As of 2025, the United States of America has introduced sweeping restrictions on cross-border access to sensitive personal data under 28 CFR Part 202, affecting global clinical research, biotech, and digital health operations. The regulation targets data sharing and access involving six countries of concern: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela, and applies even when access is indirect or data is anonymized.
This article outlines the scope of regulated data, highlights prohibited and restricted transactions, and explores the real-world impact on clinical trials, data storage, outsourcing, and international partnerships. It also reviews key exemptions, such as those for FDA-regulated studies, and provides actionable recommendations for companies to remain compliant in a shifting global data governance landscape.
| Field | Detail |
| --- | --- |
| Regulation | 28 CFR Part 202 |
| Issued by | U.S. Department of Justice (DOJ) |
| Based on | Executive Order 14117 (Feb 28, 2024) |
| Scope | Limits foreign access to U.S. sensitive personal and government-related data by certain foreign governments or associated persons |
| Applies to | Legally binding restrictions on U.S. persons interacting with foreign entities or individuals |
| Published | January 8, 2025 |
| Effective | April 8, 2025 (90 days after publication) |

Note: Entities must comply with the Rule's due diligence, audit and reporting requirements by October 5, 2025. The Rule does not apply to transactions completed before its effective date, but it does apply to ongoing activity, even if that activity is required by prior contracts.
Companies engaging with Contract Research Organizations (CROs), labs, IT vendors, or collaborators from the following six countries must reassess data access and control. Any involvement, even indirect, could trigger restrictions under this rule:
Entities that are:
Individuals who are:
Any person, regardless of location, who is determined by the U.S. Attorney General to:
The regulation covers “bulk U.S. sensitive personal data” as defined in §202.206—referring to large volumes of personal information about U.S. individuals, regardless of format or whether it has been anonymized, pseudonymized, de-identified, or encrypted. Coverage applies when volume thresholds in §202.205 are met or exceeded. This includes:
Government-related data is separately defined under §202.222 and includes any data that could reveal information about federal personnel or sensitive government locations.
U.S. persons/entities (i.e. any U.S. citizen, national, lawful permanent resident, refugee, or asylee; any person located in the U.S.; or any entity organized under U.S. law (including foreign branches)) must avoid the following:
For example, if a U.S.-based genomics company develops an AI tool trained on a large volume of sensitive U.S. genomic data, and later licenses that tool to its parent company in China, this could be considered a prohibited transaction. Even if the tool itself does not directly share raw data, the potential to reveal sensitive training data, combined with the U.S. company's awareness of this risk, constitutes indirect access by a covered foreign person, which is restricted under the regulation.
Some activities with vendors, employees, or investors from the six restricted countries can proceed only if specific security requirements are met. These include agreements where sensitive data may be accessed directly or indirectly.
Applies to:
These are not allowed unless the U.S. company fully implements the required data safeguards. Simply using “equivalent” controls is not enough.
Take for instance a U.S.-based life sciences company that needs help maintaining its clinical data platform. To cut costs or find specific skills, it hires a remote IT contractor who happens to be based in a restricted country. Even if the contractor is only working on the back end, there is still a risk: they could potentially access sensitive U.S. personal health or financial data. In a situation like this, the company is required to have the full set of required security measures in place. If it does not, the arrangement would violate 28 CFR Part 202. It does not matter that the contractor is not supposed to see the data; what matters is that the access risk exists.
| Allowed (with conditions) | Not Allowed |
| --- | --- |
| FDA-regulated clinical investigations, including clinical trials | Non-FDA/non-federally funded studies unless specifically licensed |
| Other clinical investigations and post-marketing surveillance with de-identified data | Studies where data can be re-identified or accessed by covered entities |
Current impact: As of April 2025, the National Institutes of Health (NIH) has barred researchers affiliated with the six countries of concern from accessing 21 major U.S. biomedical datasets, enforcing provisions of 28 CFR Part 202. (Science, 2025)
The regulation has direct implications for:
In conclusion, the U.S. restrictions on foreign access to sensitive data signal a pivotal shift in global data governance, including for industries involved in clinical research, biotechnology, and digital health. As enforcement intensifies, organizations must take a proactive, risk-based approach, assessing exposure, verifying exemptions, securing data access, and documenting compliance efforts. By adapting operations and strengthening internal controls, businesses can protect sensitive U.S. data, uphold regulatory obligations, and maintain the integrity of their global collaborations.