The Department of Justice (DOJ) has issued a final rule aimed at safeguarding sensitive personal data from foreign adversaries. The regulation, effective April 8, 2025, prohibits or restricts transactions that would give "countries of concern" or persons subject to their control access to bulk U.S. sensitive personal data or to U.S. government-related data. The countries named include China, Russia, and Iran.
Key Takeaways
- The rule targets data transactions with countries of concern, namely China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela, and with "covered persons" owned by, controlled by, or subject to the jurisdiction of those countries.
- It establishes thresholds for what constitutes "bulk" data based on the number of U.S. persons (or, for geolocation data, U.S. devices) involved.
- Compliance provisions will be enforced starting October 6, 2025.
- The rule aims to mitigate risks associated with foreign adversaries using sensitive data for espionage and AI development.
Overview of the Rule
On December 27, 2024, the DOJ issued this final rule to implement Executive Order 14117 (signed February 28, 2024), which directed the Department to regulate access to Americans' sensitive personal data by countries of concern. The rule responds to growing concern that foreign governments could exploit U.S. data for malicious purposes, including espionage, blackmail, and the training of artificial intelligence models.
Scope and Requirements
The rule covers transactions involving two kinds of data: bulk U.S. sensitive personal data and U.S. government-related data. Government-related data (for example, precise geolocation data for listed sensitive government sites, or sensitive personal data linked to current or recent government employees and contractors) is covered regardless of volume. For sensitive personal data, the rule defines specific categories and sets a bulk threshold for each, measured across all transactions with the same counterparty over the preceding 12 months:
- Human ‘Omic Data: Human genomic data has a bulk threshold of more than 100 U.S. persons; human epigenomic, proteomic, and transcriptomic data have a threshold of more than 1,000 U.S. persons.
- Biometric Identifiers: Such as facial images, voice prints, and fingerprints, with a threshold of more than 1,000 U.S. persons.
- Precise Geolocation Data: Data that identifies a location within 1,000 meters, with a threshold of more than 1,000 U.S. devices.
- Personal Health Data: Covers a wide range of health-related information, including data collected by wearables, with a threshold of more than 10,000 U.S. persons.
- Personal Financial Data: Includes credit and bank account information and purchase histories, with a threshold of more than 10,000 U.S. persons.
- Covered Personal Identifiers: Listed identifiers (such as government ID numbers, device and advertising identifiers, account credentials, and network-based identifiers) that are linked to one another or to other listed data and can identify a person, with a threshold of more than 100,000 U.S. persons.
- Combined Data: Any combination of the categories above. Where a dataset mixes categories, the lowest applicable threshold governs, so a dataset with 1,500 biometric records and 50,000 financial records is bulk even though the financial count alone would not be.
Prohibited and Restricted Transactions
The rule outlines specific transactions that are prohibited or restricted:
- Prohibited Transactions: Data brokerage (selling, licensing, or otherwise giving access to covered data to a recipient that did not collect it) with countries of concern or covered persons is banned outright, as is any covered transaction that gives them access to bulk human ‘omic data or human biospecimens from which it can be derived. Data brokerage with any other foreign person is also prohibited unless the U.S. person contractually bars onward transfer to a country of concern. For example, a U.S. company selling sensitive data to a foreign social media app for advertising purposes would be prohibited where the buyer is a covered person.
- Restricted Transactions: Vendor agreements (including cloud and other IT services), employment agreements, and investment agreements that give a covered person access to covered data are permitted only if the U.S. person implements the security requirements published by CISA, which cover organizational controls, system-level controls such as access control, logging, and encryption, and data-level controls such as minimization and de-identification. Parties to restricted transactions must also maintain a data compliance program, keep records, and conduct annual audits.
Compliance and Enforcement
The DOJ emphasizes robust compliance measures, including:
- Establishing a written data compliance program, including due diligence on counterparties and the data involved, by October 6, 2025, when the affirmative due-diligence, audit, and reporting provisions take effect.
- Conducting annual independent audits of restricted transactions to verify that the CISA security requirements and the compliance program are actually in place and to identify gaps.
- Civil penalties for violations can reach the greater of $377,700 per violation or twice the value of the transaction; willful violations carry criminal penalties of up to $1,000,000 in fines and up to 20 years of imprisonment under the International Emergency Economic Powers Act.
Conclusion
The DOJ’s final rule is a significant step in protecting U.S. sensitive personal data from foreign threats. By defining the covered data, the bulk thresholds, and the transaction types that are prohibited or restricted, the rule aims to balance national security with legitimate commercial activity while ensuring that sensitive data is safeguarded against exploitation by adversarial nations.