The US Department of Justice's final rule implementing Executive Order 14117, the Biden-era order restricting the transfer of sensitive personal data and US government-related data to countries of concern, came into force on April 8, 2025. The rule imposes new requirements on US companies that transfer certain types of sensitive personal data to designated countries of concern or to covered persons.
Scope of the Final Rule
The key elements determining the applicability and scope of the Final Rule include:
- Countries of Concern
- Covered Persons
- Sensitive Personal Data
US companies must be aware of the six countries designated as countries of concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. Additionally, the Final Rule defines four classes of covered persons (in addition to any person the Attorney General specifically designates), which include:
- Foreign entities that are 50% or more owned by a country of concern, organized under the laws of a country of concern, or have their principal place of business in a country of concern;
- Foreign entities that are 50% or more owned by a covered person;
- Foreign employees or contractors of countries of concern or entities that are covered persons;
- Foreign individuals primarily resident in countries of concern.
The Final Rule regulates transactions involving six categories of sensitive personal data:
- Certain covered personal identifiers;
- Precise geolocation data;
- Biometric identifiers;
- Human genomic data and three other types of human ‘omic data (epigenomic, proteomic, or transcriptomic);
- Personal health data;
- Personal financial data.
Prohibited or Restricted Transactions?
The type of transaction under which the data is being transferred will inform whether the transaction is restricted, prohibited, or exempt from scrutiny. US companies are required to assess the type of transaction to determine the level of compliance required.
Prohibited transactions include:
- Data brokerage with a country of concern or covered person;
- Covered data transactions involving access to bulk human ‘omic data or human biospecimens from which such data can be derived.
The Final Rule therefore bars data brokerage agreements with countries of concern and covered persons outright. Where a US person engages in data brokerage with any other foreign person, it must contractually require that person not to pass the sensitive personal data on to a country of concern or covered person under a subsequent arrangement.
Restricted transactions are vendor agreements, employment agreements, and investment agreements that give a country of concern or covered person access to bulk sensitive personal data or US government-related data. These are permitted only if the US person complies with the security requirements published by CISA and the compliance obligations set out below.
Compliance Obligations
US companies must comply with the new requirements, which include:
- The CISA security requirements, which cover organisational and system-level controls (such as asset inventories, access control, logging, and vulnerability remediation) as well as data-level controls (data minimisation and retention limits, encryption, and anonymisation or other privacy-enhancing techniques);
- Implementation of a data compliance program, including comprehensive policies, procedures, and record-keeping surrounding data involved in a restricted transaction;
- Completion of annual independent audits to verify compliance with the Final Rule and the CISA security requirements for restricted transactions;
- Reporting requirements.
FAQs, Compliance Guide, and Enforcement Policy
The Department of Justice published answers to Frequently Asked Questions, a Compliance Guide, and issued an Implementation and Enforcement Policy for the first 90 days of the Final Rule.
The Compliance Guide provides general information to assist individuals and entities when complying with the Data Security Program (DSP) established by the Department of Justice’s National Security Division. The Policy states that during the first 90 days, enforcement will be limited to allow US persons to continue implementing the necessary changes to comply with the DSP.
Next Steps
While the due diligence, auditing, and reporting obligations for restricted transactions do not take effect until October 6, 2025, the prohibitions and the CISA security requirements already apply, so preparation for effective oversight and compliance should begin now.
