Under the Biden Administration, the so-called “Bulk Data Rule” was issued on February 28, 2024, as an Executive Order 14117, entitled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern”. A final rule, 90 Fed. Reg. 1646 (Jan. 8, 2025) (codified at 28 C.F.R. pt. 202), under this Executive Order issued on January 8, 2025, with an intended effective date of April 8, 2025. Thereafter, under the Trump administration, the final rule, drafted by the Department of Justice, implementing the “Bulk Data Rule” took effect on April 8, 2025, with a 90-day grace period that ended July 8, 2025. An extended grace period for internal reporting and tracking requirements ended on October 6, 2025. The grace period is now over, and thus the Bulk Data Transfer Rule is in full effect.
In general, the purpose of the Bulk Data Rule is to restrict transfer of specified bulk data to persons from countries of concern.
Countries of concern (as well as persons from countries of concern), include the People’s Republic of China, and Hong Kong and Macau, Russia, Iran, North Korea, Cuba and Venezuela. Covered person covers any primary resident of one of these countries, or entity more than 50% owned by persons or entities of a covered country.
The Bulk Data Rule governs transactions of “Bulk Data”: bulk United States sensitive personal data (e.g., Human ‘omics data, biometric identifiers, and precise geolocation data of over 1000 persons, human health and personal financial data of over 10,000 persons) or United States government data by a country or person of concern, known as a “covered person” (see Table 1 below).
Table 1 – Bulk Data:
| U.S. Sensitive Personal Data | Threshold |
| Human genomic data | 100 U.S. persons |
| Human ‘omic data | 1,000 U.S. persons |
| Biometric Identifier | 1,000 U.S. persons |
| Precise geolocation data | 1,000 U.S. persons |
| Personal health data | 10,000 U.S. persons |
| Personal financial data | 10,000 U.S. persons |
| Covered personal identifiers | 100,000 U.S. persons |
| Combined data[1] | Lowest applicable number |
The Bulk Data Rule is especially relevant as it relates to data acquisition, access and transfer to countries or persons of concern. Significantly, this applies not only to business partners in covered countries, but also to employees, consultants, or contractors who are primary residents of countries of concern.
Does the Bulk Data Rule apply to you?
- Do you maintain, transfer, or provide access to any of the data categories listed in Table 1?
If you answer yes, or potentially yes, it is imperative that you understand the scope of your data and whether or not you must comply with the Bulk Data Rule.
- Do you have employees, contractors, interns, or other faculty/staff members who are primary residents of Countries of concern?
If you answer yes, then you must understand with great details the data that you receive, store, and transfer along with the individuals who have access, in any form, to this data.
- Do you know your customer?
Failing to know your customer can lead to costly mistakes the violate the Bulk Data Rule.
If you are a university, healthcare or health data company, or any other organization that has access, at any point or for any time, to Bulk Data you might be affected by the Bulk Data Rule.
If you would like to learn more about the Bulk Data Rule, and how it applies to you please contact us.
[1] Combined data is data combined from any category or data that can be linked to any category (a) – (e).
* Charles R. Macedo is a Partner, Gary J. Gershik is a Partner, and Lewis Derenzis III is a Patent Agent at Amster, Rothstein & Ebenstein LLP. They practice all areas of intellectual property law, including data licensing. They can be reached at [email protected], [email protected] and [email protected].