This blog post is the latest installment in a series focused on the DOJ’s Bulk Sensitive Data Rule, and is intended to help stakeholders navigate the complex rule’s requirements and move toward full compliance.
Epstein Becker Green’s previous blog post on this topic encouraged U.S. organizations across all industries with cross-border operations – including health care/life sciences, finance, e-commerce, and research – to “know their data.”
In this post, we discuss why it is critical for these organizations to also “know their vendors,” and how the BSD Rule imposes new requirements on U.S.-based companies to monitor and scrutinize vendor engagements beyond those with the six designated countries of concern.
As we previously reported, the National Security Division of the U.S. Department of Justice (“DOJ”) issued a new rule, effective on April 8, 2025, coined the Bulk Sensitive Data Rule (“BSD Rule”) (codified at 28 C.F.R. Part 202), which prohibits and/or restricts U.S. persons and companies from engaging in certain data-driven transactions. The BSD Rule’s restrictions target certain categories of bulk government-related data and U.S. sensitive personal data shared with covered persons or six countries of concern – China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela – but impose broader obligations on U.S. companies to understand and control the flow of data leaving the U.S.
Implementation of the BSD Rule is a culmination of a bipartisan, heightened interest in ensuring the security of U.S. data, particularly in cross-border data sharing arrangements. In an effort to better protect U.S. sensitive personal data, the BSD Rule requires U.S. organizations to self-evaluate and audit their business operations to ensure transparency into where bulk U.S. data is transferred and by whom bulk U.S. data is accessed outside the country. What is more, the BSD Rule allows the DOJ to investigate non-compliance and enforce civil and criminal penalties for violations.
Taking stock of your organization’s external business relationships is the first step to conducting the required internal assessment under the BSD Rule. While the BSD Rule requires immediate and defined steps to thwart the risks of sharing or providing access to U.S. bulk data to a “covered person” as that term is defined in 28 C.F.R. §202.211, the Rule’s broad compliance mandates necessitate a 360-degree review of an organization’s data flow and identification of all parties with temporary or permanent access to those data. Data recipients need not be the intended end users identified in an agreement but may include intermediaries, such as contract research organizations, authorized data brokers, and retailers, along with other parties to a transaction that gain access under an existing business arrangement. And it is not enough to review data flow with regard to the six countries of concern. A company must identify all recipients of bulk data on a transaction-by-transaction basis. Even recipients who are not located in the designated countries of concern, but who receive bulk U.S. sensitive personal data otherwise protected by the BSD Rule, require enhanced scrutiny and safeguards.
Steps to Vet Bulk Data Flowing from the U.S.
Once your organization determines that a non-U.S. entity receives access to bulk U.S. data, as defined under the applicable thresholds, the next step is to determine whether the entity qualifies as a covered person. The following questions should be answered for all entities that receive U.S. bulk data as part of business operations (these may include recipients with an active contract, but a contract is not required if the end user receives bulk data):
- Where the entity is physically located;
- Under which country’s laws the entity is organized;
- Whether the entity has any subsidiaries, related parties, and/or affiliates located in a country of concern that may receive access to U.S. bulk data; and
- Where executives, board members, and/or other individuals who may have access to the relevant U.S. bulk data reside if outside of the U.S.
In particular, the BSD Rule directly impacts the following routine transactions to the extent they involve bulk U.S. sensitive personal data:
- Data brokerage transactions (licensing, sale of data, data exchanged in a commercial transaction);
- Employment agreements and/or board service involving foreign persons or companies;
- Vendor agreements (for goods or services other than employment); and
- Investment agreements (providing direct or indirect ownership in U.S. real estate or legal entities).
Even routine data transactions with entities in foreign countries not among the six countries of concern are subject to the BSD Rule, and those transactions should be evaluated to assess whether the recipients outside the countries of concern receive bulk U.S. sensitive personal data. If so, companies must ensure that the appropriate downstream data protection language is included in all relevant contracts and that appropriate diligence of those transactions is routinely performed.
Enforcement Risk and Next Steps
Even though the BSD Rule took effect in April, the DOJ implemented a 90-day safe harbor period during which time organizations were encouraged to become compliant with the rule before the July 2025 enforcement date. Now, almost seven months since the DOJ began enforcement, and as the BSD Rule’s reporting requirements take effect in 2026, it is vital that organizations assess their business relationships and data to ensure compliance with this complex rule that imposes new requirements on both U.S. organizations and persons – and carries civil and criminal penalties for willful violations, pursuant to Subpart M of the Rule. Additionally, if there is a known or suspected violation, U.S. persons are encouraged to file a report within fourteen days of becoming aware of the violation so as to avoid penalties, a topic that EBG will be reporting on in short order.
For additional questions about the scope and applicability of the BSD Rule and how to evaluate your data, please contact Elizabeth McEvoy and Elena Quattrone.