Limits on Access to U.S. Sensitive Personal Data and U.S. Government-Related Data

MIT researchers working with U.S. sensitive personal data or U.S. government-related data should be aware that access to these data types is regulated by a U.S. Department of Justice (DOJ) Final Rule (28 C.F.R. Part 202), effective April 8, 2025. 

Under the rule, access to certain data is restricted and in some cases prohibited for collaborators or contractors in “countries of concern” or visitors from these countries. MIT researchers must understand the practical implications and comply with the rule beginning October 6, 2025. Questions may be addressed to research-compliance-help@mit.edu.

Countries of Concern and Key Definitions

The DOJ rule aims to block or limit transfers of, and access to, certain government-related data and “bulk” sensitive U.S. personal data by identified “countries of concern,” or by persons/entities under their control (“covered persons”), on national security grounds. As of October 2025, the DOJ’s countries of concern for the purposes of this rule include:

  • China (including Hong Kong and Macau)
  • Russia
  • Iran
  • North Korea
  • Cuba
  • Venezuela  

To understand the DOJ rule and its impact on Institute activities, it is necessary to understand how the DOJ defines certain terms.

  • Sensitive personal data includes categories such as personal health data, personal financial data, precise geolocation data, certain biometric identifiers, and “human ʼomic data” (genomic, epigenomic, proteomic, transcriptomic). Some categories are regulated only when bulk thresholds are met (see below).

  • Bulk thresholds apply to the following categories of data at the following limits:

    • Human genomic data: ≥ 100 U.S. persons
    • Human epigenomic/proteomic/transcriptomic data: ≥ 1,000 U.S. persons
    • Biometric identifiers: ≥ 1,000 U.S. persons
    • Precise geolocation data: ≥ 1,000 U.S. persons
    • Personal financial data: ≥ 10,000 U.S. persons
    • Personal health data: ≥ 10,000 U.S. persons
    • Covered personal identifiers: ≥ 100,000 U.S. persons

    It does not matter whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable threshold.

  • Government-related data includes, among other things, location data associated with specified government facilities and functions.

  • Under the DOJ rule, a covered person is a foreign person designated by DOJ on a Covered Persons List, as well as entities/persons meeting specified criteria under the rule, including:

    • Persons primarily resident in a country of concern
    • Contractors of a country of concern or of a covered person
    • An entity 50% or more owned by covered person(s)
    • An entity that has its primary place of business in a country of concern
    • An entity organized or chartered in a country of concern
    • An entity 50% or more owned by a country of concern
  • Covered data transaction is any transaction that involves access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves: (a) data brokerage; (b) a vendor agreement; (c) an employment agreement; or (d) an investment agreement. The specific transaction types carry different implications.

Prohibited, Restricted, and Exempt Transactions

Once a transaction qualifies as a covered data transaction, the DOJ rule determines whether it is prohibited, restricted, or (in some cases) exempt.

  • Prohibited transactions include the following: 

    • Any data brokerage transaction that involves access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data; and 
    • Any covered data transactions with countries of concern or covered persons involving access to bulk human ʼomic data or human biospecimens from which bulk human ʼomic data could be derived.
  • Restricted transactions are covered data transactions involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person.

  • Exempt transactions include: 

    • Personal communications, such as email or phone calls, not involving the physical transfer of anything of value, including tangible goods and software. 
    • The import or export of information or informational materials. 
    • Activities conducted on behalf of the U.S. government or required by federal law. 
    • Drug, biological product and medical device authorizations. 
    • Medical research or clinical trials that fall under certain regulatory frameworks.
    • Certain other exemptions relating to the provision of financial services or telecommunications services, corporate group transactions, and certain investment agreements.

Responsibilities of MIT Researchers

  • If a collaborator, visiting scholar, cloud/IT vendor, contract research organization, or data recipient is in China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, or Venezuela, or appears on DOJ’s Covered Persons List (when made available), pause all work and contact research-compliance-help@mit.edu to determine whether the work may continue and, if so, which restrictions apply.

    • Human ʼomic data (genomic, epigenomic, proteomic, transcriptomic) at or above bulk thresholds: Prohibited to provide access to countries of concern/covered persons. 
    • Sensitive personal data (e.g., health, financial, precise location) in bulk, but not human ʼomic data: Cannot broker it; other access may be restricted, requiring certain security controls. 
    • Government-related data, including data regarding the location of government facilities and activities, or identifying data regarding personnel on DOJ’s list: Treat as regulated and consult research-compliance-help@mit.edu.
  • Review cloud storage, compute, laboratory information management systems, collaboration platforms, remote desktop, and code repositories. Ensure foreign vendor personnel from countries of concern and non-MIT collaborators from countries of concern cannot reach data regulated under the rule.

    • Working with RAS and OSATT as necessary, update data use agreements, subawards, and contract research organization agreements with DOJ-compliant security and non-transfer clauses.
    • Ensure COUHES protocols/consents reflect impermissibility of sharing regulated datasets with countries of concern/covered persons and the technical/contractual controls you will apply.
  • Build/maintain a data compliance program, keep records, and plan for annual audits covering security requirements for any restricted transactions.

  • As you share research security practices with your team, consider using this language:

    Do not give any collaborator or contractor in, or visitor from, China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, or Venezuela access to bulk U.S. human ʼomics data or the biospecimens behind it. That is prohibited under DOJ rules effective April 8, 2025.

    Before sharing any large U.S. health, financial, geolocation, or biometric dataset with a foreign person in a country of concern, email research-compliance-help@mit.edu. Some cases may be restricted and require DOJ-required security controls and later audits.