On July 8, 2025, the Department of Justice (“DOJ”) is set to lift its self-imposed pause on enforcing certain violations of its Rule Preventing Access to US Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “Bulk Data Rule” or “DOJ Rule”), 28 CFR Part 202. The Bulk Data Rule, which took effect on April 8, 2025, implemented Biden-era Executive Order 14117 on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” which the Trump administration kept in force after taking office.
The goal of both EO 14117 and DOJ’s Bulk Data Rule is to prevent countries of concern from obtaining U.S. person data that could be used to harm Americans and to undermine U.S. national security.[1] Depending on transaction type, DOJ’s Rule prohibits or restricts “bulk” transfers of Americans’ sensitive personal data to specified “countries of concern” – currently, China (including Hong Kong and Macau), Russia, Iran, Cuba, North Korea, and Venezuela – and to individuals and entities under their control. Importantly, the Rule potentially applies to any form of transaction with companies or individuals subject to the jurisdiction or control of these “countries of concern” – including vendor relationships, employment or contractor relationships, customer agreements, and affiliate/intercompany activities.
The DOJ Rule is implemented and enforced by DOJ’s National Security Division. On April 11, 2025, DOJ announced a 90-day “grace period” during which it would “not prioritize civil enforcement actions” against organizations working towards compliance in good faith. This window closes on July 8, 2025. A second deadline follows: companies obligated to build out a new “Data Compliance Program” for certain types of restricted transactions have until October 6, 2025 to do so.
While few organizations do business with Iran, Cuba, North Korea, or Venezuela because of global sanctions regimes, Russia and, in particular, China and Hong Kong remain significant markets for many U.S. businesses. DOJ’s Bulk Data Rule casts a relatively wide net for “covered data transactions.” The data the Rule treats as “sensitive” goes well beyond what has traditionally been seen as sensitive and includes, for example, an email address tied to an IP address. The “bulk” thresholds are low relative to the data volumes large organizations typically process.
DOJ is readying for civil enforcement of the Bulk Data Rule, but there is still time to take meaningful steps toward compliance. By July 8, 2025, companies should have compliance measures in place for “data brokerage” transactions. By October 6, 2025, organizations that engage in “restricted” transactions must have built a “Data Compliance Program” – including by implementing the CISA-issued cybersecurity controls for systems accessed by “covered persons” from “countries of concern.”
Below is a summary of the key provisions, exemptions, the extension on enforcement, and compliance action items.
Key Provisions
Weighing in at 350+ pages, the Bulk Data Rule is a hefty regulation with fourteen subparts and hundreds of sections and subsections. To help individuals and organizations wade through it, DOJ issued a “Compliance Guide” and a set of FAQs on April 11, 2025. Key terms in the Rule are the following:
Countries of Concern. As stated above, the Bulk Data Rule’s ultimate purpose is to prevent U.S. person data from being obtained by “countries of concern.” Currently, these are: China (including Hong Kong and Macau), Russia, Iran, Cuba, North Korea, and Venezuela. For most companies, China, Hong Kong, and Russia will be of most relevance.
Covered Persons. To achieve its purpose, the Bulk Data Rule generally views persons subject to the jurisdiction or control of “countries of concern” as “covered persons” – then restricts U.S. companies’ ability to transact with them. A “covered person” is generally any of the following:
- Individual covered persons are (a) residents of China, Hong Kong, Russia, or other countries of concern, or (b) employees of the corporate “covered persons” described below (regardless of residence); and
- Corporate covered persons are (a) foreign entities incorporated, headquartered, or located in China, Hong Kong, Russia, or other country of concern, or (b) foreign entities that are 50% or more owned by the foregoing.
DOJ can also specifically designate further individuals or companies as “covered persons.” To date, DOJ has not made any such designations.
Covered Data. There are two main categories of covered data:
- U.S. person sensitive personal data, which the Rule defines as six types: covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data,[2] personal health data, and personal financial data (human biospecimens, from which ‘omic data can be derived, are addressed alongside ‘omic data); and
- U.S. government-related data, defined as (a) precise geolocation data for any specifically designated area, such as military installations and intelligence facilities, and (b) any sensitive personal data linkable to current or former U.S. government employees or officials.
