Bulk Data Transfer Rule

Preventing Access to Americans’ Bulk Sensitive Data: What the U.S. Federal Bulk Data Transfer Rule Means for Companies

The U.S. Department of Justice (“DOJ”) recently finalized its bulk data transfer rule under Executive Order 14117 (the “Rule”), significantly reshaping how organizations must safeguard certain categories of data. The Rule, issued under the International Emergency Economic Powers Act (IEEPA), is aimed at mitigating national security risks tied to the sale or transfer of, or access to, bulk U.S. data by “countries of concern,” such as China, Russia, Iran, and North Korea.

Under the Rule, U.S. persons that sell, license, or make available bulk U.S. sensitive personal data or government-related data must assess whether they are engaging in covered data transactions that permit access to such data by covered persons or countries of concern. Compliance is critical: the DOJ can impose civil fines up to the greater of $368,136 or twice the value of the transaction per violation, and criminal violations can incur up to $1 million in fines and 20 years imprisonment for responsible individuals.

While the Rule took effect in April 2025, the majority of compliance requirements become enforceable on October 6, 2025. With this deadline fast approaching, companies that collect or handle data covered by the Rule should take steps to ensure compliance.

Legal Framework at a Glance

  • Executive Order 14117 directs agencies to prevent access by “countries of concern” to Americans’ bulk sensitive personal data and U.S. government‑related data[1]
  • The DOJ has published rules at 28 CFR Part 202 to operationalize the Executive Order[2]
  • In April 2025, the DOJ released security program FAQs, a compliance guide, and an implementation and enforcement policy to help organizations understand their compliance obligations[3][4][5]
  • The U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published baseline security requirements for “restricted transactions,” setting the technical and organizational safeguards companies must implement before proceeding with certain activity[6]

Covered Data

The Rule focuses on protecting bulk sensitive personal data and U.S. government data. “Sensitive personal data” is defined broadly to include the following categories:

  • Covered personal identifiers, meaning datasets that contain combinations of direct or pseudonymous personal data, such as government ID numbers, financial account numbers, device IDs (such as MAC address or SIM card number), demographic or contact data (such as name, DOB, birthplace, zip code, mailing address, phone number, email, or public account identifiers), advertising IDs (such as Google advertising IDs, Apple IDs, or MAIDs), account authentication data (such as usernames, passwords, or answers to security questions), IP addresses and other network-based IDs, and call-detail data (CPNI).
  • Precise geolocation data.
  • Biometric identifiers, such as voice prints, fingerprints, facial prints, etc.
  • Human ‘omic data, such as genomic, epigenomic, proteomic, or transcriptomic data.
  • Personal health data.
  • Personal financial data.

To be covered, the sensitive personal data transferred must meet the “bulk” volume thresholds set forth in the Rule, which vary by category. For covered personal identifiers, the transfer must involve data on 100,000 U.S. persons, but the threshold is lower for the other categories; for example, genomic data of only 100 U.S. persons will trigger requirements under the Rule.

The Rule also covers U.S. government data, which includes precise geolocation data associated with certain U.S. government locations and any sensitive personal data of current or former government actors, regardless of volume.

Covered Transactions

Any transaction that gives a country of concern or covered person access to covered data will be covered by the Rule, including:

  • Data brokerage, meaning the sale or licensing of covered data to a party that did not originally collect it. This includes providing access through cookies, tracking pixels, software development kits, or similar technology.
  • Vendor agreements, such as service or vendor contracts.
  • Employment agreements, where the role involves access to covered data.
  • Investment agreements, where an investor is given access to covered data including by virtue of ownership or board rights.

A “covered person” includes any person or foreign entity with links to “countries of concern” identified by the DOJ, which currently include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. This includes entities headquartered or with a principal place of business in a country of concern, residents or employees of a country of concern, or entities with majority ownership by a covered person.

Identifying Restricted vs. Prohibited Transactions

Under the Rule, certain transactions are not outright prohibited but may proceed only if the company implements CISA’s required security measures, contractual controls, and ongoing monitoring to prevent access or onward transfer to covered persons. These are called “restricted” transactions and require the implementation of a compliant Data Security Program that includes the CISA safeguards, a written compliance program, annual audits, contractual safeguards, and various recordkeeping and reporting requirements.

Other transactions that involve high‑risk transfers are banned outright under the Rule. For example, data brokerage transactions involving bulk sensitive data must be rejected by U.S. persons, and companies must file a report of the rejected transaction with the DOJ within 14 days.

Practical Takeaways

Companies and other organizations engaging in potential covered transactions can take steps now to assess the Rule’s applicability to their business and begin screening vendors and other transaction counterparties. These steps include:

  1. Data Mapping: Prepare a data map to identify whether the organization is processing data that is covered by the Rule.
  2. Screening: Implement a screening process for all counterparties to covered data transactions, including vendors, data licensees and other partners, employees, contractors, and investors to determine whether the counterparty is a “covered person” under the Rule.
  3. Classification of Transactions: Develop a process for classifying transactions as permitted, restricted, or prohibited.
  4. Implementing Required Compliance Programs: Implement required compliance measures in relation to restricted transactions and transactions with foreign parties.
  5. Recordkeeping: The Rule generally requires documentation to be retained for ten (10) years, along with additional recordkeeping requirements for restricted transactions.
  6. Reporting: Ensure an internal reporting chain is established to ensure that any notices required to be filed with the DOJ are completed in a timely manner.
  7. Ongoing Monitoring: Engage in ongoing monitoring of transaction counterparties, whether manual (e.g., questionnaires, requesting certifications) or automated (e.g., screening software).

If you need assistance navigating the data privacy landscape and legislation or if you have any questions, please reach out to KO partner Erin Locker.

Erin Locker is a commercial partner whose practice focuses on privacy, cybersecurity and data protection. She helps companies at every stage navigate the rapidly evolving landscape of global privacy regulation and develop strategic approaches to compliance. Erin counsels clients on a range of data privacy and protection issues involving product design and development, digital marketing and advertising, compliance programs, and data licensing transactions.
