From April 2025, in contracts with U.S. megacorps, strange clauses have begun to appear pointing to this new U.S. rule: “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons Rule”. Far from being part of the typical foliage—like the applicable sections styled after Californian regulations or parts from other regions that do not apply—this one could impact the processing of Americans’ personal data carried out as a provider, even when the provider is so foreign that it does not even have a headquarters or subsidiary in the United States. Very much in the style of the famous “signals intelligence” approach, but aimed at preventing certain countries and their companies from accessing specific categories of sensitive or restricted U.S. data.
What kind of clauses are we talking about?
All those that resemble the following:
“The provider represents, warrants, and undertakes that: (a) neither the provider nor any of its affiliates that have access to covered data – “Data Covered” (nor any employee or contractor of the provider or its affiliates that has access to covered data) is a covered person – “Person Covered”; (b) the Provider and its affiliates will not participate in any Covered Data Transaction; and (c) the Provider will immediately notify the Company in writing if any of the representations in this section change or cease to be true.”
U.S. regulations are outside our expertise, but the need to explain why you might encounter certain things in the middle of a DPA, access to the FAQs from the Department of Justice (referencing the linked “rule”), and a bit of help from AI (especially to confirm and create the tables we show) allow us to tell this story.
It is a journey through cross-referenced concepts, but much easier to understand than the Data Act and the AI Act.
You are reading ZERO PARTY DATA. The newsletter on current affairs and technology law by Jorge García Herrero and Darío López Rincón.
In the free time this newsletter leaves us, we solve complicated messes related to personal data protection and artificial intelligence regulations. If you have one of those, wave your little hand at us like this. Or contact us by email at jgh(at)jorgegarciaherrero.com
What is this rule and which countries does it blacklist?
This rule attempts to limit or prohibit access to two types of data—bulk sensitive personal data of Americans and U.S. government-related data—by the following restricted countries (“Country of Concern”).
Zero surprises on the blacklist of countries.
China (including Hong Kong and Macau);
Cuba;
Iran;
North Korea;
Russia; and
Venezuela.
What information, persons, and situations does it apply to? The central elements of “covered data” and “covered person.”
– “Covered Data” means two main categories:
Bulk U.S. sensitive personal data, regardless of whether the data are anonymized, pseudonymized, de-identified, or encrypted, as long as they reach their respective threshold:
Human omic data (epigenomic, proteomic, genetic, or transcriptomic): more than 1,000 U.S. persons (or more than 100 for genomic data);
Biometric identifiers: more than 1,000 U.S. persons;
Precise geolocation data: more than 1,000 U.S. persons;
Health data: more than 10,000 U.S. persons;
Personal financial data: more than 10,000 U.S. persons; and
Covered personal identifiers: more than 100,000 U.S. persons (government identification numbers such as passport numbers, device identifiers, demographic/contact data, IP, cookie data, or call detail records).
U.S. government-related data:
Precise geolocation data at government locations; and
Sensitive data of government personnel.
– “Covered Person” includes the following categories of individuals or companies:
Foreign entities from the mentioned countries;
Entities 50% or more owned by Covered Countries/Persons;
Individuals resident in Countries of Concern;
Employees/providers or contractors from Covered Countries/Persons; and
Any listing determined by the Attorney General.
– If the following occur together: (i) a provider or employee that is a Covered Person as defined above, (ii) engaged by a U.S. entity (U.S. Person), and (iii) with access to Covered Data, then the scenario falls within the scope of this rule: it is a Covered Data Transaction.
This is subdivided into two cases: the main case of a prohibited transaction (Prohibited Transaction), and a secondary case of a restricted transaction (Restricted Transaction), which may proceed only if the U.S. entity complies with certain defined security requirements.
Most important for us: In which cases would a European company be affected?
Two main scenarios can be distinguished, based on the concurrence explained above.
A. – The U.S. subsidiary of a European parent company (“US Person”):
U.S. Subsidiary: it must exercise special control to avoid knowingly participating in any of these “transactions.” A group corporate exception may exist if the transaction is ordinarily incidental and part of administrative or auxiliary business operations—for example HR, payroll, or risk management.
If the transfer takes place for core business operations (such as research and development), the exemption does not apply. If the subsidiary falls under the obligation scenario, the following elements have applied since October 2025: a specific compliance program with defined security measures and an annual audit.
European parent company: the same classification as in the following scenario of a company without headquarters or personnel in the United States.
B. – An EU company providing services to a U.S. client without presence or headquarters there (“Foreign Person”).
In that case, four scenarios may occur depending on whether the entity is considered a covered person (CP), is from a restricted country, or is neither of the above (any).
Recommendations
In most cases, the application of this rule will be limited to the scenario described at the beginning and in the last case of the previous table (“foreign person” scenario): a company without processing of covered data nor covered persons—either directly or through providers—that commits not to process them and to notify if anything changes.
However, specific checks should be carried out regarding providers and potential subsidiaries in the United States:
Review whether any processors or sub-processors you rely on could fall within the scope: either because they are from these covered/prohibited countries or because, within the framework of the service, they end up providing access to this type of U.S. data. It is highly advisable to start including specific questions about this topic in the pre-Article 28(1) GDPR questionnaire; and
Verify, together with possible specialized advice from the United States, that the company’s U.S. subsidiary is sufficiently prepared to comply with this rule. There are always nuances that escape those of us from the old continent.
Grand Finale: Why should I care about all this?
First.— Because there are many multinational groups (for example Chinese ones) that provide services through a subsidiary established in a country not included in the blacklist of this amusing U.S. rule. It is the same move that Meta, Google, or Microsoft make by placing their shiny European subsidiary in all their DPAs, generating that reassuring cognitive dissonance in the head of the not-very-reflective DPO.
Last but not least.— As a closing note, and in addition to everything above, always remember the illustrative example from those EDPB guidelines about the interplay of Article 3 and Chapter V: if a company based in the EU acts as a processor for a non-European company, imports personal data, and returns them as part of a product or service, there is an international transfer in that return flow of the data to the non-EU controller.