DOJ’s New Data Regulation: Implications for U.S. Businesses Working with China
Published 11 April 2025
Sarah Xuan
On April 8, 2025, the U.S. Department of Justice (DOJ) enacted a landmark regulation titled the “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” Rule (“the Rule”). This measure followed an Executive Order issued by President Biden on February 28, 2024, which tasked the DOJ with addressing national security risks arising from foreign access to large-scale U.S. personal and governmental data. The rule marks a significant development in the U.S. government’s efforts to counter foreign exploitation of domestic data assets.
I. Legislative Background
The Rule emerges from heightened concerns over foreign governments—especially the People’s Republic of China (PRC)—gaining unauthorized or indirect access to sensitive U.S. data. Federal security agencies have consistently emphasized that access to large volumes of personal or government-related data by adversarial nations can facilitate surveillance, AI development for military use, and social engineering operations.
In contrast to prior mechanisms focused primarily on foreign investment (e.g., CFIUS), the Rule targets commercial data transactions, thereby expanding regulatory reach into routine business practices involving data sharing, processing, and analytics.
II. Key Provisions
The Rule establishes a broad and mandatory regulatory framework governing cross-border data transactions. The key provisions include:
1. Prohibited Transactions
The Rule prohibits any U.S. person or entity from participating in, assisting with, or facilitating the transfer of “covered data” to “covered persons,” whether directly or indirectly. Prohibited conduct includes, but is not limited to:
1) Sale, lease, license, or transfer of data;
2) Outsourced data hosting or processing services;
3) Granting access via data platforms, APIs, or cloud service interfaces;
4) Data sharing through joint ventures, research collaborations, or other commercial arrangements;
5) Backend systems integration or embedded access involving foreign entities.
Even if the data does not ultimately end up with a country of concern, involvement by an intermediary connected to such a country may still constitute a violation.
2. Definition of “Covered Persons” and “Countries of Concern”
Covered Persons: Refers to individuals or entities with direct or indirect ties to a country of concern. This includes:
1) Entities owned, funded, or regulated by a government of concern;
2) Organizations subject to foreign national intelligence laws requiring data disclosure;
3) Individuals or institutions designated by the DOJ as posing a national security risk.
Countries of Concern: Currently includes China, Russia, Iran, and North Korea. This list is maintained and updated by the DOJ and the National Security Council.
3. Scope of Covered Data
The Rule clearly defines two categories of covered data:
1) Sensitive Personal Data, including: Precise geolocation information; Financial account and payment data; Health and medical records (e.g., EHRs, diagnostics, treatment history); Biometric identifiers (e.g., fingerprints, facial scans, iris patterns); Genetic and genomic data; Citizenship and immigration records; Online behavioral patterns or device usage history; Combinations of demographic data that could enable re-identification.
2) Government-Related Data, including: Personal information of current or former federal, state, or local government employees; Sensitive records tied to government contract execution; Personnel data related to military, defense, intelligence, law enforcement, or critical infrastructure sectors; Metadata from government communications, travel, or access logs involving diplomatic or sensitive roles.
4. Volume and Scale Thresholds
The Rule generally applies to data sets involving 1 million or more U.S. individuals. Smaller-scale transactions may still be subject to scrutiny if the data is especially sensitive or poses “aggregation risk.”
5. Licensing and Exemption Mechanisms
1) Certain transactions may proceed following DOJ review or conditional licensing;
2) Applications must disclose details including transaction structure, data type, relationship with covered persons, and technical safeguards;
3) The DOJ may approve with conditions, recommend revisions, or prohibit the transaction outright;
4) Limited exemptions may apply to categories such as national security-related collaboration or data sharing mandated by specific statutes.
6. Due Diligence and Compliance Obligations
U.S. entities engaged in cross-border data transfers are required to conduct “reasonable due diligence.” Best practices include establishing: Systems to identify and screen covered persons; Audits of data use and access pathways; Risk classification frameworks and automated alerts; Formal documentation of employee training and data governance policies.
A failure to implement adequate due diligence—even without willful misconduct—can still result in civil or criminal penalties.
7. Enforcement and Penalties
The DOJ has investigative and enforcement authority for suspected violations. Penalties may include: Substantial financial fines (potentially millions per violation); Disqualification from federal contracting or grant programs; Criminal prosecution of individual executives or officers; Orders to suspend or unwind covered transactions.
III. Impact for U.S. businesses that operate within China or maintain commercial relationships with Chinese entities
1. Data Sharing Constraints
Collaborative projects involving Chinese research institutions, suppliers, or analytics firms may be restricted if sensitive U.S. data is involved. The Rule may inhibit the sharing of customer datasets, behavioral analytics, or R&D findings, even when such transfers are common in joint ventures or strategic partnerships.
2. Contractual and Legal Revisions
Many cross-border agreements—particularly in sectors such as biotech, fintech, and cloud services—require reassessment. Contracts may need to incorporate data control clauses, national security representations, and termination rights in cases of regulatory non-compliance.
3. Operational Delays and Compliance Costs
Compliance with the Rule demands robust internal controls and potentially complex screening of counterparties. U.S. entities may need to invest in third-party vetting mechanisms, legal review processes, and data localization strategies to prevent inadvertent breaches.
4. Supply Chain Restructuring
The Rule may disrupt data flows within multinational supply chains, particularly when vendors or subcontractors based in China require access to personal or logistical information tied to U.S. citizens or government contracts.
5. Heightened Regulatory Risk
The Rule broadens the scope of legal exposure. Even indirect data transfers through intermediaries or cloud platforms may trigger liability if appropriate safeguards are not in place. This creates significant legal risk for companies with distributed IT environments or global service architectures.
IV. Strategic and Legal Considerations
The Rule represents a strategic pivot in U.S. regulatory policy—from focusing on foreign ownership to targeting access and influence over data ecosystems. For businesses with exposure to China, the implications are both practical and geopolitical. Several challenges are likely to emerge:
1) Ambiguity in Definitions: Terms such as “indirect access,” “covered person,” and “reasonable due diligence” are broad and may be subject to interpretation in enforcement actions.
2) Lack of Precedent: As a novel regulatory instrument, the Rule’s application lacks judicial or administrative precedent, making future enforcement outcomes difficult to predict.
3) Potential Chilling Effect on Innovation: Research-intensive industries such as pharmaceuticals, AI, and precision medicine may face increased barriers to global collaboration, including with reputable Chinese academic or private-sector partners.
4) Data Infrastructure Implications: U.S. entities may need to reassess the geographic location of data storage, processing, and cloud resources to prevent inadvertent exposure to foreign jurisdictions deemed high-risk.
[Comment]
The DOJ’s new Rule restricting access to U.S. sensitive and government-related data by countries of concern marks a fundamental shift in U.S. data governance and national security policy. For companies doing business in or with China, this Rule introduces significant compliance obligations, legal risks, and operational friction. As the U.S. government continues to tighten controls on foreign data access, businesses must adapt to ensure compliance while preserving the integrity and viability of international operations.