Executive Order 14117 Comes into Force: Key Considerations for Cross-Border Data Transfers

What Happened? On January 8, 2025, the United States Department of Justice (“DOJ”) issued a final rule (“Final Rule”) to implement Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“EO 14117”). The Final Rule aims to restrict or prohibit certain categories of data transactions by U.S. persons with “Countries of Concern,” including the People’s Republic of China (“China” or the “PRC”) and “Covered Persons.”

The Final Rule regulating data transactions went into effect on April 8, 2025, with additional compliance provisions—audits, recordkeeping, and reporting—scheduled to come into force by October 6, 2025. The DOJ implemented a 90-day grace period from the effective date of the Final Rule for individuals and entities to prepare for and comply with enforcement of EO 14117, which ended recently on July 8, 2025.

Why Is It Important? The change in presidential administrations has not kept the DOJ from moving forward with implementing the Final Rule and robust enforcement of EO 14117. Indeed, transactions involving bulk U.S. sensitive personal data (e.g., precise geolocation data, biometric identifiers, and personal health data) and U.S. government-related data are now subject to heightened regulatory scrutiny by the agency. This new enforcement environment presents significant compliance challenges for Chinese enterprises conducting business in the United States, particularly where data processing and cross-border data flows are involved, which could implicate not only EO 14117 but also any number of Chinese laws and regulations governing the inbound and outbound flow of data in China. Accordingly, cross-border collaborations between Chinese and U.S. entities will be directly affected and require heightened attention.

What Can or Should I Do Now? Given that the audits, recordkeeping, and reporting compliance provisions of EO 14117 do not take effect until October 6, 2025, there is no reason for companies to panic. There are proactive steps you can take to prepare for the new enforcement landscape created by the Order. “U.S. Persons” or “Covered Persons,” as defined under the Final Rule (and potentially including Chinese companies engaging in a restricted transaction), are required to conduct annual data audits. These companies can begin (or continue) designing audit plans to meet the regulatory requirements of EO 14117 and, if necessary, relevant Chinese data laws and regulations.

Based on our experience, below are recommendations for how to design an effective annual audit plan and enhance (or design) the appropriate compliance framework:

  • National Security Focus: The Final Rule focuses heavily on national security. The United States, like China, prioritizes the regulation of data and data privacy as a “national security” measure—in addition to viewing active regulation as important to civil, personal, and privacy considerations. As such, covered individuals and entities must consider U.S. national security interests when designing specific audits and/or conducting cross-border data transfers.
  • Dual-Regime Compliance: If a “Covered Transaction” includes Chinese-origin data, and particularly if it involves the cross-border transmission of Chinese-origin data out of China and to the United States, then any audit and broader internal compliance scheme should include elements that navigate both the new EO 14117 and the PRC’s current data compliance rules and regulatory framework (e.g., the Personal Information Protection Law (“PIPL”) and the Data Security Law (“DSL”)). For example, Chinese enterprises responding to U.S. data reporting requirements under the Final Rule should consider Article 36 of the DSL, which prohibits providing data to foreign judicial or law enforcement bodies without prior approval. Cross-border data strategies and compliance programs must, therefore, bridge and accommodate both U.S. and Chinese laws and regulations. While this is challenging, maintaining a compliance framework that accounts for risks in both jurisdictions is essential to mitigating civil and criminal risks in either nation.
  • Technical Data Mapping and Audit: While compliance reviews and enhancements are essential, cross-border data transmission is inherently a technical challenge. It is usually best to have technical experts identify the relevant scenarios and map out the data flow pathways between China and the United States in order to identify, document, and visualize, for example:
    1. What sensitive U.S. personal data or government-related data will be handled?
    2. Where does the above data originate, and where is it stored and processed?
    3. How does this data flow internally and externally?
    4. Who has access to these data?

Through technical data mapping techniques, companies can (i) rigorously map restricted transactions involving “U.S. Persons/Covered Persons;” (ii) monitor whether any bulk collections of personal data trigger reporting requirements; and (iii) determine whether any cross-border flow of data involves prohibited or restricted data under EO 14117, the Final Rule, or one of China’s data protection laws, including the involvement of internal transactions of affiliated companies.

