
DOJ Issues New Rule Regulating Handling of Bulk Sensitive Personal Data

By Craig Heeren and Mollie Sitkowski and Angela Lam
December 01, 2024


The Department of Justice (DOJ) has proposed a rule that would regulate certain transactions involving bulk sensitive personal data. Public comments are due in 30 days from the notice date.
The rule would implement a complex regulatory framework, with civil and criminal enforcement, that is similar to sanctions and export licensing regimes. It also implicates federal cybersecurity requirements, government contracting and CFIUS actions.
Businesses that handle significant amounts of sensitive personal data, as well as those that handle any amount of certain U.S. government data, should ensure they are prepared for these significant new potential regulations.
On Oct. 21, 2024, the National Security Division of the Department of Justice (DOJ NSD) issued a notice of proposed rulemaking (NPRM) that would establish a comprehensive regulatory framework to prevent and restrict the transfer of “bulk sensitive personal data” to countries and entities that are deemed a risk to U.S. national security. As explained in a prior insight regarding an advance notice of proposed rulemaking on this issue, the DOJ is issuing this rule after the Biden administration directed federal agencies to issue regulations to respond to the concern of misuse of sensitive data that could impact national security. The NPRM addresses comments provided through the advance notice process, details the proposed rule, and provides for an additional 30-day comment period. As discussed below, the proposed rule is a significant effort to regulate data through civil and criminal enforcement mechanisms akin to sanctions and export control regulations. Businesses potentially subject to its reach should carefully consider how to handle the rule’s implementation.

Summary of the Rule

The DOJ NSD rule would prohibit or restrict the transfer of “bulk sensitive personal data” or “government-related data” to certain “countries of concern” and “covered persons,” unless the transaction meets certain cybersecurity requirements or a license permitting the transaction is provided by the Department of Justice. Certain transactions are exempt from this rule. Some of the key provisions include the following:

  • Countries of Concern. The six countries of concern are China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela, but the list can be amended by the Attorney General to remove countries or add additional ones.
  • Covered Persons. A “covered person” is defined as one of four classes of entities or individuals that are connected to the countries of concern in some fashion, or otherwise added to a “Covered Persons List” by the Attorney General.
  • “Bulk” Data and Government-Related Data. The rule defines “bulk” data as sensitive personal data relating to U.S. persons, whether the data is anonymized, pseudonymized, de-identified, or encrypted, that exceeds certain aggregate thresholds in the 12 months before a covered transaction. Government-related data consists of certain types of sensitive location data and sensitive personal data — in any amount — related to current or recent former government employees, officials or contractors.
  • Prohibited Transactions. Transactions with a country of concern or covered person involving “data brokerage” and access to bulk human genomic data or biospecimens are prohibited.
  • Restricted Transactions & Cybersecurity Requirements. Vendor, employment, and non-passive investment agreements with countries of concern or covered persons may be conducted, provided the U.S. entity involved in the transaction meets cybersecurity requirements developed by the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA), which were concurrently released for public comment.
  • Exempt Transactions. The proposed rule exempts eleven categories of transactions, including personal communications, certain telecommunications services, certain financial services transactions, certain FDA-regulated data, and certain investment agreements subject to the Committee on Foreign Investment in the United States (CFIUS) actions.
  • License Requirements. DOJ would have the ability to issue both “general” licenses (a license that permits an entity to engage in repeated transactions) and “specific” licenses (a license to engage in a particular transaction) to authorize otherwise prohibited or restricted transactions.
  • Civil and Criminal Enforcement Mechanisms. Promulgated under the International Economic Emergency Powers Act (IEEPA), the government would be authorized to conduct investigations, issue civil penalties of up to $368,136 or twice the amount of the transaction, whichever is greater, and pursue criminal prosecutions for willful violations that can lead to fines of up to $1 million and 20 years imprisonment. As explained in a prior insight, the statute of limitations for civil and criminal violations of IEEPA was recently extended from five years to 10 years.

What Does This Mean?

The Rule Is Broad and Complex

