Bulk data transfer limits are coming: What’s my exposure?

The issue

US restrictions on bulk transfers of sensitive data to foreign “countries of concern” will soon take effect. Beginning April 8, 2025, US persons, and therefore multinationals with US operations, will have to comply with a Department of Justice (DOJ) rule that prohibits certain transactions outright and permits others only if they meet security requirements or fall below specified bulk data thresholds.

The DOJ rule aims to eliminate “front door” access by foreign rivals to bulk sensitive personal data on US persons, as well as certain US government-related data. It complements existing defenses against illegal data-gathering schemes by preventing bad actors from accessing the same data through legitimate business transactions.

The rule differs from most data-protection regulations, meaning it will require new compliance strategies. Its low thresholds, unique definitions and strict compliance requirements may push US multinationals to adopt holistic data inventories like those already used in Europe and China. Affected companies need to understand their exposure, including knowing where their sensitive data is located, where it’s going and who has access to it.

For many organizations, this new rule means adding three initiatives to their 2025 agendas: holistic data inventories, global business-process change management and implementing new security requirements.

The regulator’s take

The DOJ rule implements a Biden-era executive order, EO 14117, the first directive of its kind to address risks stemming from the commercial sale or transfer of sensitive US data to certain foreign entities and their affiliates. Taken together, the EO and its implementing rule seek to strengthen privacy protections and protect national security by setting strict limits and oversight mechanisms on the collection, processing and cross-border transfer of bulk sensitive data. The data in question includes sensitive personal information about US individuals — health, financial, geolocation, biometric and genomic data — as well as government-related data.

The goal is to counter the economic espionage efforts of “countries of concern” — China, Russia, Iran, North Korea, Cuba and Venezuela.

Affected entities and transactions. The DOJ rule restricts transactions by US persons with “covered persons”: entities that are based in or controlled by a country of concern, entities controlled by a person who is a resident, employee or contractor of such a country, and individuals who are themselves residents, employees or contractors of such a country.

Given the vastness of US-China trade, businesses would do well to consider suppliers that are owned by or based in China (which the rule defines to include Hong Kong and Macau), as well as suppliers that staff in-scope business processes with personnel from those jurisdictions. The exposure turns on two definitions: “covered data transactions” (§202.210) and the “covered persons” (§202.211) who gain access to the data through them. A business process that involves both is at the top of the list.

For affected entities, the rule prohibits certain data transfers outright and permits others only if they meet certain security requirements.

  • Prohibited transactions. If a data transfer involves covered data in a prohibited transaction (described in Subpart C), businesses must stop the transaction. Prohibited transactions include data brokerage, onward data brokerage by foreign persons and transactions involving bulk human ‘omic (genomic, epigenomic, proteomic or transcriptomic) data. For global business processes, this means separating or replacing the “country of concern” aspects of the people, processes and technologies.
  • Restricted transactions. If a data transfer involves covered data in a restricted transaction (described in Subpart D), the transaction may go forward only once the security requirements have been implemented. The Cybersecurity and Infrastructure Security Agency (CISA) has established the specific security requirements for these use cases. Examples include:
    • Organizational-level measures including regular risk assessments, policies and access controls
    • Data-level measures including data minimization, masking, encryption and privacy-enhancing technologies
    • Compliance measures including an annual independent audit, record-keeping and reporting

Bulk personal data and thresholds. The term “bulk US sensitive personal data” means a collection of sensitive personal data relating to US persons, in any format, regardless of whether it’s anonymized, pseudonymized, de-identified or encrypted, where the data exceeds the threshold for its category at any point in the preceding 12 months. Because the thresholds count persons (or devices), not records, overlapping data sets must be de-duplicated before they are measured.

Data type                                             Threshold
Human genomic data                                    100 US persons
Human epigenomic, proteomic and transcriptomic data   1,000 US persons
Biometric identifiers                                 1,000 US persons
Precise geolocation data                              1,000 US devices
Personal health and personal financial data           10,000 US persons
Covered personal identifiers                          100,000 US persons
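The threshold test is easy to get wrong in practice because it is a count of distinct persons or devices over a rolling window, not a count of records in a single transfer. The following added example (written for this page, not taken from the article or from the DOJ rule text) evaluates a constructed data inventory against the thresholds above. The record layout, the subject identifiers and the modelling of “preceding 12 months” as a 365-day window are assumptions for illustration.

```python
# Added example (not from the article): evaluate a data inventory against the
# DOJ bulk thresholds over a rolling 12-month window. Record layout and IDs are
# constructed for illustration; the 12-month lookback is approximated as 365 days.
from collections import defaultdict
from datetime import date, timedelta

# Thresholds from the rule's table; a collection is "bulk" when it relates to
# MORE than this many US persons (US devices for precise geolocation).
BULK_THRESHOLDS = {
    "genomic": 100,
    "epigenomic": 1_000,
    "proteomic": 1_000,
    "transcriptomic": 1_000,
    "biometric": 1_000,
    "precise_geolocation": 1_000,   # counted in US devices, not persons
    "health": 10_000,
    "financial": 10_000,
    "covered_identifiers": 100_000,
}

LOOKBACK_DAYS = 365  # assumption: "preceding 12 months" modelled as 365 days


def peak_distinct_in_window(events, window_days=LOOKBACK_DAYS):
    """events: iterable of (date, subject_id) pairs, one per subject per transfer.

    Returns the largest number of distinct subjects seen in any window of
    window_days consecutive days. Only windows ending on an event date need
    checking, so a sorted sweep with an advancing left edge suffices."""
    events = sorted(events)
    active = defaultdict(int)  # subject_id -> number of events inside the window
    peak = left = 0
    for day, subject in events:
        active[subject] += 1
        earliest = day - timedelta(days=window_days - 1)
        while events[left][0] < earliest:       # drop events that aged out
            old = events[left][1]
            active[old] -= 1
            if active[old] == 0:
                del active[old]
            left += 1
        peak = max(peak, len(active))
    return peak


def evaluate_inventory(records, thresholds=BULK_THRESHOLDS):
    """records: iterable of (date, data_type, subject_ids) describing each transfer.

    Returns {data_type: (peak_distinct_subjects, exceeds_threshold)}."""
    events_by_type = defaultdict(list)
    for day, data_type, subject_ids in records:
        events_by_type[data_type].extend((day, s) for s in subject_ids)
    report = {}
    for data_type, events in events_by_type.items():
        peak = peak_distinct_in_window(events)
        report[data_type] = (peak, peak > thresholds[data_type])
    return report


def ids(prefix, start, stop):
    """Constructed subject identifiers; a real inventory would carry stable, hashed IDs."""
    return [f"{prefix}{i}" for i in range(start, stop)]


# Constructed sample inventory: overlapping subjects are counted once, and the
# first health transfer ages out of the window before the third one occurs.
SAMPLE_INVENTORY = [
    (date(2024, 1, 15), "health", ids("p", 0, 6000)),              # 6,000 persons
    (date(2024, 6, 10), "health", ids("p", 4000, 9000)),           # 5,000, 2,000 overlap
    (date(2025, 2, 1),  "health", ids("p", 9000, 11000)),          # 2,000 new persons
    (date(2024, 3, 1),  "genomic", ids("g", 0, 60)),               # 60 persons
    (date(2024, 9, 1),  "genomic", ids("g", 40, 120)),             # 80, 20 overlap
    (date(2024, 5, 5),  "precise_geolocation", ids("d", 0, 500)),  # 500 devices
]

if __name__ == "__main__":
    for data_type, (peak, is_bulk) in evaluate_inventory(SAMPLE_INVENTORY).items():
        print(f"{data_type:20} peak={peak:>6}  bulk={'YES' if is_bulk else 'no'}")
```

Two points the sample is built to show: the health data never crosses 10,000 because the three transfers overlap and the oldest one falls outside the window before the newest one lands (peak 9,000), while the genomic data crosses its much lower threshold of 100 with only 120 distinct persons across two small transfers. Since the rule counts persons regardless of anonymization or encryption, the subject identifier used for this count has to be stable across systems; counting per-system tokens that differ for the same person would undercount.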

Exempted transactions. The rule exempts certain transactions (described in Subpart E) that it considers lower risk, so that multinational corporations can keep routine operations running in countries of concern. An exemption removes the prohibition and the security requirements for that transaction, but it does not change whether the underlying data is sensitive, so exempt data flows still belong in the data inventory. Exempt transactions include:

  • Person-to-person communications
  • Travel-related data transfers
  • Payment processing
  • Regulatory and compliance-related transactions
  • Financial services
  • Telecommunication services
  • Drug and medical device approvals
  • Intra-entity transactions incidental to business operations such as HR, payroll, taxes, permits, customer support and internal communications

Compliance deadlines. Covered entities need to be aware of two key dates.

  • April 8, 2025: Most aspects of the DOJ rule become enforceable. Restricted transactions on or after this date will have to comply with CISA cybersecurity requirements adopted separately but referenced in the DOJ rule (at §202.248).
  • October 6, 2025: Due diligence and audit requirements (under Subpart J) and reporting and recordkeeping requirements (under Subpart K) become enforceable.

Note, however, that the Trump administration has imposed a blanket freeze on all pending regulations ― including this one ― to allow it time to review and potentially reconsider them. While this creates some uncertainty for the DOJ rule, the rule’s objectives align generally with the Trump administration’s posture toward China. Moreover, the fact that the new administration hasn’t rescinded the underlying EO, as it has so many other Biden-era directives, is an indication of that alignment.

Enforcement and penalties. The DOJ has broad powers to enforce the rule (described in Subpart M), including through audits as well as civil and criminal enforcement. It can impose civil penalties for violations up to the greater of $368,136 or twice the value of the unlawful transaction. In cases of willful violations, criminal penalties can be severe, including a fine of up to $1 million, imprisonment for up to 20 years, or both.

Sectors most impacted. We evaluated the types of businesses with operations that typically match the footprint outlined in the decision-tree above and ― given the unique importance of the Chinese market ― identified the top 10 sectors in each direction (US companies operating in China, and Chinese companies operating in the US) likely to experience significant compliance challenges.

US-based companies doing business in China

  1. Technology, media and telecommunications: Cloud computing and AI
  2. Industrial products: Semiconductors
  3. Health industries: Pharmaceuticals and life sciences
  4. Financial services: Payment processors
  5. Industrial products: Automotive
  6. Technology, media and telecommunications: Consumer platforms
  7. Consumer markets: Retail and e-commerce
  8. Technology, media and telecommunications: Cybersecurity
  9. Not-for-profit: Education and research institutions
  10. Industrial products: Logistics and supply chain

China-based companies doing business in the US

  1. Technology, media and telecommunications: Hardware
  2. Technology, media and telecommunications: Social media
  3. Technology, media and telecommunications: Cloud computing and AI
  4. Health industries: Pharmaceuticals and life sciences
  5. Consumer markets: Retail and e-commerce
  6. Industrial products: Automotive
  7. Industrial products: Semiconductors
  8. Financial services: Payment processors
  9. Industrial products: Smart home and IoT devices
  10. Consumer markets: Entertainment and gaming

Your next move

The rule isn’t your typical data-protection regulation by any measure, so coming into compliance will require new thinking. The DOJ is a law enforcement authority, not a data privacy regulator, with a broader mandate and more resources. The rule contains several unique definitions and lower thresholds, and it addresses hard-to-find data transactions involving a small array of very different target countries.

Compliance can be a heavy lift for some organizations. A typical compliance journey can look like the following:

Phase 1: Readiness assessment (ASAP)

Objective: Determine the size of the problem

Deliverables and outcomes:
  • EO 14117 readiness assessment

Key activities:
  • Identify and prioritize impacted business processes
  • Identify systems and vendors within high-impact processes
  • Classify and quantify data transactions relative to the EO thresholds
  • Classify transactions into "likely prohibited" and "likely restricted"
  • Estimate remediation activities by business process and system
  • Communicate the draft remediation plan to stakeholders
  • Review the CISA-mandated security and data controls
  • Conduct the risk assessment required by the CISA security requirements
  • Develop and present a consolidated funding request

Phase 2: Remediation (April – October 2025)

Objective: Address requirements for prohibited and restricted transactions

Deliverables and outcomes:
  • Prohibited transactions: business-process change
  • Restricted transactions: compliance measures
  • EO 14117 data inventory capability

Key activities:
  • Establish a project management office and cross-functional task force
  • Establish a change-management plan
  • Prohibited transactions workstream: coordinate LOB data localization and business-process change
  • Restricted transactions workstream: establish the initial independent audit and reporting cycle; coordinate LOB security remediation
  • Data inventory workstream: establish requirements for the ongoing capability

Phase 3: Ongoing (2026+)

Objective: Maintain compliance through greenfield processes

Deliverables and outcomes:
  • Enhanced third-party risk-management due diligence
  • EO 14117 reporting capabilities
  • Annual independent audits against the CISA security requirements

Key activities:
  • Synchronize EO 14117 data-inventory requirements with existing GDPR and PIPL requirements and capabilities, and make the necessary tool changes or enhancements
  • Provide requirements to the TPRM process and coordinate their implementation
  • Assign reporting and audit responsibilities and include EO 14117 in the 2026 audit plan

How can companies fulfill their compliance obligations without over-allocating resources and “boiling the ocean?” We recommend taking these steps.

  1. Conduct a readiness assessment. How does the rule impact your business? You’ll need to start identifying the processes and data flows that are directly affected. Taking a proactive approach will help you establish confidence with executive leadership and the board while demonstrating compliance readiness to regulators.
  2. Lean into the exemptions. Understand the rule’s many exemptions and how they may apply to your situation. The rule includes sample scenarios illustrating exempted, lower-risk data transfers incidental to normal business activities and services. Knowing whether your data transfers qualify for an exemption can be a critical step in managing legal risk.
  3. Take a knock-out approach based on business processes. It would be tempting to begin data discovery at the system level, looking for in-scope data transactions, but it’ll save more time in the long run to eliminate entire business processes that qualify for one of the exemptions or inherently have nothing to do with the in-scope criteria. Then you can proceed to systems.
  4. Use a variety of data-discovery tools. Once you’ve identified the potential in-scope business processes, think like the DOJ. Set your risk tolerance very low. Using just one tool and dozens of interviews, as you may have done for GDPR or PIPL, probably won’t meet that standard. The rule’s thresholds are very low relative to the volume of US-person data a multinational typically handles, and they are measured over a rolling 12 months, so they are easy to hit without noticing.
  5. Dig into your supply chain. Even if you operate an advanced approach to third-party risk management, you probably haven’t been capturing country-specific metadata relative to third- and fourth-party data transfers, either in your due diligence questionnaires or data-protection addendums. You should look under these rocks.
  6. Redesign and greenfield your record of data-processing activities (RoPA). You may have run data-mapping processes previously, but the DOJ rule contains data classifications and metadata you haven’t seen before. Most likely, your company doesn’t even operate a RoPA for the US market to the extent it does for Europe and China. This will be a new capability you’ll need to maintain on an ongoing basis, fully integrated with your new-vendor onboarding process.
  7. Enhance your data de-identification capabilities. Once you’ve run to the end of your twin workstreams for prohibited transactions and restricted transactions and you begin to apply CISA’s criteria, you’ll face some high-impact business decisions regarding altering business processes. Data de-identification is a control that may enable you to continue restricted transactions.