FAQ: DOJ Bulk Sensitive Data Regulations

(As of October 29, 2025)

The University of Michigan and University of Michigan Health (UMH) are committed to protecting data in accordance with applicable laws. Below is a set of FAQs that explain the rules relating to the sharing of bulk U.S. sensitive personal data or U.S. government-related data with certain countries outside of the United States.


Q: What are the Department of Justice regulations?

A: In December 2024, the U.S. Department of Justice issued a Final Rule to implement Executive Order 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, which was issued on February 28, 2024. The regulations became effective on April 8, 2025.

In general, the regulations impose requirements on U.S. individuals and entities that provide access to bulk U.S. sensitive personal data or U.S. government-related data to “covered persons” that are affiliated with six “countries of concern”: China (including Hong Kong and Macau), Russia, Iran, North Korea, Venezuela, and Cuba.

“Covered persons” include, among others, entities that are organized or chartered under the laws of a country of concern or have a principal place of business in a country of concern, individuals who are employees or contractors of such entities, and non-U.S. individuals who are primarily residents of a country of concern.

More information on the regulations can be found in the U.S. Department of Justice’s Frequently Asked Questions.

Q: What type of data is covered under the regulations?

A: The regulations cover two categories of data:

  1. Bulk U.S. sensitive personal data, and
  2. U.S. government-related data.

Q: What is considered bulk U.S. sensitive personal data?

A: The regulations define six categories of U.S. sensitive personal data that have defined “bulk” thresholds detailed below.

Q: Whose sensitive personal data falls under the scope of the regulations?

A: The regulations apply to sensitive personal data about U.S. persons. The definition of a U.S. person includes:

  • Any U.S. citizen, national or lawful permanent resident;
  • Any individual admitted to the United States as a refugee or granted asylum; or
  • Any person in the United States (i.e., any individual, regardless of citizenship or status, physically located in the United States).

Q: Can a covered person access bulk U.S. sensitive personal data or U.S. government-related data while they are located in the United States?

A: A covered person can access bulk U.S. sensitive personal data or U.S. government-related data while located in the United States. Upon leaving the United States, the covered person can no longer access this data.

There are some exceptions. If an individual has been specifically designated by the U.S. Department of Justice, they are prohibited from accessing bulk U.S. sensitive personal data or U.S. government-related data wherever they are located. In addition, any attempt to avoid the regulations’ prohibitions, such as by having a covered person enter the United States to receive bulk U.S. sensitive personal data, could constitute evasion and a violation of the regulations.

Q: What does “accessing” data mean under the regulations?

A: The regulations define access very broadly. Access includes transferring, storing, editing, reading, receiving, or having the ability to obtain bulk U.S. sensitive personal data or U.S. government-related data.

Q: Do the regulations apply to data that is de-identified, anonymized, or encrypted?

A: Yes. The regulations apply to bulk U.S. sensitive personal data or U.S. government-related data even if it has been de-identified, anonymized, or encrypted.

Q: What U.S. government-related data is covered?

A: The regulations generally define U.S. government-related data as (i) any precise geolocation data relating to a list of over 700 geofenced areas near government facilities, and (ii) sensitive personal data that is marketed as linkable to employees, contractors, or officials of the United States government.

There is no “bulk” threshold for U.S. government-related data.

Q: Who could be impacted by the regulations?

A: U.S. individuals or entities, including partners, vendors, or other associates, who provide access to bulk U.S. sensitive personal data or U.S. government-related data to covered persons may be impacted.

Q: What type of data access may be impacted by the regulations?

A: At a high level, any access to bulk U.S. sensitive personal data or U.S. government-related data by covered persons may be impacted. The regulations apply to two types of data access:

  • Prohibited transactions – The sale or licensing of bulk U.S. sensitive personal data or U.S. government-related data to covered persons, or any provision of access to bulk human ‘omic data to covered persons, is prohibited.
  • Restricted transactions – The provision of access to bulk U.S. sensitive personal data or U.S. government-related data to a vendor, employee, or investor who is a covered person is only permitted if certain security and compliance requirements are met.

Q: What happens if the regulations are violated?

A: Civil and criminal penalties may be imposed by the U.S. Department of Justice. If you suspect that a violation may have occurred, work to remediate it as soon as possible and contact U-M DOJ Bulk Sensitive Data Regulations Compliance (bulkdataregulation@umich.edu) immediately.

Q: Can federal agencies expand the scope of the regulations?

A: Yes. Federal agencies may issue policies and guidance that supplement the regulations or require organizations to apply the regulations’ requirements to additional data types. For example, the National Institutes of Health (NIH) has issued a policy placing restrictions on certain biospecimen data that is otherwise exempt under the regulations. Because the regulations are new, we expect to see the regulatory landscape continue to evolve.

If you encounter an agency requirement that expands or supplements the regulations, please contact U-M DOJ Bulk Sensitive Data Regulations Compliance (bulkdataregulation@umich.edu) for assistance.

Q: What if I have more questions?

A: This FAQ provides only a high-level overview of the regulations. If you have further questions or would like more information, please contact U-M DOJ Bulk Sensitive Data Regulations Compliance (bulkdataregulation@umich.edu).