On January 8, 2025, the Department of Justice (“DOJ”) issued a final rule under Executive Order 14117, which established the Rule on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “Rule”). The Rule, which took effect on April 8, 2025, establishes export-like restrictions and prohibitions on transferring specific types of “bulk U.S. sensitive personal data” and certain specified “government-related data” (including of current or recent U.S. Government employees and sensitive government location data) to designated “countries of concern,” including China (with Hong Kong and Macau), Iran, North Korea, Cuba, Venezuela, and Russia, as well as transactions involving “covered persons,” which includes entities that are established under the laws of by a country of concern and their employees. The Rule established high civil penalties and allows for criminal enforcement. However, on April 11, 2025, DOJ paused civil enforcement until July 8, 2025, on the express condition of “good-faith” efforts to comply, or to come into compliance with the Rule, in the meantime. Criminal enforcement was not paused.
1. Who and What is Covered?
The Rule delineates four main categories of “covered data transactions,” which are defined as:
1. any transaction that involves any access by a country of concern or covered person;
2. to any bulk U.S. sensitive personal data or government-related data; and that involves:
(i) data brokerages;
(ii) vendor agreements (including those involving cloud services);
(iii) employment agreements; or
(iv) investment agreements.
“Sensitive personal data” is classified into seven distinct types, specifically:
1. covered personal identifiers (e.g., name and contact information, financial account numbers, Social Security Numbers, IP addresses, MAC addresses, device IDs, and Ad IDs);
2. precise geolocation data (within 1,000 meters);
3. biometric identifiers;
4. human-omic data (i.e., genomic, epigenomic, proteomic, and transcriptomic data);
5. personal health data (broadly defined);
6. personal financial data (broadly defined); and
7. any combination of the above categories.
“Bulk” means any amount of sensitive personal data that meets or exceeds the threshold for the respective “sensitive personal data” at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person. As seen in the table below, each category of sensitive personal data has a different bulk threshold:
A “covered person” under the Rule is:
1. A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
2. A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in points (1), (3), (4), or (5);
3. A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in points (1), (2), or (5);
4. A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or
5. Any person, wherever located, determined by the Attorney General:
(i) To be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person;
(ii) To act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or
(iii) To have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.
Corporate subsidiaries are treated as separate entities and are covered persons if they otherwise meet the Rule’s definition, while business units of a company are not, even if they are located in a country of concern. The Rule also grants the Attorney General wide discretion to determine whether a person has become a covered person.
The Rule also provides several examples to clarify the scope of “covered person” under the Rule. For example, citizens of a country of concern are exempt if they primarily reside in the U.S. or a third country, unless they are individually designated as a covered person by the Attorney General or are employed by a country of concern or covered person.
2. Prohibited Transactions
The Rule categorically prohibits certain high-risk transactions, such as “data brokerage” transactions involving covered data with countries of concern or covered persons, and transactions involving access to bulk human-omic data or biospecimens.
Data brokerage is defined as “the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.”
The Rule intentionally adopts a broad definition of data brokerage to ensure that “there are no significant loopholes for countries of concern to continue to leverage the data brokerage market as a means of acquiring and exploiting government-related or bulk U.S. sensitive personal data.”
DOJ emphasized this point in its Compliance Guide published on April 11, 2025, explaining that the definition of data brokerage captures “activities that may not be thought of in ordinary parlance as data brokerage [but] may nonetheless constitute data brokerage under the [Rule].” For example:
“A U.S. company maintaining a website or mobile application that contains ads with tracking pixels or software development kits that were knowingly installed or approved for incorporation into the app or website by the U.S. company. That transfer or provision of access to government-related or bulk U.S. sensitive personal data to covered persons or countries of concern could constitute data brokerage and could be a violation of the [Rule.]”
While data brokerage transactions with countries of concern or covered persons are prohibited, data brokerage transactions causing covered data to be sent to other countries (i.e., not countries of concern) require onward transfer contractual provisions and the reporting of violations to ensure that the covered data is not subsequently transferred to a country of concern.
