US Companies Face New Requirements Under Final Rule

The US Department of Justice’s final rule, implementing the Biden-era Executive Order 14117, restricting the transfer of sensitive personal data and US government-related data to countries of concern, came into force on April 8, 2025. The rule imposes new requirements on US companies when transferring certain types of personal data to designated countries of concern or covered persons.

Scope of the Final Rule

The key elements determining the applicability and scope of the Final Rule include:

  • Countries of Concern
  • Covered Persons
  • Sensitive Personal Data

US companies must be aware of the six countries designated as countries of concern: China, Cuba, Iran, North Korea, Russia, and Venezuela. Additionally, the Final Rule defines four classes of covered persons, which include:

  1. Foreign entities that are 50% or more owned by a country of concern, organized under the laws of a country of concern, or have their principal place of business in a country of concern;
  2. Foreign entities that are 50% or more owned by a covered person;
  3. Foreign employees or contractors of countries of concern or entities that are covered persons;
  4. Foreign individuals primarily resident in countries of concern.

The Final Rule regulates transactions involving six categories of sensitive personal data:

  1. Certain covered personal identifiers;
  2. Precise geolocation data;
  3. Biometric identifiers;
  4. Human genomic data and three other types of human ‘omic data (epigenomic, proteomic, or transcriptomic);
  5. Personal health data;
  6. Personal financial data.

Prohibited or Restricted Transactions?

The type of transaction under which the data is being transferred will inform whether the transaction is restricted, prohibited, or exempt from scrutiny. US companies are required to assess the type of transaction to determine the level of compliance required.

Restricted transactions include:

  • Data brokerage;
  • Covered data transactions involving access to bulk human ‘omic data or human biospecimens from which such data can be derived.

The Final Rule prohibits data brokerage agreements with countries of concern and requires US persons to contractually ensure that data brokerage transactions with other foreign persons do not enable the transfer of sensitive personal data to countries of concern under subsequent arrangements.

Compliance Obligations

US companies must comply with the new requirements, which include:

  • CISA requirements detailing cybersecurity, data retention, encryption, and anonymisation policies;
  • Implementation of a data compliance program, including comprehensive policies, procedures, and record-keeping surrounding data involved in a restricted transaction;
  • Completion of third-party audits to monitor compliance with the Final Rule;
  • Reporting requirements.

FAQs, Compliance Guide, and Enforcement Policy

The Department of Justice published answers to Frequently Asked Questions and a Compliance Guide, and issued an Implementation and Enforcement Policy for the first 90 days of the Final Rule.

The Compliance Guide provides general information to assist individuals and entities when complying with the Data Security Program (DSP) established by the Department of Justice’s National Security Division. The Policy states that during the first 90 days, enforcement will be limited to allow US persons to continue implementing the necessary changes to comply with the DSP.

Next Steps

While certain due diligence, auditing, and reporting obligations will not become effective until October 2025, preparation for effective oversight and compliance with the CISA requirements can begin now.

news

news is a contributor at gdprIQ. We are committed to providing well-researched, accurate, and valuable content to our readers.
