Department of Justice (“DoJ”) regulations published at 28 C.F.R. pt. 202 (“Part 202”) impose restrictions on the transfer of “bulk U.S. sensitive personal data” to “countries of concern” and related “covered persons.” University faculty, staff, and students must not cause unauthorized transfers and related transactions in violation of Part 202.
Please contact the Export Controls and Research Security team (ECRS) at [email protected] with your questions about the restrictions, scope of regulated data, exception criteria, and other aspects of Part 202.
What are bulk U.S. sensitive personal data subject to Part 202?
Part 202 defines bulk U.S. sensitive personal data as sensitive personal data about U.S. individuals meeting specified volume thresholds that vary by category of information. For instance, the bulk threshold for human genomic data is 100 U.S. individuals, whereas the threshold for mere personal identifiers is 100,000 U.S. individuals.
Sensitive personal data include:
- covered personal identifiers
- precise geolocation data
- biometric identifiers
- human `omic data
- personal health data
- personal financial data
- any combination of the above
Note: Information that is lawfully available to the public, either from a government record or in widely distributed media (such as open-access repositories and websites), is not sensitive personal data subject to Part 202, and thus cannot be bulk U.S. sensitive personal data, regardless of volume.
What are the countries of concern?
For purposes of Part 202, the countries of concerns are:
- China
- Cuba
- Iran
- North Korea
- Russia
- Venezuela
Who or what are covered persons?
In simple terms, covered persons are individuals and organizations located in (or majority owned/controlled by an entity in) any country of concern. Covered persons would include universities, biotechnology companies, clinical research organizations, and their employees in China, Russia, and the other countries of concern.
Are all transfers of bulk U.S. sensitive personal data to countries of concern or covered persons categorically prohibited?
No, not necessarily. A transfer meeting specified criteria can qualify for one of Part 202’s exemptions. For example, a transfer of bulk U.S. sensitive personal data to a research institution in China made pursuant a federal grant or contract will not be subject to the restrictions of Part 202, provided certain conditions (including documentation requirements) are met. Exemptions might also apply in connection with clinical investigations subject to the jurisdiction of the Food and Drug Administration and releases of information needed to obtain regulatory approval from government authorities in a country of concern. University personnel wishing to utilize any exemption to Part 202 must coordinate with ECRS to ensure the qualifying criteria and recordkeeping requirements are met.
In some situations, it might be possible to obtain case-specific DoJ authorization to engage in a restricted transfer or related transaction that does not qualify for an exemption.
What are the consequences for violating Part 202?
Depending on the severity of the situation, infractions may result in warning letters, substantial civil fines, or—for willful, deliberate violations—possible criminal penalties, to include incarceration. Part 202 noncompliance could also put current or future federal research support at risk.