UW Research

Exempt Data Transactions – DOJ

Exempt data transactions are a specific type of transaction or activity that is excluded from the DOJ rule: Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons. See 28 CFR Subpart E: § 202.501 – 202.511 for details.

The following categories are considered exempt data transactions:

  • Personal Communications (§ 202.501): Routine personal communications, including emails, text or instant messages, and phone calls.
  • Informational Materials202.502): Expressive material like publications, films, photographs, artworks, and news feeds, are generally exempted, except for technical or functional data.
  • Travel (§ 202.503): Transactions ordinarily incident to and part of travel, such as airline bookings or hotel reservations.
  • Official Business of the U.S. Government (§ 202.504): Data transactions conducted for the official business of the U.S. government, including activities pursuant to a federal grant, contract, or other agreement entered into with the U.S. government.
    • Research Implications: If a research project involving covered data and a country of concern/covered person is funded by a U.S. federal agency (like NIH, NSF, DOD), the activities directly related to that federally funded research may be exempt.
    • NIH specifics: Agencies like the NIH have issued their own independent policies (e.g., NOT-OD-25-083) that prohibit institutions located in countries of concern from accessing NIH Controlled-Access Data Repositories and associated data. This NIH prohibition applies even if the transaction would be exempt under the DOJ’s “official business” rule. Researchers working with NIH data must comply with both the DOJ rule and NIH’s specific policies.
  • Drug, Biological Product, and Medical Device Authorizations (§ 202.510) and Other clinical investigations and post-marketing surveillance data (§ 202.511): Transactions necessary for obtaining or maintaining regulatory authorization or approval to research or market a drug, biological product, or medical device. This also extends to certain post-market clinical investigations and surveillance data.
    • Research implications: Highly relevant for clinical trials, medical research, and studies supporting FDA (Food and Drug Administration) approvals. The DOJ acknowledged the importance of being able to associate patient data longitudinally in this context and expanded this exemption to include pseudonymized data. This applies to data required by a regulatory entity to obtain or maintain authorization or approval, and that is “reasonably necessary” to assess safety and effectiveness.
  • Financial Services (§ 202.505): Transactions that are part of providing financial services (e.g., payment processing, settlements).
  • Corporate Group Transactions (§ 202.506): Internal corporate transactions within the same legal entity or its affiliates.
  • Transactions Required or Authorized by Federal Law or International Agreements, or Necessary for Compliance with Federal Law (§ 202.507): This applies to data transfers mandated by U.S. federal law, an international agreement, or is essential for legal compliance (e.g., reporting requirements).
  • Investment agreements subject to a CFIUS action (§ 202.508) doesn’t typically apply to research in higher education settings. see rule for details.
  • Telecommunication Services (§ 202.509): Providing telecommunication services, including voice and data communications in various
    formats (e.g., IP, voice, cable, wireless, fiber).

Resources