The Basics
In early 2024, Executive Order 14117 was signed to protect Americans’ bulk sensitive personal data and government-related data from access by countries of concern. The Department of Justice implemented this through 28 CFR Part 202, which went into effect in July 2025.
These rules are designed to protect sensitive U.S. data from being accessed or exploited by foreign entities, particularly in ways that could compromise national security, such as through surveillance, cyber threats, or misuse of advanced technologies like AI.
Understanding U.S. Data Restrictions and How They Affect Global Clinical Research
Clinical research increasingly spans international boundaries, with trials often generating and transferring large volumes of sensitive health and genetic data. New U.S. rules require researchers to think more carefully about where data flows, who can access it, and under what conditions. These changes raise important questions about how and where sensitive data can be shared.
Even if you’re not conducting research in a country of concern, you may work with vendors, platforms, or service providers who do. These partners may have employees, infrastructure, or ownership links tied to high-risk jurisdictions. That means your operations could be impacted in ways you haven’t anticipated.
Here’s a quick breakdown of what you need to know.
Who’s Affected?
These rules apply whenever a country of concern can access bulk U.S. sensitive personal data or government-related data. Countries of concern include China (including Hong Kong & Macau), Cuba, Iran, North Korea, Russia, and Venezuela; however, the list may be updated by the Attorney General as needed.
It’s not just about where data is sent; the rules cover any form of access, whether physical or digital. That means employees, vendors, or systems in those countries can trigger compliance obligations even if the data never “leaves” the U.S.
What Is Bulk U.S. Sensitive Personal Data, and Why Does It Matter?
The regulations define bulk U.S. sensitive personal data with specific thresholds that trigger regulatory obligations if exceeded within any 12-month period. These include thresholds such as:
- More than 1,000 individuals’ biometric data or human ‘omic data (more than 100 individuals’ genomic data)
- More than 10,000 individuals’ personal health data
- More than 1,000 U.S. devices’ precise geolocation data
- More than 100,000 individuals’ personal identifiers
Data is considered “bulk” once it exceeds these thresholds, regardless of whether it is identified, de-identified, anonymized, encrypted, or pseudonymized. Once bulk data can be accessed directly or indirectly by a country of concern, it becomes subject to regulatory restrictions. Covered data transactions that enable such access, such as vendor relationships, employment agreements, data brokerage, or certain investments, fall into two regulatory categories:
- Prohibited transactions involve giving a country of concern access to bulk human ‘omic data or to biospecimens from which such data could be derived. These are strictly prohibited unless they qualify for an exemption or are specifically licensed.
- Restricted transactions include agreements such as vendor, employment, or investment relationships that allow access to covered data. These are permitted only if they meet due diligence, documentation, and security requirements, or qualify for an exemption.
Clinical Trial Exemptions
Here’s the good news: certain clinical research activities are exempt from the most stringent parts of the rule. Under Subpart E, activities like FDA-regulated clinical investigations and post-marketing safety monitoring are excluded. These include:
- Regulatory approval data: De-identified or pseudonymized personal data required to support the approval or oversight of a drug, biologic, device, or combination product. It includes data for post-marketing and supplemental applications, but excludes data not needed to assess safety or effectiveness.
- FDA-regulated research: Activities that are a normal part of clinical trials overseen by the FDA, or that support FDA applications to research or sell drugs, biologics, devices, or infant formula.
- Real-world and post-market data: Activities involved in collecting or processing real-world safety or performance data, including post-marketing safety monitoring, if needed to maintain FDA approval and the data is properly de-identified.
However, even exempt data must comply with certain audit and recordkeeping requirements under Subpart K. So while access for legitimate research is possible, it still requires oversight.
Real-World Examples of These Exemptions
- ✅ Exempt:
  - A U.S. pharmaceutical company can send de-identified safety and effectiveness data to a regulator in a country of concern when required for drug approval.
  - A U.S. company may use a local registered agent to submit required approval data, if local law mandates it, as long as only necessary data is shared and proper records are kept.
