DOJ’s Bulk Sensitive Personal Data Rule: A Cross-Border Compliance Imperative for the Life Sciences Industry
July 15, 2026For the life sciences industry, the flow of human genomic data, biospecimens, and clinical trial records across borders is not merely an operational detail, it is the lifeblood of global research and development. But the regulatory environment governing the flow of this data and materials has shifted dramatically. Now at the end of its initial grace period, the US Department of Justice’s Data Security Program is in full effect. Concurrently, the House Select Committee on the Chinese Communist Party has initiated investigations into clinical trials conducted in China by major pharmaceutical companies with an eye toward the handling of sensitive health data.
As detailed in our June LawFlash US-China Biotech Transactions: Navigating Each Country’s Evolving Regulatory Landscape, the regulatory environment governing cross-border biotech activity is evolving rapidly on both sides of the Pacific, with developments such as the COINS Act, the proposed Biotech Investment National Security Act (BINSA), the BIOSECURE Act, and China’s State Council Decree No. 837 reshaping how transactions are structured.
This LawFlash addresses a complementary and equally consequential dimension of that landscape: the regulation of bulk sensitive personal data itself. While investment screening governs who may own or fund a life sciences business, the Data Security Program (DSP) governs the data that flows through it—and it applies regardless of how a transaction is structured.
In this LawFlash we analyze the impact of the DSP on the life sciences industry from a dual perspective, addressing the compliance imperatives for US pharmaceutical companies and the strategic considerations for Chinese biotechnology firms navigating this complex cross-border environment.
THE US PERSPECTIVE: ENFORCEMENT, EXEMPTIONS, AND EMERGING RISKS
The DSP[1] fundamentally alters how US life sciences companies must manage bulk sensitive personal data, but it is not a blanket ban on data flows. The rule establishes a two-tier structure.
First, a narrow set of transactions is prohibited outright: data brokerage transactions with countries of concern or covered persons, and any covered data transaction that gives a country of concern or covered person access to bulk human 'omic data or human biospecimens from which such data could be derived.[2] Second, covered data transactions involving vendor agreements, employment agreements, or investment agreements are restricted transactions.
As we explored in our report DOJ’s Data Security Program Enforcement in Full Swing: Key Considerations for Companies, restricted transactions may lawfully proceed provided that the US person implements the security requirements developed by the Cybersecurity and Infrastructure Security Agency (CISA) and complies with the applicable due diligence, audit, reporting, and recordkeeping obligations.[3] A restricted transaction conducted without the required security measures is treated as a prohibited transaction, so the distinction is only as good as the compliance program behind it.[4]
This two-tier structure has particular significance for the life sciences industry, which routinely handles data categories subject to the rule’s strict bulk thresholds. The rule defines “bulk” as meeting or exceeding specific volume thresholds at any point in the preceding 12 months, whether in a single transaction or aggregated across transactions with the same non-US or covered person.[5]
The thresholds for the categories of sensitive personal data are:
- Human Genomic Data: More than 100 US persons
- Other Human 'Omic Data (epigenomic, proteomic, transcriptomic): More than 1,000 US persons
- Biometric Identifiers: More than 1,000 US persons
- Precise Geolocation Data: More than 1,000 US devices
- Personal Health Data: More than 10,000 US persons
- Personal Financial Data: More than 10,000 US persons
- Covered Personal Identifiers: More than 100,000 US persons
Crucially, outside the data-brokerage context, human genomic and other 'omic data, along with human biospecimens from which bulk human 'omic data could be derived, are the only categories for which the rule imposes a categorical prohibition that cannot be cured by security measures.[6]
For life sciences companies whose research, biobanking, and clinical operations routinely involve precisely these data types, the compliance stakes are materially higher than for companies handling only personal health or financial data where the restricted-transaction pathway remains available under vendor, employment, or investment agreements.
Furthermore, unlike the Committee on Foreign Investment in the United States’ regulations and many privacy laws, the DSP does not exempt anonymized, pseudonymized, de-identified, or encrypted data.[7]
The Narrow Scope of the Clinical Investigation Exemption
A central issue for US pharmaceutical companies conducting clinical trials abroad—particularly where the arrangements involve clinical trial services and may therefore constitute restricted transactions—is the scope of the clinical investigation exemption. While the rule exempts data transactions ordinarily incident to and part of clinical investigations in support of regulatory applications to the US Food and Drug Administration or other regulatory entities,[8] this exemption is narrowly construed. It does not provide a blanket safe harbor for all data generated during a clinical trial.
