Sensitive data protections expand under sweeping new DOJ rules


In a bold step squarely intended to defend U.S. national security interests, the U.S. Department of Justice (DOJ) will implement a significant new regulation on April 8, Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons. The new regulation represents the most sweeping federal effort to date to block foreign adversaries from gaining access to the sensitive personal and government-related data of Americans by limiting access to bulk personal data sold by data brokers.

Unlike traditional data privacy laws that aim to protect consumers from misuse or unauthorized access of personal data or export controls that regulate physical goods and defense technologies, the new DOJ regulations are designed to address a specific and growing threat to national security. The U.S. government has concluded that certain countries are using commercially available data to profile, track, influence, or coerce U.S. citizens and government personnel. The rules create a framework to prevent such access by categorically prohibiting or restricting specific types of data transactions.

The rules apply broadly to commercial transactions that involve the transfer of sensitive data either directly or indirectly to entities linked to six “countries of concern:” China, Russia, Iran, North Korea, Cuba, and Venezuela. They also cover individuals and organizations determined to be acting on behalf of, or under the direction of, those governments – so-called “covered persons.”

At the heart of this regulatory framework is the recognition that large-scale data flows – particularly in digital advertising, biotechnology, finance, and health care sectors – can be exploited by adversaries. With the rise of AI and big data analytics, countries like China have been able to purchase or otherwise acquire troves of American data through commercial brokers or vendor relationships. These datasets, when combined and analyzed, can reveal sensitive and potentially compromising information about individual behavior, military operations, intelligence assets, and even secret government facilities.

The types of data covered under the new rules include not only obviously sensitive information like biometric identifiers and human genomic material, but also data points that might seem benign in isolation. This includes precise geolocation data, personal health information, financial data, and even certain types of identifiers that can link individuals to broader behavioral profiles.

When such data is collected in bulk – defined by DOJ using volume thresholds as low as 100 or 1,000 individuals depending on the category – it becomes a national security asset, and its transfer or exposure is now subject to strict federal control.

For example, data involving the biometric identifiers of more than 1,000 U.S. persons, precise geolocation data from more than 1,000 U.S. devices, or personal health or financial data from more than 10,000 U.S. individuals, is now considered “covered data” under the rule. Additionally, any data that can be linked to current or former federal employees, contractors, or senior officials regardless of volume is also subject to restriction.

These thresholds are designed to capture commercial datasets that, though collected legally, could be used for purposes such as surveillance, blackmail, or profiling.

One of the most significant implications of the rules is their impact on the data brokerage industry. DOJ defines “data brokerage” broadly to include any sale, license, or commercial transfer of data from one entity to another when the recipient did not directly collect the data. This includes scenarios where third-party data aggregators license access to information gathered through mobile applications, wearable devices, or online tracking tools. Under the new framework, such transactions may be prohibited if there is a risk that covered persons or countries of concern could gain access.

DOJ has divided applicable data transactions into two categories: prohibited and restricted. Prohibited transactions are banned outright due to their high risk to national security. These include data transfers to entities in countries of concern that involve government-related geolocation or bulk sensitive personal data.

Restricted transactions, on the other hand, may still occur, but only under stringent security requirements designed to ensure that adversaries cannot gain access to the data. These requirements may include encryption, access controls, audit logs, and data localization.

Companies that assume existing compliance programs, such as those designed to meet Europe’s General Data Protection Regulation, the Health Insurance Portability and Accountability Act, or even export control rules, will cover them under the new regulations may be in for a rude awakening. DOJ has emphasized that these rules are different in structure and intent. They are grounded in national security law, including the International Emergency Economic Powers Act. The penalties for noncompliance reflect the seriousness of that mandate.

Indeed, civil penalties can reach up to $368,136 per violation or twice the value of the transaction, whichever is greater. Criminal penalties can include fines up to $1 million per violation and imprisonment for up to 20 years. Because these penalties apply on a per-violation basis, the potential financial exposure for companies engaged in regular data brokerage or analytics activity could be enormous.

