Primer on the DOJ final rule on protecting Americans' sensitive data from foreign adversaries

On 8 Jan., the U.S. Department of Justice published in the Federal Register its final rule on protecting Americans' sensitive data from foreign adversaries. As a follow-up, on 11 April, the DOJ's National Security Division took additional steps to implement the final rule. Specifically, the DOJ issued answers to more than 100 frequently asked questions, published a compliance guide, and issued a limited enforcement policy for the first 90 days of the final rule.

This overview of the final rule outlines its statutory authority, describes covered data transactions, and provides background on key definitions, various exemptions, exclusions and other provisions.

What is the statutory basis for the final rule?

On 28 Feb. 2024, the Biden administration declared a national emergency regarding access by China and other countries of concern to U.S. sensitive personal data and government-related data under the International Emergency Economic Powers Act. Specifically, he administration issued Executive Order 14117 on "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern," and directed the DOJ to adopt a regulation implementing the order. The executive order directed various U.S. government agencies to take actions, including a directive for the DOJ to develop the final rule.

What is a 'covered data transaction' under the final rule?