The Flow Report - The Art of the Data Deal
Even seemingly mundane aspects of business operations are not immune to political risk in 2025. Research and data teams at companies with international footprints - particularly those with teams working across the US and China - now have to contend with a US Department of Justice rule prohibiting many data transfers to China, including Hong Kong offices of US companies. Ironically, this US rule is drafted with broad language more typical of regulators and courts in China. And even though the rule derives from a 12+ month-old executive order, many teams impacted by the new restrictions are unaware of them.
What is the new DOJ rule?
The bulk data transfer rule prohibits many transfers of personal or sensitive data on Americans to certain foreign countries and individuals. The spirit of the rule is to protect Americans from data brokers selling large quantities of personal data to adversarial nations, including China. The rule derives from Executive Order 14117 issued by the Biden administration on February 28th, 2024 and made effective on April 8th, 2025.
Glacier published an FAQ ahead of the rule's effective date, which is now available on request to those subscribed to our blog. At nearly 200 pages (including recent DOJ commentary), the details of the rule are outside the scope of this post.
What are companies doing in response?
Anecdotally, it seems that many companies have been caught off guard, given the delay in implementation, the broad language of the rule, and perhaps an expectation that with a change in administrations, this rule would die on the vine. It did not.
Glacier has organized numerous 1x1 meetings and calls in response to the rule over the last few weeks, which have revealed uncertainty in the application of the rule's prohibitions and restrictions on transfers, even among large firms with substantial legal resources. It is worth noting that companies have started to take steps to comply. The rule provides a 90-day reprieve from civil enforcement for those making "good faith efforts" to comply.
Two concrete actions that many businesses might take today include:
Mapping out impacted categories of data (e.g., credit/debit card transactions, location data, healthcare data, etc.) with a list of the most clearly impacted vendors/products, and the status of potential access controls for employees in China.
Creating a similar list of impacted vendor contracts and reaching out to those vendors to add contract provisions (limiting transfers to third-parties in China, for example) as described under the DOJ rule. The DOJ did provide sample contract language in its FAQ.
It is important to consider that many existing policies, procedures, and diligence materials at companies can be recycled or repurposed to accommodate the new DOJ rule.
The data vendor response
The vendor response has been muted. While Glacier has only contacted a handful of vendors about the rule, even mature data vendors (that may be impacted) seem unaware of the DOJ rule. Buyers should not assume that vendors are managing compliance for them; this is now a topic that should be addressed in diligence on relevant data products.
Is the rule intended to cover US corporate or investment uses of data?
It’s risky to make assumptions about enforcement in this environment. The rule and related commentary strongly suggest that the DOJ’s primary focus is likely to be malicious and fraudulent uses of personal data – not investing in public markets or developing consumer products, for example. Yet those seemingly ordinary use cases are covered by the plain language of the rule. Glacier notes that the DOJ’s FAQ expressly states that data used for corporate R&D is covered by the rule’s prohibitions on transfers.
Does the rule only apply to transfers to China?
No, other adversarial nations such as Russia are also covered; however, the majority of prohibited corporate data flows are likely those to China. Unfortunately, the rule also requires that companies follow certain restrictions on other foreign data transfers, such as updating vendor contracts to prohibit subsequent (or forward) data transfers to China and other covered countries.
The implications of the DOJ rule
Perhaps the most important implication is that the current rulemaking environment related to data is unpredictable and likely to be turbulent. The overlaps between cybersecurity, AI, privacy, and national security mean that distinctions between the priorities of recent US administrations are likely to be blurred. Despite predictions of deregulation in some areas, the US is now aggressively pursuing data border controls that resemble those imposed by China.
It will take vigilance and a new measure of creativity to navigate the data deal market in 2025.
Don D'Amico
Founder & CEO, Glacier Network
©2025 Glacier Network LLC d/b/a Glacier Risk (“Glacier”). This post has been prepared by Glacier for informational purposes and is not legal, tax, or investment advice. This post is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. This post was written by Don D’Amico without the use of generative AI tools. Don is the Founder & CEO of Glacier, a data risk company providing services to users of external and alternative data. Visit www.glaciernetwork.co to learn more.