DOJ rule limiting sensitive data transfers to adversarial countries: Health care, life sciences impact

On 8 Jan., the U.S. Department of Justice published a landmark rule that changed the landscape around cross-border transfers of personal information.

The DOJ's final rule limiting certain cross-border transfers of sensitive personal data prohibits or restricts U.S. persons from engaging in "covered data transactions," defined as transactions that involve any access by a "country of concern" or "covered person" to any government-related data or bulk sensitive personal data related to U.S. persons. It covers not only data brokerages but also vendor, employment and investment agreements that may involve access to covered data.

Most of the rule's provisions are expected to take effect 8 April.

The rule fully prohibits some transactions and places limits on others. Fully prohibited are covered transactions involving data brokerages and bulk "human 'omic data," which includes genomic, epigenomic, proteomic and transcriptomic data, as well as biospecimens from which such data can be derived.

Restricted transactions are those involving vendor agreements, employment agreements or investment agreements. The restricted transactions are allowed but only if the U.S. entity engaging in the transaction complies with certain cybersecurity, recordkeeping and audit requirements.

Key aspects for health care and life sciences companies

The rule designates six countries — the People's Republic of China, including Hong Kong and Macau, Cuba, Iran, North Korea, Russia and Venezuela — as "countries of concern."