The University of Maryland, Baltimore (“UMB”) is committed to protecting data in accordance with federal and state law.  The National Security Division of the Department of Justice (“NSD”) has implemented a Data Security Program (“DSP”) prohibiting or restricting the transfer of U.S. sensitive personal data to six “Countries of Concern”: China, Cuba, Iran, North Korea, Russia, and Venezuela.  

These regulations prohibit or restrict UMB faculty and staff from providing access to U.S. human research data to universities, corporations or scientists residing in the Countries of Concern.  Below are FAQs and some examples that could fall within the regulations.  If you have any questions or concerns, please contact the Office of University Counsel at umbcounsel@umaryland.edu.

General Background

The National Security Division (“NSD”) of the U.S. Department of Justice (“DOJ”) has issued its Final Rule to implement Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.”  The Department of Justice’s Data Security Program (“DSP”) regulations became effective on April 8, 2025. 

This is a national security measure to prohibit or restrict transactions to transfer bulk U.S. sensitive personal data to “covered persons” that are affiliated with six “countries of concern”: China (including Hong Kong and Macau, but excluding Taiwan), Cuba, Iran, North Korea, Russia, and Venezuela.  

“Covered persons” include among others: 
(1) universities in countries of concern;
(2) foreign corporations organized under the laws of a country of concern; 
(3) individuals who are employees or contractors of such corporations; or 
(4) foreign persons who are primarily a resident of a country of concern.  

If UMB faculty or staff are asked to engage in transactions to provide access to bulk U.S. sensitive personal data to any country of concern or covered person, you should seek legal advice on whether this might be a prohibited or restricted transaction by emailing UMBCounsel@umaryland.edu.

As the National Security Division of the Department of Justice has explained: “countries of concern can use their access to government-related data or Americans’ bulk U.S. sensitive personal data to engage in malicious cyber-enabled activities and malign foreign influence activities and to track and build profiles on U.S. individuals, including members of the military and other Federal employees and contractors, for illicit purposes such as blackmail and espionage.”

The Department of Justice may seek civil penalties of up to $368,136 or twice the amount of the transaction involved, whichever amount is greater.  Willful violations can lead to criminal fines up to one million dollars ($1,000,000) and up to 20 years imprisonment.

Here is a link to the U.S. Department of Justice’s Final Rule.  The Department of Justice has also issued official Frequently Asked Questions and a Compliance Guide.  Additionally, you may always contact the Office of University Counsel at umbcounsel@umaryland.edu.

U.S. Sensitive Personal Data

Any of the following categories of sensitive personal data on U.S. persons, at or above the respective “bulk” thresholds:

Human genomic data: 100 U.S. persons
Epigenomic data: 1,000 U.S. persons
Proteomic data: 1,000 U.S. persons
Transcriptomic data: 1,000 U.S. persons
Biometric identifiers: 1,000 U.S. persons
Precise geolocation data: 1,000 U.S. persons
Personal health data: 10,000 U.S. persons

“Personal health data” is defined broadly to include virtually all protected health information related to human patients.  The official definition is: “health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual. This term includes basic physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms, and allergies); social, psychological, behavioral, and medical diagnostic, intervention, and treatment history; test results; logs of exercise habits; immunization data; data on reproductive and sexual health; and data on the use or purchase of prescribed medications.” 28 CFR § 202.241.

The regulations bar covered data transactions with a country of concern or covered person that involve human biospecimens from which bulk human ‘omic data could be derived.  Given the low threshold for genomic data (100 persons), even relatively small numbers of biospecimens could fall within the regulations.  The definition of biospecimen does, however, exclude biospecimens “intended by a recipient solely for use in diagnosing, treating, or preventing any disease or medical condition.”  28 CFR § 202.223(b).

If there are separate data transfers between UMB and the covered person, the numbers are combined over each preceding 12 months to see if they meet the bulk thresholds.  The regulations state that the term bulk “means any amount of sensitive personal data that meets or exceeds the…. thresholds at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person….”  28 CFR § 202.205.

No.  The prohibitions and restrictions apply to bulk U.S. sensitive personal data, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.  As the Department of Justice explained, “advances in technology, combined with access by countries of concern to large datasets, increasingly enable countries of concern that access this data to re-identify or de-anonymize data, allowing them to reveal exploitable sensitive personal information on U.S. persons.”