3. Restricted Transactions
Other types of data transactions, including those in connection with vendor, employment, and investment agreements, are only “restricted,” and therefore permitted under strict conditions. These transactions must adhere to robust security requirements developed by the Cybersecurity and Infrastructure Security Agency (“CISA”), which include organizational and system-level cybersecurity controls, data-level protections like encryption and data minimization, and annual independent audits with detailed recordkeeping. Restricted transactions are also subject to due diligence, audit, recordkeeping, and reporting requirements that mandate the development and implementation of a written data compliance program by no later than October 6, 2025.
The Rule also imposes significant recordkeeping requirements: full and accurate records for any transaction subject to the Rule (not just those that are prohibited or restricted) must be kept for at least 10 years. There are also heightened recordkeeping requirements for U.S. persons engaging in restricted transactions (including written policies describing the data compliance program, implementation of the security requirements, results of annual audits and due diligence conducted to verify the data flow involved in any restricted transaction).
Restricted transactions are limited to data transactions in connection with vendor agreements, employment agreements, and investment agreements, each of which is defined in the Rule and discussed in its accompanying commentary.
Vendor agreements are defined as “any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.” As the definition of vendor agreements is very broad, the Rule provides helpful examples of what constitutes a vendor agreement. Specifically:
Example 1 involving a country of concern vendor that processes and stores bulk precise geolocation data collected through an app owned by a US company.
Example 2 involving IT-related services provided by a country of concern vendor to a US medical facility.
Example 3 involving a country of concern vendor providing data centers that provide managed services to US companies; and
Example 4 involving a US mobile games developer that receives software development services from a country of concern vendor.
A written agreement is not required by the text of the Rule but is recommended in order to make clear that the nature of a data transaction between parties falls within the “vendor agreement” (and thus restricted, rather than prohibited) category, and to be able to respond to a DOJ inquiry.
Employment agreements involve “any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.” In terms of a restricted employment agreement, the Rule describes a situation where a U.S. company hires an individual from a country of concern to perform job functions that involve access to sensitive U.S. data.
Investment agreements are defined as any arrangement where a person gains direct or indirect ownership interests or rights in U.S. real estate or a U.S. legal entity in exchange for payment or other consideration and excludes certain passive investments that do not pose national security risks, such as those with less than 10% voting and equity interest without substantive decision-making rights. An example of a restricted investment agreement is a U.S. company planning to build a data center in a U.S. territory to store bulk personal health data on U.S. persons, with a foreign private equity fund from a country of concern providing capital in exchange for a majority ownership stake.
4. Restricted Transactions and Compliance Obligations
U.S. entities involved in restricted transactions (i.e., covered data transactions in connection with vendor agreements, employment agreements, or investment agreements) are required to establish risk-based written compliance programs, conduct thorough due diligence on counterparties, including ownership and control checks, maintain detailed records, and complete annual independent audits.
Additionally, U.S. persons must report specific transactions, including rejected prohibited transactions, and maintain comprehensive records of all restricted transactions. In its April 11, 2025, supplementary package, including a press release, Compliance Guide, FAQs, and Implementation and Enforcement Policy, DOJ emphasized the importance of strict compliance with these procedural aspects of the Rule.
Importantly, DOJ also retains the authority to request information or documents, to require testimony, and to conduct hearings, regarding any act, or any transaction—whether prohibited or restricted under the Rule or not—at any time, underscoring the importance of compliance and detailed recordkeeping. Violations of the Rule can result in severe civil penalties (up to 8,136 per violation, or twice the amount of the transaction at issue, whichever is greater), and criminal penalties including prison sentences of up to 20 years and fines up to USD 1,000,000.
