By Hansenard Piou and Sam Castic
This is the first in a series of blog posts about the DOJ Rule regarding Access To U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”). It provides a high-level overview of the kinds of cross-border data transfers that are regulated by the DOJ Rule. Future blog posts will more closely examine the DOJ Rule, its requirements, potential impacts, and strategies to address compliance.
On January 8th, 2025, the Department of Justice issued final national security regulations under Executive Order 14117 of February 28, 2024 (Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern). This post refers to these regulations as the DOJ Rule, which is codified at title 28, part 202, of the Code of Federal Regulations. As national security regulations, the DOJ Rule has different objectives than data privacy or data security laws or regulations. It also applies to many different types of companies and organizations in the United States. This blog post focuses on how to determine if a company or organization is in scope for the DOJ Rule.
Key Questions for Transactions In Scope
The questions below can help determine if a data transaction is in-scope for the DOJ Rule. This post explores each of these questions and how they can help determine if the DOJ Rule applies.
Is there a data transaction?
Is the transferring entity or person a U.S. person?
Does the transfer involve bulk U.S. sensitive personal data?
Does the transfer involve government-related data?
Does the transfer involve human biospecimens?
Is the transfer to a vendor, employee, or investor?
Does the transfer involve data brokerage?
Does the transfer involve human ‘omic data or human biospecimens?
Is the transfer recipient a foreign person, covered person, or country of concern?
1. Is there a data transaction?
The DOJ Rule applies to data transactions that involve “access” to certain types of data. Access is a broad concept under the DOJ Rule, and includes:
logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form, including through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment, or software. For purposes of determining whether a transaction is a covered data transaction, access is determined without regard for the application or effect of any security requirements.
Under this broad definition, access occurs when a person or entity receives data, or has the ability to access data remotely. Security measures like encryption or pseudonymization to protect data are not relevant to determining whether there is data access.
2. Is the transferring entity or person a U.S. person?
The DOJ Rule applies to data transactions between U.S. persons and non-U.S. persons (i.e., a foreign person). A U.S. person includes any entity organized solely under the laws of the United States or any jurisdiction within the United States. This would include a publicly traded or privately held corporation incorporated in a U.S. state. It would also include a corporation incorporated in a U.S. state that is a subsidiary of a business entity incorporated outside of the United States or in a country of concern like China.
A U.S. person also includes the following individuals:
A United States citizen, national, or lawful permanent resident;
An individual admitted to the United States as a refugee or under asylum; and
A person in the United States.
For corporations and business entities, the place of incorporation is critical to understanding the applicability of the DOJ Rule. Examples 5 and 8 to the definition of U.S. person make this clear:
Example 5. A company is organized under the laws of the United States and has a foreign branch in a country of concern. The company, including its foreign branch, is a U.S. person.
Example 8. A parent company is organized under the laws of a country of concern and has a subsidiary organized under the laws of the United States. The subsidiary is a U.S. person regardless of the degree of ownership by the parent company; the parent company is a foreign person.
Under the definition and as illustrated by the examples above, the ownership of the U.S. incorporated entity is not relevant. If the entity is incorporated in the U.S., it and its branches outside of the U.S. all count as a U.S. person.
For individuals, any person in the U.S. is also a U.S. person under the DOJ Rule, regardless of their citizenship or country of residence. As a result, individuals traveling to the United States, even if temporarily, may be in scope of the DOJ Rule and should be mindful of any data transactions they make while in the U.S.
3. Does the transfer involve bulk U.S. sensitive personal data?
Bulk U.S. sensitive personal data consists of sensitive personal data that meets bulk volume amounts designated in the DOJ Rule.
There are six types of sensitive personal data: (1) covered personal identifiers, (2) precise geolocation data, (3) biometric identifiers, (4) human ‘omic data, (5) personal health data, and (6) personal financial data. It also includes combinations of those types of data.
Sensitive personal data does not include: data that does not relate to an individual such as trade secret data; information lawfully available to the public from government records or widely distributed media; personal communications; and certain information or informational materials and related metadata.