No.  The DSP is a national security measure aimed at preventing the six countries of concern from misusing sensitive personal data of U.S. persons.   As such, it does not encompass data of citizens of African or European nations when they are residing in their home country.  It could, however, theoretically include a U.S. citizen or LPR holder who is currently residing in Africa or Europe.

No.  The DSP again is concerned about the misuse of sensitive personal data of U.S. persons.

Prohibited Data Transactions

The DSP defines “U.S. persons” broadly to include: (1) a United States citizen, national, or lawful permanent resident; (2) any corporate entity organized solely under the laws of the United States or any jurisdiction within the United States; or (3) any person in the United States.  

Accordingly, any UMB faculty or staff member who is a U.S. citizen or legal permanent resident, or who primarily resides and works in the United States, is a U.S. person.  International students or visiting scholars who primarily reside and study at UMB in the United States are U.S. persons.   (Note: if a noncitizen or non-LPR holder student or scholar leaves the United States, they are no longer a U.S. person.)

Example 1. An individual is a citizen of a country of concern and is in the United States.  The individual is a U.S. person.   

Example 2. An individual is a dual citizen of the United States and a country of concern.  The individual is a U.S. person, regardless of location.

Example 3. A company is organized under the laws of a country of concern and has a branch in the United States. The company, including its U.S. branch, is a foreign person. 

Example 4. A parent company is organized under the laws of a country of concern and has a subsidiary organized under the laws of the United States. The subsidiary is a U.S. person regardless of the degree of ownership by the parent company; the parent company is a foreign person.

A “covered person” is an individual or entity who may be prohibited or restricted from being involved in commercial transactions that provide them access to bulk U.S. sensitive personal data.

A “covered person” is defined as an individual or entity that either falls into one of the four categories of covered persons below, or that the NSD has specifically designated as a covered person.   The four categories of covered persons, which exclude U.S. persons, are:
(1) foreign entities headquartered in or organized under the laws of a country of concern;
(2) foreign entities 50% or more owned by a country of concern or covered person; 
(3) foreign individuals primarily resident in a country of concern; and 
(4) foreign individuals who are employees or contractors of a covered person entity or a country of concern.

In addition, NSD may also choose to publicly designate some covered persons in those categories on its Covered Persons List.  Designated covered persons remain covered persons even when located in the United States.

A covered data transaction is any transaction that involves access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves: (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement.  

Data brokerages with countries of concern or covered persons are prohibited.  The other covered data transactions—vendor agreements, employment agreements, and investment agreements—are restricted transactions subject to certain reporting, data security, and auditing requirements.

The term “data brokerage” means the “sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.”  28 CFR § 202.214.

Example 1. A U.S. organization maintains a database of bulk U.S. sensitive personal data and offers annual memberships for a fee that provide members a license to access that data. Providing an annual membership to a covered person that includes a license to access government-related data or bulk U.S. sensitive personal data would constitute prohibited data brokerage.

No.  The regulations define “U.S. persons” to include “any person in the United States” regardless of citizenship or visa status.  UMB employees who reside and work in the United States are not covered persons.

Generally, no.  The DSP does not address purely domestic data transactions between U.S. persons—such as the collection, maintenance, processing, or use of data by U.S. persons within the United States—except to the extent that such U.S. persons are designated as covered persons.

In general, a covered person can access bulk sensitive U.S. data or U.S. government-related data while the person is residing in the United States.  Upon leaving the United States, the covered person can no longer access this data.  However, there are some important exceptions. If an individual has been specifically designated by the Department of Justice as a “covered person”, they are prohibited from accessing bulk sensitive U.S. data or U.S. government-related data wherever they are located.  In addition, any attempt to evade the regulations’ prohibitions, such as by having a covered person temporarily enter the United States with the intent to receive bulk U.S. sensitive personal data, could constitute evasion and a violation of the regulations.

The regulations also prohibit the following: “Any transaction on or after the effective date that has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions set forth in this part is prohibited. Any conspiracy formed to violate the prohibitions set forth in this part is prohibited.”  

