
XL INSIGHTS+
Legal Alerts and News Updates

DOJ Issues National Security Regulation to Limit Transfers of Sensitive Data to Countries of Concern

  • On January 8, 2025, the DOJ issued a new final rule to prohibit or restrict transfers of bulk sensitive personal data and certain U.S. government-related data to countries of concern. 

  • The final rule regulates not only data brokerage transactions, but also vendor, employment, and investment agreements. 

  • Most of the regulation’s obligations take effect on April 8, 2025.

  • IHEs should move quickly to assess their data transactions for potentially regulated transactions and begin to plan for compliance.

  • IHEs with entities in China (ROs and WFOEs) and cooperative education programs in China should carefully review the data they make accessible to faculty and staff in China with an eye toward identifying regulated transactions.


On January 8, 2025, the Department of Justice (“DOJ”), National Security Division issued a final rule, “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” prohibiting or otherwise restricting U.S. persons from knowingly (with actual or constructive knowledge) engaging in certain transactions that might result in countries of concern gaining access to U.S. government-related data or bulk U.S. sensitive personal data and requiring U.S. persons to report any offer to engage in certain prohibited transactions.  Coinciding with the publication of the DOJ regulations, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published the Security Requirements for Restricted Transactions.  Most of the regulation’s obligations become effective on April 8, 2025, though data compliance program and certain audit and reporting requirements will take effect on October 6, 2025. 

 

Institutions of higher education that engage in data transactions with foreign persons or receive offers to engage in such transactions are potentially subject to the rule and should begin to assess their compliance obligations now. 


I. Background

 

On February 28, 2024, President Biden issued Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” which invokes the executive authority under the International Emergency Economic Powers Act (IEEPA) and the National Emergencies Act (NEA) to establish a national security program within the DOJ to regulate and restrict transactions in bulk U.S. sensitive personal data and U.S. government-related data.    

 

II. Countries of Concern and Covered Persons

 

A. Countries of Concern

The regulations provide that the Attorney General, with the concurrence of the Secretary of State and the Secretary of Commerce, may designate countries as “countries of concern” based on certain criteria.  The countries of concern currently designated in the regulation are China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. 

 

B. Covered Persons

The final rule’s definition of “covered persons” aligns with the Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) 50-percent rule.  It includes five categories:

 

  • Foreign entities that are 50 percent or more owned by a country of concern, organized under the laws of a country of concern, or have their principal place of business in a country of concern.

  • Foreign entities that are 50 percent or more owned by a covered person. 

  • Foreign employees or contractors of countries of concern or entities that are covered persons.

  • Foreign individuals primarily resident in countries of concern. 

  • Any person designated by the Attorney General, regardless of location, as (1) actually or likely to be owned, controlled, or under the jurisdiction of a country of concern; (2) acting or likely to act for a country of concern or covered person; or (3) having acted knowingly or likely to act knowingly to bring about a violation of the regulation. 

  

III. Prohibited and Restricted Transactions

 

A. Prohibited Transactions

The primary prohibitions in the regulation are as follows: 

 

  • Data brokerage.  No U.S. person may knowingly engage in a transaction involving data brokerage of covered data with a country of concern or covered person.  Data brokerage includes the sale of data, licensing of access to data, or similar commercial transaction involving a transfer of data to a recipient that was not involved in the collection of the data.  For example, data brokerage includes a U.S. IHE using tracking pixels on its website when such tracking pixels transfer or otherwise provide access to data to a third party for targeted advertising. Data brokerage transactions may also include certain sponsored research transactions, particularly non-federally funded research.

  • Onward transfers.  When a U.S. person knowingly engages in a transaction involving data brokerage of covered data with any foreign person, the regulation aims to prevent the onward transfer of covered data from the foreign person to a country of concern or covered person. To this end, the regulation prohibits any U.S. person from knowingly engaging in a data brokerage transaction involving access to covered data by any foreign person (i.e., any person located outside the U.S. who is not a U.S. citizen, national, lawful permanent resident, or any entity that is not organized solely under the laws of the U.S. or any jurisdiction within the U.S.) unless the U.S. person (1) contractually requires the foreign person to refrain from engaging in a subsequent transaction involving data brokerage of the same covered data with a country of concern or covered person, and (2) fulfills certain reporting obligations, as discussed below.

  • Human ‘omic and human biospecimens. The regulation categorically prohibits any data brokerage transaction, vendor agreement, employment agreement, or investment agreement involving access by a country of concern or covered person to bulk U.S. sensitive personal data that includes bulk human ‘omic data or human biospecimens from which bulk human ‘omic data could be derived.  Note that unlike other transactions involving bulk sensitive data discussed below, these prohibited transactions are not permitted even if the U.S. person implements the CISA security measures that the regulation requires to conduct restricted transactions. 

 

The regulation also prohibits any transaction aimed at evading or avoiding, causing a violation of, or attempting to violate these prohibitions, as well as any conspiracy to violate these prohibitions. 

