Data in the Evolving World of Life Sciences – Three
By Ed Ferrara, Strategic Technology Advisors & CIO / CISO Advisor to Green Leaf Consulting Group
October 22, 2025
Preface
This article is part of a series developed for Greenleaf Group to highlight the complexity of data and its use across organizations of all sizes and across vertical industries. The first four articles in this series focused on the life sciences industry. Subsequent articles will focus on other industries and on technology providers promising to revolutionize data analytics through Artificial Intelligence.
Compliance, Regulation, and National Security
Introduction
In my past two blogs, I explored the role of data in life sciences, first through the lens of research and development and medical affairs, and then through the principles of quality and compliance in manufacturing. This next frontier takes that discussion one step further. Today, compliance and regulation in life sciences extend beyond clinical and manufacturing oversight; they now intersect with national security. As data volumes grow and global collaboration increases, protecting sensitive health and research information has become not only a matter of privacy and ethics but also of geopolitical importance.
Historically, life science organizations had to worry only about the United States Food and Drug Administration (FDA), the European Medicines Agency, and other countries’ pharmaceutical regulatory agencies.
In general, Life Science companies operated outside the scope of US national security regulations and exemptions from US Privacy laws. The United States has recognized that certain countries maintain an adversarial stance towards it.
Protecting Americans’ Sensitive Data from Foreign Adversaries
On February 28, 2024, President Joe Biden signed an executive order expanding the scope of Executive Order 13873 (May 15, 2019) and Executive Order 14034 (June 9, 2021) – Protecting Americans’ Sensitive Data from Foreign Adversaries. President Biden issued this order in response to certain countries attempting to steal various types of sensitive bulk personal data. From the administration’s perspective, the appropriation of this information constituted an unusual and extraordinary threat, originating in whole or in substantial part outside the United States, to the national security and foreign policy of the United States. Access to Americans’ bulk sensitive personal data or United States Government-related data increases the ability of countries of concern to engage in a wide range of malicious activities. Countries of concern could use advanced technology (e.g., artificial intelligence) to analyze and manipulate bulk sensitive personal data to engage in espionage, influence kinetic or cyber operations, and identify strategic advantages over the United States.[1]
Building on the Biden Era Executive Order
In April 2025, the US Department of Justice’s (DOJ) Final Rule Restricting Transfers of Bulk Sensitive Personal Data took effect, marking a watershed moment for national security and biomedical research. Codified at 28 C.F.R. Part 202, the rule implements President Biden’s Executive Order 14117, which prohibits or restricts US persons from providing bulk sensitive personal data—or any government-related data—to “countries of concern” or entities under their control. [1]
On April 8, 2025, the Trump administration finalized an executive order that expanded the Biden administration’s language and specifically targeted the life sciences industry.[2]
The implications of this rule are significant for the life science industry. Life science companies and their medications frequently rely on human genomic, clinical, and biomarker data. The rule’s reach extends beyond espionage prevention; it rethinks how biotech, pharma, and digital health companies handle cross-border data, manage vendors, and design research collaborations.
A New National-Security Frontier in Data
The United States Department of Justice deems foreign exploitation of Americans’ health and genomic data an “unusual and extraordinary threat.”
The new rule closes a significant gap in US national security authorities: until now, foreign adversaries could buy or license US data through commercial IT. In Deputy Attorney General Todd Blanche’s words, “Why hack it when you can buy it?”
The rule formally designates countries, including:
· China (including Hong Kong and Macau)
· Cuba
· Iran
· North Korea
· Russia
· Venezuela
These countries are explicitly designated as countries of concern because they demonstrate the intent and capacity to use such data for surveillance, coercion, or military advantage. [3]
What is “Bulk Sensitive Personal Data”?
Bulk United States sensitive personal data is any collection or set of sensitive personal data related to US persons, encompassing all formats. For life-science organizations, “bulk” means more than volume—it defines the regulatory threshold for restrictions. Under the Final Rule, any dataset—whether anonymized, pseudonymized, or encrypted—can trigger compliance obligations if it meets or exceeds these limits within 12 months.
This information includes anonymized, pseudonymized, de-identified, or encrypted data that meets or exceeds the thresholds set by the new regulations. Any combination of these types that meets the lowest threshold also qualifies as bulk. That means even a modest-sized clinical trial can fall squarely within the rule. See Figures 1, 2, and 3 below.
Key Aspects
Life Science companies must evaluate how they handle bulk sensitive personal data and ensure that any commercial uses of this information do not include the sale to the DOJ’s listed countries of concern.
Implications
To ensure compliance, Life Science companies must assess their business models to determine which information is covered by the new rule.
Covered Data Transactions
There are two types of government-related data. The first is any precise geolocation data, regardless of volume, for any location within any area enumerated on the Government-Related Location Data List in the original Biden executive order. The second type of government-related data is any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or retired senior officials, of the United States Government, including the military and Intelligence Community. These provisions also include “recent former employees” or “recent former contractors” – employees or contractors who worked for or provided services to the United States government, in a paid or unpaid status, within the past two years of a potential covered data transaction with a country of concern or covered person.
Key Prohibitions and Restrictions [4]
The DOJ separates “covered data transactions” into prohibited, restricted, and exempt categories.
Prohibited transactions include:
· Data brokerage—the sale, licensing, or commercial transfer of bulk data to a covered person or country of concern.
· Any transaction giving such entities access to bulk human ‘omic’ or biospecimen data.
Restricted transactions include vendor, employment, or investment agreements with covered persons or countries of concern. These may proceed only if the US party adopts the Cybersecurity and Infrastructure Security Agency (CISA) security requirements and maintains a DOJ-compliant Data Compliance Program with annual audits and officer certification.
