New Federal Efforts Aim to Restrict Access to Sensitive Data by Countries of Concern
Key Takeaways
On February 28, 2024, President Biden signed Executive Order 14117, titled "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government Related Data by Countries of Concern." The Order addresses significant national security threats posed by the commercial acquisition and exploitation of sensitive U.S. data by foreign adversaries, specifically targeting China, Russia, Iran, North Korea, Cuba, and Venezuela. As of July 8, 2025, the rule is in effect, following the U.S. Department of Justice’s 90-day discretionary enforcement period.
Key Directives of the Executive Order:
- The Department of Justice (“DOJ”) must promulgate regulations establishing robust protections for Americans’ sensitive personal data, preventing access and exploitation by countries of concern. This includes safeguards for genomic data, biometric data, personal health data, geolocation data, personal financial data, and specific personal identifiers.
- The DOJ will issue additional regulations to further protect sensitive government-related data, encompassing measures to secure geolocation information on sensitive government sites and military members.
- The DOJ and Department of Homeland Security will collaborate to establish strict security standards, with the primary objective of preventing the countries of concern from accessing Americans’ data through various commercial channels.
- The Assessment of Foreign Participation Committee will consider the threats to Americans’ sensitive personal data in its review of submarine cable licenses.
- The Order clarifies that these activities should not impede necessary information exchanges for financial services or impose measures that separate trade relationships between the United States and other countries.
Advance Notice of Proposed Rulemaking and Notice of Proposed Rulemaking Published by the Department of Justice
In connection with the Executive Order, the Department of Justice released an Advance Notice of Proposed Rulemaking (“ANPRM”) with a 45-day public comment period and a Notice of Proposed Rulemaking (“NPRM”) with a 31-day public comment period. The Department received approximately 140 comments in total on the ANPRM and NPRM, and engaged with hundreds of stakeholders representing thousands of companies and organizations to solicit feedback.
Timeline
On January 8, 2025, the Department of Justice (DOJ) published final regulations implementing the Executive Order, triggering the official compliance timeline. These prohibitions and restrictions became effective on April 8, 2025. Following a 90-day discretionary enforcement period, full enforcement commenced on July 8, 2025, with the exception of the affirmative compliance obligations set forth in Subpart J (related to due diligence and audit requirements for restricted transactions), § 202.1103 (related to reporting requirements for certain restricted transactions), and § 202.1104 (related to reports on rejected prohibited transactions), which are scheduled to take effect beginning on October 6, 2025. During the enforcement grace period, the DOJ’s National Security Division (NSD) issued extensive compliance support, including a comprehensive Compliance Guide, over 100 Frequently Asked Questions (FAQs), and access to a public inquiry email channel. Throughout this period, companies were strongly encouraged to proactively implement compliance measures, such as conducting internal data assessments, renegotiating relevant contractual agreements, instituting third-party vendor controls, and incorporating cybersecurity protocols consistent with guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Regulated Data
The DOJ has identified categories of highly sensitive data transactions that are entirely prohibited as well as categories of restricted transactions that may proceed on the condition that they comply with specific security requirements to mitigate access to the data by countries of concern.
As previewed in the ANPRM and NPRM, the final rule identifies two categories of prohibited transactions between U.S. persons and countries of concern or covered persons: 1) data-brokerage transactions, and 2) genomic-data transactions involving the transfer of bulk human genomic data or biospecimens from which such data can be derived. Three categories of transactions are permitted only where specific security requirements are met: 1) vendor agreements involving the provision of goods and services (including cloud-service agreements); 2) employment agreements; and 3) non-passive investment agreements. The specific security requirements, established by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), include, but are not limited to, cybersecurity measures such as basic organizational cybersecurity policies and practices, physical and logical access controls, data masking and minimization, encryption, and the use of privacy-enhancing techniques.
The final rule includes several exemptions from its restrictions on data transactions, many of which were previewed in the ANPRM and NPRM and refined based on public comments and stakeholder engagement. Exemptions include:
- Personal communications that do not involve the transfer of value;
- Expressive informational materials;
- Travel-related data such as baggage and living expenses;
- Official U.S. government activities and financial services that are part of ordinary banking and investment operations;
- Transactions within corporate groups, such as those related to HR, payroll, or compliance, if they occur between a U.S. entity and its foreign subsidiary or affiliate;
- Transactions required or authorized by federal law or international agreements, including those under treaties with countries of concern;
- Certain investment transactions reviewed and mitigated by CFIUS;
- Telecommunications services, regardless of format or delivery method;
- Regulatory approval data and clinical investigation data involving drugs, biological products, devices, or combination products, provided such data is de-identified or pseudonymized per FDA regulations; and
- Publicly available data and metadata tied to expressive content, such as geolocation embedded in digital photos.
