Publication
Restricting Bulk Data Transfers: Insights into the Final Rule
By Tony Caldwell and CJ Utter
A new U.S. federal rule restricts bulk sharing of sensitive personal information and governmental information with certain countries, for some key industries. In December 2024, the Department of Justice issued a comprehensive Final Rule (the Final Rule) to operationalize and implement President Biden’s Executive Order 14117 titled, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The Final Rule was published in the Federal Register on January 8, 2025, and is in effect as of April 8, 2025.
Application
The Final Rule applies to any U.S. persons and business that shares bulk amounts of sensitive personal information or governmental information to any of the “Countries of Concern,” as enumerated in the Executive Order.
Impact
The Final Rule will have a large impact on U.S. persons and businesses that process, share or send bulk amounts of sensitive personal information or U.S. Government information with any ”Countries of Concern” or ”Covered Persons.” “Countries of Concern” refer to the People’s Republic of China, including the Special Administrative Regions of Hong Kong and Macau, the Russian Federation, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, the Republic of Cuba, and the Bolivarian Republic of Venezuela. “Covered Person” means any individual, entity, or organization defined under the Final Rule, including but not limited to entities that are located in a Country of Concern, organized or chartered under the laws of a Country of Concern, have a principal place of business in a Country of Concern, or are more than fifty percent (50%) owned by a Country of Concern or an individual who qualifies as a Covered Person. The Final Rule prohibits these types of transactions with the Countries of Concern or Covered Persons based upon bulk data thresholds for a given transaction.
The Final Rule likely will have the greatest impact on the health and financial sectors, as the sensitive data that is covered by the Final Rule focuses on biometric, health, genomic, financial, and personal identifiers. The bulk limit for the transfers ranges anywhere from 100 persons in the case of genomic data to 100,000 persons in the case of personal identifiers. U.S. persons that engage in these types of data transfers and transactions had to cease doing so as of April 8, 2025.
Prohibited Transactions
Data broker transactions involving covered data with Covered Persons or to Countries of Concern is expressly prohibited. Data brokerage in the Final Rule is defined as “the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.” (See §202.214).
Restricted Transactions
There are further requirements for any U.S. person or business sending covered data regarding an employment, vendor or investor agreement to a Country of Concern or a Covered Person. This is considered a restricted transaction, and the U.S. person must apply the Final Rule’s due diligence and security requirements in connection with such potential transfer.
U.S. persons and businesses conducting restricted transactions must have a data compliance program in place that examines data flows, logging, identities of recipients and a written, comprehensive data compliance policy. There are also audit and reporting requirements. Such reports must be retained for ten (10) years. The security requirements that must be implemented have been issued by CISA (Cybersecurity and Infrastructure Security Agency).
Exempted Transactions
Certain transfers are exempted from the Final Rule prohibitions.
The categories of exempted transactions from the Final Rule include personal communications, travel, corporate group transactions, telecommunications, clinical investigations and official business of the U.S. Government.
Violations
Violations of the Final Rule can lead to significant consequences, including civil penalties of $377,700 or twice the value of the transaction that formed the violation. In the case of a willful violation of the Final Rule, criminal penalties may be imposed, including a fine up to $1,000,000, imprisonment for up to 20 years, or both.
Prior to initiating any bulk sharing of sensitive personal information and governmental information, U.S. persons and businesses should consider the requirements of the Final Rule.
Snell & Wilmer will continue to monitor the evolution of the Final Rule and any enforcement or regulatory actions.
About Snell & Wilmer
Founded in 1938, Snell & Wilmer is a full-service business law firm with more than 500 attorneys practicing in 17 locations throughout the United States and in Mexico, including Los Angeles, Orange County, Palo Alto and San Diego, California; Phoenix and Tucson, Arizona; Denver, Colorado; Washington, D.C.; Boise, Idaho; Las Vegas and Reno, Nevada; Albuquerque, New Mexico; Portland, Oregon; Dallas, Texas; Salt Lake City, Utah; Seattle, Washington; and Los Cabos, Mexico. The firm represents clients ranging from large, publicly traded corporations to small businesses, individuals and entrepreneurs. For more information, visit swlaw.com.
