Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons
Overview
The U.S. Department of Justice (DOJ) issued a Final Rule, effective April 8, 2025, to implement Executive Order 14117 Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, which was issued on February 28, 2024.What are the new regulations?
The new regulations impose requirements on U.S. persons and entities that provide access to bulk U.S. sensitive personal data or U.S. government-related data to “covered persons” that are affiliated with a “country of concern.”
- “Countries of Concern” include
- China (including Hong Kong and Macau)
- Russia
- Iran
- North Korea
- Venezuela
- Cuba
- A “United States Person” or “U.S. Person” is any:
- U.S. citizen, national, lawful permanent resident, asylee, or refugee;
- Entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches)
- Any person in the United States (regardless of citizenship or status, physically located in the U.S.)
- Any person who is not a U.S. Person is a “Foreign Person.”
- A “Covered Person” is a Foreign Person that
- Is 50% or more owned by a Country of Concern;
- Is organized or chartered under the laws of a Country of Concern;
- Has its primary place of business in a Country of Concern;
- Is 50% or more owned by Covered Persons;
- Is a contractor of a Country of Concern or Covered Person; or
- Is primarily resident in a Country of Concern.
The Attorney General can also designate any person, whether U.S. or foreign, as a Covered Person.
What type of data is covered under the new regulations?
Bulk U.S. Sensitive Personal Data
The rule applies to data transactions involving U.S. sensitive personal data that exceeds a certain “bulk threshold” based on the thresholds below. If the thresholds are met for the data category, the rule’s prohibitions and restrictions on data transactions apply regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted. A data set that contains more than one category is subject to the lowest threshold that applies to any category the data set contains.
|
Data Category |
Bulk Threshold |
|
100,000 U.S. persons |
|
|
10,000 U.S. persons |
|
|
10,000 U.S. persons |
|
|
1,000 U.S. devices |
|
|
1,000 U.S. persons |
|
|
Human 'Omic Data (not Genomic) |
1,000 U.S. persons |
|
Human Genomic Data |
100 U.S. persons |
Government-related data is regulated regardless of volume and includes:
- Precise geolocation data for locations in any area enumerated in a government-published list; or
- Sensitive personal data marketed as linked or linkable to current or former U.S. Government employees, high-level officials, or contractors.
What type of data is covered under the new regulations?
The rule applies to instances where bulk U.S. sensitive data or U.S. government-related data is accessed by a Country of Concern or Covered Person that involves (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement (“Covered Data Transaction”). The rule does not apply when a U.S. person is given access to U.S. sensitive data or U.S. government-related data by a Covered Person.
How does this impact researchers?
If you are dealing with U.S. government-related data or bulk U.S. sensitive data meeting the volume thresholds and plan to disclose or make the data accessible to an external entity, contact the Research Security Office (FI-DataTransfer@utah.edu) prior to proceeding.