On January 8, 2025, the Department of Justice (“DOJ”) published its Final Rule to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”). This follows the DOJ’s publication of its Notice of Proposed Rulemaking (“NPRM”) in October 2024, and its Advance Notice of Proposed Rulemaking (“ANPRM”) earlier in 2024. (Ropes & Gray published alerts on the NPRM and ANPRM.)

The Final Rule continues to assert the DOJ as a critical regulator of data transfers involving countries of concern or covered persons. Organizations transacting with entities or individuals located in or otherwise having relationships with the People’s Republic of China (including Hong Kong and Macau) (the “PRC”), Russia, Iran, North Korea, Cuba, and Venezuela should carefully review the Final Rule for potential impacts on their business models. The Final Rule prohibits certain data brokerage transactions and transactions involving human ‘omic data. The Final Rule also creates a set of restricted transactions involving vendor agreements, employment agreements, or investment agreements in which U.S. persons may engage only if they comply with a set of cybersecurity requirements. In tandem with the publication of the Final Rule, on January 8, 2025, the Cybersecurity and Infrastructure Security Agency (“CISA”) published its final security requirements for restricted transactions.