While DOJ paused civil enforcement until July 8, 2025, that pause is expressly conditioned on “good-faith efforts” to comply, or to come into compliance with the Rule between now and then. To emphasize the serious nature of its expectations during this civil enforcement pause, DOJ spelled out what it means by “good-faith efforts,” which includes the following types of activities:
1. Conducting internal reviews of access to sensitive personal data, including whether transactions involving access to such data flows constitute data brokerage;
2. Reviewing internal datasets and datatypes to determine if they are potentially subject to DSP;
3. Renegotiating vendor agreements or negotiating contracts with new vendors;
4. Transferring products and services to new vendors;
5. Conducting due diligence on potential new vendors;
6. Negotiating contractual onward transfer provisions with foreign persons who are the counterparties to data brokerage transactions;
7. Adjusting employee work locations, roles or responsibilities;
8. Evaluating investments from countries of concern or covered persons;
9. Renegotiating investment agreements with countries of concern or covered persons; and
10. Implementing the CISA Security Requirements, including the combination of data-level requirements necessary to preclude covered person access to regulated data for restricted transactions.
5. Exemptions
The Rule provides several exemptions for otherwise restricted or prohibited data transactions, including official U.S. government business, financial services, corporate group transactions, and certain clinical investigations and regulatory submissions for drugs, biological products, and medical devices. For the purposes of this alert, we will only analyze the financial services and corporate group transactions exemptions.
Financial Services
The exemption for financial services relates specifically to data transactions that are “ordinarily incident to and part of the provision of financial services.” These include, for example:
1. Banking, capital markets, or financial insurance services;
2. The transfer of covered data incidental to the purchase and sale of goods and services (such as online shopping or e-commerce marketplaces);
3. The provision or processing of payments or funds transfers (such as services for payment dispute resolution, payor authentication, tokenization, payment gateway, payment fraud detection); and
4. Provision of investment management services.
The Rule addresses ecommerce in §202.205(a)(4):
§ 202.505 Financial services.
(a) Exemption. Subparts C, D, J, and K (other than § 202.1102 and § 202.1104) of this part do not apply to data transactions, to the extent that they are ordinarily incident to and part of the provision of financial services, including:
(4) The transfer of personal financial data or covered personal identifiers incidental to the purchase and sale of goods and services (such as the purchase, sale, or transfer of consumer products and services through online shopping or e-commerce marketplaces)
The Rule also provides 12 examples for what data transactions may fall within the financial services exemption. One of the examples relates specifically to e-commerce:
As part of operating an online marketplace for the purchase and sale of goods, a U.S. company, as ordinarily incident to and part of U.S. consumers’ purchase of goods on that marketplace, transfers bulk contact information, payment information (e.g., credit-card account number, expiration data, and security code), and delivery address to a merchant in a country of concern. The data transfers are exempt transactions because they involve access by a covered person to bulk personal financial data, but they are ordinarily incident to and part of U.S. consumers’ purchase of goods.
As a result, the financial services exemption provides some allowance for online marketplaces and other forms of e-commerce, even where bulk personal financial data is transferred to a country of concern. However, the limits of the “ecommerce” provision of the financial services exemption addressed in the Rule and in the example addressed above are not addressed with specificity in the Rule or the Rule’s Preamble. Whether the provision of covered personal financial data and personal identifiers is incidental to the purchase, sale, or transfer of consumer products and services through online shopping or ecommerce marketplaces depends on the facts. Accordingly, a case-by-case evaluation is necessary, as misplaced reliance on an exemption could lead to steep penalties – or worse. We expect that DOJ will address this issue with more detail in future guidance.
Corporate Group Transactions
The corporate group transactions exemption permits otherwise prohibited or restricted data transactions “between a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control) of a country of concern,” where they are ordinarily incident to and part of the administrative or ancillary business operations. According to the Rule, such ordinarily incident activities include:
1. Human resources;
2. Payroll, expense monitoring and reimbursement and other corporate financial activities;
3. Paying business taxes;
4. Obtaining business permits or licenses;
5. Sharing data with auditors or law firms for regulatory compliance;
6. Risk management;
7. Business-related travel;
8. Customer support;
9. Employee benefits; and
10. Employees’ internal and external communications.
In the Rule’s commentary as well as the FAQs published on April 11, 2025, DOJ clarified that while the administrative and ancillary business are “illustrative and not exhaustive,” those exempt activities do not include “core business activities, such as product development and research.”
