Background

In recent years, it has become increasingly complex for multinational companies to navigate the maze of data compliance challenges. On April 8, 2025, the U.S. Department of Justice (“DOJ”) issued a final rule (“Final Rule”) implementing Executive Order 14117, entitled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” Entities and individuals were expected to fully comply with the Final Rule starting October 6, 2025, and companies conducting restricted transactions were required to establish data compliance programs and conduct an annual independent audit by this deadline. 

The Final Rule imposes new data compliance requirements on U.S. companies when transferring certain types of personal data to designated countries of concern or covered persons, setting out the conditions under which the bulk transfer of sensitive data will be permitted, restricted, or prohibited. This impacts a wide range of data-driven sectors, including high-tech, health research, social media, and financial services, sending the message that data transfers pose a variety of national security concerns in areas such as counterintelligence and the race for AI supremacy.

Scope of the Final Rule

The Final Rule limits the ability of U.S. persons to engage in a covered data transaction with countries of concern or covered persons. Certain key definitions are as follows:

  • A “U.S. person” includes U.S. nationals wherever they are located, U.S.-based companies and their foreign branches, and anyone physically present in the U.S.
  • A “country of concern” includes China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
  • A “covered person” includes, among other things, (1) a foreign entity that is 50% or more owned by one or more countries of concern or persons, or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern; (2) a foreign entity that is 50% or more owned by a country of concern; (3) a foreign individual who is an employee or contractor of a country of concern or of an entity identified above; or (4) an individual who is primarily a resident in the territorial jurisdiction of a country of concern.
  • “Covered data” involves six categories of U.S. sensitive personal data, each of which has a defined “bulk” threshold: (1) human ‘omic data; (2) biometric identifiers; (3) precise geolocation data; (4) personal health data; (5) personal financial data; and (6) covered personal identifiers.

The Final Rule prohibits certain covered data transactions with a country of concern or a covered person, including data brokerage and transactions involving human ‘omic data or human biospecimens, while restricting transactions that take the form of a vendor agreement, employment agreement, or investment agreement. Failure to comply with the requirements under the Final Rule risks civil and criminal liability under the International Emergency Economic Powers Act and other applicable laws.

Compliance obligations and guidance

The Final Rule authorizes the DOJ to issue licenses permitting transactions. Enhanced due diligence is also expected whenever a U.S. person engages in a restricted transaction. Key features of the compliance requirements under the Final Rule include the implementation of a data compliance program, the completion of third-party audits, the keeping of full and accurate records of each restricted transaction, and reporting to the DOJ.

On April 11, 2025, the DOJ also provided guidance for companies to comply with the Final Rule, including the Compliance Guide and a list of Frequently Asked Questions. As with any complicated regulatory enforcement framework, the Data Security Program (“DSP”) contains numerous potential pitfalls that may not be immediately obvious without a close reading of the rules. The regulation provides illustrative examples that attempt to clarify which types of transactions fall, and do not fall, within the scope of the DSP. For example, a U.S. company might think that it could contract with a Chinese cloud computing company to store its customers’ financial information, so long as the data was fully encrypted. However, the DSP regulation makes clear that it is irrelevant whether sensitive personal data “is anonymized, pseudonymized, de-identified, or encrypted,” and that such a vendor agreement would still fall within the scope of a restricted transaction.

Conclusion and future look

The Final Rule impacts companies that conduct business in one of the countries of concern, with a particular focus on China. Companies active in China will face significant compliance challenges and should evaluate their data flows to and from China and analyze whether any data flow is a prohibited or restricted transaction. When those companies review their bulk data transfer activities under the U.S. Final Rule, they should also consider the Chinese data compliance requirements applicable to cross-border data transfers. On March 22, 2024, the Cyberspace Administration of China published the Provisions on Promoting and Regulating Cross-border Data Flows to implement China’s Cybersecurity Law, Digital Security Law, and Personal Information Protection Law. Notably, on September 9, 2025, China’s National Cyber and Information Security Information Notification Center, under the Ministry of Public Security, announced an administrative penalty against the French fashion brand Dior over a data breach incident. The company had transmitted its users’ personal information to its headquarters in France without conducting a security assessment for data export or adopting technical security measures. This is the first time that China has imposed an actual penalty on a foreign company for violating its cross-border data transfer rules. Therefore, it is crucial for companies to carefully follow not only the Final Rule, but also the legal procedures in China and other countries of concern when transferring relevant data overseas.