Modified on March 5, 2026 to remove the “subscribe” option. This blog has been retired and replaced by the S.P.I.R.I.T. newsletter.
Good morning, good afternoon, and good evening, Compliance Rockstars, Clinical Research Professionals, Ethics Enthusiasts, Legal Experts, and Investigators!

Authored By: Tasha Mohseni
Can’t believe we are already through November! As much as this year has gone slow for me, it also feels unbelievably fast…
As I’ve mentioned in numerous posts, we have endured MANY changes this CY25 that have impacted FY26. Ideally, a central repository would be best to review all regulatory updates (at least in my opinion).

For now though, I will do my best to keep up with these changes in this evolving landscape! It truly lifts my spirits to spread knowledge to the research compliance community.
Did anyone attend CITI Program’s webinar that discussed the DOJ Bulk Data Transfer Rule last month?
I thought the presentation was fabulous! The speaker was informative and had great slides to explain this rule. If you weren’t able to attend, I’m really glad you’re here! For today’s post let’s learn about DOJ’s Bulk Data Transfer Rule. Specifically, I’d like to touch on:
- What is this rule?
- When is the rule effective?
- Why is this rule necessary?
- What resources are available to better understand this rule?
Please note that I will NOT be sharing presentation slides or describing the presentation verbatim. Though it gave me background on this topic, I have spent quite some time researching this rule myself. I always want to provide my readers a comprehensive overview of any topic I write about!
As a general reminder, these are my own interpretations. Any legal information discussed within this post should be discussed with your institution.
Table of Contents
- DOJ Rule Matrix
- DOJ Rule Timeline
- DOJ Rule Applicability
DOJ Rule Matrix
The DOJ Rule Matrix provides key highlights of the final rule.
- In general, this rule prohibits and restricts certain sensitive health, genomic, and personal data transactions with certain countries or persons.
- This rule heavily relies on understanding definitions to determine appropriate applicability and compliance.
- The rule was finalized in January 2025 with two effective dates (which will be discussed in the subsequent sections).
- Each resource listed within the matrix will also be described in the subsequent sections.
DOJ Rule Timeline
The timeline for rule creation and implementation stemmed from EO 14117 in February 2024.
EO 14117: Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern
- The purpose of this EO was to restrict access by countries of concern to Americans’ bulk sensitive personal data and U.S. government-related data when such access would pose an unacceptable risk to the national security of the U.S.
- The EO was issued based on the following EOs:
CISA Publication: Security Requirements for Restricted Transactions
- As directed by EO 14117, CISA developed security requirements to apply to classes of restricted transactions identified in the DOJ regulation.
- The security requirements require that U.S. persons engaging in restricted transactions comply with organizational-, system-, and data-level requirements to prevent covered persons and countries of concern from accessing covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology.
Key Dates and Actions
- January 8, 2025:
- April 8, 2025:
  - Compliance with DOJ Rule is expected except with the following:
    - Subpart J: Due Diligence and Audit Requirements
    - Section 202.1103: Annual Reports
    - Section 202.1104: Reports on Rejected Prohibited Transactions
  - The National Security Division’s Data Security Program is in effect:
    - This program addresses the national-security risks posed by the continued efforts of foreign adversaries to use commercial activities to access and exploit U.S. Government-related data and Americans’ bulk sensitive personal data.
    - It was issued under the International Emergency Economic Powers Act and EO 14117 addressing the national emergency declared via EO 13873
    - The following resources can be reviewed with respect to this program:
- April 18, 2025:
  - Pertaining To Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons Rule was issued.
    - This rule rectifies incorrect cross-referencing from the originally published rule.
    - This rule was not mentioned within the matrix and timeline in the sections above.
Now, we have a better background as to why this rule was created. Further, we’ve reviewed supporting publications prior to the issuance of the DOJ rule. In the final section, we will dive into:
- Key terms that will help us understand when the rule applies
- Rule applicability
DOJ Rule Applicability
There are many terms we need to work through prior to applying this rule.
