The U.S. bulk sensitive data rule, implemented by the Department of Justice, restricts the transfer of sensitive personal data and government-related data to certain countries deemed national security risks.

On January 8th, 2025, the Department of Justice (DOJ) issued a final rule implementing Executive Order 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. The Data Security Program (DSP) was adopted pursuant to Executive Order 14117. The program functions similarly to export controls, prohibiting or restricting certain types of “bulk” data transactions with countries of concern as well as covered persons, meaning certain entities and individuals that reside in or are otherwise associated with a country of concern. The final rule regulates not only data brokerage transactions but also vendor, employment, and investment agreements.

The final rule that implemented Executive Order 14117 is now codified at 28 CFR Part 202 and went into effect on April 8th, 2025.

Why does this matter?

The University of North Carolina Greensboro is committed to protecting data in accordance with applicable laws and regulations. UNCG researchers handling sensitive data, such as that described below, must be aware of these regulations to ensure compliance when handling bulk sensitive personal data or U.S. government-related data. The DSP impacts international collaborations, data sharing agreements, vendor and employment contracts, and research that involves sensitive datasets.

The U.S. Data Security Program Cheat Sheet from IAPP.org is helpful for a quick overview. The DOJ has also published an additional FAQ.

FAQs Pertaining to the Data Security Program

Executive Order 14117 of February 28, 2024 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern) (“the Order”), directs the Attorney General to issue regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (“transaction”), where the transaction: involves United States Government-related data (“government-related data”) or bulk U.S. sensitive personal data, as defined by final rules implementing the Order; falls within a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to the national security of the United States because the transactions may enable access by countries of concern or covered persons to government-related data or bulk U.S. sensitive personal data; and meets other criteria specified by the Order. (source 28 CFR 202) 

The term “bulk” means any amount of sensitive personal data that meets or exceeds the following thresholds at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person: 

  1. Human ’omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons; 
  2. Biometric identifiers collected about or maintained on more than 1,000 U.S. persons; 
  3. Precise geolocation data collected about or maintained on more than 1,000 U.S. devices; 
  4. Personal health data collected about or maintained on more than 10,000 U.S. persons; 
  5. Personal financial data collected about or maintained on more than 10,000 U.S. persons;
  6. Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons; or
  7. Combined data, meaning any collection or set of data that contains more than one of the categories in paragraphs (a) through (f) of this section [items 1 through 6 above], or that contains any listed identifier linked to categories in paragraphs (a) through (e) of this section [items 1 through 5 above], where any individual data type meets the threshold number of persons or devices collected or maintained in the aggregate for the lowest number of U.S. persons or U.S. devices in that category of data.

| Type | Bulk Threshold |
|---|---|
| Human genomic data | More than 100 U.S. persons |
| Human ’omic data | More than 1,000 U.S. persons |
| Biometric identifiers | More than 1,000 U.S. persons |
| Precise geolocation data | More than 1,000 U.S. devices |
| Personal financial data | More than 10,000 U.S. persons |
| Personal health data | More than 10,000 U.S. persons |
| Covered personal identifiers | More than 100,000 U.S. persons |
| Combined data | Aggregate for the lowest number of U.S. persons or U.S. devices in that category of data |

No. The term “bulk U.S. sensitive personal data” means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable threshold. 

The researcher should assess whether the research involves: 

  • Accessing or sharing sensitive data types listed. 
  • Collaborating with foreign entities or researchers from countries of concern. 
  • Utilizing data platforms or services that may be subject to DSP restrictions. 

If the research involves any of these factors, it may be subject to DSP regulations. 

Researchers should:

  • For assistance in understanding specific compliance scenarios, refer to the U.S. Department of Justice’s frequently asked questions.
  • Ensure that any data sharing or collaboration complies with DSP restrictions.
  • Review the DSP Compliance Guide provided by the Department of Justice National Security Division (NSD).