If a US sponsor transfers bulk sensitive personal data to a clinical research organization or clinical site in a country of concern for activities that are not ordinarily incident to and part of the FDA-regulated clinical investigation, or a clinical investigation supporting an FDA research or marketing application—such as standalone exploratory biomarker research outside the trial protocol or commercial use unrelated to the clinical investigation—the exemption may not apply.
Furthermore, when relying on the exemption branch for real-world performance or post-marketing surveillance data (including pharmacovigilance), the exemption is contingent on the data being de-identified or pseudonymized consistent with the standards of 21 CFR Part 314.80.
In response to these strict parameters, life sciences companies and major research institutions are actively revising their template agreements. Clinical trial agreements are increasingly incorporating provisions that restrict onward transfers of data to covered persons when the sponsor is a foreign entity, or require US sponsors to affirmatively represent and warrant that they are not covered persons.
Similarly, licensing and pharmacovigilance agreements are being updated to expressly limit a covered person’s use of shared data solely to activities permitted under the regulatory approval exemption.[9]
Full Enforcement and Escalating Compliance Obligations
The DSP’s initial grace period ended on July 8, 2025. Since October 6, the rule’s rigorous compliance requirements for restricted transactions—including due diligence, independent annual audits, and a 10-year recordkeeping mandate—have been fully effective.[10]
An audit must be conducted once for each calendar year in which a US person engages in a restricted transaction and must cover the preceding 12 months. Separately, companies were to submit their annual reports to the DOJ by March 1, 2026 for any restricted transactions involving cloud-computing services and that has 25% or more of the US person’s equity interests owned (directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise) by a country of concern or covered person.[11]
Violations of the DSP carry severe consequences under the International Emergency Economic Powers Act, with civil penalties up to $377,700 (as adjusted for inflation) or twice the value of the transaction, alongside potential criminal liability.[12] To further drive compliance, the DOJ updated its FAQs in September 2025 to establish a formal process for reporting DSP violations, backed by financial incentives for whistleblowers.[13]
Congressional Scrutiny and Emerging Class Action Risk
The compliance burden is compounded by intense congressional scrutiny. In late June 2026, the House Select Committee on the Chinese Communist Party sent inquiry letters to five major US pharmaceutical companies regarding their clinical trials in China, raising concerns about data security, ethical standards, and the potential transfer of intellectual property.[14] While these letters are investigatory rather than punitive, they signal a clear legislative intent to closely monitor life sciences data flows.
More notable is the emerging trend of private litigation weaponizing the DSP. Plaintiffs’ attorneys are increasingly citing alleged violations of the DSP as a predicate for consumer privacy class actions, arguing that the transfer of sensitive data to covered persons without adequate safeguards constitutes a violation of the Electronic Communications Privacy Act under the crime-tort exception.
While courts are divided on the applicability of this exception, at least one federal court has recently allowed such a wiretap claim to proceed past the pleading stage and recognized that non-US parent companies could face vicarious liability for alleged DSP violations by their US subsidiaries.[15] This development transforms the DSP from a purely regulatory compliance issue into a significant source of civil liability risk for US companies collecting health data.
THE CHINESE BIOTECH PERSPECTIVE: COVERED PERSON STATUS AND CROSS-BORDER CONFLICTS
For Chinese biotechnology companies and research institutions, the DSP presents a different set of challenges. These entities must navigate their status as “covered persons” under the rule and manage the potential conflicts between US data security requirements and Chinese domestic law.[16]
Navigating ‘Covered Person’ Status in Cross-Border Deals
Chinese entities that fall within the definition of a “covered person” must know which pathway applies to a proposed data flow from a US partner.[17] Transactions involving bulk human 'omic data or human biospecimens from which such data could be derived are categorically prohibited, and no security measures grant them authorization.
