Department of Justice (DoJ) Final Rule Relating to U.S. Sensitive Personal Data and Government-Related Data

Background

The Department of Justice (DoJ) recently issued a Final Rule, effective April 8, 2025, implementing Executive Order 14117 that prevents individuals or entities located in, or affiliated with, the governments of Cuba, China (including Hong Kong and Macau), Russia, Venezuela, Iran, and North Korea from accessing certain bulk data relating to individuals in the United States and U.S. Persons. The National Institutes of Health (NIH) followed suit and issued a Notice protecting NIH Controlled-Access Data Repositories by prohibiting access to NIH Controlled-Access Data Repositories and associated data by institutions located in the above-named Countries of Concern.

Regulatory Requirements

The DoJ Final Rule restricts U.S. Persons from engaging in Covered Data Transactions involving Data Brokerage with a Covered Person. What does this mean for MSU faculty, students, and staff?

U.S. individuals and entities are prohibited from providing access to U.S. bulk sensitive personal data and U.S. government-related data to Covered Persons that are affiliated with Countries of Concern (Cuba, China, Hong Kong, Macau, Russia, Venezuela, Iran and North Korea).
The definition of Covered Persons includes both:
1. Entities that are 50% or more owned by a Country of Concern, are organized or chartered under the laws of a Country of Concern, or have a principal place of business in a Country of Concern, and
2. Individuals who are employees or contractors of such entities, or non-U.S. individuals who are primarily residents of a Country of Concern.

The Covered Data Transactions involve two categories of data: 1) Sensitive Personal Data, and 2) Government-related Data. Sensitive Personal Data has defined “bulk” thresholds as detailed below.

Human ‘omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons.
Biometric identifiers collected about or maintained on more than 1,000 U.S. persons.
Precise geolocation data collected about or maintained on more than 1,000 U.S. persons.
Personal health data collected about or maintained on more than 10,000 U.S. persons.
Personal financial data collected about or maintained on more than 10,000 U.S. persons.
Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons.

The second category of data covered under the DOJ Rule is Government-related Data, which is defined as (i) any precise geolocation data, regardless of volume, relating to a list of over 700 geofenced areas near government facilities, and (ii) sensitive personal data, regardless of volume, that is marketed as linkable to employees, contractors, or officials of the United States government.

Guidance for MSU faculty

The DoJ and NIH rules introduce significant changes.The DoJ has provided FAQ’s to help provide additional information to navigate these updates. MSU faculty, students and staff working with these data should take proactive measures to evaluate their activities and ensure compliance, including the following:

Assess whether you access the types of data covered by these new regulations: Bulk U.S. Sensitive Data or U.S. government related data
Assess whether you provide access to these data to individuals or entities physically located in, or owned by, the defined Countries of Concern (Cuba, China, Hong Kong, Macau, Russia, Venezuela, Iran and North Korea)
Reach out to MSU’s Research Security Program for more information

This guidance is intended to provide an overview of the regulations with additional details provided in the Final Rule. For questions, please reach out to MSU’s Research Security Program at ORI.Security@msu.edu.