FAQ: DOJ Bulk Sensitive Data Regulations

The University of Michigan and the University of Michigan Health System (UMHS) are committed to protecting data in accordance with applicable laws. Below is a set of FAQs that explain the new rules relating to the sharing of bulk sensitive personal data or government-related data with certain countries outside of the United States.


Q: What are the new Department of Justice regulations?

A: In December 2024, the U.S. Department of Justice issued a Final Rule to implement Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” which was issued on February 28, 2024. The regulations become effective on April 8, 2025.

In general, the new regulations impose requirements on U.S. individuals and entities that provide access to bulk U.S. sensitive personal data or U.S. government-related data to “covered persons” that are affiliated with six “countries of concern”: China (including Hong Kong and Macau), Russia, Iran, North Korea, Venezuela, and Cuba.

“Covered persons” include, among others, entities that are organized or chartered under the laws of a country of concern or have a principal place of business in a country of concern, individuals who are employees or contractors of such entities, or non-U.S. individuals who are primarily residents of a country of concern.

More information on the new regulations can be found here.

Q: What type of data is covered under the new regulations?
A: The new regulations cover two categories of data:
  1. Bulk U.S. sensitive personal data, and
  2. U.S. government-related data.

Q: What is considered bulk U.S. sensitive personal data?
A: The regulations define six categories of U.S. sensitive personal data that have defined “bulk” thresholds detailed below.

Q: Whose sensitive personal data falls under the scope of the new regulations?
A: The regulations apply to sensitive personal data about U.S. persons. The definition of a U.S. person includes:
  • Any U.S. citizen, national or lawful permanent resident;
  • Any individual admitted to the United States as a refugee or granted asylum; or
  • Any person in the United States (i.e., any individual—regardless of citizenship or status—physically located in the United States).

Q: What U.S. government-related data is covered?
A: The regulations generally define U.S. government-related data as (i) any precise geolocation data relating to a list of over 700 geofenced areas near government facilities, and (ii) sensitive personal data that is marketed as linkable to employees, contractors, or officials of the United States government.

There is no “bulk” threshold for U.S. government-related data.

Q: Who could be impacted by the regulations?
A: U.S. individuals or entities, including partners, vendors, or other associates, who provide access to bulk U.S. sensitive personal data or U.S. government-related data to covered persons may be impacted.

Q: What type of data access may be impacted by the regulations?
A: At a high level, any access to bulk U.S. sensitive personal data or U.S. government-related data by covered persons may be impacted.
  • Selling or licensing bulk U.S. sensitive personal data or U.S. government-related data, or providing access to bulk human ‘omic data, to covered persons may be prohibited.
  • Access to bulk U.S. sensitive personal data or U.S. government-related data may be provided to vendors, employees, or investors who are covered persons only after complying with certain security requirements.

Q: What happens if the regulations are violated?
A: Civil and criminal penalties may be imposed by the U.S. Department of Justice.

Q: What if I have more questions?
A: This FAQ provides only a high-level overview of the regulations. If you have further questions or would like more information, please contact the Office of General Counsel (bulkdataregulation@umich.edu).