As with other areas of the Rule, these two exemptions are complex, and misapplication of them could have serious consequences. When considering them, and other aspects of the Rule, consult competent counsel.
Finally, U.S. persons may also seek specific licenses for otherwise prohibited transactions on a case-by-case basis.
6. Impact and Compliance Recommendations for Chinese Enterprises
In order to comply with the Rule, Chinese enterprises with U.S. business exposure, particularly those maintaining local entities in the United States, must carefully scrutinize their operational frameworks, including business models, and personnel deployment.
Where potential access to bulk U.S. sensitive personal data or government-related data exists, such enterprises should: (i) assess whether there are compliance risks under the current regulatory framework of the Rule, and (ii) implement mitigating controls, as well as necessary due diligence, auditing, recordkeeping and reporting policies and procedures, to ensure adherence to these new regulatory requirements.
Pursuant to the Rule and the DOJ’s guidance documents on DSP, we recommend the following compliance measures for Chinese Enterprises:
(1) Initiate immediate due diligence on relevant transactions and associated data transfers, including the business scenarios, data flows, types, and scale of data transferred from the U.S. to China;
(2) Evaluate whether the relevant transactions constitute restricted or prohibited transactions under the Rule, and whether the transactions qualify for exemptions under the Rule;
(3) If the relevant transactions are considered restricted or prohibited, conduct analysis on business model adjustments, and assess the feasibility of terminating the data flows to China;
(4) Review and amend third party agreements to embed data sovereignty clauses to restrict secondary transfers through indemnification provisions;
(5) Implement role-based access controls for U.S.-based personnel;
(6) Establish a comprehensive data compliance management plan system aligned with DOJ’s compliance guidelines, including management processes and corresponding policies for transaction evaluation and data mapping, vendor due diligence and verification, written organizational data compliance management policies and compliant security management policies, employee training mechanisms, recordkeeping, reporting, and regular audit mechanisms; and
(7) Ensure that your U.S. partner in covered data transactions is carefully following all applicable requirements of the Rule (including compliance with the CISA security requirements, where applicable).
Where Chinese enterprises are collaborating with U.S. counterparts, we recommend the following additional compliance measures:
(1) Conduct a deep-dive analysis of the transactions and data sharing mechanisms with U.S. companies and evaluate whether and to what extent they are subject to the Rule.
(2) Assess the impact of the Rule on Chinese enterprises’ U.S. business and consult with legal counsel regarding contingency strategies such as implementing geofencing for domestic U.S. data access and exploring alternative business models.
In addition, Chinese enterprises should continue to monitor DOJ’s regulatory updates (and those of this article’s co-authors at JunHe and ArentFox Schiff LLP), follow up on the release and updates of the Covered Persons List, and take timely response measures.
Key Takeaways
The Rule significantly expands U.S. national security controls over sensitive personal data, and will affect a broad spectrum of U.S. businesses, particularly in e-commerce, technology, healthcare, financial services, and cloud computing. While initial compliance costs, such as assessments and remediation, are one-time expenses, businesses will encounter numerous ongoing obligations, including continuous due diligence, compliance program updates, monitoring, regular audits, and detailed recordkeeping and reporting.
Industries such as e-commerce and online advertising, which depend on vast amounts of personal data to enhance customer engagement and optimize marketing strategies, will be significantly affected by the Rule. The broad definition of data brokerage under the Rule has important implications for how these industries manage data transactions. E-commerce businesses may need to reevaluate and update their data management practices, especially as it pertains to third-party vendors and other service providers that may have access to sensitive data.
The Rule is detailed and complex, and compliance is time-consuming and resource intensive. Now is the time to consult experienced counsel, take inventory of your data transactions, assess compliance obligations, and engage in the types of “good-faith efforts” enumerated by the DOJ and listed above.
If you have questions about how the Rule may affect your business, please reach out to Reed Freeman Jr. (reed.freeman@afslaw.com), another member of the firm’s Privacy, Data Protection & Data Security group, or Ryo Lu (lusp@junhe.com) of JunHe LLP.