The DOJ’s New Data Rule: What Every Company Touching US Personal Data Needs to Know
A sweeping January 2025 rule from the US Department of Justice draws a hard line around sensitive American data and its reach extends far beyond US borders.
The United States government has made its position clear: certain categories of American personal data are a matter of national security, and the era of unrestricted data ;ows to adversarial nations is over. In January 2025, the US Department of Justice issued a final rule under Executive Order 14117, establishing a formal prohibition and restriction regime on what it calls "covered data transactions." For any business, wherever incorporated, that handles sensitive US personal data, this rule demands immediate attention. I attended the IAPP's dedicated webinar on this rule, and what follows is a clear-eyed breakdown of the framework: who it catches, what it prohibits, and what companies need to do now.
"It is not a data privacy rule. It is a national security instrument, and it carries criminal teeth."
It is not a data privacy rule. It is a national security instrument, and it carries criminal teeth.
The rule targets transactions that transfer or provide access to bulk US sensitive personal data or US government-related data to a "covered person", an individual or entity with a material connection to a "country of concern." The current countries of concern include China, Russia, Iran, North Korea, Cuba, and Venezuela.
The rule distinguishes between two categories of regulated activity:
PROHIBITED TRANSACTIONS
These are outright banned. They involve the direct transfer of bulk sensitive personal data, including human genomic data, biometric identifiers, geolocation data, and personal health data to covered persons. No exemption applies. No compliance programme saves you. The transaction simply cannot happen.
RESTRICTED TRANSACTIONS
These are permitted, but only with security measures in place. They include vendor agreements (SaaS, data storage, cloud services), employment agreements, and investment agreements. Critically, the rule applies to both pseudonymised and anonymised data, a point that will surprise many compliance teams who assumed de-identication offered a clean escape route.
Who Does It Catch? The DOJ's Three-Part Checklist
The rule applies where you can tick all three boxes:
▸ A US Person is a party, any individual located in the United States, or any entity organised under US law.
▸ A Covered Person is involved, someone with a material connection to a country of concern. This includes Chinese nationals living in China, Chinese-owned companies, and any entity where covered persons own more than 50% of the stakes.
▸ The transaction involves bulk sensitive personal data that meets or exceeds the defined data thresholds (see below).
A Chinese national residing in the United States is explicitly excluded from the definition of "covered person", an important carve-out that reflects the rule's geopolitical rather than ethnic framing.
The Data Thresholds: What Counts as "Bulk"?
The rule only activates once a transaction involves data at a certain scale. These thresholds are calculated on a rolling 12-month basis, meaning past transfers within the preceding year count towards your exposure.
The genomic and epigenomic thresholds are strikingly low, just 100 individuals. For life sciences companies, clinical research organisations, and health-tech platforms operating at scale, these thresholds will be crossed quickly and, in many cases, retrospectively.
Data Brokerage: A Separate and Absolute Line
The rule introduces a standalone prohibition on data brokerage with covered persons or covered entities. Data brokerage is defined as the sale of sensitive data that you have not sourced yourself, i.e., data acquired from third parties for resale or onward transfer. This prohibition applies regardless of volume thresholds. There is no de minimis carve-out.
The Sanctions Regime: Criminal and Civil
This is where the rule distinguishes itself sharply from conventional data protection frameworks like the GDPR. Non-compliance is not a regulatory fine matter, it is a criminal and civil enforcement matter. The DOJ has authority to pursue criminal prosecution alongside civil penalties. Companies should not approach this as a data privacy compliance exercise. It is a sanctions compliance exercise.
The rule also covers onward transfers. If a permitted transaction results in data being transferred downstream to a covered person, the original party retains liability. This has significant implications for contractual frameworks, particularly in supply chains and vendor relationships.
Exemptions: Where the Rule Does Not Apply
The rule carves out two principal exemptions worth knowing:
▸ Regulatory and post-market surveillance: Transactions required for data approval regulatory needs, including post-market surveillance obligations, are exempt. This is critical for pharmaceutical and medical device companies with ongoing compliance obligations to global regulators.
▸ Passive investment: Where a covered person holds a passive investment of less than 10% in a company, with no additional rights beyond a standard minority shareholding, the investment is exempt. The key word is "passive." Board seats, information rights, or veto provisions will destroy this exemption.
What Companies Need to Do Now!
1. Map your data flows. Identify all transfers of sensitive US personal data, including through SaaS tools, cloud storage, vendor relationships, and employment arrangements. Apply the DOJ's three-part checklist to each.
2. Audit your counterparties. Assess whether any vendors, investors, or business partners constitute "covered persons." Pay particular attention to entities with Chinese, Russian, or Iranian ownership structures exceeding the 50% threshold.
3. Apply the rolling 12-month window. Do not assess thresholds at a point in time. The rule looks back 12 months — you mayalready be in scope without knowing it.
4. Do not rely on anonymisation alone. The rule explicitly applies to pseudonymised and anonymised data. Technical de-identiOcation does not remove you from its scope.
5. Implement security measures for restricted transactions. Where transactions are restricted rather than prohibited, the DOJ has published guidance on the security requirements that must be met. These must be embedded into contracts with vendors and partners.
6. Review investment structures. If a covered person holds any equity stake, verify whether it is genuinely passive and below 10%. Any additional rights, even informal ones , may trigger the prohibition.
The Bigger Picture
This rule is part of a broader and accelerating trend: the weaponisation of data law as an instrument of geopolitical strategy. The EU has DORA for financial sector resilience. The US now has a DOJ enforcement regime for sensitive personal data.
Neither is going away. For privacy professionals, the lesson is clear. Data governance can no longer be siloed from national security considerations. The question "where does this data go?" now carries consequences that no privacy policy or DPIA has traditionally been designed to address. Bridging that gap is the work of the next decade, and it starts now.
Source note: This analysis is based on notes taken during an IAPP webinar covering the DOJ's final rule issued under Executive Order 14117 (January 2025). It is intended as an informational overview and does not constitute legal advice. Readers should consult the DOJ's published guidance and seek specialist counsel for their specific circumstances.
Type your paragraph here
