New U.S. Regulations Impose Significant Restrictions on Cross-Border Data Flows

The Department of Justice adopted a final Rule on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons that takes effect on April 8, 2025.  This sweeping Rule will prohibit a number of cross-border personal data flows to people and entities with certain connections to China, Cuba, Iran, North Korea, Russia, or Venezuela, including individuals and entities in those countries, entities with ownership stakes by people in those countries, and other connections explored below.  This post summarizes the types of transactions and data flows that are prohibited and restricted, obligations for restricted transactions, exceptions, and examples of types of U.S. companies and business practices that may be impacted.  Finally, we offer some next steps to consider in order to help assess whether a U.S. company is in-scope.

Key Defined Terms in the Rule 

There are a few defined terms in the Rule that are necessary to understand its scope and applicability.  First, the Rule uses the terms covered persons, U.S. persons, and foreign persons to distinguish between types of people and entities.  In summary, these defined terms are:  

  • Covered person is an individual or entity that has specified connections to one or more countries of concern. The types of connections that make an individual or entity a covered person include: 

  1. A foreign-person entity that is organized or chartered under the laws of a country of concern; that has its principal place of business in a country of concern; or that is 50% or more owned (directly or indirectly, individually or in aggregate) by countries of concern or by persons described in (2) below;

  2. A foreign-person entity that is 50% or more owned (directly or indirectly, individually or in aggregate) by persons described in (1) above or in (3), (4), or (5) below; 

  3. A foreign-person individual who is employed by or contracting for a country of concern or for an entity described in (1) or (2) above or (5) below; 

  4. A foreign-person individual who resides in a country of concern; and 

  5. Any person, wherever located, that the Attorney General determines to be a covered person. 

The interrelation between the ownership triggers in (1) and (2) means that the direct and indirect ownership structures of foreign entities (i.e., any entities based or incorporated in any non-U.S. jurisdiction) will need to be carefully examined to determine whether an entity is a covered person.  

  • U.S. person is “any United States citizen, national, or lawful permanent resident; any individual admitted to the United States as a refugee or under asylum; any entity organized solely under the laws of the United States or any jurisdiction within; or any person in the United States.”

  • Foreign person is any person that is not a U.S. person under the definition above. This means entities organized under the laws of non-U.S. jurisdictions are foreign persons, and this extends to subsidiaries and affiliates too.  For example, a U.S. entity’s subsidiary incorporated under foreign law is a foreign person, but a China-based entity’s subsidiary incorporated under U.S. law is a U.S. person. 

Second, there are defined terms for data types, including for sensitive personal data, bulk U.S. sensitive personal data, and government-related data.  The definition of sensitive personal data is broad, and includes a number of types of data that are not generally classified as sensitive personal data under U.S. law.  In summary, these defined terms are: 

  • Sensitive personal data includes “covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof.”  Each of those data types is further defined in the Rule; in summary, they include: 

    • Covered personal identifiers—any listed identifier in combination with (i) another listed identifier or (ii) other data disclosed in the transaction such that it is linked or linkable to other listed identifiers or sensitive personal data.  Listed identifiers include: 

      • Full or truncated government identification or account numbers (e.g., SSN, driver’s license or state identification number, passport number, Alien Registration Number); 

      • Full financial account numbers or PINs associated with a financial institution or financial services company; 

      • Device-based or hardware-based identifiers (e.g., IMEI, MAC address, SIM card number); 

      • Demographic or contact data (e.g., name, birthdate, birth place, ZIP code, address, phone number, email address, or similar public account identifiers);  

      • Advertising identifiers (e.g., Google Advertising ID, Apple ID for Advertisers, or mobile advertising ID); 

      • Account-authentication data (e.g., username, account password, or security question answer); 

      • Network-based identifier (e.g., IP address or cookie data); and 

      • Call-detail data (e.g., CPNI). 

    • Covered personal identifiers exclude: demographic or contact data that is only linked to other demographic or contact data; and network-based identifiers, account-authentication data, and call-detail data that is only linked to other such data as necessary to provide telecommunications, networking, or similar services. 

    • Precise geolocation data— “data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters.” 

    • Biometric identifiers— “measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.”

    • Human ‘omic data—A catchall term covering human genomic, epigenomic, proteomic, and transcriptomic data. 

    • Personal health data—“health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition …; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare... This term includes basic physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms, and allergies); social, psychological, behavioral, and medical diagnostic, intervention, and treatment history; test results; logs of exercise habits; immunization data; data on reproductive and sexual health; and data on the use or purchase of prescribed medications.” 

    • Personal financial data— “data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report” or FCRA consumer report. 

