直 Japanese PDF Font
  • Our Professionals
  • Our Work
  • Our Insights
  • Offices
  • Firm
  • Careers
Finnegan
  • Articles & Books
    • Ad Law Buzz Blog
    • At the PTAB Blog
    • European IP Blog
    • Federal Circuit IP Blog
    • INCONTESTABLE® Blog
    • Prosecution First Blog
  • Events & Webinars
  • IP Updates
  • Podcasts
    • AI + Finnegan
    • AI + Copyright
    • AI + Patent
    • AI + Privacy
    • AI + Trade Secrets
    • AI + Trademark
  • Unified Patent Court (UPC) Hub

Article

Regulating International Bulk-Data Transactions: An Analysis of the DOJ's Newly Proposed Regulations, and What it May Mean for Businesses Involved in Such Transactions

April 22, 2024

By Lynn Parker Dupree; Emmanuel N. Onochie

Overview

The Department of Justice (DOJ) has released an Advance Notice of Proposed Rulemaking (ANPRM) regarding President Joe Biden’s February 28, 2024, executive order meant to regulate the international transaction of America’s bulk sensitive personal data. The ANPRM serves as a platform for soliciting public feedback on proposed rulemaking for information, data, ideas, or suggestions on developing regulations. After sufficient feedback, the DOJ will release the Proposed Rule, which will lay out how the government plans to address these transactions and request further comments before the Final Rule is implemented. This article explores the potential impact of the DOJ’s proposed rule disclosed in the March 5, 2024, ANPRM titled, “Provisions Regarding Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern.”

The ANPRM outlines the DOJ’s plan to implement a comprehensive program to identify 1) “prohibited transactions” and 2) “restricted transactions,” or transactions that would be prohibited if the transactors fail to comply with predefined security requirements. Specifically, this ANPRM is focused on defining and identifying prohibited transactions, countries of concern, and covered persons that may pose a direct national security risk to U.S. bulk sensitive personal information.

Definitions

1. “Sensitive Personal Data” and “Bulk Threshold”

Notably, the DOJ disclosed its proposed definition for ‘sensitive personal data’ and the ‘bulk threshold’.” 89 Fed. Reg. 15784 (March 5, 2024). “Sensitive personal data” is defined as: 1) covered personal identifiers, 2) geolocation and related sensor data, 3) related sensor data, 4) biometric identifiers, 5) human’ omic data, 6) personal health data, 7) personal financial data, or any combination of all seven. For the “bulk threshold,” the DOJ is considering “the relative sensitivity of each of the six categories of sensitive personal data and would inform the volume threshold applicable to each category.” Id. at 15786. Thus, the DOJ is considering adopting the thresholds shown below as the volume threshold applicable to each category.

2. “Covered Data Transactions,” “Countries of Concern,” and “Covered Persons.”

“Covered Data Transactions” are defined as transactions between U.S. persons or entities and a country of concern or covered person “that involves any bulk U.S. sensitive personal data or government-related data and that involves: (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement.” Id. at 15788. To mitigate ambiguity, the ANPRM also provides various examples of each type of transaction. Id. at 15788-90.

For “countries of concern,” the DOJ is contemplating adopting the countries from Executive Order 13873, wherein the countries below were “identified . . . as having engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of the United States.” Id. at 15790.

In the same regard, “covered persons” are defined as ‘‘an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern.” Id. It also includes a foreign person who is an employee or contractor of the entity or one of the countries of concern. Id. As a catch-all, a “covered person” is also any person designated by the Attorney General as being owned or controlled by the entity or a country of concern. Id.

3. Parties must “knowingly” engage in covered transactions.

The program prohibits “knowingly engag[ing] in a covered data transaction with a country of concern or covered person.”   Id. The “knowingly” language applies to “persons who knew or should have known of the circumstances of the transaction.”  Id. These prohibitions encompass transactions such as data brokerage, access to bulk human genomic data, and transactions entailing heightened national security risks.

Exempt Transactions

Certain data transactions may obtain exemption from the program. The DOJ is contemplating making the following types of transactions exempt from the program.

  1. Transactions involving statutorily exempt data
  2. Official U.S. Government business transaction
  3. Financial Services, Payment Processing, and Regulatory-Compliance-Related Transaction
  4. Intra-entity transactions Incident to Business Operations such as those part of ancillary business operations, and
  5. Transactions mandated or authorized by federal law or international agreement

Proposed Compliance and Enforcement Model.

To promote compliance, the DOJ is considering “a compliance and enforcement program modeled on the Department of the Treasury’s International Emergency Economic Powers (IEEPA) based economic sanctions which are administered by the [Office of Foreign Assets Control,] OFAC.” Id. at 15790. Compliance measures will include due diligence, reporting obligations, audits, initiating investigations, and, when necessary, enforcement actions. Id. at 15797-98. The proposed program will utilize a risk-based approach, where U.S. individuals subject to regulation would “implement compliance programs based on their individualized risk profiles.” Id. at 1580. To ensure compliance, the DOJ will likely collaborate with relevant agencies and company stakeholders.

The DOJ encourages compliance with the Basic Organizational Cybersecurity Posture requirements. This will likely involve implementing data minimization techniques, privacy-preserving technologies, and robust access controls. The DOJ may also introduce both general and specific licensing systems for covered data transactions that would otherwise be restricted.

Conclusion

To conclude, the DOJ endeavors to craft comprehensive regulations that effectively address national security threats while fostering economic growth and innovation through public feedback. Public feedback from the perspective of stakeholders that deal in international data transactions will play a pivotal role in shaping the final regulations and ensuring their efficacy in safeguarding U.S. national security and maintaining economic growth. To read the Advance Notice of Public Rulemaking, please see the link below.[1]

Endnotes

[1] https://www.govinfo.gov/content/pkg/FR-2024-03-05/pdf/2024-04594.pdf

Tags

cybersecurity

Related Practices

Diligence, Licensing, and Opinions

Privacy

Related Offices

Washington, DC

Related Professionals

Lynn Parker Dupree
Partner
Washington, DC
+1 202 408 4462
Email
Emmanuel N. Onochie
Associate
Washington, DC
+1 202 408 4029
Email

Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients. 

Related Insights

Conference

IAM Live: Navigating the UPC 2026

November 3, 2026

Paris

Conference

2026 AIPLA Annual Meeting

October 29-31, 2026

Washington, DC

Conference

4th Global Patent Litigation FORUM

October 29, 2026

Munich

Conference

ChIPs Global Summit 2026

October 21-23, 2026

Los Angeles

Hybrid Conference

Intellectual Property Law Institute 2026 – California

October 19-20, 2026

San Francisco

Conference

31st Annual UMass Chan Research Retreat

October 14-15, 2026

Worcester

Hybrid Conference

Intellectual Property Law Institute 2026 – New York

September 28-29, 2026

New York

Conference

2026 IPO Annual Meeting

September 27-29, 2026

Toronto

Conference

IAM Live: SEP Summit Global 2026

September 9-10, 2026

London

Due to international data regulations, we’ve updated our privacy policy. Click here to read our privacy policy in full.

  • Privacy
  • Disclaimer
  • Legal Notices
  • Fraud Alert
  • EEO Statement
  • Cookies
  • Contact Us

© 2026 Finnegan, Henderson, Farabow, Garrett & Dunner, LLP