By contrast, data flows occurring through vendor, employment, or investment agreements, including many clinical trial services, pharmacovigilance, and research collaboration arrangements involving other categories of sensitive personal data, remain available as restricted transactions if the US partner implements the aforementioned CISA security requirements and associated compliance measures.
This distinction directly shapes how cross-border licensing, joint ventures, and collaborative research agreements can be structured. This data-level analysis operates alongside the transaction-structure analysis discussed in our June LawFlash: even where a deal is structured as pure licensing for cash, which generally carries the least investment-screening friction on both sides of the Pacific, any accompanying flow of bulk US sensitive personal data or human biospecimens to a covered person must be independently assessed under the DSP.
If a Chinese biotech company seeks to enter into a data-sharing arrangement with a US partner, it must anticipate that the US partner will require stringent contractual representations, warranties, and audit rights to comply with the DSP. Because the restricted-transaction pathway depends on the US person’s ability to implement and verify the CISA security requirements, Chinese companies that proactively assess their data infrastructure, segregate access controls, and demonstrate auditable governance will be materially more attractive as collaboration partners than those that cannot. In practice, a Chinese company’s DSP readiness is becoming a commercial differentiator in cross-border deal negotiations, not merely a legal formality.
THE COLLISION OF US AND CHINESE DATA REGULATIONS
The most complex challenge arises when the requirements of the DSP conflict with Chinese domestic regulations. As we explored in our May LawFlash Strategic Compliance: Navigating HGR and Data Risks in China Life Sciences Transactions, China maintains strict oversight over human genetic resources (HGR) and the cross-border transfer of personal information, and a May 2026 consultation draft of updated HGR implementation rules may meaningfully reshape those requirements.
The DSP mandates that US persons implement security measures, including data minimization and access controls, when engaging in restricted transactions. In some scenarios, a US partner may require that data generated in a collaborative project in China be stored exclusively on US servers or that access by the Chinese partner be restricted to comply with the DSP.
This requirement directly conflicts with Article 24 of the Chinese HGR Regulations, which mandates that Chinese partners in international collaborative research must have full access to all records and data and that such data must be backed up locally in China.[18]
Furthermore, if a US partner acting under the DSP’s audit or reporting requirements requests information from a Chinese entity, the Chinese entity must carefully evaluate whether providing such information violates Article 36 of the Chinese Data Security Law, which prohibits the provision of data stored in China to foreign judicial or law enforcement authorities without approval from the competent Chinese authorities.[19]
Compliance with the DSP’s restrictive measures by a Chinese entity or its US partner operating in China could also potentially trigger scrutiny under China’s Anti-Foreign Sanctions Law or the Rules on Counteracting Unjustified Extraterritorial Application of Foreign Legislation, or the Regulations on Countering Unjustified Extraterritorial Jurisdiction by Foreign States, which prohibit compliance with discriminatory foreign measures and block enforcement of unlawful foreign extraterritorial mandates.[20]
Navigating this regulatory collision requires sophisticated structuring of data flows, IP ownership, and contractual obligations to satisfy the mandates of both jurisdictions simultaneously. When contracting, it is important to consider how arising liability is allocated and potential judgments would be enforced.
HOW WE CAN HELP
Morgan Lewis’s cross-border life sciences team is uniquely positioned to assist clients in navigating the intersection of US and Chinese regulatory frameworks.
We regularly advise pharmaceutical and biotechnology companies on conducting comprehensive data mapping and compliance audits under the DSP; structuring cross-border licensing, joint venture, contract services, and clinical trial agreements to mitigate risks under both the DSP and Chinese HGR and data export regulations; developing contractual mechanisms, including exclusive grant-back licenses and segmented IP definitions, to reconcile conflicting data access and ownership requirements; and responding to congressional and regulatory inquiries as well as emerging class action litigation arising from cross-border data flows.
For a deeper discussion of the transaction-structuring dimension of these issues, please join the authors on July 22 for our webinar Structuring Cross-Border Biotech Deals in the Shadow of US and China Regulatory Tightening, which will address the COINS Act, BINSA, BIOSECURE Act, and China’s Decree No. 837 and how deal teams can build structural flexibility into cross-border transactions.
