Login
Home / Areas of Service / Export Compliance / DOJ Regulations Regarding Bulk U.S. Sensitive Data

DOJ Regulations Regarding Bulk U.S. Sensitive Data

The Department of Justice Data Security Program (DSP)

Earlier this year, the Justice Department (DOJ) recently issued and publicly posted a Final Rule, also called the Data Security Program (DSP Rule), which implements Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern). The program functions similarly to export controls, prohibiting or restricting certain transactions that could grant foreign entities access to sensitive data.  The rule prohibits or restricts “bulk” data transactions with countries of concern as well covered person(s) certain entities and individuals that reside in or are otherwise associated with a country of concern.

FAQ's: Understanding the Data Security Program

Researchers handling sensitive data such as those described below must ensure compliance with the DSP. The program prohibits certain transactions involving these data with countries of concern and covered person(s).

The Final Rule’s prohibitions and restrictions generally apply to covered data transactions involving a country of concern or covered person and sensitive personal data that meets or exceeds certain bulk volume thresholds.

  • China (including Hong Kong and Macau)
  • Cuba
  • Iran
  • North Korea
  • Russia
  • Venezuela

*The above list of countries also includes individuals and entities under their control.

The term “covered person” means:

  • Foreign entities that are organized under the laws of a country of concern, have their principal place of business in a country of concern, or are 50% or more owned by a country of concern.
  • Entities that are 50% or more owned by another covered person.
  • Foreign individuals who are:
    • Primarily a resident in a country of concern, or
    • Employed by or acting on behalf of a covered entity.
  • Any individual specifically designated by the U.S. Department of Justice as subject to the direction or control of a country of concern or another covered person.

The rule establishes the following six categories of personal data, along with the designated bulk thresholds below. Any combination of these categories in which at least one type meets the bulk threshold is subject to the DSP:

  1. Covered personal identifiers – any “listed identifiers” when combined with, linked, or linkable to any other listed identifier.
  2. Precise geolocation data - Data, whether real-time or historical, that identifies location of device/individual (e.g., GPS coordinates).
  3. Biometric identifiers - measurable physical characteristics or behaviors used to recognize or verify the identity of an individual (e.g., facial images, voice prints and patterns, retina scans, palm/fingerprints, gait, keyboard usage pattern that are enrolled in a biometric system).
  4. Human genomic data and three other types of human ‘omic data:
    • Human genomic data such as data representing nucleic acid sequences that comprise the entire set or a subset of the genetic instructions found in a human cell, including results of a “genetic test” and biospecimens.
    • Human epigenomic, proteomic, or transcriptomic data.
  5. Health data - health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual. (e.g., height, weight, vital signs, symptoms, test results, diagnosis, exercise habits, prescription history).
  6. Financial data - data about an individual's credit, charge, or debit card, or bank account.

The table below summarizes the bulk thresholds for sensitive personal data. Sensitive personal data meeting or exceeding these thresholds at any point in the preceding twelve months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person, is bulk U.S. sensitive personal data:

U.S. Sensitive Personal Data Threshold of data collected about or maintained on…
Human genomic data 100 U.S. persons
Human epigenomic data 1,000 U.S. persons
Human proteomic data 1,000 U.S. persons
Human transcriptomic data 1,000 U.S. persons
Biometric identifiers 1,000 U.S. persons
Precise geolocation data 1,000 U.S. devices
Personal health data 10,000 U.S. persons
Personal financial data 10,000 U.S. persons
Covered personal identifiers 100,000 U.S. persons
Combined data, as described in § 202.205(g) Lowest applicable number

No. The term “bulk U.S. sensitive personal data” means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable threshold.

Yes. The DSP includes exemptions which allow data transactions that would otherwise be prohibited under the Rule:

  • Data transactions with countries of concern or covered persons involving drug, biological product, device, or combination product approvals or authorizations if the data transactions involve regulatory approval data necessary to obtain or maintain regulatory

Please note that exemptions may also trigger additional reporting requirements. The above is a brief overview of an allowable exemption. If a researcher believes this may be applicable, please refer to the Final Rule to ensure the data transaction meets the exemption criteria.

International collaborations involving sensitive data may be subject to DSP restrictions. Researchers must ensure that any data sharing complies with DSP regulations. It is essential to assess the involvement of foreign entities and the nature of the data being shared.

A covered person can access bulk sensitive U.S. data or U.S. government-related data while located in the United States. Upon leaving the United States, the covered person can no longer access this data.

There are some exceptions. If an individual has been specifically designated by the U.S. Department of Justice, they are prohibited from accessing bulk sensitive U.S. data wherever they are located. In addition, any attempt to avoid the regulations’ prohibitions, such as by having a covered person enter the United States to receive bulk U.S. sensitive personal data, could constitute evasion and a violation of the regulations.

The researcher should assess whether the research involves:

  • Accessing or sharing sensitive data types listed above.
  • Collaborating with foreign entities or researchers from countries of concern.
  • Utilizing data platforms or services that may be subject to DSP restrictions.

If the research involves any of these factors, it may be subject to DSP regulations.

Non-compliance with the DSP can lead to:

  • Civil or criminal penalties
  • Sanctions
  • Reputational damage to the researchers and institution

It is crucial to adhere to DSP requirements to avoid these potential consequences.

Researchers should:

  • Ensure that any data sharing or collaboration complies with DSP restrictions.
  • Review the DSP Compliance Guide provided by the Department of Justice National Security Division (NSD).
  • For assistance in understanding specific compliance scenarios refer to the US Department of Justice’s frequently asked questions.
  • Consult with Research Compliance Officer for additional guidance, kcraig@upenn.edu.

For additional guidance, please reach out to Penn’s Research Compliance Officer: kcraig@upenn.edu.

See also:

IAPP's Data Security Program Cheat Sheet
icon-arrowicon-circlesicon-docicon-downloadicon-externalicon-lettericon-lockicon-magnifiericon-pdficon-phoneicon-resourceicon-xls