<RULE>
DEPARTMENT OF JUSTICE
<CFR>28 CFR Part 202</CFR>
<DEPDOC>[Docket No. NSD 104]</DEPDOC>
<RIN>RIN 1124-AA01</RIN>
<SUBJECT>Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons</SUBJECT>
<HD SOURCE="HED">AGENCY:</HD>
National Security Division, Department of Justice.
<HD SOURCE="HED">ACTION:</HD>
Final rule.
<SUM>
<HD SOURCE="HED">SUMMARY:</HD>
The Department of Justice is issuing a final rule to implement Executive Order 14117 of February 28, 2024 (Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern), by prohibiting and restricting certain data transactions with certain countries or persons.
</SUM>
<EFFDATE>
<HD SOURCE="HED">DATES:</HD>
This rule has been classified as meeting the criteria under 5 U.S.C. 804(2) and is effective April 8, 2025. However, at the conclusion of the Congressional review, if the effective date has been changed, the Department of Justice will publish a document in the
<E T="04">Federal Register</E>
to establish the actual date of effectiveness or to terminate the rule. The incorporation by reference of certain material listed in this rule is approved by the Director of the Federal Register as of April 8, 2025.
</EFFDATE>
<FURINF>
<HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD>
Email (preferred):
<E T="03">NSD.FIRS.datasecurity@usdoj.gov</E>
. Otherwise, please contact: Lee Licata, Deputy Chief for National Security Data Risks, Foreign Investment Review Section, National Security Division, U.S. Department of Justice, 175 N Street NE, Washington, DC 20002; Telephone: 202-514-8648.
</FURINF>
<SUPLINF>
<HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD>
<HD SOURCE="HD1">Table of Contents</HD>
<EXTRACT>
<FP SOURCE="FP-2">I. Executive Summary</FP>
<FP SOURCE="FP-2">II. Background</FP>
<FP SOURCE="FP-2">III. Rulemaking Process</FP>
<FP SOURCE="FP-2">IV. Discussion of Comments on the Notice of Proposed Rulemaking and Changes From the Proposed Rule</FP>
<FP SOURCE="FP1-2">A. General Comments</FP>
<FP SOURCE="FP1-2">1. Section 202.216—Effective Date.</FP>
<FP SOURCE="FP1-2">B. Subpart C—Prohibited Transactions and Related Activities</FP>
<FP SOURCE="FP1-2">1. Section 202.210—Covered Data Transactions</FP>
<FP SOURCE="FP1-2">2. Section 202.301—Prohibited Data-Brokerage Transactions; Section 202.214—Data Brokerage</FP>
<FP SOURCE="FP1-2">3. Section 202.201—Access</FP>
<FP SOURCE="FP1-2">4. Section 202.249—Sensitive Personal Data</FP>
<FP SOURCE="FP1-2">5. Section 202.212—Covered Personal Identifiers</FP>
<FP SOURCE="FP1-2">6. Section 202.234—Listed Identifier</FP>
<FP SOURCE="FP1-2">7. Section 202.242—Precise Geolocation Data</FP>
<FP SOURCE="FP1-2">8. Section 202.204—Biometric Identifiers</FP>
<FP SOURCE="FP1-2">9. Section 202.224—Human `Omic Data</FP>
<FP SOURCE="FP1-2">10. Section 202.240—Personal Financial Data</FP>
<FP SOURCE="FP1-2">11. Section 202.241—Personal Health Data</FP>
<FP SOURCE="FP1-2">12. Section 202.206—Bulk U.S. Sensitive Personal Data</FP>
<FP SOURCE="FP1-2">13. Section 202.205—Bulk</FP>
<FP SOURCE="FP1-2">14. Section 202.222—Government-Related Data</FP>
<FP SOURCE="FP1-2">15. Section 202.302—Other Prohibited Data-Brokerage Transactions Involving Potential Onward Transfer to Countries of Concern or Covered Persons</FP>
<FP SOURCE="FP1-2">16. Section 202.303—Prohibited Human `Omic Data and Human Biospecimen Transactions</FP>
<FP SOURCE="FP1-2">17. Section 202.304—Prohibited Evasions, Attempts, Causing Violations, and Conspiracies</FP>
<FP SOURCE="FP1-2">18. Section 202.215—Directing</FP>
<FP SOURCE="FP1-2">19. Section 202.230—Knowingly</FP>
<FP SOURCE="FP1-2">C. Subpart D—Restricted Transactions</FP>
<FP SOURCE="FP1-2">1. Section 202.401—Authorization To Conduct Restricted Transactions</FP>
<FP SOURCE="FP1-2">2. Section 202.258—Vendor Agreement</FP>
<FP SOURCE="FP1-2">3. Section 202.217—Employment Agreement</FP>
<FP SOURCE="FP1-2">4. Section 202.228—Investment Agreement</FP>
<FP SOURCE="FP1-2">D. Subpart E—Exempt Transactions</FP>
<FP SOURCE="FP1-2">1. Section 202.502—Information or Informational Materials</FP>
<FP SOURCE="FP1-2">2. Section 202.504—Official Business of the United States Government</FP>
<FP SOURCE="FP1-2">3. Section 202.505—Financial Services</FP>
<FP SOURCE="FP1-2">4. Section 202.506—Corporate Group Transactions</FP>
<FP SOURCE="FP1-2">5. Section 202.507—Transactions Required or Authorized by Federal Law or International Agreements, or Necessary for Compliance With Federal Law</FP>
<FP SOURCE="FP1-2">6. Section 202.509—Telecommunications Services</FP>
<FP SOURCE="FP1-2">7. Section 202.510—Drug, Biological Product, and Medical Device Authorizations</FP>
<FP SOURCE="FP1-2">8. Section 202.511—Other Clinical Investigations and Post-Marketing Surveillance Data</FP>
<FP SOURCE="FP1-2">9. Exemptions for Non-Federally Funded Research</FP>
<FP SOURCE="FP1-2">E. Subpart F—Determination of Countries of Concern</FP>
