United States of America: Implemented DOJ rule on Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern

On 8 April 2025, the US Department of Justice’s (DOJ) Rule on Access to Americans' Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern enters into force. The Rule implements the Executive Order 14117. The rule addresses the processing of sensitive US personal and government-related data by foreign adversaries, specifically targeting six countries of concern, namely China, Cuba, Iran, North Korea, Russia, and Venezuela. The rule does not propose a generalised data localisation requirement to store sensitive data in the US, nor does it prohibit US persons from engaging in commercial transactions. The rule imposes prohibitions and restrictions on data transactions that pose national security risks, including data brokerage, employment agreements, and investment agreements, among others. Exceptions are permitted for specific data exchanges, including personal communications, federally authorised research, and data necessary for regulatory approvals, provided they meet stringent security and privacy protocols. The regulations introduce definitions for sensitive personal data categories, including biometric data, financial data, genomic data, and precise geolocation data, along with thresholds for what constitutes "bulk" sensitive data. The rule mandates compliance protocols, including due diligence, audit requirements, and recordkeeping for restricted transactions. Furthermore, it establishes licensing mechanisms for transactions that might otherwise be prohibited or restricted.