Reinforcing the Digital Frontier: U.S. Privacy and Security in the Age of Data Shield

Aug 11, 2025

U.S. Data Protection Takes Center Stage: Inside DOJ's Crackdown on Foreign Data Access

The U.S. is no longer just reacting to digital threats; it's drawing clear lines. Here's what you need to know about the DOJ's sweeping new rule to safeguard sensitive data.

The United States just launched one of the most comprehensive digital data protection rules to date. With the DOJ’s final rule under Executive Order 14117, the U.S. is formally closing key pathways for foreign adversaries to access Americans’ most sensitive data.

On January 8, 2025, the Department of Justice published a sweeping regulation titled “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern.” It establishes clear prohibitions and restrictions on data-related transactions involving “countries of concern,” with a specific focus on protecting national security, critical infrastructure, and American privacy.

Why the DOJ Rule Matters

In an era where artificial intelligence, machine learning, and surveillance technologies are increasingly powered by data, the U.S. has recognized that data security is national security. Foreign entities, state-affiliated or otherwise, have been able to exploit gaps in the U.S. regulatory framework to obtain sensitive personal or government-related information.

This final rule introduces a robust legal framework to:

  • Protect U.S. persons’ biometric, genomic, health, and financial data

  • Prevent misuse of government contractor and federal agency data

  • Mitigate risks from data brokers, cloud providers, or software firms with foreign ties

It represents the first enforceable barrier to the commercial and strategic exploitation of American data by foreign powers.

Key Features of the DOJ Rule

1. Scope of Covered Data

The rule applies to two major data categories:

  • Bulk U.S. Sensitive Personal Data, including:

    • Genomic data

    • Precise geolocation data

    • Financial account and insurance data

    • Health records and biometric identifiers

  • Government-Related Data, such as:


    • Information from federal contractors

    • Non-public operational data

    • Sensitive communications related to national defense or critical infrastructure

2. Prohibited Transactions

Certain transactions are flatly prohibited if they involve covered data and:

  • Are conducted with a “country of concern”, including China, Russia, North Korea, Iran, Cuba, and Venezuela

  • Include entities owned, controlled, or influenced by those countries

  • Risk indirect data access via subcontracting, partnerships, or shared infrastructure

3. Restricted Transactions

Other transactions are subject to restrictions, including:

  • Data processing agreements with cross-border cloud service providers

  • Licensing of software with embedded sensitive data

  • Cross-border vendor relationships for critical data infrastructure

Restricted transactions may proceed only with security safeguards, such as data minimization, encryption, and access controls, or DOJ-issued licenses.

4. Due Diligence and Recordkeeping Requirements

Organizations must:

  • Conduct robust due diligence to determine if transactions involve covered persons

  • Maintain documentation, contracts, and audit trails, and conduct risk assessments

  • Submit certifications and disclosures when participating in restricted activities

The DOJ may request these records or conduct audits to verify compliance.

5. Exceptions and Exemptions

The rule allows narrowly tailored exceptions for:

  • Transactions authorized by other federal law

  • Activities involving U.S. government operations

  • Health-related research and humanitarian projects with proper approvals

Entities may also request individual advisory opinions or licenses from the DOJ when uncertain about compliance.

Strategic Implications

For Technology Companies:

If your business collects, stores, or processes sensitive data, particularly in sectors like fintech, healthtech, or AI, you’ll need to:

  • Evaluate third-party vendors, software providers, and investors

  • Establish data governance policies aligned with the rule

  • Ensure your architecture prevents unauthorized access by foreign affiliates

Cloud services, SaaS tools, and API providers that serve U.S. users should take immediate steps to review cross-border dependencies.

For Government Contractors:

Firms working with federal agencies must reassess how they store and handle sensitive agency-related data, especially if contractors or sub-processors operate internationally.

Failure to comply could result in contract violations or criminal penalties.

For Data Brokers and Platforms:

Data marketplaces and brokers handling consumer information must now classify their inventory and segment out data covered by the rule, or face shutdowns of certain services and partnerships.

Looking Ahead

Although the rule takes effect on April 8, 2025, the DOJ has extended the deadline for complying with due diligence and recordkeeping requirements to October 6, 2025, giving companies a short window to implement compliance strategies.

Over the coming months, expect:

  • Clarifying guidance from DOJ on specific use cases

  • Additional rulemakings addressing cloud and AI infrastructure

  • Increased federal scrutiny of cross-border data partnerships and tech acquisitions

The DOJ has emphasized this is part of a “whole-of-government effort” to safeguard sensitive data—meaning this rule is likely just the beginning of a broader enforcement wave.

Conclusion: A New Data Defense Doctrine

The DOJ’s final rule marks a defining shift in the U.S. government’s approach to digital privacy and geopolitical cybersecurity. No longer reactive, the United States is proactively building legal infrastructure to ensure Americans’ most sensitive data does not become a strategic vulnerability.

For companies across sectors, this is a critical moment to get ahead of compliance, audit your digital supply chains, and prepare for a new data era where national interest and data access are tightly linked.

Those who respond early, not just to the risks but to the expectations, will be better positioned to innovate securely, build trust, and lead in an increasingly data-dependent global economy.
