Frequently Asked Questions - DOJ Rule

What type of data is covered by the DOJ Rule?

The DOJ Rule prohibits or restricts various categories of transactions involving U.S. bulk sensitive personal data or government-related data between U.S. persons and the Countries of Concern or covered persons.

What is covered data?

The DOJ Rule covers the following categories of transactions:

  • Prohibited Transactions – include any covered "data brokerage" transactions involving covered data with covered persons and any data transaction with a covered person that involves access to bulk human omic data or to human biospecimens from which such data could be derived. Unless exempt or otherwise authorized by a general or specific license, U.S. persons may not knowingly engage in a data transaction involving data brokerage with a covered person; and
  • Restricted Transactions – include any covered data transaction involving an employment agreement, vendor agreement, or investor agreement with a Country of Concern or a covered person. U.S. persons may engage in a restricted transaction only if they comply with: (1) Cybersecurity and Infrastructure Security Agency (CISA) security requirements; (2) all Data Compliance Program development and implementation requirements; (3) the obligation to conduct audits; and (4) the recordkeeping requirements.

What are the bulk data thresholds?

The “bulk” thresholds for each category of sensitive personal data of U.S. persons are as follows:

  • Human Genomic data - 100 U.S. persons
  • Human Epigenomic data - 1,000 U.S. persons
  • Human Proteomic data - 1,000 U.S. persons
  • Human Transcriptomic data - 1,000 U.S. persons
  • Biometric identifiers - 1,000 U.S. persons
  • Precise geolocation data - 1,000 U.S. persons
  • Personal health data - 10,000 U.S. persons
  • Personal financial data - 10,000 U.S. persons
  • Covered personal identifiers - 10,000 U.S. persons

*A transaction is considered “bulk” if it meets or exceeds the thresholds at any point in the preceding 12 months.

*There is no “bulk” threshold for U.S. government-related data.

What if the transaction includes multiple types of data listed on the bulk thresholds list?

If the data transfer includes multiple types of data included on the bulk thresholds list, the lowest threshold of the data type included applies to all of the data transferred.

What are the countries of concern?

  • China (including Hong Kong and Macau)
  • Cuba
  • Iran
  • North Korea
  • Russia
  • Venezuela

*The above list of countries also includes individuals and entities under their control.

What is a covered person?

The term “covered person” means:

  • Foreign entities that are organized under the laws of a country of concern, have their principal place of business in a country of concern, or are 50% or more owned by a country of concern.
  • Entities that are 50% or more owned by another covered person.
  • Foreign individuals who are:
    • Primarily a resident in a country of concern, or
    • Employed by or acting on behalf of a covered entity.

  • Any individual specifically designated by the U.S. Department of Justice as subject to the direction or control of a country of concern or another covered person.

What are the penalties for violations?

The Department of Justice may seek civil penalties of up to $368,136 or twice the amount of the transaction involved, whichever amount is greater.  Willful violations can lead to criminal fines up to one million dollars ($1,000,000) and up to 20 years imprisonment.

What is personal health data?

“Personal health data” is defined broadly to include virtually all protected health information related to human patients.  The official definition is: “health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual. This term includes basic physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms, and allergies); social, psychological, behavioral, and medical diagnostic, intervention, and treatment history; test results; logs of exercise habits; immunization data; data on reproductive and sexual health; and data on the use or purchase of prescribed medications.” 28 CFR § 202.241.

How are human biospecimens counted?

The regulations bar covered data transactions with a country of concern or covered person that involve human biospecimens from which bulk human ‘omic data could be derived.  Given the low threshold for genomic data (100 persons), even relatively low numbers of biospecimens could potentially fall within the regulations.  The definition of biospecimen does, however, exclude biospecimens “intended by a recipient solely for use in diagnosing, treating, or preventing any disease or medical condition.”  28 CFR § 202.223(b).

How are the bulk data thresholds counted over a 12-month period?

If there are separate data transfers between the University and the covered person, the numbers are combined over each preceding 12 months to see if they meet the bulk thresholds.  The regulations state that the term bulk “means any amount of sensitive personal data that meets or exceeds the…. thresholds at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person….”  28 CFR § 202.205.

If the data has been anonymized, de-identified, or aggregated, is it outside the regulations?

No. The prohibitions and restrictions apply to bulk U.S. sensitive personal data, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.  As the Department of Justice explained, “advances in technology, combined with access by countries of concern to large datasets, increasingly enable countries of concern that access this data to re-identify or de-anonymize data, allowing them to reveal exploitable sensitive personal information on U.S. persons.”

What covered data transactions are prohibited?

  1. Selling, licensing, or providing access to bulk U.S. sensitive personal data or U.S. government-related data that are accessible to a country of concern or covered person;
  2. Vendor agreements, employment agreements, or investment agreements involving bulk U.S. human genomic, epigenomic, proteomic, or transcriptomic data (or human biospecimens from which such data may be derived) that are accessible to a country of concern or covered person; and
  3. Data brokerage transactions involving any type(s) of bulk U.S. sensitive personal data or U.S. government-related data that are accessible to a foreign person who is not a country of concern or covered person, but who then shares it with a country of concern or covered person (onward transfer).

The Data Security Program also prohibits a U.S. person from (1) directing a transaction that the U.S. person knows or should know is a prohibited or restricted transaction and (2) evading or avoiding, causing a violation of, or conspiring to evade any of its prohibitions. 

How do the DOJ Rule and the National Institutes of Health (NIH) Policy on Enhancing Security Measures for Human Biospecimens align?

NIH now prohibits the distribution of NIH-supported U.S. person biospecimens to institutions or parties in designated “Countries of Concern,” except under limited and documented circumstances, further limiting access to NIH-controlled data repositories. The policy applies whenever NIH funds are involved in the collection, processing, storage, use, or distribution of human clinical and research biospecimens obtained from U.S. persons regardless of identifiability, NIH funding level, or NIH funding mechanism.

Both the NIH policy and the DOJ Rule also extend to collaborations with data or specimen access involving individuals who are no longer employed by, enrolled at, or formally affiliated with the University (including visiting scholars and postdoctoral researchers) who are residing in or employed by an institution in a Country of Concern. Continued access to covered biospecimens, derived cell lines, or associated data by such individuals is not permitted unless an applicable exception under the NIH policy or DOJ Rule applies and the activity has been reviewed and cleared by Export Control & Research Security.

What about individuals from countries of concern who are lawfully present in the United States?

Any individual, including an individual from a country of concern, can access covered data while lawfully present in the United States, unless such individual is named on the DOJ’s Covered Persons List maintained by the National Security Division.

However, when an individual who is primarily a resident of a country of concern, or who is an employee or contractor of a covered person or country of concern, leaves the United States, even for a brief period of time such as to attend a conference or visit family overseas, that individual will become a covered person upon exiting the United States. Additionally, that individual may no longer have access to covered data.

Any attempt to avoid the regulation’s prohibitions, such as by having a covered person enter the United States to receive covered data, could constitute evasion and a violation of the regulation.

How does the DOJ Rule impact material transfer agreements (MTA) and data use agreements (DUA)?

  • Prohibits onward transfer to Countries of Concern
  • Requires recipients to obtain prior written approval for any subcontracting or rerouting
  • Imposes strict research security and export control requirements
  • Transfer of tangible research materials is governed by a Material Transfer Agreement (MTA) at UIUC, UIC, and UIS.
  • Data transfer and use agreements (DTUA) or DUAs involve sharing data with an outside party or receiving data from an outside party and are processed on each University campus in accordance with the guidance provided: UIUC, UIC, and UIS. An agreement is needed regardless of the identifiability of the data/specimens.