Client Alert: Bulk Data Transfer Rule

On April 8, 2025, the US Department of Justice’s Final Rule “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (“Final Rule”) took effect. The Final Rule outlines when large transfers of sensitive personal or US government data to countries of concern or covered persons are allowed, restricted, or banned.
What is the purpose?
To protect Americans’ sensitive personal data from being misused by foreign powers and state-sponsored actors.
What are the countries of concern?
The Final Rule has identified the following as countries of concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
Who are covered persons?
The five types of covered persons consist of:
- Foreign entities that are 50 percent or more owned, directly or indirectly, by a country of concern, or that are organized under the laws of, or have their principal place of business in, a country of concern;
- Foreign entities that are 50 percent or more owned, directly or indirectly, individually or in the aggregate, by covered persons;
- Foreign individuals who are non-US residents working as employees or contractors of a country of concern or of a covered person;
- Foreign individuals primarily residing in countries of concern; or
- Any person that the attorney general designates as a covered person.
This broad definition means businesses must look beyond country borders to the ownership, affiliations, and activities of their partners, vendors, and even employees. For example, a US company may face issues if its foreign supplier’s parent company is 50 percent owned by a Chinese entity, even if the supplier itself seems neutral.
What is covered data?
The Final Rule regulates transactions involving six categories of sensitive personal data and two categories of government-related data:
- “Bulk” amounts of sensitive personal data, defined as meeting or exceeding the thresholds below. A threshold is met if, in the preceding twelve months, it was satisfied through a single covered data transaction or aggregated across covered data transactions involving the same US person and the same foreign person or covered person.
  - Certain covered personal identifiers (e.g., names linked to media access control (MAC) addresses from devices and first and last name linked to an email and IP address) on over 100,000 US persons;
  - Precise geolocation data on over 1,000 US devices;
  - Biometric identifiers on over 1,000 US persons;
  - Human genomic data on over 100 US persons;
  - Personal health data on over 10,000 US persons; and
  - Personal financial data on over 10,000 US persons.
- Government-related data, regardless of processing volume, includes:
  - Precise geolocation data of certain sensitive government locations or geographical areas identified in the Government-Related Location Data List (e.g., duty stations, military installations, and embassies); and
  - Sensitive personal data that is linked or linkable to current or former employees or contractors of the US government.
What is a prohibited transaction?
The Final Rule prohibits US persons from knowingly engaging in the following:
- Data brokerage of bulk US sensitive personal data or any covered government-related data, and transfer of bulk human biometric data or human biospecimens to covered persons;
- Data brokerage with foreign parties that are not a covered person unless contractual obligations are in place that restrict onward transfer of the data to covered persons by the receiving parties; and
- Transactions designed to circumvent the Final Rule (e.g., using a “strawman”).
What is a restricted transaction?
The Final Rule restricts US persons from knowingly engaging in certain transactions involving vendor, employment, or investment agreements with a covered person unless certain conditions are satisfied. The Final Rule imposes due diligence, data security, auditing, and reporting requirements as conditions for companies to engage in restricted transactions.
What penalties will US businesses face for violations?
Starting on July 8, 2025, violations may result in: (a) civil penalties (up to the greater of $368,136 or two times the amount of the transaction involved) and/or (b) criminal penalties (up to twenty years of imprisonment and/or criminal fines of up to $1 million).
What immediate steps should US businesses take?
Organizations should conduct thorough evaluations of their data management practices and domestic and international interactions. Key steps include:
- Identify Covered Data Transactions
  - Identify and map covered data transactions: Determine whether your organization engages with countries of concern or covered persons in its vendor, employment, or investment agreements in relation to covered data.
  - Review Third-Party and Employment Relationships: Closely monitor your information technology or other supplier engagements, merger and acquisition transactions, real estate transactions, employment arrangements, and investment partnerships to ensure compliance with the Final Rule.
- Develop and Build a Robust Data Compliance Program by October 6, 2025.
  - Establish risk-based procedures for verifying regulated data flows; conduct due diligence on transaction counterparties, vendors, employees, and investors to verify compliance; and establish written policies describing security requirements that meet certain standards.
  - Conduct an annual audit regarding the program’s compliance under the Final Rule.
  - Comply with reporting and recordkeeping requirements, including documenting due diligence and maintaining the results of annual audits that verify compliance with the security requirements.
- Seek Expertise
  - Legal and tech advisors are essential to navigate compliance with the Final Rule alongside other regulatory frameworks. BRG’s Privacy and Data Compliance team can help your organization understand the Final Rule, assess your current practices, and move into full compliance.
What does this mean?
The Final Rule will have a substantial effect on a wide range of US organizations. Companies with international operations, especially those handling sensitive data, will need to reassess their data transfer protocols and contractual agreements to ensure compliance. For example, employment agreements involving foreign nationals residing in countries of concern may need to be further analyzed. Businesses may need to reconsider partnerships and collaborations with entities in countries of concern, potentially impacting global business strategies and market access. The Final Rule introduces a new layer of regulatory oversight that will require companies to stay vigilant and proactive in their compliance efforts.