Department of Justice (DOJ) National Security Regulation Regarding Bulk U.S. Sensitive Personal Data
In implementing Executive Order 14117, the U.S. Department of Justice (DOJ) issued a Final Rule (28 C.F.R. Part 202) effective April 8, 2025 titled Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (DOJ Rule). This DOJ Rule establishes the Data Security Program (DSP), which functions similarly to export controls by imposing compliance requirements and prohibiting or restricting the transfer of bulk U.S. sensitive personal data and government-related data to six “Countries of Concern”: China (including Hong Kong and Macau, but excluding Taiwan), Cuba, Iran, North Korea, Russia, and Venezuela, as well as transactions that could expose U.S. sensitive data to foreign entities or individuals with certain connections to Countries of Concern.
The DOJ Rule defines Covered Person, Covered Data Transactions, Sensitive Personal Data, Human Biospecimens, Data Brokerage, and Government-Related Data, among other terms.
Impacts include but are not limited to:
- International collaborations
- Data transfer and use agreements
- Vendor contracts
- Employment contracts
- Research involving restricted and prohibitive datasets
- Investment agreements
Resources:
IAPP Cheat Sheet
U.S. Department of Justice Compliance Guide
U.S. Department of Justice FAQs
Data Security Program FAQ
NIH: NOT-OD-25-160, NOT-OD-25-159, NOT-OD-24-157, NOT-OD-14-124, NOT-OD-25-083
Contact:
For questions regarding the DOJ Rule please contact complianceoffice@uillinois.edu