Takeaways
- The “Bulk Data Transfer Rule” prohibits or restricts sending sensitive data to “countries of concern” or certain persons located in or associated with them, including vendors and contractors.
- Those covered by the rule must maintain certain data security requirements.
- The DOJ has released guidance documents.
Related links
- Final Rule at 28 CFR Part 202
- DOJ “Compliance Guide”
- DOJ “Frequently Asked Questions”
- Federal Register: Executive Order 14117
- Federal Register: Notice of Availability of Security Requirements for Restricted Transactions Under Executive Order 14117
Article
The lengthy and complex “Bulk Data Transfer Rule,” more formally known as the “Rule Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” may apply to organizations even if they are not tech giants or data brokers. The wide-ranging federal rule establishing data transfer restrictions regarding sensitive U.S. personal data prohibits certain data transfers and permits others only if they meet certain security requirements.
The Department of Justice (DOJ) has released a “Compliance Guide” and “Frequently Asked Questions” on the Rule. Violations of the Rule may result in civil and, in some cases, criminal penalties.
The DOJ Rule implements Executive Order 14117.
Bulk Data Transfer Rule: General
Like many similar regulatory frameworks, the Bulk Data Transfer Rule is filled with defined terms, many variations on a general rule, all of which are subject to a long list of exceptions. The general rule, however, uniquely provides that U.S. persons may be prohibited from, or restricted with respect to, making certain types of data relating to U.S. persons accessible to “countries of concern” or to persons or businesses associated with those countries, including vendors and contractors.
Navigating the Rule’s Application
The Bulk Data Transfer Rule’s application is driven by a set of key terms:
U.S. Person. Any United States citizen, national, or lawful permanent resident; any individual admitted to the United States as a refugee or granted asylum; any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person in the United States.
Covered Persons and Countries of Concern. The Bulk Data Transfer Rule focuses on limiting access by “countries of concern” to sensitive information related to U.S. persons. The current “countries of concern” are China, Cuba, Iran, North Korea, Russia, and Venezuela. The Rule also limits access by “covered persons,” meaning (i) individuals who either reside in “countries of concern” or are controlled by entities in those countries, or (ii) entities that are organized or chartered under the laws of, or have their principal place of business in, a country of concern, or are owned 50% or more by such entities.
Covered Data Transaction. Any transaction that involves (1) access by a country of concern or covered person to either (i) government-related data or (ii) bulk U.S. sensitive personal data, and (2) either a data brokerage transaction or a vendor, employment, or investment agreement. Here is an example:
A U.S. person [U.S.-based company] engages in a vendor agreement [such as an administrative services or data processing agreement] with a covered person [a technology company that is 50% or more owned, directly or indirectly, individually or in the aggregate, by an individual who is primarily resident of China or another country of concern] involving access to bulk U.S. sensitive personal data [see description below].
Whether a transaction involves “bulk” U.S. sensitive personal data depends on the type of data collected or maintained at any point in the preceding 12 months, whether through one or more transactions involving the same U.S. person and the same foreign person or covered person. The specific thresholds are as follows:
| Data Type | Threshold |
|---|---|
| Human ’omic data | > 1,000 U.S. persons, or > 100 U.S. persons for human genomic data |
| Biometric identifiers | > 1,000 U.S. persons |
| Precise geolocation data | > 1,000 U.S. devices |
| Personal health data | > 10,000 U.S. persons |
| Personal financial data | > 10,000 U.S. persons |
| Covered personal identifiers | > 100,000 U.S. persons |
Each of these categories has specific definitions. For example, “biometric identifiers” means:
measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.
Additionally, a special rule applies if data from more than one of the above categories is combined.
In short, U.S. persons need to consider whether they are engaging in “covered data transactions” with “covered persons” that involve “bulk” amounts of covered data.
Prohibited and Restricted Transactions
Covered data transactions can be considered prohibited transactions or restricted transactions.
