What is DOJ Bulk Data Rule?
The DOJ Bulk Data Rule is a US regulation, effective April 2025, that restricts the bulk transfer of sensitive personal data of Americans to countries of concern — including China, Russia, Iran, North Korea, Cuba, and Venezuela — by US companies and individuals.
Also known as: Bulk Sensitive Data Rule, Executive Order 14117, countries of concern data rule
The DOJ Bulk Data Rule is a United States federal regulation (28 CFR Part 202) that restricts bulk transfers of sensitive personal data of Americans to "countries of concern", countries that the US government has identified as posing national security risks. The rule took effect April 8, 2025, with the affirmative due diligence, audit and reporting obligations for restricted transactions following on October 6, 2025. It is a new data export control regime with significant compliance implications for US companies.
Background: Executive Order 14117
The rule was issued under Executive Order 14117, signed by President Biden in February 2024. The order directed the Department of Justice to establish regulations preventing "countries of concern" from accessing large volumes of sensitive US personal data — either through direct data broker purchases, cloud hosting arrangements, corporate data flows, or other commercial transactions.
The concern driving the regulation: foreign adversaries could acquire bulk sensitive data about Americans through commercial channels — data brokers, app developers, genomics companies — and use it for intelligence analysis, influence operations, or targeting of individuals.
Countries of Concern
The rule designates six countries of concern:
- China (including Hong Kong and Macau)
- Russia
- Iran
- North Korea
- Cuba
- Venezuela
The regulation covers not just direct transfers to these countries, but also transfers to "covered persons": foreign entities organized under the laws of, or principally operating in, a country of concern; foreign entities 50% or more owned by a country of concern or by another covered person; foreign individuals who are employees or contractors of such entities or governments; and foreign individuals primarily resident in a country of concern. Nationality alone is not the test, and DOJ can also designate specific persons as covered by name.
What Data Is Restricted
The rule restricts "bulk" transfers of these categories of sensitive data:
- Human genomic data: 100+ US persons (other human 'omic data, such as proteomic or epigenomic data: 1,000+)
- Biometric identifiers: 1,000+ US persons (fingerprints, voiceprints, facial geometry)
- Personal health data: 10,000+ US persons
- Precise geolocation data: 1,000+ US devices (location within 1,000 meters)
- Personal financial data: 10,000+ US persons
- Covered personal identifiers: 100,000+ US persons (specified combinations of identifiers such as government ID numbers, device and advertising IDs, and account credentials)
"Bulk" thresholds vary by data category and are measured over any 12-month period, across a single transaction or a series of related transactions, so a vendor receiving small batches each month can cross a threshold without any one transfer looking bulk. The genomic threshold is notably low, 100 individuals, reflecting the specific national security concern about genetic data. Government-related data (precise geolocation for sites on the government-related location data list, and sensitive personal data marketed as linked to current or recent federal government employees, contractors or military personnel) is covered at any volume, with no threshold.
Prohibited vs. Restricted Transactions
The rule distinguishes two levels:
Prohibited transactions: banned outright, regardless of safeguards. These are data brokerage transactions (selling, licensing or otherwise providing covered data to a country of concern or covered person that has no direct relationship with the individuals the data describes) and any transaction giving a country of concern or covered person access to bulk human 'omic data or human biospecimens. A US person brokering covered data to any foreign person, covered or not, must also contractually bar the recipient from passing the data on to a country of concern and must report known violations of that term.
Restricted transactions: vendor, employment and investment agreements that are permitted only if the US person complies with the security requirements published by CISA (organizational and system-level controls such as asset inventories, vulnerability remediation and access controls, plus data-level controls such as encryption, data minimization, masking and privacy-enhancing techniques) and maintains a Data Compliance Program (DCP) with written policies, verification of data flows and counterparties, recordkeeping and annual independent audits.
Exemptions
Several categories of transactions are exempt:
- Personal communications — emails, calls, texts between individuals
- Information that is broadly available to the public
- Financial services, including payment processing and transactions ordinarily incident to providing them (e.g., processing a payment from a Chinese customer)
- Intra-corporate transfers between a US person and its foreign subsidiary or affiliate for administrative or ancillary business operations such as payroll, human resources, IT and customer support
- US government activities
- Clinical investigations regulated by the FDA, and transactions needed to obtain or maintain FDA authorization for drugs, biological products and medical devices
- Immigration and visa processes
Who Must Comply
Any US person (individual, company, or organization) that engages in transactions involving covered data. This includes:
- Data brokers selling health, financial, or location data
- Technology companies with operations or data flows involving covered countries
- Healthcare organizations with cross-border data arrangements
- Financial services firms
- Genomics and consumer DNA testing companies
- App developers collecting location or biometric data who share it with vendors, contractors or employees in covered countries
A US subsidiary of a foreign company is itself a US person and is covered directly, and a foreign parent or affiliate may itself be a covered person that its US counterparties must screen for.
Enforcement
DOJ's National Security Division enforces the rule. Because Executive Order 14117 was issued under the International Emergency Economic Powers Act (IEEPA), the penalties mirror those of economic sanctions programs: civil penalties of up to the greater of $368,136 per violation (adjusted for inflation) or twice the amount of the transaction, and, for willful violations, criminal penalties of up to 20 years imprisonment and fines up to $1 million.
Context: A New Kind of Data Export Control
The DOJ Bulk Data Rule represents a meaningful shift in US data governance philosophy. Unlike GDPR, which is primarily a privacy law protecting individuals, the Bulk Data Rule is a national security measure. Its target is not commercial data misuse — it is the acquisition of Americans' data by foreign intelligence services.
This creates a new axis of compliance for US companies: in addition to GDPR obligations for data flowing to Europe, they now face export-control-style restrictions on data flowing to specific adversary nations. The two regimes operate independently and can create tension: GDPR requires transfers to be protected by legal mechanisms like SCCs, while the Bulk Data Rule may prohibit certain transfers entirely regardless of what contracts exist.
Related Terms
Data Localization Laws
Government regulations requiring that personal data collected within a country must be stored and processed on servers physically located within that country's borders — driven by concerns about foreign surveillance, sovereignty, and government access to citizens' data.
Data Sovereignty
The principle that data is subject to the laws and regulations of the country where it is stored or processed.
Financial Privacy
The ability to conduct financial transactions — earning, saving, spending, and investing — without your activity being monitored, recorded, analyzed, or used against you by governments, corporations, or third parties.
Standard Contractual Clauses
Standard Contractual Clauses (SCCs) are pre-approved contract terms issued by the European Commission that allow organizations to legally transfer personal data from the EU to countries that lack an adequacy decision, by binding the recipient to EU-level data protection obligations.
Surveillance
The monitoring of behavior, activities, or information for the purpose of influence, management, or control. Surveillance can be government (law enforcement, intelligence), corporate (advertising, data brokers), or interpersonal (stalking, domestic abuse).