Sensitive personal data does not include: (i) data that does not relate to an individual, (ii) data lawfully made available to the public from government records or in widely distributed media, (iii) personal communications (e.g., mail, phone, or other personal communications that don’t transfer anything of value), and (iv) information or informational materials (e.g., certain expressive material including publications, films, etc., as further defined in the Rule) and certain related metadata. 

  • Bulk U.S. sensitive personal data is “a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds” these thresholds at any point in the preceding 12 months: 

    • Human ‘omic data of more than 1,000 U.S. persons or genomic data of more than 100 U.S. persons; 

    • Biometric identifiers of more than 1,000 U.S. persons; 

    • Precise geolocation data of more than 1,000 U.S. devices; 

    • Personal health data of more than 10,000 U.S. persons; 

    • Personal financial data of more than 10,000 U.S. persons; 

    • Covered personal identifiers of more than 100,000 U.S. persons; or  

    • Combined data that contains more than one of the categories above, or any listed identifier linked to any of the categories above, where any individual data type in the combination meets the threshold for its own category (i.e., the lowest number of U.S. persons or devices listed for that category of data). 

The thresholds noted above apply whether they’re met through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person. 

  • Government-related data is precise geolocation data that relates to locations designated in the Rule’s Government-Related Location Data List (e.g., relating to national security matters); and sensitive personal data marketed as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government.  

Third, the Rule has defined terms necessary to understand activities that it prohibits or restricts.  Summaries of these defined terms are: 

  • Covered data transaction, which is “any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves: (1) Data brokerage; (2) A vendor agreement; (3) An employment agreement; or (4) An investment agreement.”  The Rule also contains definitions for vendor, employment, and investment agreements.  Under this definition, many types of common business activities will be covered data transactions where a country of concern or covered person is involved.   

  • Data brokerage, which is broadly defined to include “the sale of data, licensing of access to data, or similar commercial transactions . . . involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.”  The definition excludes data transfers in connection with employment, investment, or vendor agreements, each as defined in the Rule.  Under this definition—and differing from the approach many state laws take—licensing or selling first-party data that a company collects directly from data subjects can be data brokerage.  

Prohibited Transactions Under the Rule 

There are three types of transactions that the Rule generally prohibits U.S. persons from knowingly engaging in.  These include: 

  • Data brokerage transactions with countries of concern or covered persons. Specifically, covered data transactions involving data brokerage with a country of concern or covered person are prohibited.  This prohibition may have significant impacts for companies acting as data brokers or offering personal data related products and services, as many existing and prospective customers may be covered persons under the Rule.   

  • Certain data brokerage transactions with foreign persons.  Any transaction involving access by a foreign person to government-related data or bulk U.S. sensitive personal data that involves data brokerage with any foreign person (that is not a covered person) is prohibited.  This prohibition does not apply if the U.S. person engaging in the transaction: (1) contractually prohibits the foreign person from engaging in any covered data transaction involving data brokerage of the data with a country of concern or covered person; and (2) reports known or suspected violations of the contractual requirement to the Department of Justice per the Rule’s requirements (including within 14 days of becoming aware).  This prohibition will require many companies that act as data brokers or offer personal data related products and services to amend agreements with non-U.S. customers within a relatively short timeframe, or to stop serving those customers.  Companies providing these types of products and services to non-U.S. customers will also need to develop processes for internally routing and reporting suspected contractual violations to the Justice Department. 

  • Certain human ‘omic data and biospecimen transactions with countries of concern and covered persons. The Rule prohibits covered data transactions with a country of concern or covered person that involve access to: (A) bulk U.S. sensitive personal data including bulk human ‘omic data, or (B) human biospecimens from which bulk human ‘omic data could be derived.  Human biospecimens include certain tissue, blood, urine, or other human-derived material.  This prohibition may have the most significant impact for companies in the genetic testing, diagnostic, research, and life sciences spaces. 

U.S. persons that receive and reject offers to engage in prohibited transactions involving data brokerage (e.g., from existing or potential customers in connection with data products or services) have mandatory 14-day reporting requirements, detailed in the reporting requirements section below.   

The Rule prohibits transactions that have the purpose or effect of evading, avoiding, causing a violation, or attempting to violate any of the prohibitions above.  U.S. persons are also prohibited from directing transactions that would violate the prohibitions above, or restrictions below, if those transactions were engaged in by a U.S. person. 

Restricted Transactions and Security, Diligence, Audit, and Recordkeeping Requirements 

The Rule restricts U.S. persons from knowingly engaging in covered data transactions involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person unless the U.S. person complies with specified security, diligence and audit, and recordkeeping requirements. 