Prohibited transactions are those involving access by a country of concern or covered person that is subject to certain prohibitions generally involving “data brokerage” (broadly defined to include selling, leasing access to, or otherwise transferring or providing any category of covered data to a third party as part of a commercial transaction). These transactions are further described in the DOJ FAQs #16 and the following example:
Example 1. A U.S. subsidiary of a company headquartered in a country of concern develops an artificial intelligence chatbot in the United States that is trained on the bulk U.S. sensitive personal data of U.S. persons …. [T]he chatbot is capable of reproducing or otherwise disclosing the bulk U.S. sensitive personal health data that was used to train the chatbot when responding to queries. The U.S. subsidiary knowingly licenses subscription-based access to that chatbot worldwide, including to covered persons such as its parent entity …. [T]he U.S. subsidiary knows or should know that the license can be used to obtain access to the U.S. persons’ bulk sensitive personal training data if prompted. The licensing of access to this bulk U.S. sensitive personal data is data brokerage because it involves the transfer of data from the U.S. company (i.e., the provider) to licensees (i.e., the recipients), where the recipients did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. Even though the license did not explicitly provide access to the data, this is a prohibited transaction because the U.S. company knew or should have known that the use of the chatbot pursuant to the license could be used to obtain access to the training data, and because the U.S. company licensed the product to covered persons.
Unless an exemption applies or an appropriate license is obtained, engaging in a prohibited transaction could trigger substantial penalties.
A restricted transaction is one subject to the restrictions in subpart D of the Rule. In general, U.S. persons may not knowingly engage in a covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person unless the U.S. person complies with certain data security requirements referenced in § 202.248, namely the Cybersecurity and Infrastructure Agency Security Requirements for Restricted Transactions E.O. 14117 Implementation, January 2025.
Bulk Data Transfer Rule Applies, Now What?
The Bulk Data Transfer Rule became effective April 8, 2025, with enforcement authority resting with the National Security Division of the DOJ. The DOJ implemented a 90-day grace period through July 8, 2025, for persons engaged in good faith compliance. A narrower grace period applied through Oct. 6, 2025, for companies developing a program to meet the data security requirements related to restricted transactions (see above).
The Rule requires that covered U.S. persons develop, implement, and update compliance programs based on the person’s individualized risk profile and considering a range of factors, including size and sophistication, products and services, customers and counterparties, and geographic locations.
According to the Division’s Compliance Guide, the Rule also
imposes an affirmative requirement on all U.S. persons engaged in restricted transactions to develop, implement, and routinely update an individualized, risk-based, written Data Compliance Program. This program should be designed to prevent, detect, and remediate breaches in company procedures and violations of the DSP [Data Security Program]. The failure to adopt and maintain adequate data compliance policies and procedures is potentially a violation of the DSP and may be an aggravating factor in any enforcement action.
The Data Compliance Program (DCP) must meet several minimum requirements outlined in the Compliance Guide. The Guide also includes broader suggestions about how to design and implement a more robust DCP. The minimum requirements include:
- Due diligence concerning risk analysis, data flows, and vendor management;
- Maintaining a document that describes the DCP;
- Training;
- Auditing the effectiveness of DCP controls; and
- Recordkeeping and reporting.
Importantly, the Bulk Data Transfer Rule includes several exempt transactions, such as certain financial services, corporate-group transactions, and telecommunications services.
In the case of corporate-group transactions, transactions that would otherwise qualify as covered data transactions are excluded if they are:
- Between a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern; and
- Ordinarily incident to and part of administrative or ancillary business operations (such as sharing employees’ covered personal identifiers for human resources purposes; payroll transactions, such as the payment of salaries and pensions to overseas employees or contractors; paying business taxes or fees; purchasing business permits or licenses; sharing data with auditors and law firms for regulatory compliance; and risk management).
Penalties for Noncompliance
Violations of the Rule may result in civil and, in some cases, criminal penalties, which can be substantial. The maximum civil penalty cannot exceed the greater of $368,136 or an amount that is twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed. In the case of willful violations, fines of not more than $1,000,000 may apply, or, if the violation is perpetrated by a natural person, imprisonment of not more than 20 years, or both.
* * *
Please contact a Jackson Lewis attorney if you have questions about the Rule.
© Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.
Focused on employment and labor law since 1958, Jackson Lewis P.C.’s 1,000+ attorneys located in major cities nationwide consistently identify and respond to new ways workplace law intersects business. We help employers develop proactive strategies, strong policies and business-oriented solutions to cultivate high-functioning workforces that are engaged and stable, and share our clients’ goals to emphasize belonging and respect for the contributions of every employee. For more information, visit https://www.jacksonlewis.com.