Each type of sensitive data has its own “bulk” threshold. Once a record set reaches a “bulk” number of U.S. person records, it is considered in principle to be subject to the DOJ Rule. Bulk thresholds vary based on the sensitivity DOJ assigned to each type of U.S. person data:
- Covered personal identifiers, such as name, email address, IP address, cookie information, device identifiers, and the like, were viewed as the least sensitive type of U.S. person data. Their “bulk” threshold is 100,000 U.S. person records.
- Personal health information and personal financial information were viewed as more sensitive. Their “bulk” threshold is 10,000 U.S. person records.
- Biometric identifiers, precise geolocation data, and human ‘omic data other than genomic data were viewed as more sensitive still; this data is considered “bulk” at 1,000 U.S. person records (for precise geolocation data, 1,000 U.S. devices). Human genomic data is “bulk” at 100 U.S. person records.
- U.S. person biospecimens (from which bulk ‘omic data could be derived) and U.S. government-related data were viewed as the most sensitive data types. Government-related data has no bulk threshold at all: a single U.S. person record can trigger application of the DOJ Rule.
Given how large and diverse commercial datasets commonly are, these thresholds are low, making it likely that a dataset will be classified as “bulk” and subject to the Bulk Data Rule.
Unlike most U.S. state privacy laws, the Bulk Data Rule does not contain a blanket exclusion for anonymized, pseudonymized, deidentified or encrypted data. DOJ’s rationale for this: “even anonymized data, when aggregated, can be used by countries of concern and covered persons to identify individuals and to conduct malicious activities that implicate the risk to national security [that EO 14117] was intended to address.”
Covered Data Transactions. Combining the above concepts, a “covered data transaction” is any transaction between a U.S. company and a “covered person” that involves “bulk” amounts of covered data. The Bulk Data Rule applies to two main kinds of “covered data transactions”: prohibited transactions and restricted transactions.[3]
- A prohibited transaction includes any “data brokerage” transaction with a covered person. We particularly note that the term “data brokerage” is very broad and includes any “sale of data, licensing of access to data, or similar commercial transaction” that involves the transfer of U.S. person data to a company that did not originally collect or process it. Said another way, DOJ’s position is that companies can “broker” their own first-party data, and doing so triggers application of the Rule’s “data brokerage” provisions. In DOJ’s own words, this means “activities that may not be thought of in ordinary parlance as data brokerage may nonetheless constitute data brokerage under the [Rule].”
- Additionally, prohibited transactions include any transaction that makes (a) bulk human ‘omic data or (b) U.S. persons’ biospecimens accessible to covered persons. These rules are particularly relevant for biotech, pharmaceutical, life sciences, and healthcare companies whose operations or vendor populations are located in significant part in China or Hong Kong.
- If a transaction falls into the “prohibited” category, the U.S. company is prohibited from engaging in it without a license from DOJ. Alternatively, the U.S. company could evaluate whether one of the DOJ Rule’s exclusions permits the transaction to go forward.
- A restricted transaction is any covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or a covered person.
- Examples of these transactions include: (a) engaging a Chinese or Hong Kong vendor to provide services for a U.S. company; (b) a U.S. company engaging a Hong Kong-based individual as employee or contractor; or (c) a U.S. company entering into a joint venture agreement with a Chinese or Hong Kong-based individual or company.
- Restricted transactions are not prohibited but rather permitted if certain “restrictions” are in place. Specifically, these transactions can only proceed if:
- the Security Requirements issued by the Cybersecurity and Infrastructure Security Agency (CISA) for the Rule are implemented for systems accessed by covered persons;
- new recordkeeping procedures are established for each “restricted” transaction the U.S. organization engages in;
- the U.S. organization establishes a new written “Data Compliance Program” designed to maintain compliance with the DOJ Rule; and
- the U.S. organization annually audits its Data Compliance Program, and an officer or executive annually certifies compliance.
Exemptions
There are ten exemptions to the Bulk Data Rule, each based on the type of transaction rather than on the industry or type of entity.[4] Some of the notable exemptions relate to the following:
- Financial services transactions that are “ordinarily incident to and part of the provision of financial services”[5] – this provision recognizes the cross-border nature of many financial services, such as payment processing and settlements, and enables their operational aspects to continue.
- Telecommunication services, including voice and data communications regardless of format (IP, voice, cable, wireless, fiber, or other types of broadband);[6]
- Drug, biologics, and medical device authorizations, covering transactions that involve regulatory approval data submitted to the U.S. Food and Drug Administration (FDA);[7] and
- Transactions that are ordinarily incident to clinical investigations regulated by the FDA or that support applications to the FDA for research or marketing permits, or that are ordinarily incident to the collection of clinical care data or post-marketing surveillance data necessary to support or maintain FDA authorizations.[8]
The Bulk Data Rule further exempts transactions involving personal communications, informational materials, travel, official U.S. government business, or compliance with federal law.
