Overview
The U.S. Department of Justice (DOJ) has finalized a rule under Executive Order 14117 that prohibits and restricts certain transactions involving Americans’ bulk sensitive personal data and government-related data with countries of concern or covered persons. This final rule, codified at 28 C.F.R. Part 202, aims to prevent national security risks arising from the exploitation of data by foreign adversaries. Full compliance is expected by July 8, 2025, with regulatory enforcement actions beginning after that date.
Key Provisions
Prohibited Transactions
- Data brokerage involving bulk sensitive data or government-related data to a country of concern or covered person.
- Transfers to third parties (even outside countries of concern) without contractual safeguards to prevent onward transfer to restricted entities.
- Access to human genomic data or biospecimens by covered persons or countries of concern.
Potentially Restricted Transactions
- License or collaboration agreements between UCSF and covered persons during which one of the parties conducts clinical trials in the United States and wants to transfer clinical data and/or biospecimens to a country of concern or covered person.
- Vendor agreements (such as those with contract research organizations, contract manufacturing organizations or data-hosting providers) and employment agreements in which US sensitive personal data is shared with a country of concern or covered person.
- Investment agreements with investors who are in a country of concern or are otherwise covered persons.
Potential Exemptions
- Clinical and surveillance exemption. Data transactions incident to and part of clinical investigations regulated by the FDA, or clinical investigations that support applications to the FDA for research and marketing permits (this includes post-marketing surveillance data, including pharmacovigilance and post-marketing studies for already approved therapies), provided that the clinical data is de-identified or pseudonymized in accordance with applicable FDA regulations.
- Regulatory approval exemption. Data transactions that involve “regulatory approval data,” which are necessary to obtain or maintain regulatory approval to research or market a pharmaceutical product or medical device, provided that such data is de-identified or pseudonymized in accordance with applicable FDA regulations and is required to be submitted to a regulatory entity.
- Federally funded research exemption. Data transactions that are expressly authorized under the terms of a U.S. government grant, contract, or other agreement.
Note: The scope of these exemptions remains to be determined as adjudicatory bodies have yet to publicly interpret the rule’s provisions.
Bulk Data Thresholds
This rule applies when cumulative data volumes across a 12-month rolling period meet or exceed the following thresholds (which apply regardless of anonymization, pseudonymization, or encryption):
- Covered Personal Identifiers: ≥ 100,000 U.S. persons
  - Includes data like names linked to social security numbers, email addresses, and device identifiers.
- Precise Geolocation Data: ≥ 1,000 devices
  - Data that tracks the real-time or historical location of a device or individual within a 1,000-meter accuracy.
- Biometric Identifiers: ≥ 1,000 U.S. persons
  - Physical characteristics such as facial images, fingerprints, or voice prints used for identity verification.
- Human Genomic Data/Biospecimens: ≥ 100 U.S. persons
  - Includes DNA sequences or tissues from which they may be derived.
- Other Human 'Omic Data: ≥ 1,000 U.S. persons
  - Includes proteomic, transcriptomic, and epigenomic data.
- Personal Health Data: ≥ 10,000 U.S. persons
  - Information related to an individual's physical or mental health, including medical records, test results, or treatment history.
- Personal Financial Data: ≥ 10,000 U.S. persons
  - Data on credit or bank accounts, financial transactions, and credit reports.
- Combined Data: The lowest applicable threshold among the data types involved
Definitions
Countries of Concern
- The People’s Republic of China (including Hong Kong and Macau)
- The Republic of Cuba
- The Islamic Republic of Iran
- The Democratic People’s Republic of North Korea
- The Russian Federation
- The Bolivarian Republic of Venezuela
Covered Persons
- Entities 50% or more owned by (directly or indirectly) or controlled by a country of concern.
- Entities with a principal place of business in or organized under the laws of a country of concern.
- Entities owned by or affiliated with another covered person.
- Foreign individuals primarily resident in countries of concern or employees or contractors of a country of concern or covered entities.
Implementation Timeline
April 8, 2025: Prohibitions and restrictions took effect. Covered data transactions must cease or comply.
April 8 - July 8, 2025: Enforcement Grace Period
October 6, 2025: Security, audit, and reporting requirements become mandatory for restricted transactions.
Ongoing: DOJ may revise definitions, add covered persons, and issue further guidance or general licenses.
What You Need to Do
UCSF frequently manages large datasets (including genomic, health, location, biometric, and financial data) that may now fall under federal security restrictions if accessed by certain foreign collaborators or contractors. This rule mandates careful review of data access, transfer agreements, and outside engagements. The rule applies even if data is anonymized or encrypted.
- Review Data Transactions: Assess any current or planned cross-border data sharing or access, especially if the data involves sensitive personal data types and might exceed the bulk thresholds.
- Check Collaborators and Vendors: Determine whether your collaborators, contractors, vendors, or funders may qualify as “covered persons” or are based in “countries of concern.”
- Pause Risky Transfers: If you identify high-risk data transactions (e.g., involving genomic data to a research institution located in a country of concern), pause these until further guidance or a license is secured.
- Implement Contractual Safeguards: Include clauses in future agreements that prevent onward transfers of covered data to countries of concern.
- Consult UCSF Export Control & Research Security Unit: They can help you evaluate whether exemptions apply and assist in ensuring your agreements have the necessary contractual safeguards.