• The People’s Republic of China (including Hong Kong and Macau)
• The Republic of Cuba
• The Islamic Republic of Iran
• The Democratic People’s Republic of North Korea
• The Russian Federation
• The Bolivarian Republic of Venezuela

• Entities 50% or more owned or controlled (directly or indirectly) by a country of concern
• Entities organized under the laws or primarily located in a country of concern
• Entities owned by or affiliated with another covered person
• Foreign individuals primarily resident in countries of concern
• Employees, contractors, or agents of countries of concern or covered entities

This rule applies when cumulative data volumes across a 12-month rolling period meet or exceed the following thresholds (regardless of anonymization, pseudonymization, or encryption):

• Covered Personal Identifiers: ≥ 100,000 U.S. persons
• Precise Geolocation Data: ≥ 1,000 devices
• Biometric Identifiers: ≥ 1,000 U.S. persons
• Human Genomic Data/Biospecimens: ≥ 100 U.S. persons
• Other Human ‘Omic Data: ≥ 1,000 U.S. persons
• Personal Health Data: ≥ 10,000 U.S. persons
• Personal Financial Data: ≥ 10,000 U.S. persons
• Combined Data: Lowest applicable threshold triggers review

Review Data Transactions: Assess any current or planned cross-border data sharing or access—especially where sensitive personal data may exceed bulk thresholds.

Check Collaborators and Vendors: Determine whether collaborators, contractors, vendors, or funders may be “covered persons” or based in “countries of concern.”

Pause Risky Transfers: Pause high-risk data transfers until institutional review is completed.

Implement Contractual Safeguards: Include clauses preventing onward transfer of covered data to restricted entities.

Consult Export Control & Research Security: Required before initiating any covered data transaction.

Prohibited Transactions

• Data brokerage involving bulk sensitive data to countries of concern
• Unrestricted transfers without safeguards
• Access to genomic or biospecimen data by covered persons

Restricted Transactions

• Clinical and research collaborations involving sensitive data transfers
• Vendor agreements involving data hosting or processing
• Investment or funding involving covered persons

Potential Exemptions

• FDA-regulated clinical investigations
• Regulatory approval data submissions
• Federally funded research explicitly authorized by U.S. government agreements

Note: Exemption scope remains subject to federal interpretation.