As Epstein Becker Green previously reported, the National Security Division of the U.S. Department of Justice (“DOJ”) issued a final rule, effective on April 8, 2025, called the Bulk Sensitive Data Rule (“BSD Rule”) (codified at 28 C.F.R. Part 202).

The BSD Rule prohibits and/or restricts U.S. persons and/or companies from engaging in certain transactions involving certain categories of government-related data and sensitive personal data with covered persons or six countries of concern: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.

This final rule implemented the Biden administration’s Executive Order 14117, dated February 28, 2024 – entitled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” In addition to safeguarding sensitive data, the BSD Rule allows for the DOJ to investigate non-compliance with its requirements and enforce civil and criminal penalties when non-compliance is discovered. Implementation of the BSD Rule is a result of a heightened interest in ensuring the security of data, especially in cross-border data sharing arrangements.

Even though the BSD Rule took effect in April, the DOJ implemented a 90-day safe harbor period during which time companies were encouraged to become compliant with the rule before the July 2025 enforcement date. Now, almost six months since the DOJ began enforcement, and as the BSD Rule’s reporting requirements take effect in 2026, it is vital that companies assess their business relationships and data to ensure compliance with this complex rule that imposes new requirements on both U.S. organizations and persons.

For instance, impacted relationships and transactions that companies should be aware of may include:

  • Data brokerage transactions (licensing, sale of data, data exchanged in a commercial transaction);
  • Employment agreements and/or board service involving foreign persons or companies;
  • Vendor agreements (for goods or services other than employment); and
  • Investment agreements (providing direct or indirect ownership in U.S. real estate or legal entities).

Even business relationships and transactions with foreign countries not among the six countries of concern should be evaluated to assess whether the non-country of concern recipients still receive bulk U.S. sensitive personal data. If so, companies must ensure that the appropriate downstream data protection language is included in all relevant contracts and appropriate diligence of those transactions is routinely performed.

Accordingly, U.S. organizations across all industries – including health care/life sciences, finance, technology, and research – must “know their data.” This includes an assessment of the following:

  • their business relationships and employment agreements to know and understand the entities or persons with which they transact (including where they are located and/or physically store data);
  • the volume and type of personal data collected to determine whether the data is considered “sensitive personal data” within the rule’s prescribed thresholds or could be deemed government-related data also subject to the BSD Rule;
  • how the organization uses the data in business transactions and/or data sharing arrangements; and
  • whether an exemption applies.

If an organization handles human genomic data, human biometric data, precise geolocation data, personal health data, and/or personal financial data, then further analysis should be done to determine compliance with the BSD Rule.

The instruction to “know your data” is one that even the DOJ has directed U.S. companies and persons to be aware of in light of this new rule, especially if the company regularly conducts business with, or is affiliated with, a country of concern. At a minimum, due diligence into the nature and extent of those relationships is essential to determine if any reporting is required pursuant to the rule in 2026.

For additional information about the issues discussed in this Insight, please contact the attorney(s) listed on this page.
