Bulk Sensitive Data Access Rule
The US Department of Justice (DOJ) issued a Final Rule, effective April 8, 2025, to implement Executive Order 14117 Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, which was issued on February 28, 2024. More information can be found in DOJ’s Frequently Asked Questions.
DOJ Rule 28 CFR Part 202
The new regulations impose requirements on U.S. persons and entities that provide access to bulk U.S. sensitive personal data or U.S. government-related data to “covered persons” that are affiliated with a “country of concern.”
“Countries of Concern” include
- China (including Hong Kong and Macau)
- Russia
- Iran
- North Korea
- Venezuela
- Cuba
A “United States Person” or “U.S. Person” is any:
- U.S. citizen, national, lawful permanent resident, asylee, or refugee;
- Entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches)
- Any person in the United States (regardless of citizenship or status, physically located in the U.S.)
- Any person who is not a U.S. Person is a “Foreign Person.”
A “Covered Person” is a Foreign Person that
- Is 50% or more owned by a Country of Concern;
- Is organized or chartered under the laws of a Country of Concern;
- Has its primary place of business in a Country of Concern;
- Is 50% or more owned by Covered Persons;
- Is a contractor of a Country of Concern or Covered Person; or
- Is primarily resident in a Country of Concern.
- The Attorney General can also designate any person, whether U.S. or foreign, as a Covered Person.
Determining Who Has Access
