Table of Contents
- What Is the DOJ Bulk Data Transfer Rule, Exactly?
- Why the Rule Exists
- What Data Is Covered?
- What Transactions Are Actually Regulated?
- Prohibited vs. Restricted Transactions
- Important Exemptions Businesses Should Know
- Effective Dates and Enforcement
- Who Should Be Paying Close Attention?
- What Smart Compliance Looks Like
- Real-World Experiences: What This Rule Feels Like in Practice
- Conclusion
If the phrase Department of Justice Bulk Data Transfer Rule sounds like something drafted by lawyers in a windowless room with bad coffee, that is because it mostly is. But it is also one of the most important new U.S. data-security rules for companies that buy, sell, analyze, host, outsource, or otherwise touch large volumes of sensitive personal data.
The short version is this: the U.S. Department of Justice created a rule to stop certain foreign adversaries from getting access to Americans’ bulk sensitive personal data and certain government-related data through commercial deals. In plain English, this is Washington saying, “Maybe we should not let hostile actors shop for sensitive U.S. data like it is on clearance.”
The official framework is broader than a simple “transfer” ban. It is part of the DOJ’s Data Security Program, and it regulates not only outright sales, but also certain vendor relationships, employment arrangements, and investment deals that could give a country of concern or a covered person access to sensitive data. That is why this rule matters far beyond data brokers. It reaches into ad tech, life sciences, software development, HR outsourcing, cloud services, healthcare, fintech, telecom, and any business that moves data across teams, tools, and borders.
What Is the DOJ Bulk Data Transfer Rule, Exactly?
The phrase “bulk data transfer rule” is the nickname most businesses use. The formal rule is the DOJ’s final rule implementing Executive Order 14117, and it now sits in 28 C.F.R. Part 202. The program’s basic mission is national security: stop countries of concern and covered persons from obtaining access to bulk U.S. sensitive personal data or U.S. government-related data through commercial transactions.
That means this is not a traditional consumer privacy law in the style of California’s CCPA, and it is not a classic export-control rule in the style of semiconductor restrictions. It is something in between. Many lawyers now describe it as a kind of export control for data. That description fits, because the DOJ focuses on who gets access, what data is involved, how much of it is involved, and whether the transaction creates a real security risk.
The six countries of concern under the rule are:
- China, including Hong Kong and Macau
- Cuba
- Iran
- North Korea
- Russia
- Venezuela
The rule also applies to certain covered persons. That includes not only entities located in those countries, but also certain individuals or entities owned by, controlled by, or acting on behalf of them. So a company does not get a free pass just because the counterparty has a European mailing address and a very polished website.
Why the Rule Exists
The DOJ’s reasoning is straightforward. Bulk data can reveal much more than one isolated record ever could. Large datasets can be used to build detailed profiles, identify government personnel, map routines, trace device movements, support blackmail, improve cyber targeting, or feed AI systems used for espionage and surveillance. In other words, the concern is not just privacy harm. It is intelligence value.
That is why the rule focuses on both volume and access. A single health record is serious. Ten thousand health records, linked with identifiers, geolocation, or financial data, become a strategic asset. The U.S. government has made it clear that it sees these data flows as part of the national-security landscape, not just a compliance footnote for privacy teams.
What Data Is Covered?
The DOJ rule covers two broad buckets of information: bulk U.S. sensitive personal data and U.S. government-related data.
1. Bulk U.S. Sensitive Personal Data
The rule identifies six categories of sensitive personal data:
- Covered personal identifiers
- Precise geolocation data
- Biometric identifiers
- Human ’omic data
- Personal health data
- Personal financial data
This is where things get interesting. “Bulk” does not mean one giant spreadsheet with a skull-and-crossbones icon in the file name. It means the data meets or exceeds certain thresholds over the previous 12 months. The main thresholds are:
- More than 100 U.S. persons for human genomic data
- More than 1,000 U.S. persons for other covered human ’omic data
- More than 1,000 U.S. persons for biometric identifiers
- More than 1,000 U.S. devices for precise geolocation data
- More than 10,000 U.S. persons for health or financial data
- More than 100,000 U.S. persons for certain covered personal identifiers
And no, companies cannot escape by saying the data is anonymized, de-identified, pseudonymized, or encrypted. The rule explicitly reaches data in those forms too. DOJ’s position is that bulk datasets can still be exploited or re-identified when combined with other information.
2. U.S. Government-Related Data
This category gets special treatment because the bulk thresholds do not apply. If the data is government-related, even a smaller amount can trigger the rule.
Government-related data includes:
- Precise geolocation data tied to listed sensitive government locations
- Sensitive personal data marketed as linked to current or recent former U.S. government employees, contractors, military personnel, or intelligence-community personnel
That second category matters more than many businesses realize. If a company markets a dataset as useful for targeting federal workers, defense personnel, or other government-affiliated populations, it is stepping onto very thin regulatory ice.
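The two sections above amount to a screening rule: count distinct U.S. persons (or devices, for geolocation) per category over a trailing 12-month window, compare against the per-category threshold, count de-identified and encrypted records like any others, and treat government-related data as in scope at any volume. The following Python script is an added illustration of that logic, not code from the article or from DOJ. It uses the article's threshold numbers, category labels of my own choosing, a 365-day window as a simplification of "12 months", and a constructed inventory; it is a data-governance helper for inventory review, not a legal determination under 28 C.F.R. Part 202.

```python
"""Bulk-threshold screening over a constructed data inventory (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Per-category bulk thresholds as listed in the article ("more than N").
# Every category counts U.S. persons except precise geolocation, which
# counts U.S. devices. Category labels are this example's own.
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "other_omic": 1_000,
    "biometric": 1_000,
    "precise_geolocation": 1_000,   # counted in devices, not persons
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_identifiers": 100_000,
}

# Fixed evaluation date so the sample is reproducible (constructed value).
AS_OF = date(2025, 10, 6)


@dataclass(frozen=True)
class Record:
    category: str
    subject_id: str            # a person id, or a device id for geolocation
    collected_on: date
    government_related: bool = False   # e.g. marketed as linked to gov personnel
    deidentified: bool = False         # carried for documentation only: it does
                                       # not exempt the record from the count


def window_start(as_of: date) -> date:
    """Start of the trailing 12-month window (approximated as 365 days)."""
    return as_of - timedelta(days=365)


def evaluate(records, as_of: date) -> dict:
    """Count distinct subjects per category inside the window and flag
    categories that exceed their bulk threshold or carry government-related data."""
    start = window_start(as_of)
    subjects = defaultdict(set)
    gov_categories = set()
    for r in records:
        if not (start < r.collected_on <= as_of):
            continue                      # outside the 12-month lookback
        # Distinct ids, not row count; de-identified rows still count.
        subjects[r.category].add(r.subject_id)
        if r.government_related:
            gov_categories.add(r.category)   # no volume threshold applies
    counts = {cat: len(ids) for cat, ids in subjects.items()}
    bulk = sorted(cat for cat, n in counts.items() if n > BULK_THRESHOLDS[cat])
    return {"counts": counts, "bulk": bulk, "government_related": sorted(gov_categories)}


def build_sample_inventory(as_of: date) -> list:
    """Constructed inventory for demonstration; not real data."""
    recs = []
    # 150 genomic subjects, but 60 of them were collected over 12 months ago,
    # so only 90 fall inside the window and the 100-person threshold is not met.
    for i in range(150):
        when = as_of - timedelta(days=30 if i < 90 else 400)
        recs.append(Record("human_genomic", f"person-{i}", when))
    # 1,200 distinct devices with precise geolocation, all pseudonymized,
    # plus 300 duplicate rows for devices already seen: still 1,200 distinct.
    for i in range(1_200):
        recs.append(Record("precise_geolocation", f"device-{i}",
                           as_of - timedelta(days=10), deidentified=True))
    for i in range(300):
        recs.append(Record("precise_geolocation", f"device-{i}",
                           as_of - timedelta(days=5), deidentified=True))
    # 40 health records marketed as linked to federal employees: far below the
    # 10,000 threshold, yet in scope because they are government-related.
    for i in range(40):
        recs.append(Record("personal_health", f"person-h{i}",
                           as_of - timedelta(days=2), government_related=True))
    return recs


if __name__ == "__main__":
    result = evaluate(build_sample_inventory(AS_OF), AS_OF)
    for cat, n in sorted(result["counts"].items()):
        print(f"{cat:22s} distinct={n:>6}  threshold>{BULK_THRESHOLDS[cat]}")
    print("bulk categories:", result["bulk"])
    print("government-related categories:", result["government_related"])
```

The three constructed cases show the points the text makes: the genomic set drops below threshold only because of the lookback window, the geolocation set is bulk despite being pseudonymized and despite duplicate rows, and the small health set is in scope with no threshold at all because it is government-related.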
What Transactions Are Actually Regulated?
The rule does not ban every international data flow. It regulates covered data transactions. A transaction becomes covered when it involves access by a country of concern or covered person to covered data through one of four deal structures:
- Data brokerage
- Vendor agreements
- Employment agreements
- Investment agreements
Data Brokerage
This is the headline-grabber. Data brokerage includes the sale of data, licensing of access to data, or a similar commercial transaction where the recipient did not collect the data directly from the individuals. That captures both first-party and third-party brokerage. So if a company directly collects user data and then licenses a dataset to someone else, that can still be data brokerage. Nice try, but the loophole fairy has left the building.
Vendor, Employment, and Investment Agreements
This is where the rule becomes operationally serious. A company may not think of outsourcing software development, using offshore customer support, hiring remote staff, or taking foreign investment as “data transfers.” DOJ does. If those arrangements allow access to covered data by a covered person or country of concern, the rule may apply.
That is why the DOJ rule is not just about selling data. It is about access pathways.
Prohibited vs. Restricted Transactions
The cleanest way to understand the rule is to split it into two buckets.
Prohibited Transactions
These are deals you generally cannot do.
The main prohibited categories include:
- Data brokerage with a country of concern or covered person
- Certain data-brokerage transactions with other foreign persons unless contract restrictions and reporting obligations are in place for onward transfers
- Transactions involving access to bulk human ’omic data or related biospecimens by a country of concern or covered person
- Evasion, conspiracy, or knowingly directing prohibited activity
The human ’omic piece is especially tough. If a vendor, employee, or investor deal involves bulk human genomic data or biospecimens from which that data can be derived, it may move out of the “restricted” bucket and straight into the “prohibited” bucket. For biotech, health research, digital health, and genomics companies, that is a giant flashing compliance sign.
Restricted Transactions
These are not automatically banned, but they are allowed only if the U.S. person satisfies strict conditions. Restricted transactions generally involve vendor, employment, or non-passive investment agreements with a country of concern or covered person.
To make those transactions lawful, companies must comply with the DOJ’s requirements, including the CISA Security Requirements for Restricted Transactions. Those requirements operate at the organizational, system, and data level. The goal is to prevent access to linkable, identifiable, unencrypted, or decryptable covered data using commonly available technology.
In practice, that means compliance is not just a contract exercise. It is technical, operational, and governance-heavy. Think data mapping, access controls, vendor diligence, segmentation, encryption design, written procedures, and independent audits.
Important Exemptions Businesses Should Know
Not every cross-border data movement is a compliance disaster waiting to happen. The rule contains several exemptions, including for certain:
- Personal communications
- Informational materials
- Travel-related activity
- Official U.S. government business
- Financial services activity ordinarily incident to those services
- Corporate group transactions tied to administrative or ancillary operations
- Transactions required or authorized by federal law or international agreements
- Certain CFIUS-covered situations
- Telecommunications services
- Certain drug, biological product, and medical device regulatory activities
That said, “exempt” does not mean “do whatever feels fun.” Most exemptions are narrow and tied to activity that is ordinarily incident to the exempt function. Selling sensitive telecom geolocation data for targeted ads is not magically saved because a phone company was involved somewhere in the story.
Effective Dates and Enforcement
The final rule took effect in substantial part on April 8, 2025. DOJ then announced a short implementation-and-enforcement grace period through July 8, 2025 for good-faith compliance efforts. But that was not a hall pass for reckless behavior. DOJ made clear that willful violations, evasion, or criminal conduct were still very much on the table.
Additional affirmative obligations, including due diligence, audits, annual reporting for certain transactions, and reports on rejected prohibited transactions, began in October 2025. So by late 2025, the rule had shifted from “better start planning” to “hope your contracts, systems, and governance are already ready.”
Penalties can be steep because the rule sits under the International Emergency Economic Powers Act. In practical terms, companies should treat this as serious national-security compliance, not a polite regulatory suggestion.
Who Should Be Paying Close Attention?
If your company handles bulk sensitive data and uses global vendors, overseas staff, foreign-parent support, offshore engineering, ad networks, or cross-border analytics, you should assume the rule deserves a careful review.
The most obviously affected sectors include:
- Ad tech and mobile app ecosystems
- Healthcare and digital health
- Biotech and genomics
- Financial services and fintech
- Cloud and SaaS providers
- HR platforms and outsourced support
- Telecom and location-data businesses
- Data analytics, AI, and model-development operations
- M&A and private investment deal teams
The broad lesson is simple: if foreign access to sensitive data is part of your operating model, the DOJ bulk data transfer rule is no longer someone else’s problem.
What Smart Compliance Looks Like
The best response is not panic. It is disciplined data governance.
A practical compliance checklist
- Map what sensitive data you hold and how much of it you hold
- Identify whether it meets DOJ bulk thresholds
- Review whether any data is government-related
- Inventory foreign vendors, employees, contractors, investors, and affiliates with access
- Screen counterparties for country-of-concern and covered-person risk
- Separate prohibited data brokerage from potentially restricted transactions
- Implement CISA-driven technical controls where restricted transactions continue
- Update contracts for onward-transfer restrictions and reporting obligations
- Build a written, risk-based data compliance program
- Prepare for audits, recordkeeping, and reporting obligations
The DOJ’s own compliance message can be boiled down to three words: know your data. That sounds obvious until a company realizes its geolocation feed, app SDK, outsourced QA team, foreign engineering environment, and analytics license all touch the same data lake in different ways. Then the room gets quiet.
Real-World Experiences: What This Rule Feels Like in Practice
For many organizations, the DOJ bulk data transfer rule has not felt like one dramatic compliance event. It has felt more like discovering that your business has been quietly held together by shared drives, inherited vendor contracts, optimistic assumptions, and one very overworked privacy manager named Chris.
Take a common scenario in ad tech. A U.S. app company collects device data, precise geolocation, and identifiers for analytics and advertising. For years, the workflow looked normal: collect user data, share selected fields with an ad exchange, pass campaign performance data to another vendor, and let various software development kits do their thing in the background. After the DOJ rule arrived, that same workflow suddenly demanded uncomfortable questions. Who exactly receives the data? Did they collect it directly from the user? Are they acting as a vendor, or is this actually data brokerage? Could one downstream party be a covered person? The data did not change, but the legal meaning of access definitely did.
In healthcare and biotech, the experience has been even more intense. Teams that were used to talking about HIPAA, de-identification, clinical workflows, and research collaboration had to add a national-security layer to the conversation. That meant people who usually live in compliance, legal, security, procurement, and research administration all had to sit at the same table and translate each other’s language. The security team wanted architecture diagrams. Legal wanted contract terms. Researchers wanted the study to keep moving. Procurement wanted to know whether the vendor could still be used without blowing up the timeline. Nobody loved the meeting, but everybody suddenly had a reason to attend.
Another common experience has been the “vendor reality check.” Many companies believed they had a simple vendor relationship, only to learn that the vendor used subcontractors, affiliate support teams, offshore developers, or remote maintenance staff in ways that created access paths no one had documented well. The painful part was not always the rule itself. It was realizing the business did not fully understand its own data flows in the first place.
There is also a cultural side to this. Some executives hear “bulk data transfer rule” and assume the issue belongs entirely to the legal department. In practice, the organizations handling this best treat it as a shared operating issue. The companies moving fastest are the ones that connect privacy, cyber, contracts, data governance, HR, engineering, and business leadership before there is a problem. The ones moving slowly are still debating whose spreadsheet is the official spreadsheet.
So the lived experience of this rule is not just regulatory stress. It is operational maturity under pressure. Businesses that use the moment to clean up data inventories, tighten access, rationalize vendors, and document decisions may grumble now, but they often come out stronger. Not because regulators are charming, but because disciplined data management turns out to be useful even when DOJ is not standing in the doorway.
Conclusion
The Department of Justice Bulk Data Transfer Rule is a major shift in how the United States treats sensitive data risk. It is no longer enough to ask whether a data transfer is disclosed in a privacy policy or technically permitted by contract. Companies now have to ask whether the transfer, access arrangement, or commercial relationship creates a national-security problem under the DOJ’s Data Security Program.
That makes this rule bigger than a niche issue for data brokers. It affects how businesses structure vendors, remote work, cloud support, ad-tech arrangements, research partnerships, and foreign investment. It also rewards something many companies should have done years ago: understand what data they hold, where it goes, who can access it, and why.
If there is one takeaway to remember, it is this: the DOJ rule is not trying to stop all global data movement. It is trying to stop risky access to the most sensitive data at the scale that turns ordinary records into national-security leverage. Companies that understand that distinction will be in a much better position to comply without freezing legitimate business activity.