Contacts
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:
[1] 28 CFR Part 202 (2025); Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, 90 Fed. Reg. 1636 (Jan. 8, 2025) (final rule implementing EO 14117, 89 Fed. Reg. 15421 (Mar. 1, 2024)).
[2] 28 CFR § 202.301 (prohibited data-brokerage transactions); 28 CFR § 202.302 (other prohibited data-brokerage transactions involving potential onward transfer); 28 CFR § 202.303 (prohibited human 'omic data and human biospecimen transactions).
[3] 28 CFR § 202.401(a) (authorization to conduct restricted transactions); 28 CFR § 202.248 (security requirements); 28 CFR Part 202, subpart J (due diligence and audit requirements); 28 CFR Part 202, subpart K (reporting and recordkeeping requirements).
[4] 28 CFR § 202.401(c)(2) (example treating a noncompliant restricted transaction as prohibited).
[5] 28 CFR § 202.205 (definition of bulk thresholds).
[6] 28 CFR § 202.303 (prohibited human 'omic data and human biospecimen transactions).
[7] See 28 CFR § 202.206 (sensitive personal data definition encompassing anonymized, pseudonymized, de-identified, or encrypted data, except where specific exemptions like § 202.511 apply).
[8] 28 CFR § 202.511(a)(1)-(2) (FDA-regulated clinical investigations and FDA applications); 28 CFR § 202.511(a)(2) (requiring de-identification or pseudonymization consistent with 21 CFR 314.80).
[9] See 28 CFR § 202.511 (exemption for clinical investigations and post-marketing surveillance data); 28 CFR § 202.510 (exemption for drug, biological product, and medical device authorizations).
[10] 28 CFR Part 202, subpart J (due diligence and audit requirements, effective Oct. 6, 2025); 28 CFR Part 202, subpart K (recordkeeping).
[11] 28 CFR § 202.1103 (annual reporting requirements for certain restricted transactions).
[12] 50 USC § 1705 (penalties under IEEPA); 28 CFR § 202.1301; see also 90 Fed. Reg. 8429 (Jan. 29, 2025) (notice on penalty inflation adjustments).
[13] US Dep’t of Justice, Nat’l Sec. Div., Data Security Program FAQs (updated Sept. 24, 2025).
[14] Letters from Rep. John Moolenaar, Chairman, House Select Comm. on the Strategic Competition Between the United States and the Chinese Communist Party, to five major pharmaceutical companies (June 30, 2026).
[15] See, e.g., Complaint, Porcuna v. Xandr, Inc., No. 4:25-cv-07385 (N.D. Cal., filed Sept. 2, 2025); Complaint, Baker v. Index Exchange, Inc., No. 1:25-cv-10517 (N.D. Ill., filed Sept. 2, 2025); Complaint, Christy v. Lenovo (United States) Inc., No. 3:26-cv-0113 (N.D. Cal., filed Feb. 5, 2026). For the recent pleading-stage decision allowing a wiretap claim to proceed based on an alleged DSP predicate violation, see Baker v. Index Exch. Inc., No. 25 C 10517, 2026 U.S. Dist. LEXIS 133750 (N.D. Ill. June 16, 2026).
[16] 28 CFR § 202.211 (definition of covered person).
[17] 28 CFR §§ 202.301-202.303, 202.401.
[18] Regulation on the Administration of Human Genetic Resources, State Council Decree No. 717, arts. 24, 28 (promulgated May 28, 2019, effective July 1, 2019), as amended by State Council Decree No. 777 (effective May 1, 2024) (China).
[19] Data Security Law of the People’s Republic of China, art. 36 (promulgated by the Standing Comm. Nat’l People’s Cong., June 10, 2021, effective Sept. 1, 2021) (China).
[20] Anti-Foreign Sanctions Law of the People’s Republic of China, art. 12 (promulgated by the Standing Comm. Nat’l People’s Cong., June 10, 2021, effective June 10, 2021) (China); Rules on Counteracting Unjustified Extraterritorial Application of Foreign Legislation, MOFCOM Order No. 1 of 2021 (promulgated Jan. 9, 2021, effective Jan. 9, 2021) (China); Regulations of the People’s Republic of China on Countering Unjustified Extraterritorial Jurisdiction by Foreign States, State Council Decree No. 835 (Apr. 7, 2026) (China).