U.S. Data Localization Law Coming Soon: What Life Science Companies Need to Know

2 minute read | January.24.2025

The DOJ has finalized a set of prohibitions and restrictions on cross-border transfers of certain U.S. data to China and other “Countries of Concern” (for now, Cuba, Iran, North Korea, Russia, and Venezuela), as well as to certain persons associated with those countries (so-called “Covered Persons”).

The rule creates an expansive new regulatory regime that prohibits or restricts certain transactions involving bulk U.S. sensitive personal data and U.S. government-related data.

Life science companies should take note – biometric identifiers, human ‘omic data and personal health data are all defined as sensitive personal data that could be subject to the prohibitions and restrictions. The rule defines these terms and sets thresholds at which sensitive data types are considered “bulk.”

Brief Summary of the Rule: When the rule takes effect on April 8, 2025, it will prohibit certain data brokerage transactions with Countries of Concern or Covered Persons. It also will prohibit other transactions that provide a Country of Concern or Covered Person with access to bulk human ‘omic data or human biospecimens from which that data can be derived. Additionally, it will:

Prohibit such data brokerage transactions with any foreign person without a contractual prohibition against making the data available to a Country of Concern or Covered Person.
Restrict (instead of prohibits) certain vendor, employment and investor agreements with Countries of Concern or Covered Persons involving access to bulk U.S. sensitive personal data and U.S. government-related data. These types of agreements must meet CISA security requirements.
Require companies engaging in restricted transactions to develop and implement risk-based compliance programs modeled on guidance issued by OFAC. This requirement takes effect October 6, 2025.

Important Exceptions for Life Science Companies: The rule contains two key exemptions for life science companies to help ensure that sensitive data transfer limitations do not impede therapeutic innovation. The rule:

Permits life science companies to rely on U.S.-generated data that is “reasonably necessary” to support a regulatory marketing submission in a Country of Concern. That recognizes the importance of allowing pharma, biologic and medical device companies to transfer data for clinical research or marketing authorization support (i.e., regulatory approval data).
Allows the transfer of sensitive clinical data that is “ordinarily incident” to, and part of, the collection or processing of clinical care data indicating real-world performance or product safety. This exemption also covers the collection or processing of post-marketing surveillance data, including pharmacovigilance and post-marketing studies for already approved therapies. Importantly, though, the clinical data must be de-identified or pseudonymized pursuant to applicable FDA regulations to be exempt.

Our Life Sciences & HealthTech team can help life science companies understand how to navigate these various important exemptions and stay compliant with DOJ and FDA recordkeeping and de-identification requirements. If you have questions please reach out to the authors (Thora Johnson, Georgia Ravitz, or Cosmas Robless).

Authors

Thora Johnson Partner, Life Sciences & HealthTech, Cyber, Privacy & Data Innovation

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Life Sciences & HealthTech
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C.

Thora works with medical device, pharmaceutical, biotech and digital health companies, helping them navigate the increasingly complex patchwork of state and federal health privacy laws. One client described her to the Legal 500 as a “very practical” advisor providing “exceptional guidance” on health information privacy and HIPAA compliance matters.

Her breadth and depth of experience enable Thora to assist clients in harnessing the power of artificial intelligence and executing data-sharing arrangements, all while protecting health data. As a result, Thora spends much of her time counseling pioneering startups and high-growth companies on responsible innovation in healthcare and life sciences.

Thora brings extensive experience counseling clients, including Fortune 500 companies and brick and mortar providers, on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
State consumer privacy laws with special controls for health data
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans

Thora routinely helps companies and large employers prepare for and respond to privacy and security incidents involving health information. She also defends clients in government investigations initiated by the OCR, OIG, DOJ, FTC and State AGs, among others.

Georgia C. Ravitz Partner, FDA & Healthcare Regulatory, Life Sciences & HealthTech

Washington, D.C.

See my bio

D:+1 202 339 8651
E: gravitz@orrick.com

Practice:

FDA & Healthcare Regulatory
Life Sciences & HealthTech
Strategic Advisory & Government Enforcement (SAGE)
Technology Companies Group
Technology & Innovation

vCard

See full bio

Georgia C. Ravitz Partner

Washington, D.C.

Georgia also has extensive experience in assisting clients with product recalls, crisis management and government enforcement. Her practice in this sector includes assisting manufacturers, distributors, retailers and importers on all types of FDA regulated products including pharmaceuticals, medical devices and software, wearables, health and wellness products, cosmetics, cell and plant based foods, conventional foods, ag tech, compounded drugs, and dietary supplements.

Georgia’s deep experience and ability to provide practical guidance in FDA and FDA-adjacent regulatory matters allows her to work closely with innovative companies looking to minimize regulatory burdens and maximize U.S. marketing opportunities in the life science and health tech industry verticals. She also conducts regulatory due diligence for private equity and public company transactions involving life science, medtech and innovative companies.

Georgia is a frequent speaker at conferences and events who contributes regularly to leading trade and consumer media outlets.

Cosmas Robless Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 339 8663
E: crobless@orrick.com

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Cosmas Robless Associate

Washington, D.C.

Cosmas provides guidance on issues relating to numerous privacy and cybersecurity laws, including:

U.S. state privacy laws
U.S. state breach notification laws
U.S. state consumer health data privacy laws
Health Insurance Portability and Accountability Act (HIPAA)
Federal Trade Commission Act (FTC) Act
Telephone Consumer Protection Act (TCPA)
EU and UK General Data Protection Regulation (GDPR)

Cosmas graduated with honors from Harvard Law School. During law school, he participated in the Berkman Klein Center's Cyberlaw Clinic, completed a clinical placement in the Securities, Financial & Cyber Fraud Unit of the United States Attorney’s Office for the District of Massachusetts, and interned with the Special Assistant for Legal & Legislative Matters to the Secretary of the Navy. Prior to law school, Cosmas served as a submarine officer in the U.S. Navy.

Cosmas is accredited by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in the United States (CIPP/US).