The types of agreements noted are broad and may cover many types of contracts and arrangements that businesses enter into to operate and perform necessary business functions.   

  • Vendor agreements are any agreements or arrangements where goods or services (including cloud-computing services) are provided for payment or other consideration.   

  • Employment agreements include agreements or arrangements where individuals perform work or job functions for payment or other consideration.  They include employment on a board or committee, executive-level arrangements and services, and operational level employment services; they do not include independent contractor arrangements.   

  • Investment agreements are agreements or arrangements where a person, for payment or other consideration, obtains direct or indirect ownership interests or rights relating to real estate in the U.S., or a U.S. legal entity.  Investment agreements don’t include certain passive investments, like those made in publicly traded securities, in SEC-registered investment company offered securities, in regulated business development company offered securities, or as a limited partner in certain fund types subject to other conditions in the Rule.  To be an excluded passive investment, the investment must also give less than 10% in total voting and equity interest in a U.S. person, and cannot give rights beyond standard minority shareholder protections. 

Security requirements for restricted transactions 

The security requirements are the Cybersecurity and Infrastructure Security Agency (“CISA”) Security Requirements for Restricted Transactions. The requirements draw on the NIST Cybersecurity Framework, the NIST Privacy Framework, and the CISA Cross-Sector Cybersecurity Performance Goals.  They include detailed requirements in the areas summarized below. 

  • Organizational- and system-level requirements for covered systems including for: 

    • Asset inventories, updated monthly for IT assets; 

    • CISO or other responsible individuals for cybersecurity and governance, risk, and compliance functions (GRC); 

    • Remediation of known exploited vulnerabilities within 45 days; 

    • Documentation of all vendor/supplier agreements for covered systems (inclusive of cybersecurity requirements); 

    • Network diagrams and topologies; 

    • Approval protocols before hardware or software is deployed on covered systems, and maintenance of an allowlist for approved hardware and software on covered systems; 

    • Incident response plan(s) applicable to covered systems, with annual reviews; 

    • Logical and physical access controls to prevent covered persons or countries of concern from gaining access to covered data; 

    • Multifactor authentication (MFA) on all covered systems or specified password length requirements where MFA is not possible; 

    • Promptly revoking (e.g., on day of departure or within a risk-informed timeframe) any credentials/access to covered systems on individual termination or role change; 

    • Logging access and security events for covered systems; 

    • Configuring covered systems to deny connections by default unless explicitly allowed for system functionality; 

    • Issuing and managing identities and credentials for authorized users, services, and hardware; and 

    • Conducting an internal data risk assessment that evaluates whether and how the overall approach sufficiently prevents access to covered data by covered persons or countries of concern. 

  • Data-level requirements, under which restricted transactions must use a combination of the following mitigations that together prevent access to covered data by covered persons or countries of concern: 

    • Designated data minimization and data masking strategies; 

    • Encryption and key management techniques during the course of restricted transactions; 

    • Privacy enhancing technologies; and  

    • Configuration of identity and access management techniques. 

Diligence and audit requirements for restricted transactions 

By October 5, 2025, U.S. persons engaged in restricted transactions must address the following due diligence and audit requirements. 

  • Due diligence addressed through implementation of a data compliance program that includes: 

    • Risk-based procedures for verifying data flows involved in any restricted transaction, including verifying and logging in an auditable manner: 

      • Types and volumes of government-related data and bulk U.S. sensitive personal data involved; 

      • The transaction parties, including ownership of entities or citizenship or primary residence of individuals; and 

      • The end-use of the data and the method of data transfer; 

    • For restricted transactions that involve vendors, risk-based procedures for verifying the identity of vendors; 

    • Written policies that describe the program and how security requirements are implemented, and that are annually certified by an officer, executive, or other employee responsible for compliance; and 

    • Any other information that the Attorney General may require. 

  • Audit requirements, including conducting an audit that: 

    • Is performed by a qualified independent auditor (who is not a covered person or a country of concern); 

    • Is performed once per calendar year during which the U.S. person engages in restricted transactions; 

    • Covers the prior 12 months; 

    • Has a scope that includes examination of the restricted transactions, the security requirements, the data compliance program and its implementation, and the required records; and 

    • Results in a written report that covers a number of matters detailed in the Rule (audit reports must be maintained for 10 years). 