 

B. Restricted Transactions

U.S. persons are also prohibited from knowingly engaging in any vendor agreement, employment agreement, or investment agreement that involves access to covered data by a country of concern or a covered person (including access by vendors’ subcontractors) unless the U.S. person complies with the CISA Security Requirements for Restricted Transactions.  As noted above, however, such agreements involving bulk human ‘omic data or human biospecimens from which such data can be derived are entirely prohibited, regardless of the security measures implemented. 

 

  • Vendor agreements are “any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.”

  • Employment agreements are “any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.”

  • Investment agreements are agreements or arrangements “in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests or rights” relating to real estate in the U.S. or a U.S. legal entity. 

 

While most IHEs have limited direct interactions with most of the countries of concern listed in the new regulation, IHEs should also be aware of how vendors, employees, and other parties transfer or otherwise allow access to covered data such parties receive from IHEs, as IHEs may engage in a restricted or prohibited transaction by knowingly allowing such parties to process the covered data using subcontractors in countries of concern. For example, an IHE may engage in a restricted vendor agreement by storing covered data with a U.S.-based service provider if its terms of use or other agreement provide that the covered data may be stored or otherwise processed by subcontractors located in a country of concern.

 

Additionally, as explained further below, IHEs with academic programs or other collaborations in countries of concern, such as China, should closely examine the types and volumes of data accessible to partner institutions and employees in such countries. 

 

C. “Knowingly” Standard

Throughout the regulation, the Department applies a “knowingly” standard to the conduct that is prohibited or restricted by the regulation.  “Knowingly” is defined to mean “that a person has actual knowledge, or reasonably should have known, of the conduct, the circumstance, or the result.” 

 

D. Civil and Criminal Penalties

A civil penalty may be imposed up to $368,136 or twice the amount of the transaction that is the basis of the violation, whichever is greater.  Criminal penalties may include a fine of up to $1,000,000, imprisonment for up to 20 years, or both.

 

IV.  Covered Data

 

The heart of this regulation is the aim of preventing countries of concern and covered persons from engaging in transactions that would give them access to bulk levels of U.S. sensitive personal data (as defined by the thresholds discussed below) or any level of certain U.S. government-related data. 

 

A. Sensitive Personal Data

 The new rule defines U.S. sensitive personal data to include “covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof” relating to U.S. persons or devices, subject to some limited exceptions. Notably, “covered personal identifiers” include a variety of data that traditionally have not been designated as sensitive data, such as U.S. students’ or employees’ demographic or contact data provided in combination with their college or university account usernames.

 

B. Human ‘Omic Data

Of particular note in this regulation is “human ‘omic data,” which is one of the six categories of U.S. sensitive personal data. The final rule regulates four categories of human ‘omic data: human genomic data, human epigenomic data, human proteomic data, and human transcriptomic data.  This grouping, though, excludes pathogen-specific data embedded in human ‘omic data sets. 

 

C. Bulk Thresholds

The new rule regulates any data brokerage transaction, vendor agreement, employment agreement, or investment agreement involving access by a country of concern or covered person to U.S. sensitive personal data that meets the following thresholds. 


Category                        Bulk Threshold
Human genomic data              More than 100 U.S. persons
Human ‘omic data                More than 1,000 U.S. persons
Biometric identifiers           More than 1,000 U.S. persons
Precise geolocation data        More than 1,000 U.S. devices
Personal health data            More than 10,000 U.S. persons
Personal financial data         More than 10,000 U.S. persons
Covered personal identifiers    More than 100,000 U.S. persons

 

D. U.S. Government-Related Data

The regulation also restricts two groupings of data related to the U.S. government, no matter what the quantity.  First, the regulation covers latitude/longitude coordinates defining over 700 sites controlled by the federal government that the Department has determined may be exploited by a country of concern.  Second, the regulation restricts transfers of any U.S. sensitive personal data that is marketed as linked or linkable to current or recent former employees or former senior officials of the U.S. government. 

 

V. Exempt Transactions

 

The final rule also exempts transactions in 11 different areas. Several key exemptions for research institutions include limited exemptions related to drug, biological product, and medical devices authorizations; clinical investigations and post-marketing surveillance; and the conduct of grantees and contractors acting pursuant to a federally funded grant, federal contract, or other agreement entered into with the U.S. government.  Importantly, transactions involving these kinds of data will still be subject to certain recordkeeping and reporting requirements. 

 

VI.  Compliance Requirements

 

A. Due Diligence—Data Compliance Programs

 By October 6, 2025, organizations engaging in any restricted transactions must have in place a data compliance program.  The regulations specify that this program must, at a minimum, include the following four elements: 

 

  • Risk-based procedures to verify and log in an auditable manner: (i) the types and volumes of covered data involved in the transaction; (ii) the identity of the transaction parties, including any ownership of entities or citizenship or primary residence of individuals; and (iii) the end-use of the data and the method of data transfer.

  • Risk-based procedures for verifying the identity of vendors, where restricted transactions involve vendors.

  • A written policy that (i) describes the compliance program and (ii) is certified annually by an officer or executive responsible for compliance. 

