Key takeaways
- DOJ’s final rule takes effect April 8, 2025 and impacts businesses that send data to countries of concern
- Rule prohibits some transactions, including M&A transactions of U.S. companies employing Chinese nationals or using Chinese vendors, unless certain exceptions apply
- Rule also prohibits U.S. companies from engaging with foreign persons or entities in certain covered data transactions
- Penalties include potentially heavy fines or, if a natural person is involved, imprisonment
On December 27, the U.S. Department of Justice issued a comprehensive final rule implementing Executive Order 14117 of February 28, 2024, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (Final Rule). The majority of the Final Rule takes effect on April 8, 2025, including the restricted transactions and prohibited transactions (as defined below).
The Final Rule restricts certain transactions with key countries, such as China, involving sensitive data of U.S. citizens. Specifically, businesses are prohibited from processing and transferring certain amounts of human ‘omic data, biometric data, precise geolocation data, personal health data, or personal financial data to these key countries, unless one of the exceptions (discussed below) applies. In addition, companies conducting transactions that fall under the Final Rule will need to consider privacy compliance measures and adhere to audit and record retention requirements.
Countries of concern and covered persons
Under section 202.601 of the Final Rule, the United States attorney general along with other members of the U.S. government determined that the following countries are to be considered “countries of concern” with respect to bulk U.S. sensitive personal data and government-related data: China, Cuba, Iran, North Korea, Russia, and Venezuela.
In addition to those countries of concern, the Final Rule establishes a process that enables the attorney general to designate any person as a “covered person.”[1] The names of covered persons will be published in the Federal Register and incorporated into the National Security Division’s Covered Persons List.[2] The restrictions found in the Final Rule relate to countries of concern and covered persons.
Covered data transactions and restricted transactions
Covered data transactions
An important new restriction in the Final Rule relates to a “covered data transaction.” A covered data transaction is any transaction that involves access by a country of concern or covered person to government-related data or bulk U.S. sensitive personal data and that involves a data brokerage,[3] vendor agreement,[4] employment agreement,[5] or investment agreement.[6]
Critically, the definition of a covered data transaction incorporates both government-related data and bulk U.S. sensitive personal data.[7]
“Government-related data” is any precise geolocation data, regardless of volume, for any location within the enumerated areas on the government-related location data list in section 202.1401 of the Final Rule.[8]
The Final Rule establishes “bulk U.S. sensitive personal data” by way of threshold categories, whereby if a potential transaction meets the criteria of one of the categories, then such transaction will be considered a covered data transaction and subject to the restrictions set forth in the Final Rule. The thresholds are triggered if at any point in the preceding 12 months – whether through a single covered data transaction or aggregated across multiple covered data transactions – the same U.S. person and the same foreign person or covered person transfer the following types and amounts of data:
- Human genomic data[9] on over 100 U.S. persons, and the three other covered categories of human ‘omic data[10] on over 1,000 U.S. persons;
- Biometric identifiers[11] on over 1,000 U.S. persons;
- Precise geolocation data[12] on over 1,000 U.S. devices;
- Personal health data[13] and personal financial data[14] on over 10,000 U.S. persons;
- Certain covered personal identifiers[15] on over 100,000 U.S. persons; or
- Any combination of these data types that meets the lowest threshold for any category in the data set.
Covered personal identifiers
As noted above, one of the thresholds is for covered personal identifiers. It is crucial to understand this definition when complying with the Final Rule. In essence, “covered personal identifiers” covers any listed identifier (defined below) that is combined with (1) another listed identifier or (2) other data to the extent the listed identifier is linkable to other listed identifiers or other sensitive personal data.[16]
“Listed identifiers” means any data in the following fields:
- Government identification or account numbers, such as social security numbers, driver’s license, or passport numbers
- Full financial account numbers or personal identification numbers associated with a financial institution or financial services company
- Device-based or hardware-based identifier
- Demographic or contact data
- Advertising identifier
- Account-authentication data
- Network-based identifier
- Call-detail data[17]
If a company uses two or more of those listed identifiers in a proposed transaction, then the combination is considered a covered personal identifier. If such covered personal identifiers under the proposed transaction(s) relate to over 100,000 U.S. persons, then the transaction is a restricted transaction subject to the Final Rule.
Restricted transactions
The Final Rule prohibits a “U.S. person”[18] from knowingly engaging in a covered data transaction involving a vendor agreement,[19] employment agreement,[20] or investment agreement[21] with a country of concern or a covered person.[22] In other words, if a proposed transaction or transfer of data includes data of the types and in the amounts set out in the thresholds above, and such data is part of a vendor, employment, or investment agreement, then it is a restricted transaction.