Recordkeeping requirements for restricted transactions 

By October 5, 2025, U.S. persons engaging in restricted transactions must keep records of each restricted transaction for 10 years after each transaction.  In addition to ones noted above, records that need to be maintained in an auditable manner include: 

  • Documentation of the due diligence conducted to verify the data flow involved in any restricted transaction; 

  • Documentation of the method of data transfer; 

  • Documentation of the dates the transaction began and ended;  

  • Copies of any agreements associated with the transaction; 

  • A copy of any relevant documentation received or created in connection with the transaction; and  

  • An annual certification by an officer, executive, or other employee responsible for compliance of the completeness and accuracy of the records documenting due diligence. 

Exempt Transactions 

Some types of transactions are exempt from the Rule, including:   

  • Personal communications, including “any postal, telegraphic, telephonic, or other personal communication” that transfers nothing of value; 

  • Information or informational materials, including expressive material like publications, films, posters, photographs, CDs, art, and news wire feeds, including certain associated metadata; 

  • Travel transactions “ordinarily incident to travel to or from any country” including for transporting baggage, acquiring goods or services for personal use, and making travel arrangements; 

  • Official business of the United States Government including when conducted by employees, grantees, or contractors; 

  • Financial services transactions are exempt to the extent that they are “ordinarily incident to and part of the provision of financial services, including:” 

    • Banking, capital-markets, or financial insurance services; 

    • A financial activity authorized for national banks; 

    • An activity that is “financial in nature or incidental to such financial activity” or “complementary to a financial activity” under the Bank Holding Company Act of 1956; 

    • The transfer of personal financial data or covered personal identifiers incidental to the purchase and sale of goods and services; 

    • The provision or processing of payments or funds transfers; or 

    • The provision of investment-management services; 

  • Corporate group transactions are exempt to the extent that they are between a U.S. person and its subsidiary or affiliate and ordinarily incident to and part of administrative or ancillary business operations (as further specified in the Rule); 

  • Transactions required or authorized by federal law or international agreements; 

  • Investment agreements that are subject to a Committee on Foreign Investment in the U.S. action; 

  • Telecommunications services related data transactions (other than data brokerage) if ordinarily incident to and part of the provision of telecommunications services; 

  • Regulatory approval data for drug, biological, product, or device regulatory approvals where the transaction is necessary to obtain or maintain the approval; 

  • Clinical investigation data for clinical investigations regulated by the FDA or that support applications to the FDA, or clinical care data to monitor real-world performance or safety, or post-marketing surveillance data that is necessary to support and maintain an authorization by the FDA; and 

  • Data in public records, including government records or widely distributed media. 

Reporting Requirements  

Any U.S. person that receives and rejects (even via automated means) an offer to engage in a prohibited transaction involving data brokerage on or after October 6, 2025 must report it within 14 days to the Department of Justice.  The report must include details noted in the Rule. 

The Rule details annual reporting requirements for U.S. persons that engage in restricted transactions involving cloud computing services on or after October 6, 2025 if the U.S. person has 25% or more ownership (directly or indirectly) by a country of concern or covered person.   

The Rule empowers the Department of Justice to request reports, under oath, at any time about transactions or covered data transactions.   

Penalties 

Violations of the Rule can face a civil penalty up to the greater of $368,136 or twice the amount of the violating transaction.  Willful violations can face a fine of up to $1,000,000, up to 20 years in prison, or both. 

Effective Dates 

The Rule is effective April 8, 2025, with the diligence, audit, and recordkeeping requirements for restricted transactions becoming effective on October 5, 2025. 

Companies and Business Practices That May Be Impacted 

The Rule will have impacts for a number of companies and company practices, as illustrated by the requirements summarized above and numerous illustrative examples in the Rule itself.  For example, there will be impacts for U.S. companies: 

  • With websites or mobile applications that use pixels, SDKs, or other methods to share data for targeted advertising purposes, as most companies do.  Companies will need to ensure none of the third parties they share this data with are “covered persons” (such as companies based in China or with 50% ownership by people residing in China).  Examples in the Rule highlight this scenario and note that such sharing can be a prohibited data brokerage transaction when the third parties are covered persons.   

  • With parents or affiliates in China or countries of concern.  These companies may need to restrict access or transfers of sensitive personal data to these affiliated corporate entities, such as in connection with research, product development, and certain other use cases.  Some corporate group transactions are exempt from the Rule when part of administrative or ancillary business operations, but others are not.  For example, the Rule notes that if an IT company operating an autonomous driving platform shared U.S. car geolocation with a parent company in a country of concern for AI/ML development, this would be prohibited data brokerage.   

  • Licensing or developing generative AI solutions trained on bulk U.S. sensitive personal data, when the solutions are capable of reproducing or disclosing the training data.  The Rule includes an example of an AI chatbot with such capabilities, and notes that licensing it to customers in countries of concern is a prohibited data brokerage transaction.  Companies with such AI solutions should confirm that their licensed solutions were not trained on bulk U.S. sensitive personal data, or if they were, that they’re not capable of disclosing the training data.   

