On January 8, 2025, the Department of Justice (DOJ) published in the Federal Register a Final Rule, "Preventing Access to U.S. Sensitive Personal Data and Government Related Data by Countries of Concern or Covered Persons," which concluded the rulemaking process started in March 2024. This Final Rule follows President Biden's Executive Order (EO) 14117, which has a stated purpose of restricting "access by countries of concern" to Americans' personal data and sensitive government data. The EO prompted the DOJ to release an Advance Notice of Proposed Rulemaking in March 2024 and a Notice of Proposed Rulemaking (NPRM) in October 2024, both addressing the EO's directive to the DOJ to establish a framework prohibiting certain data transactions with certain foreign countries and entities controlled by them.
For additional analysis, background, and context for the overview of select key clarifications made in the Final Rule, please read our prior summary of the NPRM. While the structure of the Final Rule is largely similar to that of the NPRM (prohibiting certain data brokerage activity and restricting other transactions that result in access to covered data), it does include some revisions to certain definitions and additional examples for clarity regarding application of the Final Rule. Additionally, we've linked to the relevant section of our summary of the NPRM for each item discussed below.
Highlights of Key Clarifications
1. Covered Person
The Final Rule, like the NPRM, defines and provides specific examples of covered persons. DOJ updated the "50 percent or more owned" definition of "covered person" to align, in DOJ's view, more closely with the Treasury Department's Office of Foreign Assets Control's (OFAC) regulations addressing the same concept. DOJ stated that it intends the two definitions to be generally applied in a similar manner.
DOJ indicated that amending the definition to include the term "directly or indirectly, individually or in the aggregate" helps ensure that entities with 50% or more ownership by a covered person will be considered covered persons under this new framework, capturing indirect ownership in complex structures. DOJ stated that it intends to capture, as the OFAC rule seeks to do, situations where two covered persons collectively own 50% or more of an entity. If their combined minority ownership stakes reach the 50% threshold, the entity will be considered a covered person.
2. Knowledge Standard
The DOJ clarified that when it comes to applying the standard of whether a U.S. person has acted "knowingly" in violation of the Final Rule's requirements, U.S. persons are "not responsible for conduct, circumstances, or results that they could not reasonably have known about." The DOJ continued to emphasize that a company's risk-based compliance program would be a factor when determining if a company acted in a "knowing" manner with regard to the rule's requirements.
3. Government Locations
The DOJ greatly expanded the Government-Related Location Data list, which identifies the GPS locations that are considered government-related data, adding Department of Defense sites and installations, such as bases, camps, posts, stations, yards, centers, or homeport facilities for any ship, ranges, and training areas in the United States and its territories. The list now includes over 700 specific locations; data related to those defined locations would be prohibited from being disclosed to covered persons, regardless of the volume of data involved in the transaction.
4. Potential Wind-down License Period
The DOJ clarified that the Final Rule applies to covered data transactions occurring "on or after the effective date," regardless of whether they are conducted under preexisting agreements. For preexisting agreements that would fall under the Final Rule's requirements, the DOJ signaled its consideration of a wind-down license that would permit a country of concern or a covered person to access bulk U.S. sensitive personal data or government-related data for a set period of time after the rule's effective date, while amendments are made to the preexisting agreements and transactions.
5. Sensitive Personal Data
The DOJ clarified definitions of the sensitive personal data categories based on public comments. For example, the DOJ explicitly clarified that publicly available data, including precise geolocation data, is excluded from each category of sensitive personal data. The DOJ also clarified that IP addresses are treated as listed identifiers rather than precise geolocation data, even though IP addresses could be used to identify some location data. Therefore, a transaction involving only one listed identifier, such as an IP address alone, does not qualify as sensitive personal data. However, as was previewed in the NPRM, an IP address in combination with another listed identifier (e.g., advertising IDs) would qualify as sensitive personal data and be subject to the bulk data restrictions.
6. Data Brokerage with Non-Covered Foreign Persons
The Final Rule continues to require entities that engage in data brokerage of covered data with non-covered entities in foreign countries to restrict the potential for those third parties to resell such data to covered persons. DOJ stated that it anticipates that it will provide sample contractual language in future guidance for entities engaged in data brokerage to include in contracts to help meet those requirements.
What's Next for Implementation?
Despite requests from commenters for more time to comply with the new rule, the DOJ determined that "in light of the need to expeditiously address the increasingly urgent national security threat," a longer implementation timeline was not appropriate. Accordingly, because the Final Rule was published on January 8, 2025, the rule is slated to take effect on April 8, 2025, with certain due diligence, reporting, and other requirements coming into effect on October 5, 2025.
Companies that may engage in covered transactions should prepare compliance programs to meet the rule's requirements, at a minimum identifying potential data transactions that may be covered, assessing how the rule may apply to those transactions, and assessing how they will determine when a data recipient may be covered by these restrictions.
About Venable
Venable's Privacy and Data Security Practice Group has extensive experience counseling clients on obligations as data brokers or those using data broker services. Please feel free to reach out to us if you would like to learn more about federal or state privacy legislation, applicability to your organization, or what you can do to assess your compliance posture with respect to new laws or regulations.