Regulations last checked for updates: Apr 27, 2025

Title 28 - Judicial Administration last revised: Apr 18, 2025
Table of Contents

§ 202.201 - Access.

§ 202.202 - Attorney General.

§ 202.203 - Assistant Attorney General.

§ 202.204 - Biometric identifiers.

§ 202.205 - Bulk.

§ 202.206 - Bulk U.S. sensitive personal data.

§ 202.207 - CFIUS action.

§ 202.208 - China.

§ 202.209 - Country of concern.

§ 202.210 - Covered data transaction.

§ 202.211 - Covered person.

§ 202.212 - Covered personal identifiers.

§ 202.213 - Cuba.

§ 202.214 - Data brokerage.

§ 202.215 - Directing.

§ 202.216 - Effective date.

§ 202.217 - Employment agreement.

§ 202.218 - Entity.

§ 202.219 - Exempt transaction.

§ 202.220 - Former senior official.

§ 202.221 - Foreign person.

§ 202.222 - Government-related data.

§ 202.223 - Human biospecimens.

§ 202.224 - Human 'omic data.

§ 202.225 - IEEPA.

§ 202.226 - Information or informational materials.

§ 202.227 - Interest.

§ 202.228 - Investment agreement.

§ 202.229 - Iran.

§ 202.230 - Knowingly.

§ 202.231 - Licenses; general and specific.

§ 202.232 - Linked.

§ 202.233 - Linkable.

§ 202.234 - Listed identifier.

§ 202.235 - National Security Division.

§ 202.236 - North Korea.

§ 202.237 - Order.

§ 202.238 - Person.

§ 202.239 - Personal communications.

§ 202.240 - Personal financial data.

§ 202.241 - Personal health data.

§ 202.242 - Precise geolocation data.

§ 202.243 - Prohibited transaction.

§ 202.244 - Property; property interest.

§ 202.245 - Recent former employees or contractors.

§ 202.246 - Restricted transaction.

§ 202.247 - Russia.

§ 202.248 - Security requirements.

§ 202.249 - Sensitive personal data.

§ 202.250 - Special Administrative Region of Hong Kong.

§ 202.251 - Special Administrative Region of Macau.

§ 202.252 - Telecommunications service.

§ 202.253 - Transaction.

§ 202.254 - Transfer.

§ 202.255 - United States.

§ 202.256 - United States person or U.S. person.

§ 202.257 - U.S. device.

§ 202.258 - Vendor agreement.

§ 202.259 - Venezuela.

§ 202.201 - Access.

The term access means logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form, including through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment, or software. For purposes of determining whether a transaction is a covered data transaction, access is determined without regard for the application or effect of any security requirements.

§ 202.202 - Attorney General.

The term Attorney General means the Attorney General of the United States or the Attorney General's designee.

§ 202.203 - Assistant Attorney General.

The term Assistant Attorney General means the Assistant Attorney General, National Security Division, United States Department of Justice, or the Assistant Attorney General's designee.

§ 202.204 - Biometric identifiers.

The term biometric identifiers means measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.

§ 202.205 - Bulk.

The term bulk means any amount of sensitive personal data that meets or exceeds the following thresholds at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person:

(a) Human 'omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons;

(b) Biometric identifiers collected about or maintained on more than 1,000 U.S. persons;

(c) Precise geolocation data collected about or maintained on more than 1,000 U.S. devices;

(d) Personal health data collected about or maintained on more than 10,000 U.S. persons;

(e) Personal financial data collected about or maintained on more than 10,000 U.S. persons;

(f) Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons; or

(g) Combined data, meaning any collection or set of data that contains more than one of the categories in paragraphs (a) through (f) of this section, or that contains any listed identifier linked to categories in paragraphs (a) through (e) of this section, where any individual data type meets the threshold number of persons or devices collected or maintained in the aggregate for the lowest number of U.S. persons or U.S. devices in that category of data.

§ 202.206 - Bulk U.S. sensitive personal data.

The term bulk U.S. sensitive personal data means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable threshold set forth in § 202.205.

§ 202.207 - CFIUS action.

The term CFIUS action means any agreement or condition the Committee on Foreign Investment in the United States has entered into or imposed pursuant to 50 U.S.C. 4565(l)(1), (3), or (5) to resolve a national security risk involving access by a country of concern or covered person to sensitive personal data that the Committee on Foreign Investment in the United States has explicitly designated, in the agreement or document containing the condition, as a CFIUS action, including:

(a) Suspension of a proposed or pending transaction, as authorized under 50 U.S.C. 4565(l)(1);

(b) Entry into or imposition of any agreement or condition with any party to a covered transaction, as authorized under 50 U.S.C. 4565(l)(3); and

(c) The establishment of interim protections for covered transactions withdrawn before CFIUS's review or investigation is completed, as authorized under 50 U.S.C. 4565(l)(5).

§ 202.208 - China.

The term China means the People's Republic of China, including the Special Administrative Region of Hong Kong and the Special Administrative Region of Macau, as well as any political subdivision, agency, or instrumentality thereof.

§ 202.209 - Country of concern.

The term country of concern means any foreign government that, as determined by the Attorney General with the concurrence of the Secretary of State and the Secretary of Commerce:

(a) Has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons; and

(b) Poses a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or security and safety of U.S. persons.

§ 202.210 - Covered data transaction.

(a) Definition. A covered data transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves:

(1) Data brokerage;

(2) A vendor agreement;

(3) An employment agreement; or

(4) An investment agreement.

(b) Examples—(1) Example 1. A U.S. institution conducts medical research at its own laboratory in a country of concern, including sending several U.S.-citizen employees to that laboratory to perform and assist with the research. The U.S. institution does not engage in data brokerage or a vendor, employment, or investment agreement that gives a covered person or country of concern access to government-related data or bulk U.S. sensitive personal data. Because the U.S. institution does not engage in any data brokerage or enter into a vendor, employment, or investment agreement, the U.S. institution's research activity is not a covered data transaction.

(2) Example 2. A U.S. person engages in a vendor agreement with a covered person involving access to bulk U.S. sensitive personal data. The vendor agreement is a restricted transaction. To comply with the CISA security requirements, the U.S. person, among other things, uses data-level requirements to mitigate the risk that the covered person could access the data. The vendor agreement remains a covered data transaction subject to the requirements of this part.

(3) Example 3. A covered person engages in a vendor agreement with a U.S. person involving the U.S. person accessing bulk U.S. sensitive personal data already possessed by the covered person. The vendor agreement is not a covered data transaction because the transaction does not involve access by the covered person.

§ 202.211 - Covered person.

(a) Definition. The term covered person means:

(1) A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern or persons described in paragraph (a)(2) of this section; or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;

(2) A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in paragraphs (a)(1), (3), (4), or (5) of this section;

(3) A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in paragraphs (a)(1), (2), or (5) of this section;

(4) A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or

(5) Any person, wherever located, determined by the Attorney General:

(i) To be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person;

(ii) To act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or

(iii) To have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.

(b) Examples—(1) Example 1. Foreign persons primarily resident in Cuba, Iran, or another country of concern would be covered persons.

(2) Example 2. Chinese or Russian citizens located in the United States would be treated as U.S. persons and would not be covered persons (except to the extent individually designated). They would be subject to the same prohibitions and restrictions as all other U.S. persons with respect to engaging in covered data transactions with countries of concern or covered persons.

(3) Example 3. Citizens of a country of concern who are primarily resident in a third country, such as Russian citizens primarily resident in a European Union country or Cuban citizens primarily resident in a South American country that is not a country of concern, would not be covered persons except to the extent they are individually designated or to the extent that they are employees or contractors of a country of concern government or a covered person that is an entity.

(4) Example 4. A foreign person is located abroad and is employed by a company headquartered in China. Because the company is a covered person that is an entity and the employee is located outside the United States, the employee is a covered person.

(5) Example 5. A foreign person is located abroad and is employed by a company that has been designated as a covered person. Because the foreign person is the employee of a covered person that is an entity and the employee is a foreign person, the person is a covered person.

(6) Example 6. A foreign person individual investor who principally resides in Venezuela owns 50% of a technology company that is solely organized under the laws of the United States. The investor is a covered person because the investor is a foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern. The technology company is a U.S. person because it is an entity organized solely under the laws of the United States or any jurisdiction within the United States. The technology company is not a covered person because it is not a foreign person and therefore does not meet the criteria of § 202.211(a)(2). However, the technology company could still be designated as a covered person following a determination that the technology company meets one or more criteria of § 202.211(a)(5).

(7) Example 7. Same as Example 6, but the technology company is additionally organized under the laws of Luxembourg. A U.S. company wishes to license bulk U.S. sensitive personal data to the technology company. The technology company is not a U.S. person because it is not solely organized under the laws of the United States. The technology company is a covered person because it is 50% or more owned, directly or indirectly, individually or in the aggregate, by a foreign person that is an individual who is primarily resident in the territorial jurisdiction of a country of concern. The transaction between the U.S. company and the technology company would be a prohibited data transaction.

(8) Example 8. A foreign person that lives in China owns 50% of Foreign Entity A. Foreign Entity A owns 100% of Foreign Entity B and 100% of Foreign Entity C. Foreign Entity B owns 20% of Foreign Entity D. Foreign Entity C owns 30% of Foreign Entity D. Foreign Entity D would be a covered person for two independent reasons. First, Foreign Entity D is a covered person because it is “indirectly” 50% or more owned by Foreign Entity A (20% through Foreign Entity B and 30% through Foreign Entity C). Second, Foreign Entity D is directly 50% owned, in the aggregate, by Foreign Entity B and Foreign Entity C, each of which is a covered person because it is 50% or more owned by Foreign Entity A.

§ 202.212 - Covered personal identifiers.

(a) Definition. The term covered personal identifiers means any listed identifier:

(1) In combination with any other listed identifier; or

(2) In combination with other data that is disclosed by a transacting party pursuant to the transaction such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data.

(b) Exclusion. The term covered personal identifiers excludes:

(1) Demographic or contact data that is linked only to other demographic or contact data (such as first and last name, birthplace, ZIP code, residential street or postal address, phone number, and email address and similar public account identifiers); and

(2) A network-based identifier, account-authentication data, or call-detail data that is linked only to other network-based identifier, account-authentication data, or call-detail data as necessary for the provision of telecommunications, networking, or similar service.

(c) Examples of listed identifiers in combination with other listed identifiers—(1) Example 1. A standalone listed identifier in isolation (i.e., that is not linked to another listed identifier, sensitive personal data, or other data that is disclosed by a transacting party pursuant to the transaction such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data)—such as a Social Security Number or account username—would not constitute a covered personal identifier.

(2) Example 2. A listed identifier linked to another listed identifier—such as a first and last name linked to a Social Security number, a driver's license number linked to a passport number, a device Media Access Control (“MAC”) address linked to a residential address, an account username linked to a first and last name, or a mobile advertising ID linked to an email address—would constitute covered personal identifiers.

(3) Example 3. Demographic or contact data linked only to other demographic or contact data—such as a first and last name linked to a residential street address, an email address linked to a first and last name, or a customer loyalty membership record linking a first and last name to a phone number—would not constitute covered personal identifiers.

(4) Example 4. Demographic or contact data linked to other demographic or contact data and to another listed identifier—such as a first and last name linked to an email address and to an IP address—would constitute covered personal identifiers.

(5) Example 5. Account usernames linked to passwords as part of a sale of a dataset would constitute covered personal identifiers. Those pieces of account-authentication data are not linked as a necessary part of the provision of telecommunications, networking, or similar services. This combination would constitute covered personal identifiers.

(d) Examples of a listed identifier in combination with other data disclosed by a transacting party—(1) Example 1. A foreign person who is a covered person asks a U.S. company for a list of Media Access Control (“MAC”) addresses from devices that have connected to the wireless network of a U.S. fast-food restaurant located in a particular government building. The U.S. company then sells the list of MAC addresses, without any other listed identifiers or sensitive personal data, to the covered person. The disclosed MAC addresses, when paired with the other data disclosed by the covered person—that the devices “have connected to the wireless network of a U.S. fast-food restaurant located in a particular government building”—makes it so that the MAC addresses are linked or linkable to other sensitive personal data, in this case precise geolocation data of the location of the fast-food restaurant that the national security-related individuals frequent with their devices. This combination of data therefore meets the definition of covered personal identifiers.

(2) Example 2. A U.S. company sells to a country of concern a list of residential addresses that the company describes (whether in a heading on the list or separately to the country of concern as part of the transaction) as “addresses of members of a country of concern's opposition political party in New York City” or as “addresses of active-duty military officers who live in Howard County, Maryland” without any other listed identifiers or sensitive personal data. The data disclosed by the U.S. company's description, when paired with the disclosed addresses, makes the addresses linked or linkable to other listed identifiers or to other sensitive personal data of the U.S. individuals associated with them. This combination of data therefore meets the definition of covered personal identifiers.

(3) Example 3. A covered person asks a U.S. company for a bulk list of birth dates for “any American who visited a Starbucks in Washington, DC, in December 2023.” The U.S. company then sells the list of birth dates, without any other listed identifiers or sensitive personal data, to the covered person. The other data disclosed by the covered person—“any American who visited a Starbucks in Washington, DC, in December 2023”—does not make the birth dates linked or linkable to other listed identifiers or to other sensitive personal data. This combination of data therefore does not meet the definition of covered personal identifiers.

(4) Example 4. Same as Example 3, but the covered person asks the U.S. company for a bulk list of names (rather than birth dates) for “any American who visited a Starbucks in Washington, DC in December 2023.” The other data disclosed by the covered person—“any American who visited a Starbucks in Washington, DC, in December 2023”—does not make the list of names, without more, linked or linkable to other listed identifiers or to other sensitive personal data. This combination of data therefore does not meet the definition of covered personal identifiers.

(5) Example 5. A U.S. company sells to a covered person a list of residential addresses that the company describes (in a heading in the list or to the covered person as part of the transaction) as “households of Americans who watched more than 50% of episodes” of a specific popular TV show, without any other listed identifiers or sensitive personal data. The other data disclosed by the U.S. company—“Americans who watched more than 50% of episodes” of a specific popular TV show—does not increase the extent to which the addresses are linked or linkable to other listed identifiers or to other sensitive personal data. This combination of data therefore does not meet the definition of covered personal identifiers.

§ 202.213 - Cuba.

The term Cuba means the Republic of Cuba, as well as any political subdivision, agency, or instrumentality thereof.

§ 202.214 - Data brokerage.

(a) Definition. The term data brokerage means the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.

(b) Examples—(1) Example 1. A U.S. company sells bulk U.S. sensitive personal data to an entity headquartered in a country of concern. The U.S. company engages in prohibited data brokerage.

(2) Example 2. A U.S. company enters into an agreement that gives a covered person a license to access government-related data held by the U.S. company. The U.S. company engages in prohibited data brokerage.

(3) Example 3. A U.S. organization maintains a database of bulk U.S. sensitive personal data and offers annual memberships for a fee that provide members a license to access that data. Providing an annual membership to a covered person that includes a license to access government-related data or bulk U.S. sensitive personal data would constitute prohibited data brokerage.

(4) Example 4. A U.S. company owns and operates a mobile app for U.S. users with available advertising space. As part of selling the advertising space, the U.S. company provides IP addresses and advertising IDs of more than 100,000 U.S. users' devices to an advertising exchange based in a country of concern in a twelve-month period. The U.S. company's provision of this data as part of the sale of advertising space is a covered data transaction involving data brokerage and is a prohibited transaction because IP addresses and advertising IDs are listed identifiers that satisfy the definition of bulk covered personal identifiers in this transaction.

(5) Example 5. Same as Example 4, but the U.S. company provides the data to an advertising exchange based in the United States. As part of the sale of the advertising space, the U.S. advertising exchange provides the data to advertisers headquartered in a country of concern. The U.S. company's provision of the data to the U.S. advertising exchange would not be a transaction because it is between U.S. persons. The advertising exchange's provision of this data to the country of concern-based advertisers is data brokerage because it is a commercial transaction involving the transfer of data from the U.S. advertising exchange to the advertisers headquartered in the country of concern, where those country-of-concern advertisers did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. Furthermore, the U.S. advertising exchange's provision of this data to the country of concern-based advertisers is a prohibited transaction.

(6) Example 6. A U.S. information technology company operates an autonomous driving platform that collects the precise geolocation data of its cars operating in the United States. The U.S. company sells or otherwise licenses this bulk data to its parent company headquartered in a country of concern to help develop artificial intelligence technology and machine learning capabilities. The sale or license is data brokerage and a prohibited transaction.

(7) Example 7. A U.S. company owns or operates a mobile app or website for U.S. users. That mobile app or website contains one or more tracking pixels or software development kits that were knowingly installed or approved for incorporation into the app or website by the U.S. company. The tracking pixels or software development kits transfer or otherwise provide access to government-related data or bulk U.S. sensitive personal data to a country of concern or covered person-owned social media app for targeted advertising. The U.S. company engages in prohibited data brokerage.

(8) Example 8. A non-U.S. company is contracted to develop a mobile app for a U.S. company. In developing the mobile app for that U.S. company, the non-U.S. company knowingly incorporates tracking pixels or software development kits into the mobile app that then transfer or otherwise provide access to government-related data or bulk U.S. sensitive personal data to a country of concern or covered person for targeted advertising, at the request of the U.S. company. The non-U.S. company has caused a violation of the data brokerage prohibition. If the U.S. company knowingly arranged the transfer of such data to the country of concern or covered person by requesting incorporation of the tracking pixels or software development kits, the U.S. company has engaged in prohibited data brokerage.

(9) Example 9. A U.S. researcher shares bulk human 'omic data on U.S. persons with a researcher in a country of concern (a covered person) with whom the U.S. researcher is drafting a paper for submission to an academic journal. The two researchers exchange country of concern and bulk U.S. human 'omic data over a period of several months to analyze and describe the findings of their research for the journal article. The U.S. person does not provide to or receive from the covered person or the covered person's employer any money or other valuable consideration as part of the authors' study. The U.S. person has not engaged in a covered data transaction involving data brokerage, because the transaction does not involve the sale of data, licensing of access to data, or similar commercial transaction involving the transfer of data to the covered person.

(10) Example 10. A U.S. researcher receives a grant from a university in a country of concern to study bulk personal health data and bulk human 'omic data on U.S. persons. The grant directs the researcher to share the underlying bulk U.S. sensitive personal data with the country of concern university (a covered person). The transaction is a covered data transaction because it involves access by a covered person to bulk U.S. sensitive personal data and is data brokerage because it involves the transfer of bulk U.S. sensitive personal data to a covered person in return for a financial benefit.

§ 202.215 - Directing.

The term directing means having any authority (individually or as part of a group) to make decisions for or on behalf of an entity and exercising that authority.

§ 202.216 - Effective date.

The term effective date refers to the effective date of this part, which is 12:01 a.m. ET on April 8, 2025.

§ 202.217 - Employment agreement.

(a) Definition. The term employment agreement means any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.

(b) Examples—(1) Example 1. A U.S. company that conducts consumer human genomic testing collects and maintains bulk human genomic data from U.S. consumers. The U.S. company has global IT operations, including employing a team of individuals who are citizens of and primarily resident in a country of concern to provide back-end services. The agreements related to employing these individuals are employment agreements. Employment as part of the global IT operations team includes access to the U.S. company's systems containing the bulk human genomic data. These employment agreements would be prohibited transactions (because they involve access to bulk human genomic data).

(2) Example 2. A U.S. company develops its own mobile games and social media apps that collect the bulk U.S. sensitive personal data of its U.S. users. The U.S. company distributes these games and apps in the United States through U.S.-based digital distribution platforms for software applications. The U.S. company intends to hire as CEO an individual designated by the Attorney General as a covered person because of evidence the CEO acts on behalf of a country of concern. The agreement retaining the individual as CEO would be an employment agreement. The individual's authorities and responsibilities as CEO involve access to all data collected by the apps, including the bulk U.S. sensitive personal data. The CEO's employment would be a restricted transaction.

(3) Example 3. A U.S. company has derived U.S. persons' biometric identifiers by scraping public photos from social media platforms. The U.S. company stores the derived biometric identifiers in bulk, including face-data scans, for the purpose of training or enhancing facial-recognition software. The U.S. company intends to hire a foreign person, who primarily resides in a country of concern, as a project manager responsible for the database. The agreement retaining the project manager would be an employment agreement. The individual's employment as the lead project manager would involve access to the bulk biometric identifiers. The project manager's employment would be a restricted transaction.

(4) Example 4. A U.S. financial-services company seeks to hire a data scientist who is a citizen of a country of concern who primarily resides in that country of concern and who is developing a new artificial intelligence-based personal assistant that could be sold as a standalone product to the company's customers. The arrangement retaining the data scientist would be an employment agreement. As part of that individual's employment, the data scientist would have administrator rights that allow that individual to access, download, and transmit bulk quantities of personal financial data not ordinarily incident to and part of the company's underlying provision of financial services to its customers. The data scientist's employment would be a restricted transaction.

(5) Example 5. A U.S. company sells goods and collects bulk personal financial data about its U.S. customers. The U.S. company appoints a citizen of a country of concern, who is located in a country of concern, to its board of directors. This director would be a covered person, and the arrangement appointing the director would be an employment agreement. In connection with the board's data security and cybersecurity responsibilities, the director could access the bulk personal financial data. The director's employment would be a restricted transaction.

§ 202.218 - Entity.

The term entity means a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization.

§ 202.219 - Exempt transaction.

The term exempt transaction means a data transaction that is subject to one or more exemptions described in subpart E of this part.

§ 202.220 - Former senior official.

The term former senior official means either a “former senior employee” or a “former very senior employee,” as those terms are defined in 5 CFR 2641.104.

§ 202.221 - Foreign person.

The term foreign person means any person that is not a U.S. person.

§ 202.222 - Government-related data.

(a) Definition. The term government-related data means the following:

(1) Any precise geolocation data, regardless of volume, for any location within any area enumerated on the Government-Related Location Data List in § 202.1401 which the Attorney General has determined poses a heightened risk of being exploited by a country of concern to reveal insights about locations controlled by the Federal Government, including insights about facilities, activities, or populations in those locations, to the detriment of national security, because of the nature of those locations or the personnel who work there. Such locations may include:

(i) The worksite or duty station of Federal Government employees or contractors who occupy a national security position as that term is defined in 5 CFR 1400.102(a)(4);

(ii) A military installation as that term is defined in 10 U.S.C. 2801(c)(4); or

(iii) Facilities or locations that otherwise support the Federal Government's national security, defense, intelligence, law enforcement, or foreign policy missions.

(2) Any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and Intelligence Community.

(b) Examples of government-related data marketed by a transacting party—(1) Example 1. A U.S. company advertises the sale of a set of sensitive personal data as belonging to “active duty” personnel, “military personnel who like to read,” “DoD” personnel, “government employees,” or “communities that are heavily connected to a nearby military base.” The data is government-related data.

(2) Example 2. In discussing the sale of a set of sensitive personal data with a covered person, a U.S. company describes the dataset as belonging to members of a specific named organization. The identified organization restricts membership to current and former members of the military and their families. The data is government-related data.

§ 202.223 - Human biospecimens.

(a) The term human biospecimens means a quantity of tissue, blood, urine, or other human-derived material, including such material classified under any of the following 10-digit Harmonized System-based Schedule B numbers:

(1) 0501.00.0000 Human hair, unworked, whether or not washed or scoured; waste of human hair

(2) 3001.20.0000 Extracts of glands or other organs or of their secretions

(3) 3001.90.0115 Glands and other organs, dried, whether or not powdered

(4) 3002.12.0010 Human blood plasma

(5) 3002.12.0020 Normal human blood sera, whether or not freeze-dried

(6) 3002.12.0030 Human immune blood sera

(7) 3002.12.0090 Antisera and other blood fractions, Other

(8) 3002.51.0000 Cell therapy products

(9) 3002.59.0000 Cell cultures, whether or not modified, Other

(10) 3002.90.5210 Whole human blood

(11) 3002.90.5250 Blood, human/animal, other

(12) 9705.21.0000 Human specimens and parts thereof

(b) Notwithstanding paragraph (a) of this section, the term human biospecimens does not include human biospecimens, including human blood, cell, and plasma-derived therapeutics, intended by a recipient solely for use in diagnosing, treating, or preventing any disease or medical condition.

§ 202.224 - Human `omic data.

(a) The term human `omic data means:

(1) Human genomic data. Data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a human cell, including the result or results of an individual's “genetic test” (as defined in 42 U.S.C. 300gg-91(d)(17)) and any related human genetic sequencing data.

(2) Human epigenomic data. Data derived from a systems-level analysis of human epigenetic modifications, which are changes in gene expression that do not involve alterations to the DNA sequence itself. These epigenetic modifications include modifications such as DNA methylation, histone modifications, and non-coding RNA regulation. Routine clinical measurements of epigenetic modifications for individualized patient care purposes would not be considered epigenomic data under this rule because such measurements would not entail a systems-level analysis of the epigenetic modifications in a sample.

(3) Human proteomic data. Data derived from a systems-level analysis of proteins expressed by a human genome, cell, tissue, or organism. Routine clinical measurements of proteins for individualized patient care purposes would not be considered proteomic data under this rule because such measurements would not entail a systems-level analysis of the proteins found in such a sample.

(4) Human transcriptomic data. Data derived from a systems-level analysis of RNA transcripts produced by the human genome under specific conditions or in a specific cell type. Routine clinical measurements of RNA transcripts for individualized patient care purposes would not be considered transcriptomic data under this rule because such measurements would not entail a systems-level analysis of the RNA transcripts in a sample.

(b) The term human `omic data excludes pathogen-specific data embedded in human `omic data sets.

§ 202.225 - IEEPA.

The term IEEPA means the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.).

§ 202.226 - Information or informational materials.

(a) Definition. The term information or informational materials is limited to expressive material and includes publications, films, posters, phonograph records, photographs, microfilms, microfiche, tapes, compact disks, CD ROMs, artworks, and news wire feeds. It does not include data that is technical, functional, or otherwise non-expressive.

(b) Exclusions. The term information or informational materials does not include:

(1) Information or informational materials not fully created and in existence at the date of the data transaction, or the substantive or artistic alteration or enhancement of information or informational materials, or the provision of marketing and business consulting services, including to market, produce or co-produce, or assist in the creation of information or informational materials;

(2) Items that were, as of April 30, 1994, or that thereafter become, controlled for export to the extent that such controls promote the nonproliferation or antiterrorism policies of the United States, or with respect to which acts are prohibited by 18 U.S.C. chapter 37.

(c) Examples—(1) Example 1. A U.S. person enters into an agreement to create a customized dataset of bulk U.S. sensitive personal data that meets a covered person's specifications (such as the specific types and fields of data, date ranges, and other criteria) and to sell that dataset to the covered person. This customized dataset is not fully created and in existence at the date of the agreement, and therefore is not information or informational materials.

(2) Example 2. A U.S. company has access to several pre-existing databases of different bulk U.S. sensitive personal data. The U.S. company offers, for a fee, to use data analytics to link the data across these databases to the same individuals and to sell that combined dataset to a covered person. This service constitutes a substantive alteration or enhancement of the data in the pre-existing databases and therefore is not information or informational materials.

§ 202.227 - Interest.

Except as otherwise provided in this part, the term interest, when used with respect to property (e.g., “an interest in property”), means an interest of any nature whatsoever, direct or indirect.

§ 202.228 - Investment agreement.

(a) Definition. The term investment agreement means an agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to:

(1) Real estate located in the United States; or

(2) A U.S. legal entity.

(b) Exclusion for passive investments. The term investment agreement excludes any investment that:

(1) Is made:

(i) Into a publicly traded security, with “security” defined in section 3(a)(10) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(10)), denominated in any currency that trades on a securities exchange or through the method of trading that is commonly referred to as “over-the-counter,” in any jurisdiction;

(ii) Into a security offered by:

(A) Any “investment company” (as defined in section 3(a)(1) of the Investment Company Act of 1940 (15 U.S.C. 80a-3(a)(1)) that is registered with the United States Securities and Exchange Commission, such as index funds, mutual funds, or exchange traded funds; or

(B) Any company that has elected to be regulated or is regulated as a business development company pursuant to section 54(a) of the Investment Company Act of 1940 (15 U.S.C. 80a-53), or any derivative of either of the foregoing; or

(iii) As a limited partner into a venture capital fund, private equity fund, fund of funds, or other pooled investment fund, or private entity, if the limited partner's contribution is solely capital and the limited partner cannot make managerial decisions, is not responsible for any debts beyond its investment, and does not have the formal or informal ability to influence or participate in the fund's or a U.S. person's decision making or operations;

(2) Gives the covered person less than 10% in total voting and equity interest in a U.S. person; and

(3) Does not give a covered person rights beyond those reasonably considered to be standard minority shareholder protections, including (a) membership or observer rights on, or the right to nominate an individual to a position on, the board of directors or an equivalent governing body of the U.S. person, or (b) any other involvement, beyond the voting of shares, in substantive business decisions, management, or strategy of the U.S. person.

(c) Examples—(1) Example 1. A U.S. company intends to build a data center located in a U.S. territory. The data center will store bulk personal health data on U.S. persons. A foreign private equity fund located in a country of concern agrees to provide capital for the construction of the data center in exchange for acquiring a majority ownership stake in the data center. The agreement that gives the private equity fund a stake in the data center is an investment agreement. The investment agreement is a restricted transaction.

(2) Example 2. A foreign technology company that is subject to the jurisdiction of a country of concern and that the Attorney General has designated as a covered person enters into a shareholders' agreement with a U.S. business that develops mobile games and social media apps, acquiring a minority equity stake in the U.S. business. The shareholders' agreement is an investment agreement. These games and apps developed by the U.S. business systematically collect bulk U.S. sensitive personal data of its U.S. users. The investment agreement explicitly gives the foreign technology company the ability to access this data and is therefore a restricted transaction.

(3) Example 3. Same as Example 2, but the investment agreement either does not explicitly give the foreign technology company the right to access the data or explicitly forbids that access. The investment agreement nonetheless provides the foreign technology company with the sufficient ownership interest, rights, or other involvement in substantive business decisions, management, or strategy such that the investment does not constitute a passive investment. Because it is not a passive investment, the ownership interest, rights, or other involvement in substantive business decisions, management, or strategy gives the foreign technology company the ability to obtain logical or physical access, regardless of how the agreement formally distributes those rights. The investment agreement therefore involves access to bulk U.S. sensitive personal data. The investment agreement is a restricted transaction.

(4) Example 4. Same as Example 3, but the U.S. business does not maintain or have access to any government-related data or bulk U.S. sensitive personal data (e.g., a pre-commercial company or startup company). Because the data transaction cannot involve access to any government-related data or bulk U.S. sensitive personal data, this investment agreement does not meet the definition of a covered data transaction and is not a restricted transaction.

§ 202.229 - Iran.

The term Iran means the Islamic Republic of Iran, as well as any political subdivision, agency, or instrumentality thereof.

§ 202.230 - Knowingly.

(a) Definition. The term knowingly, with respect to conduct, a circumstance, or a result, means that a person has actual knowledge, or reasonably should have known, of the conduct, the circumstance, or the result.

(b) Examples—(1) Example 1. A U.S. company sells DNA testing kits to U.S. consumers and maintains bulk human genomic data collected from those consumers. The U.S. company enters into a contract with a foreign cloud-computing company (which is not a covered person) to store the U.S. company's database of human genomic data. The foreign company hires employees from other countries, including citizens of countries of concern who primarily reside in a country of concern, to manage databases for its customers, including the U.S. company's human genomic database. There is no indication of evasion, such as the U.S. company knowingly directing the foreign company's employment agreements with covered persons, or the U.S. company engaging in and structuring these transactions to evade the regulations. The cloud-computing services agreement between the U.S. company and the foreign company would not be prohibited or restricted, because that covered data transaction is between a U.S. person and a foreign company that does not meet the definition of a covered person. The employment agreements between the foreign company and the covered persons would not be prohibited or restricted because those agreements are between foreign persons.

(2) Example 2. A U.S. company transmits the bulk U.S. sensitive personal data of U.S. persons to a country of concern, in violation of this part, using a fiber optic cable operated by another U.S. company. The U.S. cable operator has not knowingly engaged in a prohibited transaction or a restricted transaction solely by virtue of operating the fiber optic cable because the U.S. cable operator does not know, and reasonably should not know, the content of the traffic transmitted across the fiber optic cable.

(3) Example 3. A U.S. service provider provides a software platform on which a U.S. company processes the bulk U.S. sensitive personal data of its U.S.-person customers. While the U.S. service provider is generally aware of the nature of the U.S. company's business, the U.S. service provider is not aware of the kind or volume of data that the U.S. company processes on the platform, how the U.S. company uses the data, or whether the U.S. company engages in data transactions. The U.S. company also primarily controls access to its data on the platform, with the U.S. service provider accessing the data only for troubleshooting or technical support purposes, upon request by the U.S. company. Subsequently, without the actual knowledge of the U.S. service provider and without providing the U.S. service provider with any information from which the service provider should have known, the U.S. company grants access to the data on the U.S. service provider's software platform to a covered person through a covered data transaction, in violation of this part. The U.S. service provider itself, however, has not knowingly engaged in a restricted transaction by enabling the covered persons' access via its software platform.

(4) Example 4. Same as Example 3, but in addition to providing the software platform, the U.S. company's contract with the U.S. service provider also outsources the U.S. company's processing and handling of the data to the U.S. service provider. As a result, the U.S. service provider primarily controls access to the U.S. company's bulk U.S. sensitive personal data on the platform. The U.S. service provider employs a covered person and grants access to this data as part of this employment. Although the U.S. company's contract with the U.S. service provider is not a restricted transaction, the U.S. service provider's employment agreement with the covered person is a restricted transaction. The U.S. service provider has thus knowingly engaged in a restricted transaction by entering into an employment agreement that grants access to its employee because the U.S. service provider knew or should have known of its employee's covered person status and, as the party responsible for processing and handling the data, the U.S. service provider was aware of the kind and volume of data that the U.S. company processes on the platform.

(5) Example 5. A U.S. company provides cloud storage to a U.S. customer for the encrypted storage of the customer's bulk U.S. sensitive personal data. The U.S. cloud-service provider has an emergency back-up encryption key for all its customers' data, but the company is contractually limited to using the key to decrypt the data only at the customer's request. The U.S. customer's systems and access to the key become disabled, and the U.S. customer requests that the cloud-service provider use the back-up encryption key to decrypt the data and store it on a backup server while the customer restores its own systems. By having access to and using the backup encryption key to decrypt the data in accordance with the contractual limitation, the U.S. cloud-service provider does not and reasonably should not know the kind and volumes of the U.S. customer's data. If the U.S. customer later uses the cloud storage to knowingly engage in a prohibited transaction, the U.S. cloud-service provider's access to and use of the backup encryption key does not mean that the U.S. cloud-service provider has also knowingly engaged in a restricted transaction.

(6) Example 6. A prominent human genomics research clinic enters into a cloud-services contract with a U.S. cloud-service provider that specializes in storing and processing healthcare data to store bulk human genomic research data. The cloud-service provider hires IT personnel in a country of concern, who are thus covered persons. While the data that is stored is encrypted, the IT personnel can access the data in encrypted form. The employment agreement between the U.S. cloud-service provider and the IT personnel in the country of concern is a prohibited transaction because the agreement involves giving the IT personnel access to the encrypted data and constitutes a transfer of human genomic data. Given the nature of the research institution's work and the cloud-service provider's expertise in storing healthcare data, the cloud-service provider reasonably should have known that the encrypted data is bulk U.S. sensitive personal data covered by the regulations. The cloud-service provider has therefore knowingly engaged in a prohibited transaction (because it involves access to human genomic data).

§ 202.231 - Licenses; general and specific.

(a) General license. The term general license means a written license issued pursuant to this part authorizing a class of transactions and not limited to a particular person.

(b) Specific license. The term specific license means a written license issued pursuant to this part to a particular person or persons, authorizing a particular transaction or transactions in response to a written license application.

§ 202.232 - Linked.

(a) Definition. The term linked means associated.

(b) Examples—(1) Example 1. A U.S. person transfers two listed identifiers in a single spreadsheet—such as a list of names of individuals and associated MAC addresses for those individuals' devices. The names and MAC addresses would be considered linked.

(2) Example 2. A U.S. person transfers two listed identifiers in different spreadsheets—such as a list of names of individuals in one spreadsheet and MAC addresses in another spreadsheet—to two related parties in two different covered data transactions. The names and MAC addresses would be considered linked, provided that some correlation existed between the names and MAC addresses (e.g., associated employee ID number is also listed in both spreadsheets).

(3) Example 3. A U.S. person transfers a standalone list of MAC addresses, without any additional listed identifiers. The standalone list does not include covered personal identifiers. That standalone list of MAC addresses would not become covered personal identifiers even if the receiving party is capable of obtaining separate sets of other listed identifiers or sensitive personal data through separate covered data transactions with unaffiliated parties that would ultimately permit the association of the MAC addresses to specific persons. The MAC addresses would not be considered linked or linkable to those separate sets of other listed identifiers or sensitive personal data.

§ 202.233 - Linkable.

The term linkable means reasonably capable of being linked.

Note to § 202.233:

Data is considered linkable when the identifiers involved in a single covered data transaction, or in multiple covered data transactions or a course of dealing between the same or related parties, are reasonably capable of being associated with the same person(s). Identifiers are not linked or linkable when additional identifiers or data not involved in the relevant covered data transaction(s) would be necessary to associate the identifiers with the same specific person(s).
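The following is an added worked example, not part of the regulation, that applies the linked/linkable rules of § 202.232 and § 202.233 to datasets exchanged in a course of dealing: two listed identifiers in the same records are linked (Example 1); identifiers split across datasets sent to the same or related parties are linkable only when a column within the transaction itself correlates the records, such as a shared employee ID (Example 2 and the note above); and a standalone list is not made linkable by data the recipient could obtain from unaffiliated parties (Example 3). The column-name-to-category table, the party names and the sample rows are constructed assumptions; a real check would also detect identifier formats from values, not only from column names.

```python
"""Linked / linkable check for listed identifiers split across datasets
(added example; categories, party names and rows are assumptions)."""
from dataclasses import dataclass

# Assumption: column names map onto the § 202.234 field categories.
LISTED_IDENTIFIER_COLUMNS = {
    "full_name": "demographic or contact data",
    "email": "demographic or contact data",
    "mac_address": "device-based or hardware-based identifier",
    "imei": "device-based or hardware-based identifier",
    "ip_address": "network-based identifier",
    "ssn": "government identification number",
}


@dataclass
class Dataset:
    label: str
    recipient: str      # party that receives this dataset
    rows: list          # list of {column: value} records

    def columns(self) -> set:
        cols = set()
        for row in self.rows:
            cols.update(row.keys())
        return cols

    def identifier_columns(self) -> set:
        return {c for c in self.columns() if c in LISTED_IDENTIFIER_COLUMNS}


def linked_within(ds: Dataset) -> bool:
    """§ 202.232 Example 1: two listed identifiers carried in the same
    records are linked, regardless of what the columns are called."""
    return len(ds.identifier_columns()) >= 2


def correlating_columns(a: Dataset, b: Dataset) -> set:
    """Columns present in both datasets whose values actually overlap,
    e.g. an employee ID repeated in both spreadsheets."""
    hits = set()
    for col in a.columns() & b.columns():
        va = {r[col] for r in a.rows if col in r}
        vb = {r[col] for r in b.rows if col in r}
        if va & vb:
            hits.add(col)
    return hits


def linkable_across(a: Dataset, b: Dataset, related_parties) -> bool:
    """§ 202.232 Example 2 and the note to § 202.233: identifiers split
    across two datasets are linkable only when (1) both go to the same or
    related parties and (2) a column inside the transaction correlates the
    records. Data the recipient might buy elsewhere from unaffiliated
    parties (Example 3) is deliberately outside this check."""
    same_or_related = (a.recipient == b.recipient
                       or frozenset({a.recipient, b.recipient}) in related_parties)
    if not same_or_related:
        return False
    if not (a.identifier_columns() and b.identifier_columns()):
        return False
    return bool(correlating_columns(a, b))


# Constructed sample data (locally administered MAC addresses, fictional names).
one_sheet = Dataset("names+macs", "partyA", [
    {"full_name": "Ada Example", "mac_address": "02:00:5e:00:53:01"},
    {"full_name": "Bob Sample", "mac_address": "02:00:5e:00:53:02"},
])
names_sheet = Dataset("names", "partyB", [
    {"employee_id": "E100", "full_name": "Ada Example"},
    {"employee_id": "E101", "full_name": "Bob Sample"},
])
macs_sheet = Dataset("macs", "partyC", [
    {"employee_id": "E100", "mac_address": "02:00:5e:00:53:01"},
    {"employee_id": "E101", "mac_address": "02:00:5e:00:53:02"},
])
standalone_macs = Dataset("macs-only", "partyD", [
    {"mac_address": "02:00:5e:00:53:03"},
    {"mac_address": "02:00:5e:00:53:04"},
])
RELATED = {frozenset({"partyB", "partyC"})}   # assumed affiliates


def report() -> dict:
    """Apply the three rules to the constructed datasets."""
    return {
        "one_sheet_linked": linked_within(one_sheet),
        "split_sheets_linkable": linkable_across(names_sheet, macs_sheet, RELATED),
        "standalone_linked": linked_within(standalone_macs),
        "standalone_linkable_to_names": linkable_across(names_sheet, standalone_macs, RELATED),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The check is deliberately scoped to the transaction(s) between the same or related parties; it does not try to model what a recipient could assemble from other sources, which the note above excludes from "linkable". In practice, identifier detection should also inspect values (MAC, IMEI and IP formats, e-mail syntax), since column names are an unreliable signal.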

§ 202.234 - Listed identifier.

The term listed identifier means any piece of data in any of the following data fields:

(a) Full or truncated government identification or account number (such as a Social Security number, driver's license or State identification number, passport number, or Alien Registration Number);

(b) Full financial account numbers or personal identification numbers associated with a financial institution or financial-services company;

(c) Device-based or hardware-based identifier (such as International Mobile Equipment Identity (“IMEI”), Media Access Control (“MAC”) address, or Subscriber Identity Module (“SIM”) card number);

(d) Demographic or contact data (such as first and last name, birth date, birthplace, ZIP code, residential street or postal address, phone number, email address, or similar public account identifiers);

(e) Advertising identifier (such as Google Advertising ID, Apple ID for Advertisers, or other mobile advertising ID (“MAID”));

(f) Account-authentication data (such as account username, account password, or an answer to security questions);

(g) Network-based identifier (such as Internet Protocol (“IP”) address or cookie data); or

(h) Call-detail data (such as Customer Proprietary Network Information (“CPNI”)).

§ 202.235 - National Security Division.

The term National Security Division means the National Security Division of the United States Department of Justice.

§ 202.236 - North Korea.

The term North Korea means the Democratic People's Republic of North Korea, and any political subdivision, agency, or instrumentality thereof.

§ 202.237 - Order.

The term Order means Executive Order 14117 of February 28, 2024 (Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern), 89 FR 15421 (March 1, 2024).

§ 202.238 - Person.

The term person means an individual or entity.

§ 202.239 - Personal communications.

The term personal communications means any postal, telegraphic, telephonic, or other personal communication that does not involve the transfer of anything of value, as set out under 50 U.S.C. 1702(b)(1).

§ 202.240 - Personal financial data.

The term personal financial data means data about an individual's credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a “consumer report” (as defined in 15 U.S.C. 1681a(d)).

§ 202.241 - Personal health data.

The term personal health data means health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual. This term includes basic physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms, and allergies); social, psychological, behavioral, and medical diagnostic, intervention, and treatment history; test results; logs of exercise habits; immunization data; data on reproductive and sexual health; and data on the use or purchase of prescribed medications.

§ 202.242 - Precise geolocation data.

The term precise geolocation data means data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters.
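An added worked example, not part of the regulation, showing one way to test recorded coordinates against the 1,000-meter threshold above. It assumes that "precision" can be measured as the worst-case distance between the coordinate as written and any true location that would round to it (half a unit in the last written digit on each axis), uses a mean Earth radius of 6,371,008.8 m, and reads the number of decimal digits from the string rather than from a float so that trailing zeros count. The sample coordinates are constructed and do not refer to any location of interest. The point worth noting is that rounding to two decimal places, a common "coarse enough" intuition, still pins a mid-latitude point to roughly 700 m under this reading.

```python
"""Coordinate precision check against the 1,000 m threshold of § 202.242
(added example; the interpretation of 'precision' is a stated assumption)."""
import math

EARTH_RADIUS_M = 6_371_008.8   # mean Earth radius (assumption)
THRESHOLD_M = 1_000.0          # "a precision of within 1,000 meters"


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in meters between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def decimal_places(text: str) -> int:
    """Decimal digits as written; '45.120' keeps its three digits, which a
    float conversion would silently drop."""
    text = text.strip()
    return len(text.split(".", 1)[1]) if "." in text else 0


def max_error_m(lat_text: str, lon_text: str) -> float:
    """Worst-case distance from the written coordinate to a true location
    that rounds to it: the farthest corner of the rounding cell, half a
    unit in the last written digit on each axis."""
    lat, lon = float(lat_text), float(lon_text)
    half_lat = 0.5 * 10.0 ** -decimal_places(lat_text)
    half_lon = 0.5 * 10.0 ** -decimal_places(lon_text)
    worst = 0.0
    for slat in (-1, 1):
        for slon in (-1, 1):
            corner_lat = max(-90.0, min(90.0, lat + slat * half_lat))
            corner_lon = lon + slon * half_lon
            worst = max(worst, haversine_m(lat, lon, corner_lat, corner_lon))
    return worst


def is_precise_geolocation(lat_text: str, lon_text: str) -> bool:
    """True when the written value identifies the location to within 1,000 m."""
    return max_error_m(lat_text, lon_text) <= THRESHOLD_M


def coarsen_until_not_precise(lat_text: str, lon_text: str):
    """Drop decimal digits on both axes together until the value no longer
    identifies a location to within 1,000 m; returns the coarsened strings."""
    lat, lon = float(lat_text), float(lon_text)
    start = max(decimal_places(lat_text), decimal_places(lon_text))
    for digits in range(start, -1, -1):
        cand = (f"{lat:.{digits}f}", f"{lon:.{digits}f}")
        if not is_precise_geolocation(*cand):
            return cand
    return None   # unreachable for valid coordinates: a whole degree spans ~111 km


if __name__ == "__main__":
    # Constructed sample coordinates; not a real location of interest.
    for lat, lon in (("45.123", "-100.456"), ("45.12", "-100.46"), ("45.1", "-100.5")):
        print(lat, lon, f"{max_error_m(lat, lon):.0f} m", is_precise_geolocation(lat, lon))
    print(coarsen_until_not_precise("45.123", "-100.456"))
```

Two caveats a practitioner would want: the check measures only the rounding precision of a single coordinate pair, so a sequence of coarse points over time, or other fields stored with them, can still narrow a location well below what any one value reveals; and coarsening the coordinate field says nothing about whether the rest of the record is government-related data or otherwise covered.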

§ 202.243 - Prohibited transaction.

The term prohibited transaction means a data transaction that is subject to one or more of the prohibitions described in subpart C of this part.

§ 202.244 - Property; property interest.

The terms property and property interest include money; checks; drafts; bullion; bank deposits; savings accounts; debts; indebtedness; obligations; notes; guarantees; debentures; stocks; bonds; coupons; any other financial instruments; bankers acceptances; mortgages, pledges, liens, or other rights in the nature of security; warehouse receipts, bills of lading, trust receipts, bills of sale, or any other evidences of title, ownership, or indebtedness; letters of credit and any documents relating to any rights or obligations thereunder; powers of attorney; goods; wares; merchandise; chattels; stocks on hand; ships; goods on ships; real estate mortgages; deeds of trust; vendors' sales agreements; land contracts, leaseholds, ground rents, real estate and any other interest therein; options; negotiable instruments; trade acceptances; royalties; book accounts; accounts payable; judgments; patents; trademarks or copyrights; insurance policies; safe deposit boxes and their contents; annuities; pooling agreements; services of any nature whatsoever; contracts of any nature whatsoever; any other property, real, personal, or mixed, tangible or intangible, or interest or interests therein, present, future, or contingent.

§ 202.245 - Recent former employees or contractors.

The terms recent former employees or recent former contractors mean employees or contractors who worked for or provided services to the United States Government, in a paid or unpaid status, within the past 2 years of a potential covered data transaction.

§ 202.246 - Restricted transaction.

The term restricted transaction means a data transaction that is subject to subpart D of this part.

§ 202.247 - Russia.

The term Russia means the Russian Federation, and any political subdivision, agency, or instrumentality thereof.

§ 202.248 - Security requirements.

The term security requirements means the Cybersecurity and Infrastructure Security Agency (“CISA”) Security Requirements for Restricted Transactions E.O. 14117 Implementation, January 2025. This material is incorporated by reference into this section with the approval of the Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. This incorporation by reference (“IBR”) material is available for inspection at the Department of Justice and at the National Archives and Records Administration (“NARA”). Please contact the Foreign Investment Review Section, National Security Division, U.S. Department of Justice, 175 N St. NE, Washington, DC 20002, telephone: 202-514-8648, [email protected]; www.justice.gov/nsd. For information on the availability of this material at NARA, visit www.archives.gov/federal-register/cfr/ibr-locations or email [email protected]. The material may be obtained from the National Security Division and the Cybersecurity and Infrastructure Security Agency (CISA), Mail Stop 0380, Department of Homeland Security, 245 Murray Lane, Washington, DC 20528-0380; [email protected]; 888-282-0870; www.cisa.gov/.

§ 202.249 - Sensitive personal data.

(a) Definition. The term sensitive personal data means covered personal identifiers, precise geolocation data, biometric identifiers, human `omic data, personal health data, personal financial data, or any combination thereof.

(b) Exclusions. The term sensitive personal data, and each of the categories of sensitive personal data, excludes:

(1) Public or nonpublic data that does not relate to an individual, including such data that meets the definition of a “trade secret” (as defined in 18 U.S.C. 1839(3)) or “proprietary information” (as defined in 50 U.S.C. 1708(d)(7));

(2) Data that is, at the time of the transaction, lawfully available to the public from a Federal, State, or local government record (such as court records) or in widely distributed media (such as sources that are generally available to the public through unrestricted and open-access repositories);

(3) Personal communications; and

(4) Information or informational materials and ordinarily associated metadata or metadata reasonably necessary to enable the transmission or dissemination of such information or informational materials.

§ 202.250 - Special Administrative Region of Hong Kong.

The term Special Administrative Region of Hong Kong means the Special Administrative Region of Hong Kong, and any political subdivision, agency, or instrumentality thereof.

§ 202.251 - Special Administrative Region of Macau.

The term Special Administrative Region of Macau means the Special Administrative Region of Macau, and any political subdivision, agency, or instrumentality thereof.

§ 202.252 - Telecommunications service.

The term telecommunications service means the provision of voice and data communications services regardless of format or mode of delivery, including communications services delivered over cable, Internet Protocol, wireless, fiber, or other transmission mechanisms, as well as arrangements for network interconnection, transport, messaging, routing, or international voice, text, and data roaming.

§ 202.253 - Transaction.

The term transaction means any acquisition, holding, use, transfer, transportation, exportation of, or dealing in any property in which a foreign country or national thereof has an interest.

§ 202.254 - Transfer.

The term transfer means any actual or purported act or transaction, whether or not evidenced by writing, and whether or not done or performed within the United States, the purpose, intent, or effect of which is to create, surrender, release, convey, transfer, or alter, directly or indirectly, any right, remedy, power, privilege, or interest with respect to any property. Without limitation on the foregoing, it shall include the making, execution, or delivery of any assignment, power, conveyance, check, declaration, deed, deed of trust, power of attorney, power of appointment, bill of sale, mortgage, receipt, agreement, contract, certificate, gift, sale, affidavit, or statement; the making of any payment; the setting off of any obligation or credit; the appointment of any agent, trustee, or fiduciary; the creation or transfer of any lien; the issuance, docketing, filing, or levy of or under any judgment, decree, attachment, injunction, execution, or other judicial or administrative process or order, or the service of any garnishment; the acquisition of any interest of any nature whatsoever by reason of a judgment or decree of any foreign country; the fulfillment of any condition; the exercise of any power of appointment, power of attorney, or other power; or the acquisition, disposition, transportation, importation, exportation, or withdrawal of any security.

§ 202.255 - United States.

The term United States means the United States, its territories and possessions, and all areas under the jurisdiction or authority thereof.

§ 202.256 - United States person or U.S. person.

(a) Definition. The terms United States person and U.S. person mean any United States citizen, national, or lawful permanent resident; any individual admitted to the United States as a refugee under 8 U.S.C. 1157 or granted asylum under 8 U.S.C. 1158; any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person in the United States.

(b) Examples—(1) Example 1. An individual is a citizen of a country of concern and is in the United States. The individual is a U.S. person.

(2) Example 2. An individual is a U.S. citizen. The individual is a U.S. person, regardless of location.

(3) Example 3. An individual is a dual citizen of the United States and a country of concern. The individual is a U.S. person, regardless of location.

(4) Example 4. An individual is a citizen of a country of concern, is not a permanent resident alien of the United States, and is outside the United States. The individual is a foreign person.

(5) Example 5. A company is organized under the laws of the United States and has a foreign branch in a country of concern. The company, including its foreign branch, is a U.S. person.

(6) Example 6. A parent company is organized under the laws of the United States and has a subsidiary organized under the laws of a country of concern. The subsidiary is a foreign person regardless of the degree of ownership by the parent company; the parent company is a U.S. person.

(7) Example 7. A company is organized under the laws of a country of concern and has a branch in the United States. The company, including its U.S. branch, is a foreign person.

(8) Example 8. A parent company is organized under the laws of a country of concern and has a subsidiary organized under the laws of the United States. The subsidiary is a U.S. person regardless of the degree of ownership by the parent company; the parent company is a foreign person.

§ 202.257 - U.S. device.

The term U.S. device means any device with the capacity to store or transmit data that is linked or linkable to a U.S. person.

§ 202.258 - Vendor agreement.

(a) Definition. The term vendor agreement means any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.

(b) Examples—(1) Example 1. A U.S. company collects bulk precise geolocation data from U.S. users through an app. The U.S. company enters into an agreement with a company headquartered in a country of concern to process and store this data. This vendor agreement is a restricted transaction.

(2) Example 2. A medical facility in the United States contracts with a company headquartered in a country of concern to provide IT-related services. The contract governing the provision of services is a vendor agreement. The medical facility has bulk personal health data on its U.S. patients. The IT services provided under the contract involve access to the medical facility's systems containing the bulk personal health data. This vendor agreement is a restricted transaction.

(3) Example 3. A U.S. company, which is owned by an entity headquartered in a country of concern and has been designated a covered person, establishes a new data center in the United States to offer managed services. The U.S. company's data center serves as a vendor to various U.S. companies to store bulk U.S. sensitive personal data collected by those companies. These vendor agreements are restricted transactions.

(4) Example 4. A U.S. company develops mobile games that collect bulk precise geolocation data and biometric identifiers of U.S.-person users. The U.S. company contracts part of the software development to a foreign person who is primarily resident in a country of concern and is a covered person. The contract with the foreign person is a vendor agreement. The software-development services provided by the covered person under the contract involve access to the bulk precise geolocation data and biometric identifiers. This is a restricted transaction.

(5) Example 5. A U.S. multinational company maintains bulk U.S. sensitive personal data of U.S. persons. This company has a foreign branch, located in a country of concern, that has access to this data. The foreign branch contracts with a local company located in the country of concern to provide cleaning services for the foreign branch's facilities. The contract is a vendor agreement, the foreign branch is a U.S. person, and the local company is a covered person. Because the services performed under this vendor agreement do not “involve access to” the bulk U.S. sensitive personal data, the vendor agreement would not be a covered data transaction.

§ 202.259 - Venezuela.

The term Venezuela means the Bolivarian Republic of Venezuela, and any political subdivision, agency, or instrumentality thereof.

authority: 50 U.S.C. 1701
source: 90 FR 1706, Jan. 8, 2025, unless otherwise noted.
cite as: 28 CFR 202.212