Prohibited transactions
In addition to restricted transactions, there are two types of transactions that the Final Rule outright prohibits. First, a U.S. person cannot engage in a covered data transaction involving a data brokerage with a country of concern or a covered person.[23] In addition, no U.S. person can engage in a covered data transaction with a country of concern or covered person that involves access to either ‘omic data of more than 1,000 U.S. persons or human biospecimens (as defined under the Final Rule).[24] For purposes of this article, together, these are defined as “prohibited transactions.”
Exceptions to restricted transactions and prohibited transactions
The Final Rule contains exceptions for restricted transactions and prohibited transactions as outlined below. Note that this is not an exhaustive list but outlines the exceptions most likely to apply to businesses potentially impacted by the Final Rule. These exceptions may not apply to all prohibited transactions.
Security requirements: The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) concurrently published security requirements. If the U.S. person complies with those CISA security requirements, then the transaction may occur.[25] Note that this exception does not apply to prohibited transactions.
Personal communications: If the transaction involves any postal, telegraphic, telephonic, or other personal communication that does not involve the transfer of anything of value, then the transaction may occur, and it is not considered a restricted transaction.[26]
Information or informational materials: It is not a restricted transaction if the transaction involves the importation from or exportation to any country, whether commercial or otherwise, of information or informational materials as defined by the Final Rule.[27]
Travel: It is not considered a restricted transaction if the data transaction is for ordinary travel to or from any country, maintenance within any country, including payment for living expenses, or the arrangement or facilitation of such travel.[28]
Financial services: It is not considered a restricted transaction to the extent the data transaction involves the provision of financial services including:
- Banking, capital markets, or financial insurance services;
- A financial activity authorized for national banks according to U.S. law;
- An activity that is “financial in nature or incidental to such financial activity” as set forth under U.S. law;
- The transfer of personal financial data or covered personal identifiers incidental to the purchase and sale of goods and services;
- Processing of payments or funds involving the transfer of personal financial data or covered personal identifiers; or
- Provision of investment-management services that manage or provide advice on investment portfolios or individual assets for compensation, or services ancillary to such investment-management services.[29]
Corporate group transactions: It is not a restricted transaction if the data transaction is between a U.S. person and its subsidiary or affiliate located in a country of concern and such data is used for administrative or ancillary business operations, including operations such as human resources, payroll, sharing data with professional services, paying taxes or fees, risk management, travel, or employee benefits.[30]
Investment agreements subject to the Committee on Foreign Investment in the United States (CFIUS): It is not a restricted transaction if the data involved is subject to a CFIUS action.[31]
Telecommunications services: It is not a restricted transaction if the data involved is part of the provision of telecommunications services.[32]
Drug, biological product, or medical device authorization: It is not a restricted transaction if the data transaction concerns regulatory approval data, as defined by the Final Rule, and the data is necessary for regulatory authorization.[33]
Transfers of data to foreign persons
The Final Rule prohibits a U.S. person from knowingly engaging with any foreign person (regardless of whether that person is in a country of concern or is a covered person) in any transaction that involves access to government-related data or bulk U.S. sensitive personal data and a data brokerage, unless the U.S. person: (1) contractually prohibits that foreign person from engaging in a subsequent covered data transaction of the same data with a country of concern or covered person and (2) reports any known or suspected violations of this contractual requirement.[34]
In other words, if a U.S. person is arranging a transaction and this transaction includes (1) government-related data or bulk U.S. sensitive personal data, (2) a data brokerage, and (3) a foreign person as a party to the proposed transaction, then additional contracting language must be included in the transaction contract.
Licensing
The Final Rule authorizes the Justice Department to issue licenses permitting transactions that would otherwise be restricted or prohibited by the Final Rule.[35] The licenses may be general or specific licenses, and the Final Rule outlines overall provisions governing the licensing system.[36]
Due diligence, audits, and record keeping
Any U.S. person engaging in a restricted transaction must develop and implement a “data compliance program.”[37] This data compliance program must include procedures for verifying data flows, data retention schedules, and written policies addressing security requirements, among other items.[38]
In addition, U.S. persons engaging in a restricted transaction must allow an auditor to review the company’s systems and data compliance program.[39] The Final Rule details who the auditor may be and the scope of the audit.[40] Moreover, the U.S. person must keep a full and accurate record of each restricted transaction, as well as the records described by the Final Rule, for 10 years after the date of such transaction.[41]
Penalties
Penalties for violations of the Final Rule cannot exceed the greater of $368,136 or an amount that is twice the transaction amount that forms the basis of the violation.[42] A person who willfully commits, attempts to commit, or aids in a violation of the Final Rule may be fined up to $1 million or, if a natural person, imprisoned for up to 20 years.[43] Violations of the Final Rule may also implicate penalties under other applicable laws.[44]
Conclusion and consequences
The Final Rule impacts companies that conduct business in one of the countries of concern, with a particular focus on China. Companies active in China will face significant compliance challenges, especially in the sectors of pharma/biotech, financial, social media, high-tech, consumer brands, and other data-driven industries. Companies should evaluate their data flows to and from China and analyze whether any data flow is a restricted transaction. Companies that conduct a restricted transaction should analyze whether one of the exceptions applies and, if so, should implement a data compliance program, record retention rules, and audit and reporting requirements.
