This week, we continue the conversation around the Sensitive Data Rule that we discussed last week and the week before, but will dig a little deeper into some of its intricacies. Specifically, we will discuss the types of prohibited transactions.
The first, and most important, thing to note is which types of data transactions are in scope. The Sensitive Data Rule defines a Covered Data Transaction as any transaction that involves any access by a country of concern or covered person to any government-related data (see below) or bulk U.S. sensitive personal data, and that involves (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement.
There are two types of government related data defined:
- Any precise geolocation data, regardless of volume, for any location within any area enumerated on the Government-Related Location Data List in § 202.1401.
- Any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States government, including the military and intelligence community.
Bulk U.S. sensitive personal data is defined as a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable bulk threshold set forth in § 202.205.
In the Sensitive Data Rule, the following groups are defined when describing types of prohibited transactions:
- Countries of Concern: China (including Hong Kong and Macau), North Korea, Cuba, Russia, Iran, and Venezuela.
- Covered Persons: An individual or entity that, whether or not publicly designated by the Department of Justice, falls into one of the classes of covered persons described in the Data Security Program (DSP); or is any individual or entity that the Department has designated and publicly determined to be a covered person. There are five categories of covered persons:
  - Foreign entities headquartered in or organized under the laws of a country of concern, or 50% or more owned, individually or in the aggregate, by one or more countries of concern or other covered persons.
  - Foreign entities 50% or more owned, individually or in the aggregate, by a country of concern or another covered person.
  - Foreign individuals who are employees or contractors of a country of concern or covered person.
  - Foreign individuals who are primarily resident in a country of concern.
  - Those persons the National Security Division designates and publicly identifies. This list will be published on the NSD website.
It is important to understand what the distinctions between these groups are, and how they affect the ability to share data with each group. There are two types of prohibited transactions:
- Prohibited transactions with countries of concern or covered persons: Unless exempt or otherwise authorized by a general or specific license, U.S. persons may not knowingly engage in a covered data transaction involving data brokerage with a country of concern or covered person.
- Prohibited transactions with foreign persons: Unless exempt or otherwise authorized by a general or specific license, U.S. persons may not knowingly engage in a data transaction involving data brokerage with a foreign person unless the U.S. person (1) contractually requires that the foreign person refrain from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person, and (2) reports any known or suspected violations of this contractual requirement in accordance with § 202.302(b).
To further understand what is considered a prohibited transaction, here are some examples:
Example 1: DNA Sequencing for Foreign Lab
A U.S. biotech company outsources genetic testing services to a lab in China that is partially state-owned.
- Why is this prohibited? It involves transferring genomic data, which is sensitive personal data, to a covered person in a country of concern.
Example 2: Data Broker Selling Location Data
A U.S.-based data broker sells precise location data of U.S. mobile users to a company affiliated with the Russian government.
- Why is this prohibited? Location data is considered sensitive personal data, and the buyer is a covered person from a country of concern.
Example 3: Cloud Storage Access
A cloud services provider in the U.S. stores health records of U.S. patients but allows technical support access from engineers located in Iran.
- Why is this prohibited? The engineers (likely covered persons) gain access to health data, making this an unauthorized transfer to a country of concern.
Example 4: Employment of Offshore Developers
A U.S. health tech company uses developers based in North Korea to maintain systems that process health insurance and biometric data.
- Why is this prohibited? The developers are covered persons, and they have access to identifiable health and biometric data, violating the rule.
Example 5: AI Training with U.S. Voice Data
A U.S. company sends voice recordings of American users (used in training a voice assistant) to a state-linked Venezuelan AI startup for model development.
- Why is this prohibited? The recordings may be identifiable and contain voiceprints, which are covered under biometric data.
This law requires a thorough understanding of who has access to your data, where your data goes, and who ultimately benefits from it. As organizations continue to evaluate their data flows and third-party relationships, it is critical to identify and mitigate risks associated with prohibited transactions. By breaking down prohibited transactions and providing examples of real-world scenarios, we can begin to translate this regulatory complexity into practical action.
Important Dates:
Requirements related to due diligence, auditing and reporting don't become effective until October 6, 2025.
Penalties for Violations:
In case you didn't already grasp how seriously this law will be taken, take a look at the potential penalties. Civil penalties for violations include fines of up to $368,000 (USD) or twice the amount of the transaction that is the basis of the violation, whichever is greater. Additionally, criminal penalties may apply in cases of willful noncompliance, including attempts, conspiracy, or aiding and abetting. Criminal convictions can result in up to 20 years of imprisonment and a fine of up to $1,000,000 (USD).
More Definitions:
Data brokerage: The sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.