Department of Justice Final Rule Relating to U.S. Sensitive Personal Data and Government-Related Data
Earlier this year, the Department of Justice issued the Data Security Program (Rule), to implement , “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This Rule functions like an export control: it restricts and sometimes prohibits transferring to certain countries and entities large amounts of Americans’ sensitive personal and government-related data. Specifically, the Rule restricts individuals from engaging in with that are affiliated with , including China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
Who is a Covered Person?
means:
- Foreign entities that are organized under the laws of a Country of Concern, have their principal place of business in a Country of Concern, or are 50% or more owned by a Country of Concern.
- Entities that are 50% or more owned by another Covered Person.
- Foreign individuals who are:
  - Primarily a resident in a Country of Concern, or
  - Employed by or acting on behalf of a covered entity.
- Any individual specifically designated by the U.S. Department of Justice as subject to the direction or control of a country of concern or another covered person.
What Data is Covered?
The regulations cover two primary types of data:
- : this includes data on that exceeds specific thresholds, and applies to biospecimens to the extent this data can be derived from such samples. The regulations apply even if the data has been anonymized or encrypted. The categories of data covered, along with their bulk thresholds are:
  - : The personal financial data of 10,000 or more U.S. persons.
  - : The precise geolocation data of 1,000 or more U.S. persons.
  - : The biometric identifiers of 1,000 or more U.S. persons.
  - : The personal health data of 10,000 or more U.S. persons.
  -
    - Genomic Data: The data of 100 or more U.S. persons.
    - Epigenomic, Proteomic, and Transcriptomic Data: The data of 1,000 or more U.S. persons.
  - : Personal identifiers (such as full name, physical address, phone number, and Social Security number) of 100,000 or more U.S. persons.
- : This includes precise geolocation data near U.S. government facilities or sensitive personal data that is marketed as linkable to U.S. government personnel, regardless of volume.
What is a Covered Data Transaction?
A is any transaction that involves access by a Country of Concern or Covered Person to any Bulk U.S. Sensitive Personal Data or Government-Related Data and that involves:
- A
- An
- An
Activities that are not restricted by the Rule
The following activities are not prohibited by the Rule:
- A Covered Person can access bulk U.S. sensitive personal data or U.S. government-related data while located in the United States. Upon leaving the United States, the Covered Person can no longer access this data.
- Access provided by Covered Persons: The rule does not apply when a U.S. person (including U.S. institutions) receives data from a Covered Person.
- Data transactions with Countries of Concern or Covered Persons involving drug, biological product, device, or combination product approvals or authorizations if the data transactions involve necessary to obtain or maintain regulatory compliance.
Note that the above activities may trigger additional reporting requirements. Other exemptions may apply.
What are the consequences of non-compliance?
Non-compliance can lead to:
- Civil or criminal penalties
- Sanctions
- Reputational damage to the affiliated individual and institution
Next Steps:
This announcement provides an overview. Stakeholders in offices and departments must conduct a preliminary review using the questions below. If the answers reveal activities that may be covered by the Rule, the stakeholder must contact the Office of the General Counsel.
- Are there any employees in the office/department who have partial residence in one of the Countries of Concern?
- Are there any vendor or professional arrangements with Covered Persons or involving Countries of Concern? It is crucial to assess whether a party, by virtue of its location or affiliations, could fall within a restricted category.
- Are there any research projects that involve Covered Transactions at or above the numerical threshold? Does the research involve:
  - Accessing or sharing covered data;
  - Collaborating with foreign entities or researchers from Countries of Concern; or
  - Utilizing data platforms or services that may be subject to restrictions.
Additional Information:
The Rule is complex and extensive. More information can be found in the DOJ’s and in the DOJ’s . For a brief, one-page overview, see .