Example 1. A U.S. data broker seeks to sell bulk U.S. sensitive personal data to a foreign person who primarily resides in China.  With knowledge that the foreign person is a covered person and with the intent to evade the regulations, the U.S. data broker invites the foreign person to travel to the United States to consummate the data transaction and transfer the bulk U.S. sensitive personal data in the United States. After completing the transaction, the person returns to China with the bulk U.S. sensitive personal data. The transaction in the United States is not a covered data transaction because the person who resides in China is a U.S. person while in the United States (unless that person was individually designated as a covered person pursuant to §202.211(a)(5), in which case their covered person status would remain, even while in the United States, and the transaction would be a covered data transaction). However, the U.S. data broker has structured the transaction to evade the regulation’s prohibitions on covered data transactions with covered persons. As a result, this transaction has the purpose of evading the regulations and is prohibited.

Restricted Data Agreements

An employment agreement is defined as “any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.” 28 CFR § 202.217.  Here are examples of restricted employment agreements:

Example 1. A U.S. financial-services company seeks to hire a data scientist who is a citizen of a country of concern who primarily resides in that country of concern and who is developing a new artificial intelligence-based personal assistant that could be sold as a standalone product to the company’s customers. The arrangement retaining the data scientist would be an employment agreement. As part of that individual’s employment, the data scientist would have administrator rights that allow that individual to access, download, and transmit bulk quantities of personal financial data not ordinarily incident to and part of the company’s underlying provision of financial services to its customers. The data scientist’s employment would be a restricted transaction.

Example 2. A U.S. company sells goods and collects bulk personal financial data about its U.S. customers. The U.S. company appoints a citizen of a country of concern, who is located in a country of concern, to its board of directors. This director would be a covered person, and the arrangement appointing the director would be an employment agreement. In connection with the board’s data security and cybersecurity responsibilities, the director could access the bulk personal financial data. The director’s employment would be a restricted transaction.

A vendor agreement is defined as “any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.”  28 CFR § 202.258.

Example 1.  A U.S. person engages in a vendor agreement with a covered person involving access to bulk U.S. sensitive personal data. The vendor agreement is a restricted transaction. To comply with the CISA security requirements, the U.S. person, among other things, uses data-level requirements to mitigate the risk that the covered person could access the data.

An investment agreement is defined as “agreements or arrangements whereby a person gains direct or indirect ownership of a U.S. legal entity or real estate located in the United States.”  28 CFR § 202.228.

Example 1.   A U.S. company intends to build a data center located in a U.S. territory. The data center will store bulk personal health data on U.S. persons. A foreign private equity fund located in a country of concern agrees to provide capital for the construction of the data center in exchange for acquiring a majority ownership stake in the data center. The agreement that gives the private equity fund a stake in the data center is an investment agreement. The investment agreement is a restricted transaction.

The provisions regulating restricted transactions are intended to prevent access to all bulk U.S. sensitive personal data by covered persons or countries of concern.  UMB would have to comply with, among other requirements, the Cybersecurity & Infrastructure Security Agency’s (CISA) “Security Requirements for Restricted Transactions.”  Available at: https://www.cisa.gov/sites/default/files/2025-01/Security_Requirements_for_Restricted_Transaction-EO_14117_Implementation508.pdf.

Given the complexity of these requirements, before entering into any restricted transaction, please contact the Office of University Counsel at umbcounsel@umaryland.edu.

Exemptions

So long as there is no “data brokerage” or a similar commercial transaction to supply bulk U.S. sensitive personal data to a covered person, a purely academic collaboration with another researcher in a country of concern does not fall within the regulations.  However, the U.S. faculty member must be very careful not to accept any money or other valuable consideration as part of the study.

Example 1.  A U.S. researcher shares bulk human ‘omic data on U.S. persons with a researcher in a country of concern (a covered person) with whom the U.S. researcher is drafting a paper for submission to an academic journal. The two researchers exchange country-of-concern and bulk U.S. human ‘omic data over a period of several months to analyze and describe the findings of their research for the journal article. The U.S. person does not provide to or receive from the covered person or the covered person’s employer any money or other valuable consideration as part of the authors’ study. The U.S. person has not engaged in a covered data transaction involving data brokerage, because the transaction does not involve the sale of data, licensing of access to data, or a similar commercial transaction involving the transfer of data to the covered person.