  • Consider an Advisory Opinion: Given how recently EO 14117 was implemented, it may be challenging to determine if a certain transaction is covered under its requirements. Consider requesting an advisory opinion under Final Rule Section 202.901. The request and resulting information will help you explain the transaction and who/what is involved, and allow the DOJ to inform you whether you have any auditing, reporting, enforcement, or other requirements. The response could be helpful in enhancing your program and fending off future DOJ inquiries. It will also provide insight into whether modifications should be made before moving forward with your compliance planning for the Final Rule.
  • Develop a Consistent Compliance Program: Companies engaged in restricted transactions should design, develop, implement, and routinely enhance a robust data Compliance Program—or assess and update the existing one. Covered companies are encouraged to embrace their data compliance obligations, including compliance program updates, internal and external reporting, and annual data audits to ensure compliance with evolving regulatory requirements. While program assessments and updates may cost time, money, and resources on the front end, they can save a company from future financial and legal entanglements with both U.S. and Chinese authorities.

While not exhaustive, these key recommendations can help prepare covered companies in China and elsewhere for the developing data compliance enforcement regime in the United States, and likewise assist entities in continuing to meet previously existing global obligations.

About Dickinson Wright: Founded in Detroit, Michigan, USA in 1878, Dickinson Wright is an international law firm with a full range of legal services and a distinguished reputation. Today, with offices located in key North American trade and manufacturing corridors, our firm draws on the resources of more than 40 practice areas and 500 lawyers, offering integrated solutions to our clients’ global business needs. Our collaborative approach includes an experienced and fully integrated team offering a knowledgeable and informed approach to your projects. Additionally, Dickinson Wright offers a unique, China and East Asia-focused practice group that has over a decade of experience representing Chinese companies in the United States across practice areas, including corporate mergers, high-stakes government investigations and sanctions, and all types of litigation. Dickinson Wright’s attorneys boast a wide range of backgrounds to match our clients’ every need.

About JunHe:  As China’s longest-standing independent law firm, JunHe has a proven track record of guiding multinational and domestic enterprises through high-stakes government investigations and internal corporate reviews. JunHe’s attorneys, many of whom graduated from elite law schools globally, bring diverse perspectives from prior roles as senior government officials, judges, prosecutors, and practitioners at leading international firms. Notably, a significant number of JunHe lawyers hold dual qualifications in jurisdictions such as the United States, U.K., Australia, and Hong Kong. This dual expertise allows JunHe’s attorneys to bridge cultural and regulatory gaps, ensuring clients receive strategic advice that aligns with both local practices and global business objectives.

Dickinson Wright PLLC Authors

John P. Cunningham (Member, Washington, D.C.) is a current member of the firm’s Compliance, Investigations, and Government Enforcement Team and International Practice Group. He is a former FBI investigator, federal prosecutor, Global 500 Chief Compliance Officer, and partner at an AmLaw 10 firm.

Jacob L. Clark (Associate, Ann Arbor) is part of the firm’s International and East Asia Practice Groups. He spent five years in Shanghai, China as foreign counsel at the strategic alliance office for an AmLaw 50 firm.

JunHe Law Offices Authors

Leon Liu (Partner, Shanghai) now leads JunHe’s Government Regulatory and Investigation Team. He is a former prosecutor and leads international teams in reputable law firms. He has served companies in almost a third of all the Top 50 FCPA cases, in front of the U.S. DOJ/SEC as well as in front of PRC authorities.

James Chen (Partner, Shanghai) practices at the Shanghai office of JunHe and has over 15 years of extensive legal experience, primarily in the areas of dispute resolution, compliance investigation, and white-collar crime. Before joining JunHe, he worked as a prosecutor in the Second Branch of the Shanghai People’s Procuratorate.

Helen Li (Associate, Shanghai) has 9 years of experience focusing on complex legal matters such as cross-border government regulatory matters, investigations, and white-collar crime. She has provided compliance legal services to many large state-owned enterprises and multinational companies.