six categories are enumerated and rely on various “bulk” threshold numbers (ranging from 100 to 100,000 in a 12-month period) in order to be captured by the rule. Such categories include covered personal identifiers, precise geolocation data, biometric identifiers, personal health information, personal financial data, and human ‘omic data. Data in these categories continues to be covered even if it has been anonymized, pseudonymized, de-identified, or encrypted.

With respect to government-related data, restrictions on access apply regardless of volume. Government-related data includes:

  1. any precise geolocation data (i.e., data that identifies a location to within 1,000 meters) for any location within any of the 736 listed areas of geolocation coordinates for sensitive facilities of the federal government or federal contractors; and
  2. any sensitive personal data that the transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government.

Categories of Transactions Subject to the Final Rule

The Final Rule prohibits data brokerage transactions between U.S. persons and countries of concern or covered persons involving “bulk U.S. sensitive personal data” or “government-related data.” For purposes of the Final Rule, a data brokerage transaction is the sale of data, licensing of data, access to data, or similar commercial transactions involving the transfer of any data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from individuals linked or linkable to the collected or processed data.

In addition, the Final Rule includes three categories of restricted transactions involving bulk U.S. sensitive personal data or government-related data:

  1. vendor agreements (including, among others, technology services agreements and cloud agreements);
  2. employment agreements; and
  3. investment agreements.

Except as otherwise authorized by the Final Rule, no U.S. person is permitted to engage in a covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or a covered person unless the U.S. person complies with the Final Rule’s security requirements and all other applicable requirements. Unlike prohibited transactions, restricted transactions may proceed if the risks they pose are mitigated through the required security safeguards, which are the organizational, system-level, and data-level security requirements published separately by the Cybersecurity and Infrastructure Security Agency (“CISA”).

Exceptions, Compliance, Recordkeeping, and Penalties

The Final Rule requires U.S. persons engaging in any transaction subject to the Final Rule to keep a full and accurate record of each transaction. There are also requirements to report certain events to the DOJ (e.g., certain rejected prohibited transactions and, on an annual basis, certain persons engaging in restricted transactions involving cloud computing services). The Final Rule further requires U.S. persons engaging in restricted transactions (vendor, employment, and investment agreements) to implement a compliance program and to satisfy specific auditing and recordkeeping requirements.

Exceptions are addressed in detail in the Final Rule and should be carefully considered in the context of particular transactions and commercial activities, especially because they are narrow in scope and are activity based rather than entity based. Lastly, the Final Rule provides for both civil and criminal penalties for noncompliance. Willful violations, or aiding or abetting a violation, could result in a criminal fine of not more than $1 million or, for a natural person, imprisonment of not more than 20 years, or both.


To discuss these issues, please contact AGG Privacy & Cybersecurity attorneys Kevin Coy, Jackie Cooney, Erin Doyle, or Kelley Chandler.