Does Dept. of Justice Data Security Protection Rule Apply?

This decision tree was designed to help individuals at the UW identify whether the Data Security Protections from this apply to their proposed data transactions / data transfers. Walking through these steps will help you identify resources and guidance before engaging in the activities.

NOTE: regardless of whether the DOJ rule applies, review the International Activities Assessment Process to see if such an assessment still needs to be completed.

STEP 1: Identify Entities Involved

Does the data transaction involve a covered person, , or an entity or entities owned 50% or more by a country of concern or covered persons?

  • YES: Proceed to STEP 2.
  • NO: This DOJ Rule does not apply to your data transactions.

Need help identifying the entities involved in the transaction? Please reach out to the UW Privacy Office at uwprivacy@uw.edu.


A covered person is an individual or entity that either falls into one of the Data Security Program's (DSP) categories of covered persons, or that the DOJ National Security Division (NSD) has designated as a covered person.

Under of the DOJ , there are four categories of covered persons, which exclude U.S. persons.

These include any foreign entities and/or individuals:

  • headquartered in or organized under the laws of a ;
  • 50% or more owned by a country of concern or covered person;
  • primarily resident in a country of concern; and
  • who are employees or contractors of a covered person entity or a country-of-concern government.

Any person falling into one or more of these categories is automatically a covered person without further action by DOJ’s National Security Division (NSD).

The NSD may also designate any person (including a U.S. person) as a covered person… NSD will add designated covered persons to the Covered Persons List. Designated covered persons remain covered persons even when located in the United States.

Review more information:

  • Examples from the rule

Please review the as designated by the Dept. of Justice.

STEP 2: Determine the Nature of the Data

Does the data transaction involve bulk U.S. sensitive personal data or U.S. government related data?

  • YES: Proceed to STEP 3.
  • NO: This DOJ Rule does not apply to your data transactions.

Bulk U.S. sensitive personal data means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable threshold set forth in § 202.205.

There are six categories of U.S. sensitive personal data defined in the DOJ regulations with the following bulk thresholds:

  • collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons.
  • collected about or maintained on more than 1,000 U.S. persons.
  • collected about or maintained on more than 1,000 U.S. persons.
  • collected about or maintained on more than 10,000 U.S. persons.
  • collected about or maintained on more than 10,000 U.S. persons.
  • collected about or maintained on more than 100,000 U.S. persons.

The Department of Justice defines Bulk () and Bulk Sensitive Data ().

STEP 3: Determine Data Transaction Type

Review the following 3 questions for next steps and guidance. If you need help, please reach out to the UW Privacy Office at uwprivacy@uw.edu.

Is this data transaction considered exempt?

  • YES: Based on your responses, your data transactions are exempt from the rule.
  • NO: Review the following 2 questions.

Exempt data transactions are a specific type of transaction or activity that is excluded from the prohibitions or restrictions. The following categories are considered exempt data transactions:

  • Official Business of the U.S. Government (): Data transactions conducted for the official business of the U.S. government, including activities pursuant to a federal grant, contract, or other agreement entered into with the U.S. government.
    • Research Implications: If a research project involving covered data and a country of concern/covered person is funded by a U.S. federal agency (like NIH, NSF, DOD), the activities directly related to that federally funded research may be exempt.
    • NIH specifics: Agencies like the NIH have issued their own independent policies (e.g., NOT-OD-25-083) that prohibit institutions located in countries of concern from accessing NIH Controlled-Access Data Repositories and associated data. This NIH prohibition applies even if the transaction would be exempt under the DOJ's "official business" rule. Researchers working with NIH data must comply with both the DOJ rule and NIH's specific policies.
  • Drug, Biological Product, and Medical Device Authorizations () and Other clinical investigations and post-marketing surveillance data (): Transactions necessary for obtaining or maintaining regulatory authorization or approval to research or market a drug, biological product, or medical device. This also extends to certain post-market clinical investigations and surveillance data.
    • Research implications: Highly relevant for clinical trials, medical research, and studies supporting FDA (Food and Drug Administration) approvals. The DOJ acknowledged the importance of being able to associate patient data longitudinally in this context and expanded this exemption to include pseudonymized data. This applies to data required by a regulatory entity to obtain or maintain authorization or approval, and that is "reasonably necessary" to assess safety and effectiveness.
  • Personal Communications (): Routine personal communications, including emails, text or instant messages, and phone calls.
  • Informational Materials (): Expressive material like publications, films, photographs, artworks, and news feeds, are generally exempted, except for technical or functional data.
  • Travel (): Transactions ordinarily incident to and part of travel, such as airline bookings or hotel reservations.
  • Financial Services (): Transactions that are part of providing financial services (e.g., payment processing, settlements).
  • Corporate Group Transactions (): Internal corporate transactions within the same legal entity or its affiliates.
  • Transactions Required or Authorized by Federal Law or International Agreements, or Necessary for Compliance with Federal Law (): This applies to data transfers mandated by U.S. federal law, an international agreement, or is essential for legal compliance (e.g., reporting requirements).
  • Investment agreements subject to a CFIUS action (): This exemption doesn't typically apply to research in higher education settings. See the rule for details.
  • Telecommunication Services (): Providing telecommunication services, including voice and data communications in various formats (e.g., IP, voice, cable, wireless, fiber).

See for details on the categories of data transactions exempt from the Dept. of Justice's .

Is this data transaction considered prohibited?

  • YES: Based on your responses, you may not engage in the transaction unless the UW obtains a license from the DOJ to conduct the prohibited data transaction. Contact the UW Privacy Office with questions at uwprivacy@uw.edu.
  • NO: Proceed to next question.

See for guidance and more examples.

  • with a or Covered Person: This includes the sale of data, licensing access to data, or similar commercial transactions involving the transfer of covered data (bulk U.S. sensitive personal data or U.S. government-related data) to a country of concern or a covered person.
  • Bulk human 'omic data or human biospecimens from which such data can be derived (see ).

Is this data transaction considered restricted?

  • YES: Based on your responses, you may not engage in the transaction unless the UW obtains a license from the DOJ to conduct the restricted data transaction or implements a robust Data Security Program. Contact the UW Privacy Office with questions at uwprivacy@uw.edu.
  • NO: If the data transaction(s) is exempt and is not restricted or prohibited, the data transactions may proceed.

For transactions to proceed that are not Exempt, or , the U.S. person cannot undertake the transactions unless they comply with the DOJ Data Security Program requirements and the Cybersecurity and Infrastructure Agency ("CISA") Security Requirements for Restricted Transactions (see ) and all other applicable requirements under this part before the data transactions can occur. See .


Review the Cybersecurity and Infrastructure Agency ("CISA") and the .