The Final Rule has an exemption for “data transactions to the extent that they are for the conduct of the official business of the United States Government by its employees, grantees, or contractors or transactions conducted pursuant to a grant, contract, or other agreement entered into with the United States Government.” 28 C.F.R. § 202.504 (“Official Business of the United States Government.”).

Please note that this exemption is more complicated when there are limitations on the federal grant, or there is mixed funding between federal and private grants.  Here are some examples:

Example 1. A U.S. hospital receives a Federal grant to conduct human genomic research on U.S. persons. As part of that federally funded human genomic research, the U.S. hospital contracts with a foreign laboratory that is a covered person, hires a researcher that is a covered person, and gives the laboratory and researcher access to the human biospecimens and human genomic data in bulk. The contract with the foreign laboratory and the employment of the researcher are exempt transactions but would be prohibited transactions if they were not part of the federally funded research.

Example 2. A U.S. research institution receives a Federal grant to conduct human genomic research on U.S. and foreign persons. The Federal grant directs the U.S. research institution to publicize the results of its research, including the underlying human genomic data, via an internet-accessible database open to public health researchers with valid log-in credentials who pay a small annual fee to access the database, including covered persons primarily resident in a country of concern. The Federal grant does not cover the full costs of the authorized human genomic research or creation and publication of the database.  The U.S. research institution obtains funds from private institutions and donors to fund the remaining costs. The human genomic research authorized by the Federal grant and publication of the database at the direction of the Federal grant would constitute a ‘‘transaction[] conducted pursuant to a grant, contract, or other agreement entered into with the United States Government.’’ The U.S. research institution must still comply with any requirements or prohibitions on sharing bulk U.S. sensitive personal data with countries of concern or covered persons required by the Federal grantmaker.

Example 3.  Same as Example 2, but the Federal grant is limited in scope to funding the U.S. research institution’s purchase of equipment needed to conduct the human genomic research and does not include funding related to publication of the data. The Federal grant does not direct or authorize the U.S. research institution to publicize the human genomic research or make it available to country of concern or covered person researchers via the database for which researchers pay an annual fee to access, or otherwise fund the conduct of the human genomic research. The U.S. research institution contracts with a foreign laboratory that is a covered person and gives the laboratory access to the bulk human genomic data. The contract with the foreign laboratory is not an exempt transaction because that transaction is not within the scope of the Federal grant.

There is an exemption for data transactions to the extent that those transactions are:
(1) Ordinarily incident to and part of clinical investigations regulated by the U.S. Food and Drug Administration (‘‘FDA’’) under sections 505(i) and 520(g) of the Federal Food, Drug, and Cosmetic Act (‘‘FD&C Act’’) or clinical investigations that support applications to the FDA for research or marketing permits for drugs, biological products, devices, combination products, or infant formula; or
(2) Ordinarily incident to and part of the collection or processing of clinical care data indicating real-world performance or safety of products, or the collection or processing of post-marketing surveillance data (including pharmacovigilance and post-marketing safety monitoring), and necessary to support or maintain authorization by the FDA, provided the data is de-identified or pseudonymized consistent with the standards of 21 CFR 314.80.

There is an exemption for a data transaction that:
(1) Involves ‘‘regulatory approval data’’ as defined in paragraph (b) of this section; and
(2) Is necessary to obtain or maintain regulatory authorization or approval to research or market a drug, biological product, device, or a combination product, provided that the U.S. person complies with the recordkeeping and reporting requirements set forth in §§ 202.1101(a) and 202.1102 with respect to such transaction.

(b) Regulatory approval data. For purposes of this section, the term regulatory approval data means sensitive personal data that is de-identified or pseudonymized consistent with the standards of 21 CFR 314.80 and that is required to be submitted to a regulatory entity, or is required by a regulatory entity to be submitted to a covered person, to obtain or maintain authorization or approval to research or market a drug, biological product, device, or combination product, including in relation to post-marketing studies and post-marketing product surveillance activities, and supplemental product applications for additional uses. The term excludes sensitive personal data not reasonably necessary for a regulatory entity to assess the safety and effectiveness of the drug, biological product, device, or combination product.