<FP SOURCE="FP1-2">1. Section 202.601—Determination of Countries of Concern</FP>
<FP SOURCE="FP1-2">F. Subpart G—Covered Persons</FP>
<FP SOURCE="FP1-2">1. Section 202.211—Covered Person</FP>
<FP SOURCE="FP1-2">2. Section 202.701—Designation of Covered Persons</FP>
<FP SOURCE="FP1-2">G. Subpart H—Licensing</FP>
<FP SOURCE="FP1-2">H. Subpart I—Advisory Opinions</FP>
<FP SOURCE="FP1-2">1. Section 202.901—Inquiries Concerning Application of This Part</FP>
<FP SOURCE="FP1-2">I. Subpart J—Due Diligence and Audit Requirements</FP>
<FP SOURCE="FP1-2">1. Section 202.1001—Due Diligence for Restricted Transactions</FP>
<FP SOURCE="FP1-2">2. Section 202.1002—Audits for Restricted Transactions</FP>
<FP SOURCE="FP1-2">J. Subpart K—Reporting and Recordkeeping Requirements</FP>
<FP SOURCE="FP1-2">1. Section 202.1101—Records and Recordkeeping Requirements</FP>
<FP SOURCE="FP1-2">2. Section 202.1102—Reports To Be Furnished on Demand</FP>
<FP SOURCE="FP1-2">3. Section 202.1104—Reports on Rejected Prohibited Transactions</FP>
<FP SOURCE="FP1-2">K. Subpart M—Penalties and Finding of Violation</FP>
<FP SOURCE="FP1-2">L. Coordination With Other Regulatory Regimes</FP>
<FP SOURCE="FP1-2">M. Severability</FP>
<FP SOURCE="FP1-2">N. Other Comments</FP>
<FP SOURCE="FP-2">V. Regulatory Requirements</FP>
<FP SOURCE="FP1-2">A. Executive Orders 12866 (Regulatory Planning and Review) as Amended by Executive Orders 13563 (Improving Regulation and Regulatory Review) and 14094 (Modernizing Regulatory Review)</FP>
<FP SOURCE="FP1-2">B. Regulatory Flexibility Act</FP>
<FP SOURCE="FP1-2">1. Succinct Statement of the Objectives of, and Legal Basis for, the Rule</FP>
<FP SOURCE="FP1-2">2. Description of and, Where Feasible, an Estimate of the Number of Small Entities to Which the Rule Will Apply</FP>
<FP SOURCE="FP1-2">3. Description of the Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Rule</FP>
<FP SOURCE="FP1-2">4. Identification of All Relevant Federal Rules That May Duplicate, Overlap, or Conflict With the Rule</FP>
<FP SOURCE="FP1-2">C. Executive Order 13132 (Federalism)</FP>
<FP SOURCE="FP1-2">D. Executive Order 13175 (Consultation and Coordination With Indian Tribal Governments)</FP>
<FP SOURCE="FP1-2">E. Executive Order 12988 (Civil Justice Reform)</FP>
<FP SOURCE="FP1-2">F. Paperwork Reduction Act</FP>
<FP SOURCE="FP1-2">G. Unfunded Mandates Reform Act</FP>
<FP SOURCE="FP1-2">H. Congressional Review Act</FP>
<FP SOURCE="FP1-2">I. Administrative Pay-As-You-Go Act of 2023</FP>
</EXTRACT>
<HD SOURCE="HD1">I. Executive Summary</HD>
Executive Order 14117 of February 28, 2024, “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“the Order”), directs the Attorney General to issue regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (“transaction”), where the transaction: involves United States Government-related data (“government-related data”) or bulk U.S. sensitive personal data, as defined by final rules implementing the Order; falls within a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to the national security of the United States because it may enable access by countries of concern or covered persons to government-related data or Americans' bulk U.S. sensitive personal data; and meets other criteria specified by the Order.
<SU>1</SU>
<FTREF/>
<FTNT>
<SU>1</SU>
E.O. 14117, 89 FR 15421 (Feb. 28, 2024).
</FTNT>
On March 5, 2024, the National Security Division of the Department of Justice (“DOJ” or “the Department”) issued an Advance Notice of Proposed Rulemaking (“ANPRM”) seeking public comment on various topics related to implementation of the Order.
<SU>2</SU>
<FTREF/>
On October 29, 2024, the Department issued a Notice of Proposed Rulemaking (“NPRM”) to address the public comments received on the ANPRM, set forth a proposed rule to implement the Order, and seek further public comment.
<SU>3</SU>
<FTREF/>
The Department is now issuing a final rule that addresses the public comments received on the NPRM and that implements the Order. The rule identifies classes of prohibited and restricted transactions; identifies countries of concern and classes of covered persons with whom the regulations prohibit or restrict transactions involving government-related data or bulk U.S. sensitive personal data; establishes a process to issue (including to modify or rescind) licenses authorizing otherwise prohibited or restricted transactions and to issue advisory opinions; and addresses recordkeeping and reporting of transactions to inform invest
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Preview showing 10k of 910k characters.
Full document text is stored and available for version comparison.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
This text is preserved for citation and comparison. View the official version for the authoritative text.