Executive Summary
A sweeping new U.S. Department of Justice (DOJ) rule effective April 2025 imposes strict limits on how U.S. personal and government-related data can be shared with specific foreign countries. Focused on national security—not privacy rights—this rule represents a major shift in how organizations must govern cross-border data movement.
The regulation introduces prohibitions and conditions for data sharing with six “countries of concern,” targeting bulk transfers of biometric, genetic, health, geolocation, and financial data. The stakes are high: even indirect data access through vendors, cloud providers, or contractors can fall under scrutiny. We’re here to break down what’s changing and how organizations can prepare—starting with understanding where sensitive data lives, how it moves, and who has access.
What Is the DOJ’s Final Rule?
Issued under Executive Order 14117, the DOJ’s final rule aims to prevent hostile foreign actors from acquiring sensitive data about U.S. individuals or federal systems. It introduces two main categories of data under regulatory control:
- Bulk Sensitive Personal Data: Includes biometric data, precise geolocation, personal health info, financial account details, and any linked identifiers.
- Thresholds: Generally 1,000+ U.S. individuals; only 100 for genomic or DNA-related data.
The rule applies to a broad range of transactions—not just data sales, but also processing, licensing, outsourcing, employment, and investment activity involving the covered countries.
Key Compliance Dates
April 8, 2025 – Rule becomes effective. Covered data transactions must cease or comply with restrictions.
July 8, 2025 – End of DOJ’s 90-day “good faith” grace period. Enforcement begins in earnest.
October 6, 2025 – Affirmative compliance obligations (e.g., due diligence, audits, documentation) take effect.
Prohibited vs. Restricted Transactions
| Transaction Type | Status Under the Rule |
| --- | --- |
| Sale or licensing of bulk personal data | ❌ Prohibited outright |
| Transfers of genomic / ‘omic data | ❌ Categorically banned |
| Cloud storage or offshore vendors | ⚠️ Restricted with safeguards required |
| Foreign employees with access | ⚠️ Permitted only with documented controls |
| Investment deals involving data access | ⚠️ Subject to national security review |
What Makes This Rule Different
While frameworks like GDPR and CPRA regulate personal data to protect individual privacy, this DOJ rule is centered on data exposure risk to adversarial governments. There is no opt-out, consent model, or consumer rights component. Instead, organizations must:
- Identify covered data across all systems
- Quantify whether thresholds are met (e.g., 1,000 records)
- Assess potential access by foreign entities—even indirectly
- Maintain defensible documentation and implement technical safeguards
Unlike privacy laws focused on transparency, this rule demands visibility and control at the infrastructure level. It’s a call for operational maturity around sensitive data that spans privacy, security, and geopolitical risk.
The BigID Advantage: Know Your Data, Protect It Everywhere
Meeting the demands of this rule starts with a simple truth: you can’t protect what you can’t find. BigID helps organizations tackle cross-border risk by giving them unmatched visibility into their data—what it is, where it resides, how it flows, and who can access it.
With BigID, organizations can:
- Discover and classify sensitive data—including biometric, health, genomic, and government-linked information
- Understand which datasets exceed the DOJ’s thresholds and trigger compliance obligations
- Map data flows across borders, vendors, and environments to identify exposure
- Flag risk scenarios involving storage, vendors, or foreign access
- Document controls and generate defensible audit artifacts
Whether you’re managing regulated data in the cloud, preparing for vendor diligence, or mitigating emerging geopolitical risks—BigID gives you the foundation to act confidently.