Counting Down to October 2025: Steps for Preparing Your Business for DOJ Enforcement

Explore the latest DOJ rule and its implications for industries like healthcare and life sciences, and the actionable steps organizations can take to comply with this crucial regulation.

5 min read

Author: Arjun Kalra, Senior Specialist - GRC and Data Privacy

The DOJ rule on cross-border data transfer

In today’s globalized and interconnected world, cross-border data transfers have become essential to business operations in industries ranging from healthcare and technology to finance and retail. However, moving sensitive data outside the United States carries significant risks, particularly where foreign nations with adversarial intentions are involved. Recognizing these risks, the Department of Justice (DOJ) released an updated rule on April 8, 2025, that reshapes how organizations handle data transfers across borders. This development marks a pivotal shift in US data regulation policy, emphasizing both privacy and national security.

In this blog, we’ll discuss the DOJ’s latest rule governing cross-border data transfers, explore its implications for industries like healthcare and life sciences, and provide actionable steps organizations can take to comply with this crucial regulation before enforcement begins in October 2025.

The DOJ’s objective: Safeguarding critical information

When sensitive data leaves US borders, there’s always the risk that foreign adversaries can access it directly or indirectly. Whether through third-party vendors, employment arrangements or investments, the DOJ's updated rule aims to prevent unauthorized access to personal or government-related information. It underscores the importance of reshaping how US organizations process and share sensitive data, ensuring adversarial powers cannot exploit it for unethical or harmful purposes. This updated regulation doesn’t just address privacy concerns; it introduces measures that place data protection in the context of national security.

The DOJ’s distinction: Restricted and prohibited transactions

The DOJ’s updated rule defines two key types of transactions related to cross-border data transfers:

1. Restricted transactions: The regulation restricts US entities and individuals from allowing sensitive data access through employment, investments or vendor agreements to "covered persons" or entities located in "countries of concern." These arrangements are only permitted if stringent Cybersecurity and Infrastructure Security Agency (CISA) security requirements are met. Let’s break it down:

a. Covered persons: Any individual or entity located in a "country of concern," or owned, controlled or directed by the government of one.

b. Countries of concern: This designation includes adversarial nations such as China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela.

CISA’s requirements span two categories:

Category 1 - Organizational and system-level controls: These include robust mechanisms to protect data, such as asset inventory, vulnerability management protocols, vendor contracts with specific security clauses, network topology safeguards, change management procedures, incident response measures and strict access controls.

Category 2 - Data-level requirements: To reduce risks, organizations must adopt advanced privacy-enhancing technologies, including:

  • Data masking and minimization: Ensures data irrelevant to the transaction is excluded from the exchange.
  • Encryption: Protects sensitive data during transfer.
  • Other privacy tools: Support real-time audits and anonymization processes.

Additionally, organizations must conduct annual security audits and implement a recordkeeping system capable of storing documentation for up to 10 years.

2. Prohibited transactions: Prohibited transactions apply to data brokerage activities, where bulk sensitive information (personal or government-related) is sold, traded, licensed or shared with adversarial nations or "covered persons." These transactions are forbidden under the following circumstances:

  • No direct consent or awareness: If the data is transferred without explicit user awareness or consent, it violates DOJ standards.
  • Uses that target or profile US persons: Data must not be used to exploit or profile US citizens for any adversarial purpose.

This prohibition ensures entities tied to adversarial nations cannot access sensitive datasets for manipulative activities, making it a crucial national security measure.

Implications for healthcare and life sciences

Healthcare and life sciences stand out among the sectors significantly affected by this rule due to the nature of the data they handle. Sensitive information such as human genomic data, biometric identifiers, precise geolocation data and personal health records are all subject to heightened scrutiny under the updated DOJ framework.

Why this sector must act now

The DOJ’s regulation is game-changing for organizations engaged in health-related activities, including clinical trials, Contract Research Organizations (CROs) and healthcare technology providers. This isn’t just about data privacy anymore—it's a regulatory issue tied to national security. Consider the following:

  • Biosecurity threats: Exposure of human genomic or biometric data to adversarial nations could lead to severe biosecurity risks, including manipulation of genetic information or targeting individuals for adversarial purposes.
  • Indirect exposure risks: Even if the direct exchange of data with a "country of concern" is avoided, adversaries can gain indirect access through intermediary companies, vendors or third-party employment arrangements.

For this reason, organizations in this sector must urgently review their data flows, revise vendor agreements and adopt compliance measures to prevent exposure to adversarial access.

Severe penalties for non-compliance

Failing to comply with the DOJ’s updated rule can result in severe penalties, demonstrating the seriousness of this regulation.

  • Civil fines: Organizations face fines of up to $368,136 or twice the transaction value, whichever is higher.
  • Criminal violations: Non-compliance could result in fines of up to $1 million and up to 20 years of imprisonment.

These harsh consequences reinforce the gravity of adhering to this rule, which goes beyond traditional privacy compliance measures to protect US national interests.

How organizations should prepare

With enforcement beginning in October 2025, organizations have a limited window to align their operations with the DOJ’s mandates. Here’s a step-by-step plan to help businesses prepare:

  1. Map cross-border data flows: Understand where sensitive data originates, where it is stored and where it is sent. Identify all external vendors, partners or intermediaries involved in handling the data. Ensure the mapping draws precise boundaries between US-based and foreign-based data handlers.
  2. Screen third parties: Conduct robust due diligence on third-party vendors, employment arrangements and investment partners. Investigate whether your third parties have direct or indirect ties to "countries of concern" or "covered persons."
  3. Implement risk-based compliance programs: Work with legal and IT teams to design compliance protocols aligned with CISA's requirements. Focus on integrating decision trees, organizational controls and measures to navigate restricted transactions effectively.
  4. Maintain robust documentation: Ensure all agreements, audits, compliance findings and supporting records are stored securely and accessible for a minimum of 10 years. This will make it easier to demonstrate compliance to regulators and withstand audits.

Final thoughts: The intersection of privacy, cybersecurity and geopolitics

The DOJ’s updated rule on cross-border data transfer reflects the growing importance of cybersecurity in addressing geopolitical threats. It’s a clarion call for organizations operating globally to rethink their data governance strategies to protect sensitive information and preserve trust, resilience and regulatory readiness. At HCLTech, we’re actively assisting organizations in navigating this new chapter in global data compliance through:

  • Data exposure assessments: Evaluating organizational vulnerabilities related to cross-border data flows.
  • Compliance framework implementation: Designing systems compliant with US and international standards.
  • Future-proofing data operations: Aligning businesses with evolving cybersecurity and data privacy regulations.

Time is of the essence. With October 2025 fast approaching, organizations must prioritize compliance to avoid hefty penalties and criminal liabilities while safeguarding their data from exploitation by adversarial nations.