Violations
Violations of the Bulk Data Rule can result in civil and, in some cases, criminal penalties, which can be substantial. The legal basis for this penalty power is the International Emergency Economic Powers Act (IEEPA), which provides for a maximum civil penalty of the greater of $368,136 or twice the amount of the violative transaction. A person who willfully commits, attempts or conspires to commit, or aids or abets a violation can be fined not more than $1,000,000 or, if a natural person, imprisoned for not more than 20 years, or both.[9]
Currently, there are efforts within the administration to make China an enforcement focus. For example, the Federal Trade Commission (FTC) is already investigating potential violations of the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA), a statute that is conceptually similar to the Bulk Data Rule (albeit with far narrower scope). The FTC also recently announced it will assist DOJ’s National Security Division with investigating and enforcing against violations of the Bulk Data Rule. Companies can potentially expect the Bulk Data Rule to be an enforcement focus for the Trump administration.
Enforcement Pause Until July 8, 2025
As part of its guidance on April 11, 2025, DOJ issued an Implementation and Enforcement Policy, which established a 90-day window during which the National Security Division “will not prioritize civil enforcement actions against any person for violations of the DSP [Rule] that occur from April 8 through July 8, 2025 so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP [Rule] during that time.” This stay of enforcement does not extend to criminal enforcement or to willful or egregious violations of the Bulk Data Rule.
Examples of good faith efforts are provided in the DOJ’s Implementation and Enforcement Policy, including the following:
- Conducting internal reviews of access to sensitive personal data, including whether transactions constitute “data brokerage”;
- Reviewing datasets to determine if they are covered;
- Renegotiating vendor agreements or negotiating contracts with new vendors;
- Conducting due diligence on potential new vendors;
- Adjusting employee work locations, roles or responsibilities; and
- Implementing CISA Security Requirements.
Compliance Action Items
The Compliance Guide is a good blueprint that describes what the DOJ calls “best practices” for complying with the Bulk Data Rule, including the elements of a robust data compliance program. The DOJ notes, however, that “[w]hether a Data Compliance Program complies with the DSP’s requirements is a holistic inquiry that depends on the facts and circumstances.” Consistent with the good faith efforts above, below are some immediate action items that covered organizations should implement to comply with the Bulk Data Rule:
- Conduct internal assessments to identify any potential “covered data transactions” engaged in by the company;
- Identify covered vendors, and assess whether their work results in “covered data transactions” – if so, the company has until October 6 to implement CISA cyber controls and a new “Data Compliance Program”;
- Identify covered employees and contractors, and assess whether their work results in “covered data transactions” – if so, the company has until October 6 to implement CISA cyber controls and a new “Data Compliance Program”;
- Amend vendor contracts to include model contract language. Also consider updating vendor onboarding procedures to help the company avoid “knowing” violations of the Bulk Data Rule;
- Amend customer contracts to include model contract language directed towards the Bulk Data Rule. If no customer “KYC”-style program yet exists, consider establishing a customer screening/credentialing program to help avoid “knowing” violations of the Rule; and
- Develop and issue employee training programs to ensure understanding and compliance with the Bulk Data Rule.
As the clock winds down, organizations should confirm whether they are covered by the Bulk Data Rule, which can be a difficult exercise given complex data flows and transactions. If an organization is or might be covered, it should take action towards implementing the items in DOJ’s Compliance Guide and develop an effective compliance program.
_______________________________________________________________________________________
[1] See Alston & Bird Privacy, Cyber & Data Strategy Blog: Article: White Paper on Clarifying Definitions in the Protecting Americans’ Data from Foreign Adversaries Act of 2024.
[2] Human ‘omic data includes human genomic data, human epigenomic data, human proteomic data, and human transcriptomic data. These are further defined in the FAQs.
[3] 28 CFR §202.210(a).
[4] 28 CFR Pt. 202, Subpart E (§§ 202.501-202.511).
[5] Id. §202.505.
[6] Id. §202.509; FAQs Number 77.
[7] Id. §202.510.
[8] Id. §202.511.
[9] Id. Subpart M (§§ 202.1301-202.1306).