This is part of a series from Nelson Mullins' AI Task Force. We will continue to provide additional insight on both domestic and international matters across various industries spanning both the public and private sectors.

On Jan. 8, 2025, the U.S. Department of Justice (DOJ) published its final rule implementing Executive Order 14117, (the “Rule”) aimed at preventing “countries of concern”— which currently include China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela —from accessing sensitive personal data of U.S. persons. The Rule establishes a new regulatory framework known as the Data Security Program (DSP), to be administered by the DOJ’s National Security Division.

This framework introduces significant restrictions on the transfer of certain categories of data and imposes substantial compliance obligations on U.S. businesses. 

Key Dates

• April 8, 2025: The DOJ's Data Security Program (DSP) takes effect
• July 8, 2025: End of the 90-day leniency period for civil enforcement
• Oct. 6, 2025: Full compliance required, including due diligence, audit, and reporting obligations

Key Definitions Under the DOJ’s Rule on Sensitive Data Transfers

Covered Data
“Covered data” includes a broad range of personal information that could be exploited to identify or profile U.S. individuals, particularly when transferred to foreign entities. The Rule organizes covered data into the following categories:

1. Covered Personal Identifiers
These are specific data elements that, alone or in combination, may be used to identify individuals. Covered personal identifiers include:

• Full or truncated government ID or account numbers (e.g., SSN, passport number, driver’s license)
• Full financial account or personal ID numbers
• Device- or hardware-based identifiers (e.g., IMEI, MAC address, SIM number)
• Advertising identifiers (e.g., Google Advertising ID, Apple IDFA)
• Account authentication credentials (e.g., usernames, passwords, security question answers)
• Network-based identifiers (e.g., IP addresses, cookies)
• Call-detail data (e.g., Customer Proprietary Network Information or CPNI)
• Demographic or contact data, only when linked to the above or other sensitive identifiers (e.g., name and address linked to device ID)

Exclusion: Demographic/contact data and network/account-authentication data not linked to other sensitive elements are excluded if used solely for telecommunication/network functionality.

2. Sensitive Personal Data
The Rule identifies six specific types of sensitive data that are especially protected:

• Precise Geolocation Data: Real-time or historical data pinpointing an individual’s or device’s location within 1,000 meters.
• Biometric Identifiers: Unique physical/behavioral traits used to identify individuals, including facial images and voiceprints.
• Human ‘Omic Data: Genetic information including nucleic acid sequences and other biological process indicators.
• Personal Health Data: Information indicating an individual’s physical/mental condition, care received, or payment for care.
• Personal Financial Data: Data on accounts, transactions, assets, liabilities, and credit or consumer report information.
• Covered Personal Identifiers (as detailed above)

Exclusion: Publicly available government records, trade secrets, metadata from expressive materials, and data that does not relate to individuals are not considered sensitive personal data under this Rule.

Bulk U.S. Sensitive Personal Data

This refers to large-scale collections of sensitive personal data about U.S. persons. Whether data is anonymized, pseudonymized, de-identified, or encrypted is irrelevant. The Rule defines the following volume thresholds:
 

Government-Related Data

This includes:

• Precise geolocation data for specific sensitive U.S. locations (the appendix lists 736 geographic areas).
• Any sensitive personal data marketed as linked to U.S. government personnel (including intelligence, military, or contractors).

Covered Person

A “covered person” includes any foreign entity or person who is:

• Owned, controlled by, or subject to the direction of a country of concern;
• Organized under the laws of a country of concern;
• A citizen or permanent resident of a country of concern;
• Located in or operating out of a country of concern;
• On the Entity List or subject to certain U.S. national security-related sanctions

Key Prohibitions & Requirements

Prohibited Transaction
The rule establishes five categories of prohibited transactions:

1. *Data Brokerage with Countries of Concern: U.S. persons are prohibited from engaging in data brokerage transactions involving SPD with countries of concern or covered persons.
2. *Human Genomic and Other 'Omic Data or Human Biospecimens: Prohibits transactions involving bulk human genomic, epigenomic, proteomic, or transcriptomic data, or human biospecimens from which such data can be derived, with countries of concern or covered persons.
3. *Knowingly Directing a Transaction Out of Compliance: U.S. persons are prohibited from directing transactions that would violate the rule if carried out by a U.S. person.
4. *Data Brokerage or Government-Related Data Transactions without Contractual Restrictions: Requires U.S. persons to contractually restrict foreign persons from reselling or providing access to data to countries of concern or covered persons.
5. *Evasion Activities and Conspiracies: Prohibits efforts to evade the rule's restrictions or enter into conspiracies to do so.

Restricted Transaction
Restricted transactions involve vendor, employment, or investment agreements that transfer SPD to countries of concern or covered persons. These transactions must comply with specific security rules and compliance requirements, including:

• Implementing a Data Compliance Program
• Conducting due diligence and risk assessments.
• Maintaining detailed records for at least 10 years.
• Submitting annual reports to the DOJ.

Key Guidance & Resources

To assist with compliance, the DOJ's National Security Division (NSD) issued guidance on April 11, 2025, including:

• An overarching implementation and enforcement policy for the program ("Enforcement Policy") through the next 90 days.
• A 21-page Compliance Guidance.
• A 45-page guide to frequent answers and questions ("FAQ").

Follow Nelson Mullins' Idea Exchange for more thought leadership from our AI Task Force, or click here to subscribe to emails from the Nelson Mullins AI Task Force blog.