“A covered person is an individual or entity that either falls into one of the Data Security Program’s (DSP) categories of covered persons, or that the DOJ National Security Division (NSD) has designated as a covered person.

Under § 202.211(a) of the DOJ Data Security Protection Rule, there are four categories of covered persons, which exclude U.S. persons.

These include any foreign entities and/or individuals :

• headquartered in or organized under the laws of a country of concern;
• 50% or more owned by a country of concern or covered person;
•  primarily resident in a country of concern; and
• who are employees or contractors of a covered person entity or a country-of-concern government.

Any person falling into one or more of these categories is automatically a covered person without further action by DOJ’s National Security Division (NSD).

The NSD may also designate any person (including a U.S. person) as a covered person… NSD will add designated covered persons to the Covered Persons List. Designated covered persons remain covered persons even when located in the United States.”

Review more information:

• Examples from the rule § 202.211(a)
• Sept. 2025 DOJ National Security Division – Data Security Program FAQs

Please review the list of countries in the rule as designated by the Dept. of Justice.

Bulk U.S. sensitive personal data means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable threshold set forth in § 202.205.

There are six categories of U.S. sensitive personal data defined in the DOJ regulations with the following bulk thresholds:

• Human ‘omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons.
• Biometric identifiers collected about or maintained on more than 1,000 U.S. persons.
• Precise geolocation data collected about or maintained on more than 1,000 U.S. persons.
• Personal health data collected about or maintained on more than 10,000 U.S. persons.
• Personal financial data collected about or maintained on more than 10,000 U.S. persons.
• Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons.

The Department of Justice defines Bulk (28 CFR § 202.205) and Bulk Sensitive Data (28 CFR § 202.206).

U.S. Government-related data is defined under 28 CFR § 202.222 of the DOJ Data Security Protection Rule as:

1. Any precise geolocation data, regardless of volume, for any location within any area enumerated on the Government-Related Location Data List (§ 202.1401) which the Attorney General has determined poses a heightened risk of being exploited by a country of concern to reveal insights about locations controlled by the Federal Government, including insights about facilities, activities, or populations in those locations, to the detriment of national security, because of the nature of those locations or the personnel who work there. Locations may include:
   • The worksite or duty station of Federal Government employees or contractors who occupy a national security position as that term is defined in 5 CFR 1400.102(a)(4)
   • A military installation as that term is defined in 10 U.S.C. 2801(c)(4); or
   • Facilities or locations that otherwise support the Federal Government’s national security, defense, intelligence, law enforcement, or foreign policy missions.
2. Any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and Intelligence Community.

See Government-related data 28 CFR § 202.222 for examples.

Exempt data transactions are a specific type of transaction or activity that is excluded from the DOJ rule’s prohibitions or restrictions. The following categories are considered exempt data transactions:

• Official Business of the U.S. Government (§ 202.504): Data transactions conducted for the official business of the U.S. government, including activities pursuant to a federal grant, contract, or other agreement entered into with the U.S. government.
  • Research Implications: If a research project involving covered data and a country of concern/covered person is funded by a U.S. federal agency (like NIH, NSF, DOD), the activities directly related to that federally funded research may be exempt.
  • NIH specifics: Agencies like the NIH have issued their own independent policies (e.g., NOT-OD-25-083) that prohibit institutions located in countries of concern from accessing NIH Controlled-Access Data Repositories and associated data. This NIH prohibition applies even if the transaction would be exempt under the DOJ’s “official business” rule. Researchers working with NIH data must comply with both the DOJ rule and NIH’s specific policies.
• Drug, Biological Product, and Medical Device Authorizations (§ 202.510) and Other clinical investigations and post-marketing surveillance data (§ 202.511): Transactions necessary for obtaining or maintaining regulatory authorization or approval to research or market a drug, biological product, or medical device. This also extends to certain post-market clinical investigations and surveillance data.
  • Research implications: Highly relevant for clinical trials, medical research, and studies supporting FDA (Food and Drug Administration) approvals. The DOJ acknowledged the importance of being able to associate patient data longitudinally in this context and expanded this exemption to include pseudonymized data. This applies to data required by a regulatory entity to obtain or maintain authorization or approval, and that is “reasonably necessary” to assess safety and effectiveness.
• Personal Communications (§ 202.501): Routine personal communications, including emails, text or instant messages, and phone calls.
• Informational Materials (§ 202.502): Expressive material like publications, films, photographs, artworks, and news feeds, are generally exempted, except for technical or functional data.
• Travel (§ 202.503): Transactions ordinarily incident to and part of travel, such as airline bookings or hotel reservations.
• Financial Services (§ 202.505): Transactions that are part of providing financial services (e.g., payment processing, settlements).
• Corporate Group Transactions (§ 202.506): Internal corporate transactions within the same legal entity or its affiliates.
• Transactions Required or Authorized by Federal Law or International Agreements, or Necessary for Compliance with Federal Law (§ 202.507): This applies to data transfers mandated by U.S. federal law, an international agreement, or is essential for legal compliance (e.g., reporting requirements).
• Investment agreements subject to a CFIUS action (§ 202.508) doesn’t typically apply to research in higher education settings. see rule for details.
• Telecommunication Services (§ 202.509): Providing telecommunication services, including voice and data communications in various
  formats (e.g., IP, voice, cable, wireless, fiber).

See 28 CFR Subpart E: § 202.501 – 202.511 for details on the categories of data transactions exempt from the Dept. of Justice’s: Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons.

See Subpart C—Prohibited Transactions and Related Activities for guidance and more examples.

• Data Brokerage Transactions with a Country of Concern or Covered Person: This includes the sale of data, licensing access to data, or similar commercial transactions involving the transfer of covered data (bulk U.S. sensitive personal data or U.S. government-related data) to a country of concern or a covered person.
• Bulk human `omic data or human biospecimens from which such data can be derived (see § 202.303).