Necessary Exemptions [4]
The new rule provides for some exempt transactions to protect legitimate scientific and regulatory activity:
· FDA-regulated clinical investigations and post-marketing surveillance using de-identified or pseudonymized data.
· Submissions required by the FDA or foreign health authorities.
· Federally funded research, telecommunications, financial services, and official US government business.
From Privacy to National Security
There is growing awareness among many governments worldwide that adversaries can weaponize various types of personal information. Unlike HIPAA or GDPR, which hinge on individual privacy and consent, the new DOJ rule is grounded in national security risk and applies to all information and events, including de-identified data. The DOJ’s National Security Division (NSD) explicitly likens the regime to export controls on data, placing it alongside sanctions administered by OFAC. US persons must “know their data”—inventory what they hold, where it flows, and who ultimately accesses it.
The fusion of data protection and national security reflects a global trend: information is now a strategic resource. For life sciences, where genomic data is the new oil, the rule underscores that data sovereignty is security sovereignty. [5]
Impact on Life-Science Companies
In my first blog, I explained that intangible assets dominate the balance sheets of most modern companies. Other authors have noted “Data is the new oil” [6] [7]. Few industries rely more heavily on cross-border data sharing than biotechnology and healthcare. Clinical trials, genomic sequencing, contract research, and post-marketing surveillance all involve global data flows.
Yet these very strengths—data intensity and international collaboration—create exposure under the new rule. The rule’s breadth, departure from existing privacy-focused laws, and significant civil and criminal penalties mean life-science companies must now evaluate how to minimize risk in prohibited and restricted transactions.
For many of Green Leaf’s life sciences clients, these shifts have prompted a reassessment of how data is stored, shared, and governed. Cloud strategy, vendor selection, and data classification policies now carry implications that reach beyond compliance.
Violations
Like other regulations with criminal liability, violating the new rule is a serious issue. Violations carry civil penalties up to $368,000 or twice the transaction value, and criminal penalties of $1 million and 20 years’ imprisonment for willful acts.
Life Science’s Plan for Action [4]
Life Science companies that generate and use bulk “omic” information must:
· Establish a Data Compliance Program – A written, risk-based program identifying data types, transaction parties, and data-flow maps; certified annually by a senior officer.
· Conduct independent audits – Annual audits verifying adherence to CISA security controls and compliance procedures.
· Maintain records for ten years – Covering transaction details, licenses, advisory opinions, and audit results.
· Report certain events – Including rejected prohibited transactions and suspected onward transfers to countries of concern.
Develop an Action Plan that includes:
· Map global data flows
· Screen counterparties
· Amend contracts
· Leverage exemptions
· Integrate security frameworks
· Educate leadership
Conclusion
As noted in my prior posts, the life science sector is experiencing a data revolution. From drug development to regulatory approval and manufacturing, data analytics and AI are unlocking insights across genomics, clinical trials, and precision medicine.
However, with innovation comes exposure: the same datasets that enable breakthroughs can also reveal national vulnerabilities if exploited by adversaries.
The DOJ’s Data Security Program signals that data protection is now a matter of national defense, not merely corporate compliance. For life-science companies, aligning discovery with defense isn’t optional—it’s the new operating reality.
The 2025 DOJ Data Rule marks the first comprehensive US attempt to treat personal and biomedical data as a strategic asset. Life science organizations that proactively build compliant, risk-based data security programs will not only avoid penalties—they will also earn trust as stewards of America’s future genomic and health data.
Green Leaf Consulting Group is well-positioned to assist Life Science companies in understanding the risks. The experts at Green Leaf can design and implement a compliance action plan for the new rule, providing data flow analysis, information supply chain mapping, contract review, and modification of information security frameworks (policies and procedures). They can also educate leaders and managers on the implications of these changes and how to address them.
References
1. Biden, J.R., Executive Order 14117 of February 28, 2024, T.W. House, Editor. 2024, US Federal Register, Washington, DC.
2. Pierce, J.C., et al., Life Sciences Companies Must Navigate the DOJ Data Rule, in Goodwin - Alerts. 2025, Goodwin LLP: Boston, MA.
3. Division, N.S., Data Security Program: Compliance Guide, U.S.D.o. Justice, Editor. 2025, United States Department of Justice - National Security Division: Washington, DC.
4. Section, N.S.D.F.I.R., National Security Division Data Security Program Compliance Guide - 04112025, U.S.D.o. Justice, Editor. 2025, United States Department of Justice: Washington, DC.
5. Egan, M., et al., The DOJ’s Bulk Sensitive Personal Data Rule’s Imminent Relevance to Life Sciences Companies, in Cooley Alert. 2025, Cooley LLP: Palo Alto, CA.
6. Bhageshpur, K., Data Is The New Oil -- And That’s A Good Thing, in Forbes Technology Council. 2019, Forbes.
7. Technology, O.I., The DOJ Big Data Act: What Insurers Need to Know. 2025, OIP Insurance Technology: Henderson, NV.
[1] Proteomics is the large-scale study of proteins, particularly their functions and structures. It involves the identification, quantification, and analysis of the entire set of proteins expressed by a genome, cell, tissue, or organism at a given time.
[2] Transcriptomics is the study of the transcriptome, which comprises all the RNA molecules transcribed from the DNA in a cell or organism at a specific time. This field of research focuses on understanding gene expression patterns, RNA processing, and the functional roles of various RNA species.
[3] Epigenomics is the study of the epigenome, the complete set of epigenetic modifications on a cell's genetic material. These modifications do not alter the DNA sequence but can influence gene expression, cellular functions, and ultimately organismal development and health.