When companies review their data transfer activities under the Final Rule from the U.S. law perspective, it is equally important to take into account the Chinese compliance requirements applicable to cross-border data transfers. In the past several years, China has implemented a series of laws and regulations on transferring personal data and important data out of the country; business organizations need to follow the required legal mechanisms and procedures when transferring China-collected data overseas. It is crucial for companies to carefully navigate the maze of data compliance challenges under the applicable laws in both countries and to be cognizant of similar requirements originating from other countries of concern.
1. Final Rule section 202.701(a).
2. Final Rule section 202.701(c).
3. Data brokerage “means the sale of data, licensing of access to data or similar commercial transactions… involving the transfer of data from any person to another person, where the recipient did not collect or process the data directly from the individual” (Final Rule section 202.214).
4. Vendor agreement is “any agreement or arrangement…in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment” (Final Rule section 202.258).
5. Employment agreement means “any agreement whereby an individual that is not an independent contractor performs work or job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive level services, and employment services at an operational level” (Final Rule section 202.217).
6. Investment agreement means “an agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to (1) Real estate located in the United States; or (2) a U.S. legal entity” (Final Rule section 202.228(a)).
7. Final Rule section 202.210(a).
8. Final Rule section 202.222(a)(1).
9. Human genomic data is data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a human, including the result or results of an individual’s genetic test and any related human genetic sequencing data (Final Rule section 202.224(a)(1)).
10. Besides human genomic data, the Final Rule contains three other categories of human ‘omic data: human epigenomic data, human proteomic data, and human transcriptomic data, all of which are defined in detail in the Final Rule (Final Rule section 202.224(a)(2)-(4)).
11. Biometric identifiers means “measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system” (Final Rule section 202.204).
12. Precise geolocation data “means data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters” (Final Rule section 202.242).
13. Personal health data means “health information that indicates, reveals, or describes, the past, present, or future physical or mental health or condition of an individual, provision of healthcare to an individual, or the past, present, or future payments for the provision of healthcare to an individual,” including physical measurements, health attributes, treatment history, test results, logs of exercise data, data on reproductive and sexual health, or data on the purpose of prescribed medications (Final Rule section 202.241).
14. Personal financial data “means data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history, data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a ‘consumer report’” (Final Rule section 202.240).
15. Covered personal identifiers means (1) listed identifiers in combination with any other listed identifier; and (2) listed identifiers in combination with other data that is disclosed by a transacting party pursuant to the transaction, such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data (Final Rule section 202.212).
16. Sensitive personal data means covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof; see also Final Rule section 202.212.
17. Final Rule section 202.234(a)-(h).
18. Under the Final Rule, a “U.S. person” is any U.S. citizen, national, or lawful permanent resident, or any entity organized within the United States, including foreign branches of such companies (Final Rule section 202.256(a)).
19. Vendor agreement “means any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration” (Final Rule section 202.258(a)).
20. Employment agreement “means any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level” (Final Rule section 202.217(a)).
21. Investment agreement “means an agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to [real estate located in the United States or a U.S. legal entity.]” Note that the definition excludes several types of “passive” investments (Final Rule section 202.228(a)-(b)).
22. Final Rule section 202.401(a).
23. Final Rule section 202.301(a).
24. Final Rule section 202.303(a).
25. Final Rule section 202.401(a).
26. Final Rule section 202.501.
27. Final Rule section 202.502; information or informational materials refers to “expressive material and includes publications, films, posters, phonograph records, photographs, microfilms, microfiche, tapes, compact disks, CD ROMs, artworks, and news wire feeds. It does not include data that is technical, functional, or otherwise non-expressive” (Final Rule section 202.226(a)).
28. Final Rule section 202.503.
29. Final Rule section 202.505(1)-(6).
30. Final Rule section 202.506(a).
31. Final Rule section 202.508.
32. Final Rule section 202.509.
33. Final Rule section 202.510.
34. Final Rule section 202.301(a).
35. Final Rule sections 202.801(a), 202.802(a).
36. Final Rule section 202.803.
37. Final Rule section 202.1001(a).
38. Final Rule section 202.1001(b).
39. Final Rule section 202.1002(a).
40. Final Rule section 202.1002(b)-(f).
41. Final Rule section 202.1101.
42. Final Rule section 202.1301(a)(2). Note that violations are governed by section 206 of the International Emergency Economic Powers Act, 50 U.S.C. section 1705.
43. Final Rule section 202.1301(a)(3).
44. Final Rule section 202.1301(e).
In-depth 2025-095