The U.S. Department of Justice has issued regulations, effective April 8, 2025, that restrict foreign access to so-called “Bulk Sensitive Personal Data” and “U.S. government-related data” through investments (or other agreements, including employment and vendor contracts).
The regulations define Bulk Sensitive Personal Data (so-called “Covered Data”) based on specific thresholds ranging from 100 persons to 100,000 persons. Covered Data includes (1) precise geolocation data, (2) biometric identifiers, (3) human ’omic data, (4) personal health data, (5) personal financial data and (6) personal identifiers.
Unless a foreign investment in a U.S. company is an “Exempt Transaction,” companies that meet the thresholds of Bulk Sensitive Personal Data and seek certain foreign investments must comply with the robust security requirements of the Cybersecurity and Infrastructure Security Agency (“CISA”). These include organizational, system, and data-level safeguards to protect Covered Data. Foreign investments triggering the regulations are those from China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela (the current “Countries of Concern”) and investments by “Covered Persons,” a complicated definition which includes individuals and entities who are residents of or controlled by Countries of Concern.
U.S. companies of all sizes that maintain relatively large databases of sensitive personal data and have potential foreign investors (and/or foreign contractors or employees) should determine if the new DOJ regulations apply to them. Due diligence requirements for investment transactions with foreign investors should include a review of the possible applicability of these new regulations, and appropriate provisions should be added to transaction documentation.
If you have questions on these regulations and how they may impact you, please contact Russel Hansen, or any member of Prince Lobel’s Business Transactions group.