  - De-identified post-marketing safety data may be sent through a local agent to a regulator in a country of concern if required to maintain marketing authorization.
  - De-identified personal health data may be submitted to a regulator in a country of concern to support required safety research for medical device approval.
- ❌ Not exempt:
  - If a local regulator requires identifiable personal data, the transfer is not allowed.
  - A U.S. company may not hire a vendor in a country of concern to store or organize bulk sensitive data if that is not required by law for regulatory submission.
Takeaway: Sharing de-identified clinical data with regulators in countries of concern may be permitted, but if the data must be re-identified or handled beyond what’s required, the transaction may become restricted or prohibited.
What This Means for Contracts and Risk Management
The implementation of 28 CFR Part 202 doesn’t just affect your data infrastructure; it fundamentally changes how research-related agreements must be structured.
No Grandfathering: Review Every Agreement
There’s no exemption for older contracts. The rule applies to any transaction that takes place after the effective date, even if the agreement was signed years ago. That means now is the time to review and revise:
- Master Service Agreements (MSAs) with CROs
- Data transfer agreements with academic collaborators
- Clinical trial agreements with foreign sites
- Service agreements with cloud, analytics, and tech vendors
If any of these arrangements involve access to covered data by a country of concern or covered person, the agreement must be amended (or ended) to remain compliant.
What to Include in Your Contracts
New or updated agreements should contain clear language to show due diligence and reduce risk. At minimum, your counterparties should:
- Certify they are not a “covered person” and are not owned or controlled by a country of concern
- Notify you immediately of any change in that status
- Commit to following all restrictions in 28 CFR Part 202
For situations that might resemble data brokerage, such as sharing datasets with foreign universities for a fee, contracts must also include onward transfer restrictions, like:
- A clear ban on sharing, selling, or giving access to anyone in a country of concern
- A requirement that the counterparty pass this restriction along to any sub-parties
- An obligation to report any known or suspected breach
- Strong indemnification language to protect the U.S. organization
These terms may not be easy to negotiate, especially with partners in allied countries that already have strong data privacy laws, but they’re essential to minimize exposure under the rule.
Data Access and Audit Clauses
For restricted transactions, compliance needs to be built directly into the contract:
- Data Access Limits: Define exactly who at the vendor can access the data
- Audit Rights: Allow U.S. organizations to verify compliance with CISA and DOJ standards
- Cooperation Clauses: Require prompt cooperation with any compliance inquiries or investigations
What Should You Do?
Navigating the complex landscape of 28 CFR Part 202 requires more than tactical compliance; it demands a long-term strategic response. The rule fundamentally alters the risk calculus for global research, and companies must adapt their operations, governance, and planning accordingly.
Even if your organization isn’t directly affected today, the implications for global research infrastructure are clear. Here’s how to stay aligned:
- Map Your Data Flows: Know where your data is accessed or stored.
- Classify Your Data and Understand Exemptions: Determine whether your data qualifies as exempt and remember that early-stage or non-FDA research may still be restricted.
- Review and Update Your Agreements: Ensure contracts contain required representations, transfer restrictions, and audit terms.
- Understand Your Vendor Landscape: Identify vendors, partners, or contractors who may have access pathways involving countries of concern.
- Keep Records: Even exempt transactions must be documented under Subpart K.
- Be Strategic About Engagement: While DOJ licensing and advisory opinions are options, they are designed for exceptional cases, not as standard workarounds.
- Plan for the Future: As global research expands, build compliance into cross-border collaboration models.
Final Thoughts
At Florence and The Contract Network, we’re committed to helping the research community navigate compliance while enabling global innovation. EO 14117 and 28 CFR 202 don’t mean shutting the door on international work; they just mean planning smarter, documenting better, and building systems for secure, compliant collaboration.
We’re both fully compliant with these requirements. We don’t store data or have employees in countries of concern, and we actively monitor our third-party partners to ensure they align with these standards.