  • A written policy that (i) describes the implementation of the required security requirements (discussed below) and (ii) is certified annually by an officer or executive responsible for compliance. 

 

B. Audits for Restricted Transactions

By October 6, 2025, organizations that engage in any restricted transactions must have an audit conducted by a qualified and independent auditor that covers the organization’s restricted transactions over the preceding 12 months and that covers the organization’s compliance program, required records, and security requirements.  Such audits must be conducted annually, and the resulting report must be retained for at least 10 years. 

 

C. Reporting

To ensure compliance and to assist the Department in safeguarding national security, the final rule establishes several reporting requirements. 

 

  • Suspected violations of covered data transactions.  Effective April 8, 2025, organizations engaged in data brokerage transactions involving access to covered data by foreign persons must (1) contractually require those foreign persons to refrain from further transactions involving data brokerage of that covered data with any country of concern or covered person and (2) report any known or suspected violations of this contractual requirement within 14 days. 

  • Rejected prohibited data brokerage transactions.  Effective October 6, 2025, an organization that receives and affirmatively rejects an offer to engage in a prohibited transaction involving a data brokerage must report the rejected transaction within 14 days. 

  • On demand.  Effective April 8, 2025, any person or entity engaging in a covered data transaction, regardless of whether the transaction is covered by a license or exemption, must furnish complete information regarding any covered transaction “from time to time or at any time as may be required by the Department.”  The Department’s Fact Sheet on the final rule highlights that these reports will be relevant for those invoking exemptions for “data transactions that are necessary to obtain or maintain regulatory approval to market a drug, biological product, device, or a combination product in a country of concern.” 

  • Annual reports.  Effective October 6, 2025, any person or entity “engaged in a restricted transaction involving cloud-computing services, and that has 25% or more of the U.S. person’s equity interest owned (directly or indirectly through any contract, arrangement, understanding, relationship, or otherwise) by a country of concern or covered person” must file an annual report that includes details of the transaction and copies of relevant documentation.  These reports must be filed annually by March 1 for transactions engaged in as of December 31 of the previous year. 

 

D. Recordkeeping

The new regulation requires that an organization engaging in any restricted transaction must keep full and accurate records in an auditable form of each such transaction for at least 10 years.  The regulation further outlines 11 kinds of documents subject to this recordkeeping requirement. 

 

VII. Security Requirements

 

Coinciding with the publication of the final rule by the DOJ, CISA also released the Security Requirements for Restricted Transactions that must be applied in instances of restricted transactions.  This publication contains requirements not only for the handling of the restricted data, but also requirements pertaining to information systems and the organization as a whole.  The publication notes that these organization-level requirements are “necessary to validate that the organization has the technical capability and sufficient governance structure to appropriately select, successfully implement, and continue to apply the covered data-level security requirements in a way that addresses the risks identified by DOJ for the restricted transactions.”  Meeting these requirements will involve measures and capacities that are above and beyond those entailed in the compliance obligations of the DOJ final rule itself. 

 

VIII. Impact on Chinese Programs and Activities

 

U.S. IHEs with entities in China (such as representative offices (ROs) or wholly foreign-owned enterprises (WFOEs)) and/or engaged in cooperative education programs with Chinese institutions (or institutions in other countries of concern) should carefully review the types and volumes of data the U.S. IHE shares with, or otherwise makes accessible to, faculty and staff in China, including faculty and staff employed by the Chinese institution as well as any globally or locally recruited faculty and staff employed by the U.S. institution.

 

For example, a U.S. IHE may engage in a restricted transaction by allowing a Chinese institution’s faculty members to use a learning management system through which they could potentially access a database that includes bulk U.S. sensitive data, or by granting the U.S. IHE’s non-U.S. citizen employees in China access to the U.S. IHE’s enterprise resource planning system (e.g., Banner) if such access permits such employees to view bulk U.S. sensitive data.

 

IX. Implications for IHEs

 

With the April 8, 2025 effective date of the regulation rapidly approaching, institutions should move quickly to assess their potential exposure and prepare to fulfill applicable compliance obligations.

 

Institutions should strongly consider:

 

  • Developing a strategy to identify and review existing agreements related to countries of concern, particularly vendor agreements, employment agreements, and sponsored research agreements;

  • Reviewing these existing transactions to determine whether any involve transfers of covered data that might render the transaction restricted or prohibited;

  • Reviewing potentially implicated transactions to determine whether an exemption might apply;

  • Preparing to implement contractual requirements for potentially prohibited data brokerage transactions and security requirements for restricted transactions;

  • Reviewing data security practices and capacities and preparing to implement controls and mature institutional capacities, if necessary;

  • Reviewing due diligence practices related to proposed transactions and the potential recipients of covered data;

  • Reviewing recordkeeping and ensuring that the institution is prepared for potential reporting and audit obligations; and

  • Building awareness among internal stakeholders of the new requirements, including especially the obligation to report rejected transactions. 

 




© 2024 XL Law & Consulting P.A.