Summary
On 8 January 2025, the Department of Justice (DOJ) issued a new rule concerning the transfer of sensitive personal data from the U.S., which officially came into effect on 8 April 2025. This rule places stringent restrictions on transferring specific data types to designated “countries of concern” such as China, Iran, and Russia. High penalties await those who violate these rules, although civil enforcement has been paused until 8 July 2025, conditional upon good-faith compliance efforts. The regulation covers a range of data types, outlining various categories of transactions considered restricted or prohibited.
Key Points
- New DOJ rules restrict the transfer of U.S. sensitive personal and government-related data to likely hostile nations.
- Civil penalties can reach up to $368,136 per violation, with potential criminal penalties including imprisonment.
- The rule defines “sensitive personal data” into seven categories, including financial and health data.
- Failing to comply with these new regulations can result in significant legal and financial repercussions.
- There are exemptions for certain transactions, particularly in financial services and corporate group transactions.
Why should I read this?
If you deal with sensitive data in your business, you absolutely need to get your head around this new rule. It’s a major shake-up in how personal information can be shared across borders, especially for businesses with a global footprint. Dodging these compliance hurdles could mean serious trouble down the line, so arm yourself with knowledge and take proactive steps to stay on the right side of the law!