Data Types Defined Under the DOJ Rule
Note that “Sensitive Personal Data” will be described in the next section as it is based on many terms.
Biometric Identifiers
- Measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system
Covered Personal Identifiers
- Any listed identifier:
  - In combination with any other listed identifier; or
  - In combination with other data that is disclosed by a transacting party pursuant to the transaction such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data.
- The rule also lists several exclusions and examples under this term.
Government-related Data
- Any precise geolocation data, regardless of volume, for any location within any area enumerated on the Government-Related Location Data List in § 202.1401 which the Attorney General has determined poses a heightened risk of being exploited by a country of concern to reveal insights about locations controlled by the Federal Government, including insights about facilities, activities, or populations in those locations, to the detriment of national security, because of the nature of those locations or the personnel who work there; and
- Any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and Intelligence Community
Human Biospecimens
- Means a quantity of tissue, blood, urine, or other human-derived material, including such material classified under any of the following 10-digit Harmonized System-based Schedule B numbers
Human `omic Data
- Represents the following human data types:
  - Genomic data
  - Epigenomic data
  - Proteomic data
  - Transcriptomic data
- Excludes pathogen-specific data embedded in human `omic data sets
Personal Financial Data
- Data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a “consumer report”
Personal Health Data
- Health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
Precise Geolocation Data
- Includes data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters
Data Transactions Defined Under the DOJ Rule
Note that “Covered Data Transaction” will be described in the next section as it is based on many terms.
Transaction
- Any acquisition, holding, use, transfer, transportation, exportation of, or dealing in any property in which a foreign country or national thereof has an interest.
Exempt Transactions
- A data transaction that is subject to one or more exemptions described in subpart E of this part.
- This will be described in the last section.
Prohibited Transactions
- A data transaction that is subject to one or more exemptions described in subpart C of this part.
- This will be described in the last section.
Restricted Transactions
- A data transaction that is subject to one or more exemptions described in subpart D of this part.
- This will be described in the last section.
Other Important Definitions Under the DOJ Rule
Bulk U.S. Sensitive Personal Data
- As noted in the rule, “bulk” is equivalent to a sensitive personal data threshold.
  - There are seven thresholds:
    - Human `omic data
    - Biometric identifiers
    - Precise geolocation data
    - Personal health data
    - Personal financial data
    - Covered personal identifiers
    - Combination of all data types above
Covered Data Transaction
Note that the following terms have been defined:
- Transaction,
- Government-related data, and
- Bulk U.S. sensitive personal data
Access
- Logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form, including through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment, or software
- For purposes of determining whether a transaction is a covered data transaction, access is determined without regard for the application or effect of any security requirements
Countries of Concern
- Cuba, Venezuela, Russia, North Korea, China, and Iran are countries of concern
- From the rule, these are any foreign government that, as determined by the Attorney General with the concurrence of the Secretary of State and the Secretary of Commerce:
  - Has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons; and
  - Poses a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or security and safety of U.S. persons
Covered Person
- There are five types listed within this definition along with their associated examples within the rule
- From the webinar, a covered person can be anyone who is from any of the countries of concern (resident, national, official) and also could mean a corporate person/entity from these countries
- Considering this person’s affiliation is crucial
Data Brokerage
- The sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.
Vendor Agreement
- Any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.
Employee Agreement
- Any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.
Investment Agreement
- An agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to:
  - Real estate located in the United States; or
  - A U.S. legal entity.
Piecing it Together: Applying the DOJ Rule
Though it was shared earlier in this post, the following resource is recommended reading to ensure compliance with and understanding of this rule: Data Security Program: Compliance Guide
- In general, you should complete an inventory of your data
- You should review the type of data in question and where it is being transferred to, so rule applicability can be assessed
- Subparts C-E are critical in understanding data transactions as some of these data transactions are exempt from this rule
- The guide and rule itself should be reviewed for specific reporting, record keeping, and auditing requirements
I hope this article helped you better understand the DOJ’s Bulk Data Transfer Rule! If you did attend the CITI Program webinar, then this post should have been a nice resource to complement what you learned.
