The U.S. Department of Justice (DOJ) issued a Final Rule, effective April 8, 2025, to implement Executive Order 14117 Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, which was issued on February 28, 2024. More information can be found in DOJ’s Frequently Asked Questions.
What are the Key Elements of the New Regulations:
Scope of Covered Data Transactions: The new regulations impose requirements on U.S. persons and entities that provide access to U.S. Government-related data or bulk U.S. sensitive personal data when that data is accessed by a country of concern or a covered person. These transactions include:
- Data brokerage.
- Vendor agreements.
- Employment agreements.
- Investment agreements.
“Countries of Concern” include:
- The People's Republic of China (PRC), including the Special Administrative Region of Hong Kong and the Special Administrative Region of Macau
- The Russian Federation (Russia).
- The Islamic Republic of Iran (Iran).
- The Democratic People's Republic of Korea (North Korea).
- The Republic of Cuba (Cuba).
- The Bolivarian Republic of Venezuela (Venezuela).
A “U.S. Person” is any:
- Person in the United States (regardless of citizenship or status, physically located in the U.S.)
- U.S. citizen, national, lawful permanent resident, asylee, or refugee
- Entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches)
Any person who is not a U.S. Person is a “Foreign Person”
A “Covered Person” is
- Foreign entities that are 50% or more owned (directly or indirectly) by a country of concern or another covered person.
- Foreign entities organized or chartered under the laws of, or with their principal place of business in, a country of concern.
- Foreign individuals primarily resident in a country of concern.
- Foreign individuals who are employees or contractors of a country of concern’s government or a covered person entity.
The Attorney General may also designate any person (including a U.S. person) as a covered person if they meet specific criteria, such as being subject to the ownership or control of a country of concern
What Types of Data are Covered by the New Regulations?
The new rule applies to data transactions that involve sensitive U.S. personal data when the volume exceeds a specific "bulk threshold".
Bulk Thresholds and Restrictions
The rule's prohibitions and restrictions on data transactions apply if the thresholds below are met for a data category. These restrictions apply even if the data is anonymized, pseudonymized, de-identified, or encrypted.
When a data set contains multiple categories, it is subject to the lowest threshold that applies to any category within it.
| Data Category | Bulk Threshold |
|---|---|
| Covered Personal Identifiers | 100,000 U.S. persons |
| Personal Health Data | 10,000 U.S. persons |
| Personal Financial Data | 10,000 U.S. persons |
| Precise Geolocation Data | 1,000 U.S. persons |
| Biometric Identifiers | 1,000 U.S. persons |
| Human ‘omic Data (not Genomic) | 1,000 U.S. persons |
| Human ‘omic Data | 100 U.S. persons |
U.S. Government-Related Data: This includes precise geolocation data for any location on the Government-Related Location Data List (e.g., Department of Defense sites) and data concerning recent former employees or contractors of the U.S. government. There are no bulk threshold requirements for this type of data.
What are the Effective Dates for the New Regulations?
The prohibitions and restrictions and most other provisions of the DSP became effective on April 8, 2025.
The due diligence and audit requirements (Subpart J) and certain reporting requirements (§§ 202.1103 and 202.1104) become effective on October 6, 2025.
How is Rice University addressing the New Regulations?
Rice University has taken a structured, multi-step approach to address the regulation. An internal working group was formed, which included representatives from the Office of the General Counsel (OGC), the Office of Technology Transfer (OTT), the Office of Research Security & Export Controls (RSEC), the Office of Ethics, Compliance, and Enterprise Risk, and the Office of Sponsored Projects (OSP), along with an external law firm.
The group's process included the following key actions:
- Developed and Distributed a Survey: An assessment survey was created by the working group and distributed to relevant stakeholders that may provide access to U.S. Government-related data or bulk U.S. sensitive personal data.
- Collected and Verified Data: Data was collected from the surveys and then spot-checked for reliability and validity.
- Addressed Concerns: The verified data was leveraged to identify and address any potential concerns.
- Conducted an External Review: An external peer review team was established to review the entire process.
What do you do if you believe the new regulations impact your research?
Immediately reach out to the Office of Research Security and Export Controls (RSEC) via email: rsec@rice.edu before proceeding with your research.