DOJ has made it clear that enforcement will be robust and immediate. And given the national security risks involved, DOJ is not expected to offer long grace periods or leniency for companies that are unprepared, putting pressure on organizations – especially those handling high volumes of user data or operating in sectors like health care, defense contracting, cloud services, and fintech – to evaluate their risk exposure and adopt compliance measures swiftly.

DOJ hinted that a good first step for many companies will be to conduct a full-scope review. This means examining whether any of their data activities fall within the definitions of “covered data transactions,” and whether their data is being accessed – directly or indirectly – by foreign nationals or organizations from countries of concern. Companies may need to revise contracts, restructure vendor relationships, or impose new security protocols to mitigate risks and comply with the new rules.

The urgency behind the regulation stems from mounting evidence that foreign adversaries are actively collecting sensitive American data through both legal and illegal means. It has been shown that the movements of U.S. military personnel, intelligence contractors, and even political leaders can be tracked using legally obtained advertising metadata. In one case, 3.6 billion geolocation data points collected from smartphones were used to create “movement profiles” of individuals working at high-security government facilities, including locations where nuclear weapons are believed to be stored.

One academic study explained that “[f]oreign and malign actors could use location datasets to stalk or track high-profile military or political targets,” revealing “sensitive locations such as visits to a place of worship, a gambling venue, a health clinic, or a gay bar which again could be used for profiling, coercion, blackmail, or other purposes.” The study further explained that location datasets could reveal “U.S. military bases and undisclosed intelligence sites” or “be used to estimate military population or troop buildup in specific areas around the world or even identify areas of off-base congregation to target.”

Other reports have revealed that insiders at Chinese telecom and tech companies were being paid to sell access to citizens’ personal data, including call logs, hotel bookings, flight records, and bank information. Still more disturbing was the discovery that even fitness apps used by presidential security teams were leaking real-time location data of U.S. and foreign heads of state. These examples, DOJ said, illustrate the extent to which the data economy has become a battleground for global intelligence and coercion.

Technological advances have amplified these risks. AI, high-performance computing, and machine learning enable foreign governments to process vast datasets rapidly, automate target identification, and deploy cyber operations at scale. The 2024 National Counterintelligence Strategy explicitly called out foreign interest in biometric, genomic, health, financial, and behavioral data, noting that such data could be weaponized for surveillance, influence, or blackmail. Countries like China are particularly aggressive in acquiring such data to support their AI-driven ambitions and state surveillance apparatus.

The strategy, which was issued by the Office of the Director of National Intelligence, seeks to provide strategic direction for the federal government and counterintelligence (CI) community to counter foreign intelligence threats and align CI priorities with the National Security Strategy.

Despite the severity of the threat, no existing federal framework previously provided the authority to categorically block or condition such transactions. While entities like the Committee on Foreign Investment in the United States review certain transactions involving foreign investments, their jurisdiction is limited to specific business activities and is applied on a case-by-case basis. Prior executive orders on information and communication technologies and services and connected software applications also did not cover the full range of commercial data transfers now implicated.

The new DOJ rules are meant to fill this gap by offering a forward-looking, comprehensive regulatory regime. They provide clarity and certainty to the private sector while reinforcing the government’s broader effort to secure the data ecosystem. Importantly, the rules are not retroactive; they are meant to prevent future transfers and exposures of sensitive data that could endanger U.S. national security.

DOJ issued an Advance Notice of Proposed Rulemaking in March 2024 and a Notice of Proposed Rulemaking in October 2024, receiving comments from dozens of stakeholders across industries, academia, and civil society. DOJ also engaged directly with businesses, trade associations, advocacy groups, and foreign partners to ensure a thorough understanding of the rule’s intent and implications.

Despite requests to extend the comment period, DOJ declined, citing the urgency of the national security threat and the ample opportunities already provided for feedback. More than 800 stakeholders were consulted during the process, and most of the core elements of the final rule remained consistent with the initial proposal. This consistency underscores DOJ’s view that delay would only widen the window for exploitation of U.S. data by foreign adversaries.
