DOJ Regulations: Access to U.S. Sensitive Personal Data and Government Related Data by Countries of Concern or Covered Persons

The U.S. Department of Justice (DOJ) rule on “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” restricts data brokerage transactions involving access to bulk U.S. sensitive personal data and transactions involving access to bulk human genomic data or biospecimens from which such data can be derived.

The rule went into effect on April 8, 2025.

The rule includes extensive definitions for the types of data and transactions that it covers. It also includes exclusions, exemptions, prohibitions and restrictions.

What Lehigh Researchers Need to Know

Prior to engaging in transactions that may include bulk data, consider the following three questions. If all three are “yes”, then the rule may apply to your transaction. You must contact the Office of Research Integrity prior to proceeding with the transaction.

Are you dealing with any of the following personal data types and volumes on U.S. persons (U.S. citizens, nationals, lawful permanent residents, admitted refugees or asylees, or other individuals in the U.S.)?

100+ people	1,000+ people	1,000 devices	10,000+ people	100,000+ people
Genomic data	Biometric identifiers, or epigenomic, proteomic, or transcriptomic data	Precise geolocation	Health data or financial data	Two or more of the following: Gov’t identification or account numbers (full or truncated) Financial account numbers or PINs Device-based or hardware-based identifiers (IMEI, MAC, SIM) Demographic or contact data (name, address, email, phone number, etc.) Advertising identifiers (MAID, Google ad ID, etc.) Account-authentication data (username, password, etc.) Network-based identifier (IP address, cookies) Call-detail data (CPNI)

100+ people

1,000+ people

1,000 devices

10,000+ people

100,000+ people

Genomic data

Biometric identifiers, or epigenomic, proteomic, or transcriptomic data

Precise geolocation

Health data or financial data

Two or more of the following:

Gov’t identification or account numbers (full or truncated)
Financial account numbers or PINs
Device-based or hardware-based identifiers (IMEI, MAC, SIM)
Demographic or contact data (name, address, email, phone number, etc.)
Advertising identifiers (MAID, Google ad ID, etc.)
Account-authentication data (username, password, etc.)
Network-based identifier (IP address, cookies)
Call-detail data (CPNI)

Is the data disclosed or accessible to either:
1. A vendor, employee, contractor, or investor in China, Cuba, Iran, North Korea, Russia, or Venezuela?
2. A person or entity other than a vendor, employee, contractor, or investor that is either:
  1. Any entity incorporated outside of the U.S. or
  2. A non-U.S. citizen, lawful permanent resident, or admitted refugee/asylee, located outside of the U.S.
Is the data disclosed or accessible to an individual or entity that:
1. Buys it, licenses access to it, or gets it from a similar commercial transaction; and
2. Did not collect it directly from the people it related to.

References

28 CFR Part 202