New Bulk Data Transfer Rule Limits Personal Information U.S. Companies Can Share with Countries Deemed Foreign Adversaries, Including China

Jun 27, 2025 | Blog

U.S. companies with offices and/or interests abroad, particularly in China (including Hong Kong and Macau) and Russia, should be aware of the latest data protection regulation, whose limited-enforcement grace period ends on July 8, 2025. Specifically, this Rule affects entities that share categories of information frequently collected by websites and other means (such as digital advertising) with employees, vendors, and customers in the specified jurisdictions. Entities that share such information should study the Rule's mandates and begin their efforts to meet them now.

The Bulk Data Transfer Rule is a new Department of Justice (DOJ) regulation implementing Executive Order 14117 that affects businesses that exchange data with certain "Countries of Concern." More specifically, the Rule restricts the transfer of certain categories of sensitive U.S. data above specified volume thresholds to China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

In a press release issued by the DOJ, it called the program a step towards preventing “foreign adversaries from using commercial activities to access and exploit U.S. government-related data and Americans’ sensitive personal data.”

The Rule's "covered persons" include individuals primarily resident in the Countries of Concern and foreign entities 50% or more owned by a Country of Concern or by covered persons. For the purposes of this Rule, "Sensitive Data" includes the categories below, and the bulk thresholds that trigger the Rule are quite low:

  • Personal Financial Data – including purchase and payment history (threshold of 10,000 U.S. persons)
  • Covered Personal Identifiers – including IP addresses when combined with other listed identifiers (threshold of 100,000 U.S. persons)
  • Personal Health Data – defined broadly using almost the identical definition as the Health Insurance Portability and Accountability Act (HIPAA); information regarding past/present/future medical conditions or treatment (threshold of 10,000 U.S. persons)
  • Precise Geolocation Data – location within 1,000 meters (threshold of 1,000 U.S. devices)

This Rule will affect most U.S. companies that have business partners, vendors/subcontractors, or customers in the designated countries and that share the above categories of data. Many U.S. companies of all sizes routinely collect these types of data from their websites through tracking technologies and share them with entities in Countries of Concern.

For example, a U.S. clothing or toy retailer may send its U.S. customers' purchase and payment histories to its manufacturer in China so that product lines can be redesigned around current trends to increase sales. Another example is an investment target company that collects Sensitive Data through pixels on its website and then shares it with entities overseas during investment due diligence.

It is important to note that the Rule does not outright prohibit these data transfers (with the exception of data brokerage transfers and transfers involving certain human genomic data). Rather, the Rule requires the U.S. entity transferring the data to draft or update its cybersecurity controls and policies to meet the Security Requirements published by the Cybersecurity and Infrastructure Security Agency (CISA); to document that compliance; and to implement risk assessment and monitoring of its information systems to ensure continued compliance with those controls.

Additional elements of compliance will include an updated data inventory and data flow analysis to identify data that may be shared with Countries of Concern (including through pixels, cookies, and other website tracking technologies); revision of vendor agreements with security representations and appendices that align the vendor's cybersecurity controls with the CISA Security Requirements; and workforce training to recognize actual and potential data transfers that may be covered by the Rule and to bring those transfers into compliance.

Most data regulations include exemptions for data that is encrypted or anonymized; this Rule, however, does not. The exemptions the Rule does allow for include:

  • Personal communications
  • Information or informational materials, as defined within the Rule
  • Travel
  • Official business of the United States Government
  • Certain Financial Services and transactions
  • Corporate group transactions (e.g., HR payroll, etc.)
  • Transactions required or authorized by Federal law or international agreements, or necessary for compliance with Federal law
  • Investment agreements subject to a Committee on Foreign Investment in the United States (CFIUS) action
  • Telecommunications services
  • Drug, biological product, and medical device authorizations, as defined within the Rule
  • Other clinical investigations and post-marketing surveillance data

While the Rule originated under the Biden administration (proposed in October 2024 and finalized in December 2024), the Trump administration's DOJ has embraced it as a national security imperative, making robust enforcement appear likely. Civil penalties for violation of the Rule include fines of up to $368,136 or twice the value of the subject transaction, whichever is greater, and willful violations can also carry criminal penalties.

The Rule became effective on April 8, 2025. The DOJ's limited-enforcement grace period ends on July 8, 2025, and the Rule's affirmative due diligence, audit, and reporting obligations take effect on October 6, 2025. The DOJ has offered additional guidance in the form of an FAQ sheet.

If you have any questions regarding the new Rule and guidance for your company’s compliance initiative, please contact Kenneth Rashbaum.

Barton LLP