  • Offering personal data as a product or service, or acting as data brokers.  Companies may be prohibited from providing those services to a number of types of customers.  This is the case where bulk U.S. sensitive personal data is shared, and surprising combinations of data can meet this standard.  For example, if the data shared includes names, email addresses, or ZIP codes, along with IP addresses, online advertising identifiers, or account usernames, then it’s sensitive personal data; sharing such data about more than 100,000 U.S. people with customers with certain ties to countries like China is prohibited. Enhanced customer vetting procedures may be needed before services can start, and services to certain existing customers may need to stop.  Relatedly, if the customer is any non-U.S. entity or person, such data can’t be shared unless the governing contract has the Rule-required restrictions, and the companies comply with the DOJ reporting requirements for suspected contract violations. 

  • Employing people or using contractors in China or countries of concern.  If these people have access to data constituting bulk U.S. sensitive personal data, companies may be engaging in covered data transactions under the Rule and, unless an exemption applies, would need to address the required security, diligence, audit, and recordkeeping requirements.  Companies with personnel in these jurisdictions should confirm that there is no ability to access U.S. sensitive personal data, or implement the required controls and processes. 

  • Using vendors in China or countries of concern that will have access to bulk U.S. sensitive personal data.  These companies will be engaging in covered data transactions and will either need to cease use of these vendors, prevent access to U.S. sensitive personal data, or address the Rule’s required security, diligence, audit, and recordkeeping requirements.  New diligence protocols may be needed before vendors are onboarded to confirm whether they are covered persons, and existing vendors should be reviewed to see if any are covered persons. 

What Should Companies Do Now? 

The Rule is complex and has implications that may not be immediately apparent.  Below are steps to help assess whether a U.S. company engages in prohibited or restricted transactions.  

Identifying prohibited transactions 

Consider these steps to help identify whether a U.S. company engages in prohibited transactions: 

  1. Identify if personal data is disclosed to or accessed by people or entities that are not employees/contractors, investors, or vendors.  If so, this may be data brokerage. 

  2. Assess if it’s sensitive personal data about U.S. people.   

  3. Determine if the people or entities are entities incorporated outside the U.S., or are individuals outside the U.S.  If so, they may be foreign persons or covered persons under the Rule. 

  4. Evaluate whether the transactions are exempt.   

  5. For any non-exempt transactions, the transactions may be prohibited with covered people or countries of concern, and with any other foreign people unless the contract and reporting requirements are addressed. 

Identifying restricted transactions 

Consider these steps to help identify whether a U.S. company engages in restricted transactions: 

  1. Identify where the company stores and transfers sensitive personal data about U.S. people, considering the broad definition of the term.   

  2. Focus on sensitive personal data storage and transfers that meet the volume thresholds for bulk U.S. sensitive personal data. 

  3. Determine if any employees, contractors, or investors in countries of concern receive or can access this sensitive personal data.  If so, it may be a covered data transaction. 

  4. Determine if any vendors incorporated outside the U.S. receive or can access this sensitive personal data.  If so, these vendors are foreign persons. 

  5. Assess whether any of the identified foreign person vendors are incorporated or based in countries of concern, or have 50% or more ownership by people or entities in countries of concern.  If so, the sensitive personal data shared with these vendors may be covered data transactions. 

  6. Evaluate whether the transactions with any of the identified employees, contractors, investors, or vendors are exempt transactions.   

  7. For non-exempt transactions, these may be restricted transactions that require work to address the security, diligence, audit, and recordkeeping requirements in the Rule. 

For some companies, the steps above may make sense to evaluate in a different sequence—for example, identifying whether employees are in countries of concern may be easier than identifying where sensitive personal data is stored.  These steps may help to get a sense of whether a company is in-scope, but may not catch all transactions that are in-scope for the Rule.  Whether using the steps above or approaching in another manner, with an effective date that’s just months away, U.S. companies should quickly evaluate how the Rule applies to their business practices.   

Sam Castic is a Partner with Hintze Law, chair of the firm’s Retail Group, and co-chair of the Cybersecurity and Breach Response Group and FinTech + Financial Services Group. As a former chief privacy officer, he helps companies build, scale, and right-size privacy programs and strategies.

Hansenard “Hansy” Piou is an Associate at Hintze Law PLLC. Hansy has experience with global data protection issues, including kids’ global privacy laws, AADC, privacy impact assessments, GDPR, and privacy statements.  

 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.