The bulk volumes in the DOJ Rule are calculated on a rolling 12-month basis, “whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person.” The bulk volumes specified in the DOJ Rule are:
100 U.S. persons – human genomic data;
1,000 U.S. persons – human ‘omic data, or biometric identifiers;
1,000 U.S. devices – precise geolocation data;
10,000 U.S. persons – personal health data, or personal financial data; or
100,000 U.S. persons – covered personal identifiers.
It also includes data combinations from the categories above where the combined data meets the lowest bulk threshold listed above.
The types of sensitive personal data sweep in many types of personal data that have not traditionally been regulated as sensitive personal data under U.S. privacy or data security laws. For example, “covered personal identifiers” generally refers to two or more data types from any of the following types of “listed identifiers” (though there are some exceptions):
Full or truncated government identification or account number (e.g., SSN, driver's license, State identification number, passport number, or Alien Registration Number);
Full financial account numbers or PINs associated with a financial institution or financial-services company;
Device- or hardware-based identifiers (e.g., IMEI, MAC, SIM);
Demographic or contact data (e.g., first and last name, birth date, birthplace, ZIP code, residential street or postal address, phone number, email address, or similar public account identifiers);
Advertising identifiers (e.g., MAID, Google AD ID);
Account-authentication data (e.g., account username, account password, or an answer to security questions);
Network-based identifiers (e.g., IP address, cookie data); or
Call-detail data (e.g., CPNI).
4. Does the transfer involve government-related data?
Government-related data includes two types of data.
First, any precise geolocation data for a location within an area listed on the Government-Related Location Data List is government-related data. With more than 700 locations included on this Government-Related Location Data List, and some encompassing entire cities and regions of states, it’s likely that companies collecting precise geolocation data in the United States will be dealing with government-related data.
Second, sensitive personal data, regardless of volume, that a transacting party “markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and Intelligence Community” is government-related data. This includes sensitive data that is marketed as linked or linkable to such individuals even if it includes other data types or data about other types of people. The DOJ Rule gives a few examples of such marketing, where a U.S. company “advertises the sale of a set of sensitive personal data as belonging to ‘active duty’ personnel, ‘military personnel who like to read,’ ‘Department of Defense’ personnel, ‘government employees,’ or ‘communities that are heavily connected to a nearby military base.’”
5. Does the transfer involve human biospecimens?
Human biospecimens include tissue, blood, urine, or other human-derived material, including any material classified under the following 10-digit Harmonized System-based Schedule B numbers:
(1) 0501.00.0000 Human hair, unworked, whether or not washed or scoured; waste of human hair
(2) 3001.20.0000 Extracts of glands or other organs or of their secretions
(3) 3001.90.0115 Glands and other organs, dried, whether or not powdered
(4) 3002.12.0010 Human blood plasma
(5) 3002.12.0020 Normal human blood sera, whether or not freeze-dried
(6) 3002.12.0030 Human immune blood sera
(7) 3002.12.0090 Antisera and other blood fractions, Other
(8) 3002.51.0000 Cell therapy products
(9) 3002.59.0000 Cell cultures, whether or not modified, Other
(10) 3002.90.5210 Whole human blood
(11) 3002.90.5250 Blood, human/animal, other, or
(12) 9705.21.0000 Human specimens and parts thereof.
Human biospecimens do not include any such biospecimens that are “intended by a recipient solely for use in diagnosing, treating, or preventing any disease or medical condition.”
6. Is the transfer to a vendor, employee, or investor?
The DOJ Rule applies to data transactions that involve access to bulk U.S. sensitive personal data or government-related data by certain vendors, employees, or investors. If any such vendor, employee, or investor is a country of concern or a covered person under the DOJ Rule, then the data transaction will be a restricted transaction.
Data transactions pursuant to a vendor agreement can be in scope for the DOJ Rule. These include agreements where one party provides goods or services, including cloud-computing services, to another in exchange for payment or other consideration.
Data transactions pursuant to an employment agreement can also be in scope for the DOJ Rule. Employment agreements include those where an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration.