Example 1. A U.S. pharmaceutical company seeks to market a new drug in a country of concern. The company submits a marketing application to the regulatory entity in the country of concern with authority to approve the drug in the country of concern. The marketing application includes the safety and effectiveness data reasonably necessary to obtain regulatory approval in that country. The transfer of data to the country of concern’s regulatory entity is exempt from the prohibitions in this part.

Example 2. Same as Example 1, except the regulatory entity in the country of concern requires that the data be de-anonymized. The transfer of data is not exempt under this section, because the data includes sensitive personal data that is identified to an individual.

Mandatory Contract Language for “Foreign Persons”

The term “foreign person” means any person that is not a U.S. person.  This could include universities, corporations, or individuals from other countries such as Canada, Denmark, France, Germany, Sweden, Switzerland, the U.K., India, Kenya, Japan, South Korea, etc.  The regulations often differentiate “foreign persons” from “covered persons” in the six countries of concern.

UMB must obtain two contractual promises from the “foreign person” (i.e., any non-U.S. corporation that is not a covered person): (1) the foreign person will not resell the data to a country of concern or covered person; and (2) the foreign person will report suspected violations.  DOJ has suggested some variation of this language below:

“[U.S. person] provides [foreign person] with a non-transferable, revocable license to access the [data subject to the brokerage contract].  [Foreign person] is prohibited from engaging or attempting to engage in, or permitting others to engage or attempt to engage in, the following:  (a) selling, licensing of access to, or other similar commercial transactions, [such as reselling, sub-licensing, leasing, or transferring in return for valuable consideration,] the [data subject to the brokerage contract] or any part thereof, to countries of concern or covered persons, as defined in 28 CFR part 202.  Where [foreign person] knows or suspects that a country of concern or covered person has gained access to [data subject to the brokerage contract] through a data brokerage transaction, [foreign person] will immediately inform [U.S. person].  Failure to comply with the above will constitute a breach of [data brokerage contract] and may constitute a violation of 28 CFR part 202.”

The above language is just an example.  UMB may craft language that satisfies the DSP’s requirements and that makes sense for the particular transaction and business operations. 

Potential Scenarios

With multisite clinical trials, UMB faculty and staff must carefully screen and control who is being granted access to bulk U.S. sensitive personal data and on what terms.  UMB should be cautious not to engage in any commercial transaction or fees to provide access to the data to a covered person.  Here is an example:

Example 1.  A U.S. organization maintains a database of bulk U.S. sensitive personal data and offers annual memberships for a fee that provide members a license to access that data. Providing an annual membership to a covered person that includes a license to access government-related data or bulk U.S. sensitive personal data would constitute prohibited data brokerage.

UMB faculty and staff should be particularly cautious before accepting a research grant from any university or corporation organized under the laws of a country of concern.  If the grant requires UMB researchers to share bulk U.S. sensitive personal data with a covered person, this would be a prohibited “data brokerage.”  Here is an example:

Example 1.  A U.S. researcher receives a grant from a university in a country of concern to study bulk personal health data and bulk human ‘omic data on U.S. persons. The grant directs the researcher to share the underlying bulk U.S. sensitive personal data with the country of concern university (a covered person). The transaction is a covered data transaction because it involves access by a covered person to bulk U.S. sensitive personal data and is data brokerage because it involves the transfer of bulk U.S. sensitive personal data to a covered person in return for a financial benefit.

Please note that other federal and state laws may be involved as well.  For example, participation in a “Malign Foreign Talent Recruitment Program” is barred by the John S. McCain National Defense Authorization Act, and it is strictly prohibited by UMB Policy III-11.00.  Available at: https://www.umaryland.edu/policies-and-procedures/library/academic-affairs/policies/iii--1100.php. For questions about this policy, please contact Sponsored Programs Administration (SPA) at spa@umaryland.edu.

It depends.   If UMB faculty are expected to share bulk U.S. sensitive personal data as part of the overseas presentation, then accepting honoraria, travel expenses, or reimbursement for expenses from a covered person could be considered prohibited “data brokerage” under the regulations.

For any questions about how the Department of Justice’s Data Security Program may apply to a particular situation, please contact the Office of University Counsel at umbcounsel@umaryland.edu.