Department of Justice (DOJ) National Security Regulation Regarding Bulk U.S. Sensitive Personal Data

In implementing Executive Order 14117, the U.S. Department of Justice (DOJ) issued a Final Rule (28 C.F.R. Part 202) effective April 8, 2025 titled Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (DOJ Rule). This DOJ Rule establishes the Data Security Program (DSP), which functions similarly to export controls by imposing compliance requirements and prohibiting or restricting the transfer of bulk U.S. sensitive personal data and government-related data to six “Countries of Concern”: China (including Hong Kong and Macau, but excluding Taiwan), Cuba, Iran, North Korea, Russia, and Venezuela, as well as transactions that could expose U.S. sensitive data to  foreign entities or individuals with certain connections to Countries of Concern.

The DOJ Rule defines Covered Person, Covered Data Transactions, Sensitive Personal Data, Human Biospecimens, Data Brokerage, and Government-Related Data, among other terms.

Impacts include but are not limited to:

  • International collaborations
  • Data transfer and use agreements
  • Vendor contracts
  • Employment contracts
  • Research involving restricted and prohibitive datasets
  • Investment agreements

Resources:

IAPP Cheat Sheet

U.S. Department of Justice Compliance Guide

U.S. Department of Justice FAQs

Data Security Program FAQ

NIH: NOT-OD-25-160, NOT-OD-25-159, NOT-OD-24-157, NOT-OD-14-124, NOT-OD-25-083

Contact:

For questions regarding the DOJ Rule please contact complianceoffice@uillinois.edu

Frequently Asked Questions

Last item for navigation