ASAP
DOJ Rule Implementing Executive Order 14117 Regulating Cross-Border Data Transfers Takes Effect
At a Glance
- DOJ rule to implement Executive Order 14117, which restricts the exchange of sensitive personal data with certain “countries of concern,” took effect April 8.
- The order, which was issued under the prior administration, is designed to address the threat posed by foreign actors’ accessing sensitive data.
In January the U.S. Department of Justice published a final rule to implement Executive Order 14117, Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, which was issued under the prior administration. Effective April 8, 2025, all U.S. persons are restricted and, in some instances, prohibited from engaging in certain categories of data transactions with China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela (“Countries of Concern”) and with certain people and entities subject to coercion by those countries (“Covered Persons”).
Also, effective October 6, 2025, all U.S. persons involved in restricted transactions must implement compliance programs based on their individualized risk profiles. The following provides a general overview of the final rule.
Covered Persons
Covered Persons include:
- Foreign entities that are 50 percent or more owned by a country of concern, organized under the laws of a country of concern, or that have their principal place of business in a country of concern.
- Foreign entities that are 50 percent or more owned by a covered person.
- Foreign employees or contractors of countries of concern or of entities that are covered persons.
- Foreign individuals primarily resident in countries of concern.
- Individuals and entities on the DOJ’s public list of designated covered persons.
- Third parties designated by the DOJ, regardless of location. The DOJ can designate as a covered person anyone it determines to be, or to have been, controlled by or subject to the jurisdiction of a country of concern or a covered person; who acts, has acted, or is likely to act on behalf of such a country or person; or who knowingly causes or is likely to cause a violation of the rule.
Sensitive Personal Data Covered by the Rule
The rule considers the following to be sensitive personal data:
- Certain covered personal identifiers (e.g., names linked to device identifiers, social security numbers, driver’s license numbers, or other full or truncated government identification numbers);
- Precise geolocation data (e.g., GPS coordinates);
- Biometric identifiers (e.g., facial images, voice prints and patterns, and retina scans);
- Human genomic data and three other types of human ‘omic data (epigenomic, proteomic, or transcriptomic);
- Personal health data (e.g., height, weight, vital signs, symptoms, test results, diagnoses, digital dental records, and psychological diagnostics); and
- Personal financial data (e.g., information related to an individual’s credit and debit cards, bank accounts, and financial liabilities, including payment history).
Bulk Sensitive Personal Data Thresholds and U.S. Government-Related Data
“Bulk” refers to any amount of sensitive personal data, whether the data is anonymized, pseudonymized, de-identified, or encrypted, that exceeds certain thresholds in the aggregate over the preceding 12 months before a “covered data transaction.”
The rule establishes the following bulk thresholds:
- Human genomic data on over 100 U.S. persons, and the three other covered categories of human ‘omic data on over 1,000 U.S. persons. (Omics data refers to data generated from high-throughput technologies used to study the various “omes” of an organism, such as the genome (all the genetic material), transcriptome (all the RNA molecules), proteome (all the proteins), metabolome (all the small molecules), and interactome (all the interactions).)
- Biometric identifiers on over 1,000 U.S. persons.
- Precise geolocation data on over 1,000 U.S. devices.
- Personal health data and personal financial data on over 10,000 U.S. persons.
- Certain covered personal identifiers on over 100,000 U.S. persons; or
- Any combination of these data types that meets the lowest threshold for any category present in the dataset.
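To make the threshold test concrete, here is an added Python sketch (not part of the original alert) that applies the thresholds above to a constructed inventory of transfers: it unions distinct identifiers per category over the 12 months preceding a transaction and then applies the combination rule. The per-category identifier sets are an assumed data model, and the sample dates and tokens are constructed.

```python
from datetime import date, timedelta

# Bulk thresholds stated in the rule: "over" N U.S. persons (or U.S. devices
# for precise geolocation), so every comparison below is a strict ">".
THRESHOLDS = {
    "human_genomic": 100,
    "other_omic": 1_000,            # epigenomic, proteomic, transcriptomic
    "biometric": 1_000,
    "precise_geolocation": 1_000,   # counted per U.S. device
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_identifiers": 100_000,
}

def aggregate(transactions, as_of, window_days=365):
    """Union the distinct person/device identifiers per category over all
    transactions in the 12 months preceding `as_of`.  Each transaction is
    (date, {category: set_of_ids}).  The rule counts anonymized, pseudonymized,
    de-identified and encrypted records too, so the ids may be opaque tokens
    (assumption: one stable token per person/device across transactions)."""
    start = as_of - timedelta(days=window_days)
    totals = {}
    for when, categories in transactions:
        if start <= when < as_of:
            for cat, ids in categories.items():
                totals.setdefault(cat, set()).update(ids)
    return totals

def bulk_status(totals):
    """Return (is_bulk, reason).  Per-category thresholds first, then the
    combination rule: a dataset mixing categories is bulk once the combined
    distinct count exceeds the lowest threshold among the categories present."""
    for cat, ids in totals.items():
        if len(ids) > THRESHOLDS[cat]:
            return True, f"{cat}: {len(ids)} > {THRESHOLDS[cat]}"
    present = [cat for cat, ids in totals.items() if ids]
    if len(present) > 1:
        lowest = min(THRESHOLDS[cat] for cat in present)
        combined = len(set().union(*(totals[cat] for cat in present)))
        if combined > lowest:
            return True, f"combined {combined} > lowest threshold {lowest}"
    return False, "below all thresholds"

# Constructed sample: three health-data transfers to one counterparty, each
# under 10,000 persons on its own, but 11,000 distinct persons in aggregate.
SAMPLE = [
    (date(2025, 5, 1), {"personal_health": {f"p{i}" for i in range(4_000)}}),
    (date(2025, 8, 1), {"personal_health": {f"p{i}" for i in range(3_000, 7_500)}}),
    (date(2025, 11, 1), {"personal_health": {f"p{i}" for i in range(7_000, 11_000)}}),
]

def check(transactions=SAMPLE, as_of=date(2026, 1, 15)):
    return bulk_status(aggregate(transactions, as_of))
```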
Government-related data, which is regulated regardless of volume, includes the following:
- Data on the locations of government activities. The rule treats any precise geolocation data within geographic areas listed on the Department’s public Government-Related Location Data List as government-related data.
- Data on U.S. government personnel. The final rule treats any sensitive personal data marketed as linked to current or recent former U.S. government employees or contractors (including the military and intelligence community) as government-related data.
Excluded Categories of Data
- Public or nonpublic data that do not relate to an individual (e.g., trade secrets and proprietary information); and
- Data that are already lawfully publicly available from government records or widely distributed media, as well as personal communications and certain informational materials.
Prohibited Transactions
Prohibited transactions include permitting access to any government-related data or bulk U.S. sensitive personal data in the following transactions:
- Sale, licensing of access to the data, or similar commercial transactions.
- Covered data transactions involving access to bulk human ‘omic data or human biospecimens from which such data can be derived. The final rule defines human ‘omic data as human genomic, human epigenomic, human proteomic, and human transcriptomic data.
- Knowingly directing any covered data transaction that is prohibited if conducted by a U.S. person.
- Transactions designed to evade the regulations.
- Transactions that cause or attempt to cause a violation of the regulations.
- Conspiracies to violate the regulations.
- Data-brokerage transactions involving potential onward transfer to countries of concern or covered persons.
Restricted Transactions
The regulations prohibit U.S. companies from permitting access to any government-related data or bulk U.S. sensitive personal data to covered persons through the following types of transactions unless the U.S. company complies with burdensome due diligence, audit, reporting, and recordkeeping obligations:
- Sale, licensing of access to the data, or similar commercial transactions;
- A vendor agreement;
- An employment agreement; or
- Non-passive investment agreements.
Restricted transactions with countries of concern or covered persons are permitted if certain security requirements issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are met.
Exempt Transactions
Exempt transactions include the following:
- Personal communications that do not transfer anything of value, including the import or export of informational materials involving expressive materials, and travel information, including data about personal baggage, living expenses, and travel arrangements.
- Official U.S. Government activities.
- Financial services, if the transactions are ordinarily incident to and part of providing financial services.
- Corporate group transactions between a U.S. person and its foreign subsidiary or affiliate, if they are ordinarily incident to and part of routine administrative or business operations, such as human resources, payroll, taxes, permits, compliance, risk management, travel, and customer support.
- Transactions required or authorized by federal law or international agreements. These are transactions ordinarily incident to and part of compliance with federal law and regulations.
- Investment agreements after they have become subject to certain mitigation or other action taken by the Committee on Foreign Investment in the United States (CFIUS), if CFIUS explicitly designates them as exempt.
- Transactions that are ordinarily incident to and part of the provision of telecommunications services.
- Data transactions with countries of concern or covered persons involving drug, biological product, device, or combination product approvals or authorizations, if the data transactions involve “regulatory approval data” necessary to obtain or maintain regulatory approval.
- Transactions involving data that is lawfully publicly available from government records or widely distributed media (such as freely available, open-access repositories), and metadata that is ordinarily associated with expressive materials or that is reasonably necessary to enable the transmission or dissemination of expressive materials (such as geolocation data embedded in digital photographs).
Compliance Obligations
U.S. persons engaged in a restricted transaction are expected to develop and implement compliance programs based on their individualized risk profiles. These affirmative compliance obligations for restricted transactions include implementing a comprehensive compliance program, which would include:
- Risk-based procedures to verify and log data flows, including the types and volume of sensitive personal and government-related data, the identities of the transaction parties, the data’s end use and transfer methods, and vendor identities.
- Written policies on data security and compliance that are certified annually by a responsible officer or employee.
- Retaining the results of an annual audit by an internal or external independent auditor to verify compliance with the security requirements established by CISA.
- Maintaining, and certifying the accuracy of, records for 10 years documenting data transfer methods, transaction dates, agreements, licenses, advisory opinions, and any relevant documentation received or created in connection with the transactions.
Reporting Requirements
U.S. persons need to report in the following cases:
- U.S. persons engaged in restricted transactions involving cloud computing services, if they are 25 percent or more owned, directly or indirectly, by a country of concern or covered person, must provide an annual report;
- U.S. persons that have received and affirmatively rejected an offer from another person to engage in a prohibited transaction involving data brokerage;
- U.S. persons engaged in a covered data transaction involving data brokerage with a foreign non-covered person, if the U.S. person knows or suspects that the foreign counterparty is violating the restrictions on resale and onward transfer to countries of concern or covered persons; and
- U.S. persons invoking the exemption for certain data transactions that are necessary to obtain or maintain regulatory approval to market a drug, biological product, device, or a combination product in a country of concern.
Audits
U.S. persons may use existing audits, reports, and other compliance practices if they meet the requirements of the rule, and thus there is no need to create duplicative or separate systems or reports. Such individuals may use either internal or external audits so long as they are independent and meet the other requirements of the rule. Audits for restricted transactions need only examine a U.S. person’s restricted transactions (not all data transactions) and only relevant (not all) policies, personnel, and systems.
Licensing
The DOJ can issue general licenses to authorize certain categories of otherwise prohibited or restricted transactions under specified conditions.
Enforcement and Penalties
The DOJ can conduct investigations, hold hearings, examine, and depose witnesses, and issue subpoenas for witnesses and documents related to any matter under investigation. If a violation occurs, the Department will consider the adequacy of the compliance program in any enforcement action.
Violations can result in civil and criminal penalties. Civil penalties can be up to $368,136 or twice the amount of the transaction involved, whichever amount is greater. Willful violations can lead to criminal fines up to one million dollars ($1,000,000) and up to 20 years' imprisonment.
Next Steps and Recommendations for Employers
Employers can take the following steps in light of the new rule:
Conduct Data Mapping & Inventory Review. This process includes identifying where employees, customers, and independent contractors reside, determining whether any bulk data transfers involve covered data or countries of concern, and assessing data flows across HR systems, payroll, benefits vendors, and third-party service providers.
Review Vendor and Service Provider Agreements. Employers can check for cross-border data access, processing, or storage by vendors located in or owned/controlled by entities in countries of concern; renegotiate or terminate contracts where necessary; and incorporate representations and warranties on data handling and cross-border restrictions.
Implement or Strengthen Internal Data Transfer Policies. Steps to strengthen such policies include creating or updating policies governing cross-border access to sensitive data; limiting employee access to covered data from prohibited jurisdictions; and using geofencing, IP restrictions, and role-based access control to enforce these limitations.
Establish a Governance Process for Covered Transactions. Employers can do so by implementing an internal review and approval mechanism for any “covered transaction” under the rule; determining when a transaction might require DOJ notification or could be prohibited; and working with counsel to monitor for exemptions and potential licenses.
Evaluate Third-Party Risk Exposure. Employers can evaluate ownership and control of foreign entities they partner with; determine whether third parties are affiliated with or controlled by entities in countries of concern; and reassess relationships with offshore payroll providers, benefits administrators, and IT outsourcing firms.
Prepare for Enforcement and Regulatory Scrutiny. Finally, to prepare for the rule’s enforcement, employers can document data transfer decisions and compliance measures; create internal training and awareness programs for HR, legal, and IT stakeholders; and monitor DOJ guidance updates and prepare for potential audits or investigations.