
DOJ implements new rule restricting bulk transfers of sensitive personal data

Key Developments and Implications
On April 22, 2025, FTC Commissioner Melissa Holyoak emphasized the importance of vigorously enforcing privacy laws while warning against stretching the FTC's authority under Section 5 of the FTC Act. Her remarks come as a major regulatory development unfolds: on April 8, 2025, the U.S. Department of Justice (DOJ) final rule implementing Executive Order 14117, "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern," took effect.
The final rule targets six "countries of concern": China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela, as well as "covered persons," meaning entities and individuals owned by, controlled by, or subject to the jurisdiction or direction of those countries. It establishes the first national security-focused restrictions on the transfer or export of sensitive personal and government-related data to designated foreign adversaries. The core prohibitions and restrictions apply as of April 8; the affirmative due diligence, audit, and reporting requirements for restricted transactions phase in through October 6, 2025. The rule defines "bulk" data as sensitive personal data (for example geolocation, health, financial, and biometric data) that meets or exceeds a category-specific threshold in the aggregate over any 12-month period, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.

Key Categories and Thresholds
The final rule regulates two broad categories of data: U.S. sensitive personal data and U.S. government-related data. Six categories of U.S. sensitive personal data are covered, each with a specific threshold defining what constitutes "bulk" data. The thresholds are measured by the volume of data collected or maintained across one or more transactions with the same foreign person or covered person in any 12-month period, so a series of small transfers counts the same as a single large one.

Covered Personal Identifiers: Listed identifiers that are linked or linkable to one another, such as a name combined with a Social Security number, email address, or device identifier. The bulk threshold is 100,000 U.S. persons.
Precise Geolocation Data: Data that identifies the real-time or historical location of a device or individual to within 1,000 meters. The bulk threshold is 1,000 U.S. devices.
Biometric Identifiers: Physical characteristics such as facial images, fingerprints, or voice prints that are used for identity verification. The bulk threshold is 1,000 U.S. persons.
Human 'Omic Data: Data about human genomics, proteomics, epigenomics, or transcriptomics. The bulk threshold is 1,000 U.S. persons, or 100 U.S. persons for human genomic data.
Personal Health Data: Information about an individual's physical or mental health, including medical records, test results, or treatment history. The bulk threshold is 10,000 U.S. persons.
Personal Financial Data: Data about credit or bank accounts, financial transactions, and credit reports. The bulk threshold is 10,000 U.S. persons.

U.S. Government-Related Data
The rule also regulates certain types of U.S. government-related data, which are covered regardless of volume and therefore have no bulk threshold. This includes:
Geolocation Data: Precise geolocation data for specific areas listed by the Attorney General as sensitive, such as military sites or intelligence facilities, where the data could be exploited by a country of concern.
Sensitive Personal Data: Any sensitive personal data that is marketed as linked or linkable to current or recent former U.S. government employees or contractors, including military or intelligence personnel, regardless of volume.

Prohibitions, Restrictions, and Exemptions
The rule governs transactions involving covered data and sorts them into three buckets: prohibited, restricted, and exempt.

Prohibited Transactions
The final rule outlines two primary categories of prohibited transactions:
Data Brokerage with Countries of Concern or Covered Persons: Any data brokerage transaction that gives a country of concern or a covered person access to bulk U.S. sensitive personal data or to U.S. government-related data is prohibited outright; no security requirements can cure it.
Foreign Access to Sensitive Data Without Safeguards: A data brokerage transaction that gives any other foreign person (one who is not a covered person) access to bulk U.S. sensitive personal data or U.S. government-related data is also prohibited unless the U.S. person contractually requires the foreign party not to engage in an onward data brokerage transaction with a country of concern or covered person.

Restricted Transactions
Three categories of covered data transactions with countries of concern or covered persons are restricted rather than prohibited: vendor agreements, employment agreements, and investment agreements. Except for exempt transactions, discussed below, U.S. persons engaging in these restricted transactions may proceed only if they comply with the rule's security requirements (published separately by the Cybersecurity and Infrastructure Security Agency), which cover organizational controls, system-level controls, and data-level controls such as encryption and minimization.

Exempt Transactions
The final rule provides exemptions for certain types of transactions, as long as specific requirements are met. These exemptions apply to personal communications, information or informational materials (including expressive content), and travel-related data. Additionally, transactions involving the official business of the U.S. Government, certain financial services, and ordinary financial transactions are also exempt.

Potential Liability
The final rule imposes significant penalties for violations. Civil penalties can reach up to $377,700 (adjusted for inflation) or twice the value of the transaction involved, whichever is greater. For willful violations, criminal penalties can include fines of up to $1,000,000, imprisonment for up to 20 years, or both.

Guidance and Resources
The DOJ's National Security Division (NSD) has released several documents to assist entities in complying with the final rule. They provide guidance on compliance strategies, enforcement expectations, and the specific legal requirements under the final rule. The key documents are:

Data Security Program (DSP) Compliance Guide: This guide offers practical advice for entities seeking to meet the requirements of the final rule. It includes recommendations on contractual safeguards for data brokerage transactions, as well as security safeguards, including cybersecurity risk assessments, vendor due diligence, and employee training.
Frequently Asked Questions (FAQ) Document: The FAQ document clarifies the scope and purposes of the Data Security Program. It addresses specific compliance concerns for various data transactions, the interaction of the DSP with other regulatory regimes (such as CFIUS), and how entities can navigate the compliance process. NSD will periodically update this document to offer further guidance as needed.
Implementation and Enforcement Policy: This policy outlines how NSD will enforce compliance with the DSP during the first 90 days following the final rule's effective date. It includes a grace period (April 8 to July 8, 2025) during which entities making good-faith efforts to comply will not face civil enforcement actions. After this period, full compliance will be expected, and NSD will pursue enforcement for violations.

The final rule introduces significant protections for sensitive personal and government-related data against foreign adversaries. By restricting data transfers to the designated countries of concern, the rule addresses both personal data and national security risks. With compliance deadlines upon us, U.S. companies must ensure they follow strict due diligence and security protocols, particularly for data brokerage and for transactions with countries of concern and covered persons. The DOJ has provided guidance to assist entities in navigating these requirements, and the penalties for non-compliance are substantial. Staying compliant will be key for businesses to avoid legal and financial risk.
