Published: December 19, 2025.
The National Security Division of the Department of Justice (DOJ) has issued a Final Rule (codified at 28 CFR Part 202), effective April 8, 2025, implementing Executive Order 14117 “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” as a Data Security Program (DSP).
Applies to: All Cornell data custodians, including research faculty and staff who handle government-related data and U.S. sensitive personal data as those terms are defined in the Bulk Data Rule.
Bulk Data Rule Regulations
The DOJ’s Bulk Data Rule imposes requirements on U.S. persons and entities that provide access to bulk U.S. sensitive personal data and government-related data, including the need to prohibit or restrict transfers of such data to Countries of Concern or Covered Persons, as defined in the Rule.
- Currently, the “Countries of Concern” are China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
- The definition of “Covered Person” includes:
  - Foreign person primarily resident in a Country of Concern;
  - Foreign person (entity) headquartered or organized under the laws of a Country of Concern or that is 50% or more owned by a Country of Concern or other covered persons;
  - Foreign individuals who are employees or contractors of a covered person entity or Country of Concern government; or
  - Anyone designated by the U.S. Attorney General as a covered person, whether U.S. or foreign, if they meet the specific criteria, such as being subject to the ownership or control of a Country of Concern.
- The term “foreign person” means any person that is not a U.S. Person.
- For purposes of the Rule, a “United States Person” or “U.S. Person” is any:
  - Person in the United States (regardless of citizenship or status, physically located in the U.S.);
  - U.S. citizen, national, lawful permanent resident, asylee, or refugee; or
  - Entity organized solely under the laws of the U.S. or any jurisdiction within the U.S. (including foreign branches).
Covered Data
The regulations apply to Covered Data Transactions that involve transfer or access to:
- Bulk U.S. Sensitive Personal Data when the volume exceeds the specified “bulk threshold” listed in the Chart below at any point over a rolling 12-month period for covered data transactions (single or in the aggregate) involving the same parties.
If the applicable threshold is met, the Bulk Data Rule’s prohibitions and restrictions on data transactions apply regardless of whether the data is de-identified, anonymized, pseudonymized, or encrypted. For a data set that contains more than one covered data category, the data set is subject to the lowest threshold for any covered data category contained within it.
| Data Category | Bulk Threshold |
|---|---|
| Covered Personal Identifiers | 100,000 U.S. Persons |
| Personal Financial Data | 10,000 U.S. Persons |
| Personal Health Data | 10,000 U.S. Persons |
| Precise Geolocation Data | 1,000 U.S. Persons |
| Biometric Identifiers | 1,000 U.S. Persons |
| Human ‘omic Data (not Genomic) | 1,000 U.S. Persons |
| Human Genomic Data | 100 U.S. Persons |
| Combined data | Lowest applicable number |
- U.S. Government-Related Data: This includes precise geolocation data for any location on the Government-Related Location Data List or any sensitive personal data that a transacting party markets as linked or linkable to U.S. government personnel (current or former U.S. Government. There is no “bulk” threshold for U.S. Government-related data.
Covered Data Transactions
A covered data transaction is any transaction that involves access by a Country of Concern or Covered Person to any bulk U.S. sensitive personal data or government-related data and that involves:
- data brokerage
- a vendor agreement
- an employment agreement or
- an investment agreement.
Payment or other valuable consideration is an element of covered data transactions, thus research funding, gifts, revenue contracts, and payment for goods or services all qualify as consideration. The Bulk Data Rule includes Exempt transactions which allow data transactions that would otherwise be prohibited or restricted. Some exemptions, however, may trigger reporting requirements. If you have questions about the applicability of any exemption, please contact exportcontrols@cornell.edu for additional guidance.
Prohibited Transactions
Data brokerages with Countries of Concern or Covered Persons are prohibited.
The Bulk Data Rule prohibits covered data transactions with Countries of Concern or Covered Persons that involve access to human ‘omic data (collected or maintained on more than 1,000 U.S. Persons) or access to human biospecimens from which bulk human ‘omic data could be derived.
The Bulk Data Rule also prohibits data sharing with a foreign person who is not a Covered Person that involves the sale or licensing of bulk U.S. sensitive personal data unless the agreement contains certain contractual prohibitions on sharing such data with a Country of Concern or Covered Persons (“onward transfers”).
Any known or suspected violations must be reported to the DOJ within 14 days.
Activities that are not restricted by the Bulk Data Rule
Generally, the Bulk Data Rule does not apply to:
- Purely domestic data sharing between U.S. Persons or entities within the U.S. except to the extent that a U.S. Person has not been specially designated as a Covered Person;
- Data sharing that is without any kind of financial benefit or consideration;
- Data about non-U.S. Persons; or
- Data sharing that is directed or authorized pursuant to the terms of a federal grant. Non-federally funded research data is not exempt.
The Rule does not apply when a U.S. person is given access to U.S. sensitive personal data or U.S. government-related data by a Covered Person.
Restricted Transactions
The other covered data transactions – vendor agreements, employment agreements, and investment agreements – are restricted transactions subject to certain reporting, recordkeeping, data security and auditing requirements. (Subpart J, §§ 202.1103, 202.1104)
Before proceeding with any restricted transaction, the transacting party must implement a Data Security Program that includes: (1) a data compliance program with policies and procedures for conducting risk-based reviews and annual certification; (2) Cybersecurity and Infrastructure Security Agency (CISA) Security Requirements with access controls, risk assessments, and data-level controls; and continuing audit, reporting, and recordkeeping requirements.
Additional Resources
More information can be found in the DOJ’s Data Security Program FAQ and on the DOJ’s National Security Division website. For specific questions, please reach out to exportcontrols@cornell.edu.
Does the Bulk Data Rule impact your research or international transactions?
If you are dealing with U.S. government-related data or bulk U.S. sensitive personal data meeting the volume thresholds and plan to disclose or make the data accessible to an external entity, immediately notify exportcontrols@cornell.edu to determine if the transaction will be permissible.
Important Notice: Civil and criminal penalties may be imposed by the DOJ for violations of the Bulk Data Rule. If you suspect that a violation may have occurred, work to remediate it as soon as possible and immediately contact exportcontrols@cornell.edu.