The final rule implements volume-based thresholds to determine when restrictions apply to transactions involving sensitive personal data, defining “bulk” as any amount of such data, whether anonymized, pseudonymized, de-identified, or encrypted, that exceeds specified thresholds within a 12-month period before a covered transaction. These thresholds include: human genomic data from over 100 U.S. persons; other types of 'omic data from over 1,000 U.S. persons; biometric identifiers from over 1,000 individuals; precise geolocation data from more than 1,000 devices; personal health and financial data from over 10,000 individuals; and certain personal identifiers from more than 100,000 people. The thresholds also apply to any combination of these categories that reaches the lowest threshold for any included data type. These limits are based on a risk-based analysis considering threats and vulnerabilities tied to both human and machine data characteristics. Importantly, transactions involving U.S. government-related data are regulated regardless of volume. The rule categorizes this data as either precise geolocation information within sensitive government locations or sensitive personal data linked to current or recently separated U.S. government employees or contractors, including those in the military and intelligence community.
Covered Countries and Persons
The final rule designates six countries as countries of concern: China, Cuba, Iran, North Korea, Russia, and Venezuela, due to their long-standing or serious actions that are significantly adverse to U.S. national security or the safety of U.S. persons, and their high risk of exploiting bulk sensitive personal and government-related data. In defining “covered persons,” the rule adopts the scope proposed in the NPRM with modifications to align more closely with the Treasury Department’s OFAC 50-percent rule. The 50-percent rule states that any entity that is owned 50% or more, individually or in the aggregate, by one or more persons or entities on OFAC's Specially Designated Nationals (“SDN”) List is also considered blocked, even if it is not itself listed. Specifically, a covered person includes: (1) foreign entities that are 50% or more owned by, organized under the laws of, or principally based in a country of concern; (2) entities 50% or more owned by another covered person; (3) foreign employees or contractors of countries of concern or covered entities; and (4) individuals primarily resident in countries of concern. The rule also allows for the designation of additional individuals or entities on a public list, and provides the DOJ authority to designate any person, regardless of location, as a covered person. This authority is discretionary, and may be exercised if the person or entity is determined to be controlled by, acting as an agent of, or likely to cause a violation through association with a country of concern or another covered person.
Licenses and Advisory Opinions
The final rule authorizes the Department of Justice to issue both general and specific licenses to permit certain transactions that would otherwise be prohibited or restricted. General licenses allow for categories of transactions, such as orderly wind-downs, to proceed without further authorization, provided they meet specified conditions. Specific licenses, on the other hand, are granted on a case-by-case basis to parties who submit detailed applications disclosing the nature of the proposed transactions. The rule outlines the procedures and requirements for obtaining either type of license, including the process for seeking reconsideration of a denied specific license based on new information. In addition to licensing, the Department may also issue general public guidance to address frequently asked questions and recurring compliance issues. It may further provide advisory opinions that interpret how the regulations apply to specific, real-world transactions, though it will not offer opinions on hypothetical scenarios.
Enforcement and Penalties
With full enforcement now active, companies must rigorously comply with all regulatory obligations or face significant civil and potentially criminal penalties. While affirmative obligations under Subpart J (due diligence, audits, and recordkeeping) and reporting obligations (§§202.1103 and 202.1104) do not go into effect until October 6, 2025, the prohibitions and general restrictions on sensitive data transactions are enforceable immediately.
Penalties for non-compliance can be severe, with civil fines potentially exceeding $368,136 or double the transaction amount involved. Criminal penalties for willful violations can result in fines up to $1,000,000 and imprisonment for up to 20 years.
Next Steps
- October 6, 2025: Deadline for compliance with affirmative obligations, including due diligence, auditing, and reporting.
- DOJ will publish a "Covered Persons List," explicitly identifying entities and individuals under foreign control to assist businesses in compliance efforts.
- DOJ will continue updating compliance tools and FAQs to address emerging challenges identified by the regulated community.
Koley Jessen will continue to monitor developments related to international transfers of sensitive data. As new information becomes available, we will provide guidance accordingly. If you have questions regarding your business’s use or transfer of sensitive data, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area for support.
*Special thanks to summer associate Gunner Ott for his contributions to this article.
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.