U.S. Department of Justice Data Security Program
Introduction
The University of Illinois Chicago is committed to protecting data in accordance with state and federal law. The National Security Division of the U.S. Department of Justice (DOJ) has issued a Final Rule to implement Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” effective April 8th, 2025.
Guidance
Q: What are the new regulations under Executive Order 14117?
The Data Security Program restricts access to or the exchange of any government-related data or bulk United States sensitive personal data with specified Countries of Concern (China, including Hong Kong and Macau; Cuba; Iran; North Korea; Russia; and Venezuela) and with certain people and entities subject to coercion by the countries of concern, referred to as “Covered Persons.” Below is a set of frequently asked questions that explain the Data Security Program.
“Covered persons” include, among others, entities that are organized or chartered under the laws of a country of concern or have a principal place of business in a country of concern, individuals who are employees or contractors of such entities, or non-U.S. individuals who are primarily resident in a country of concern. The four categories of covered persons, which exclude U.S. persons, are:
- Foreign entities headquartered in or organized under the laws of a country of concern
- Foreign entities 50% or more owned by a country of concern or covered person
- Foreign individuals primarily resident in a country of concern
- Foreign individuals who are employees or contractors of a covered person entity or a country of concern
More information can be found in the U.S. DOJ’s Data Security Program FAQ.
Q: What is bulk U.S. sensitive data?
| U.S. Sensitive Personal Data | Threshold of data collected or maintained on |
|---|---|
| Human genomic data | 100 U.S. persons |
| Human epigenomic data | 1,000 U.S. persons |
| Human proteomic data | 1,000 U.S. persons |
| Human transcriptomic data | 1,000 U.S. persons |
| Biometric identifiers | 1,000 U.S. persons |
| Precise geolocation data | 1,000 U.S. persons |
| Personal health data | 10,000 U.S. persons |
| Personal financial data | 10,000 U.S. persons |
| Covered personal identifiers | 100,000 U.S. persons |
| Combined data | Lowest applicable number |
Q: What U.S. government related data are covered under the Data Security Program?
The regulations generally define U.S. government-related data as:
- Any precise geolocation data, of any volume, for any location within any area on the Government-Related Location Data List and
- Sensitive personal data that is marketed as linkable to employees, contractors, or officials of the United States government.
There is no “bulk” threshold for U.S. government-related data.
Q: Can a covered person access bulk sensitive U.S. data while they are in the United States?
A covered person can access bulk sensitive U.S. data while located in the United States. Upon leaving the United States, the covered person can no longer access this data.
However, there are some exceptions. If an individual has been specifically designated by the U.S. Department of Justice, they are prohibited from accessing bulk sensitive U.S. data or U.S. government-related data wherever they are located. In addition, any attempt to avoid the regulations’ prohibitions, such as by having a covered person enter the United States to receive bulk U.S. sensitive personal data, could constitute evasion and a violation of the regulations.
Q: Are deidentified, anonymized, or aggregated data exempt from the regulations?
No. The restrictions apply to bulk U.S. sensitive data in any format. As per the DOJ, “advances in technology, combined with access by countries of concern to large datasets, increasingly enable countries of concern that access this data to re-identify or de-anonymize data, allowing them to reveal exploitable sensitive personal information on U.S. persons.”
Q: What is a covered data transaction?
A covered data transaction is any transaction that involves access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves:
- Data brokerage
- A vendor agreement
- An employment agreement
- An investment agreement
Data brokerages with countries of concern or covered persons are prohibited. The other covered data transactions—vendor agreements, employment agreements, and investment agreements—are restricted transactions subject to certain reporting, data security, and auditing requirements.
Q: Are there exemptions?
The Data Security Program states that federally funded research is exempt from the limitations when data transactions are conducted pursuant to a grant, contract, or other agreement with Federal departments and agencies. Non-federally funded research data are not exempt.
There is not an educational exemption for accessing data in any of the Countries of Concern; therefore, under the Data Security Program researchers and students residing in these countries would not be able to access data.
Q: What are the penalties for violations?
The Department of Justice may seek civil penalties of up to $368,136 or twice the amount of the transaction involved, whichever amount is greater. Willful violations can lead to criminal fines up to $1,000,000 and up to 20 years imprisonment.
Q: What if I have more questions?
This FAQ provides only a high-level overview of the regulations. If you have further questions or would like additional information, please contact EODataCompliance@uic.edu.
Guidance is subject to change.