Finally, data transactions involving an investment agreement can be subject to the DOJ Rule. Investment agreements include those where a person obtains direct or indirect ownership interests in or rights in relation to U.S. real estate or a U.S. legal entity, in exchange for payment or other consideration.
7. Does the transfer involve data brokerage?
The DOJ Rule can apply to data transactions involving data brokerage of bulk U.S. sensitive personal data or government-related data. If the person or entity receiving the data in a data brokerage transaction is a country of concern, covered person, or foreign person, the transaction is prohibited by the DOJ Rule. The data brokerage transaction with a foreign person is not prohibited if: (i) the foreign person is not a covered person; (ii) there is a contract that prohibits the foreign person from engaging in a subsequent data brokerage transaction involving the same data and a country of concern or covered person; and (iii) known or suspected violations of the contractual requirement are reported to the DOJ.
Data brokerage is a broad concept under the DOJ Rule. It includes “the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.” Examples in the DOJ Rule make clear that data brokerage includes:
Maintaining a database of bulk U.S. sensitive personal data and licensing access to that data;
Operating a mobile app and transmitting bulk U.S. sensitive personal data to an advertising exchange to sell ad space;
Transmitting bulk U.S. sensitive personal data via third-party tracking pixels on a website for targeted advertising;
Transmitting bulk U.S. sensitive personal data via third-party SDKs in a mobile app for targeted advertising;
Selling or licensing bulk U.S. sensitive personal data to a parent company to develop AI/ML capabilities; and
Transmitting bulk health data and human ‘omic data on U.S. persons from a research grant recipient researcher to its grantmaking organization.
These examples illustrate that the DOJ Rule’s definition of data brokerage is broader than the common understanding of the term.
8. Does the transfer involve human ‘omic data or human biospecimens?
The DOJ Rule prohibits transactions that allow countries of concern or covered persons to access bulk U.S. sensitive personal data that involves bulk human ‘omic data, or human biospecimens from which bulk human ‘omic data could be derived.
9. Is the transfer recipient a foreign person, covered person, or country of concern?
To identify if a data transaction is a restricted transaction, you must assess whether the vendor, employee, or investor is a covered person or country of concern. To identify if it is a prohibited transaction, you need to know whether it involves covered persons, countries of concern, or foreign persons.
Countries of concern include China, Cuba, Iran, North Korea, Russia, and Venezuela.
Foreign persons include any individual or entity that is not a U.S. person. This includes any entity incorporated outside of the U.S.
Covered persons are any individual or entity that is one of the following:
(1) A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern or persons described in paragraph (2) below; or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
(2) A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in paragraphs (1) above, or (3), (4), or (5) below;
(3) A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in paragraphs (1) or (2) above, or (5) below;
(4) A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or
(5) Any person, wherever located, when designated by the Attorney General.
An exploration of an entity’s operations, corporate structure, and ownership may be needed to determine if an entity is a covered person.
The DOJ Rule is a complex set of regulations, and assessing whether it applies is not straightforward. Companies should start by assessing whether they have entities that are U.S. persons under the DOJ Rule. If so, it’s then important to understand what data types those entities deal with to identify if any are in-scope for the DOJ Rule. If any are, the nature of the vendors, employees, investors, and others that the company permits to access such data will determine whether any of the access is restricted or prohibited by the DOJ Rule.
Consider the questions in this blog post, or the alternate version in this document, to help assess whether your company or organization is in-scope for the DOJ Rule.
As noted above, we will dive deeper into the DOJ Rule in subsequent blog posts.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.
Hansenard Piou is an Associate at Hintze Law PLLC with experience in global data protection issues, including kids’ global privacy laws, AADC, privacy impact assessments, GDPR, and privacy statements.
Sam Castic is a Partner with Hintze Law, chair of the firm’s Retail Group, and co-chair of the Cybersecurity and Breach Response Group and FinTech + Financial Services Group. As a former chief privacy officer, he helps companies build, scale, and right-size privacy programs and strategies.