DOJ Announces 90-Day Grace Period for Companies to Comply with New Data Security Rules on Foreign Adversary Access to U.S. Sensitive Data
Tuesday, April 15, 2025

The U.S. Department of Justice's (DOJ) new data security rule went into effect on April 8, 2025. The rule creates what are effectively export controls and requires companies to take measures to prevent U.S. sensitive personal and government-related data from falling into the hands of foreign adversaries. The rule targets transactions (including data brokerage, vendor agreements, employment agreements, and investment agreements) involving access to bulk sensitive personal data or government-related data when those transactions involve identified covered persons or countries of concern (China, Russia, Iran, North Korea, Cuba, and Venezuela).

On April 11, 2025, the DOJ’s National Security Division (NSD) issued a Compliance Guide, a Frequently Asked Questions (FAQs) document, and its Implementation and Enforcement Policy, offering critical clarity on how it will assess compliance and approach enforcement of the rule. One of the most significant elements of the policy is the DOJ’s announcement of a 90-day grace period (between April 8, 2025 and July 8, 2025) for companies making good faith efforts to comply (willful violations may still be pursued). This grace period is intended to encourage early cooperation and foster a compliance-first mindset across industries.

Companies should take action now, if they have not done so already, to engage in compliance efforts (many of which are identified by DOJ as evidence of “good faith”) such as:

  • Assessing datasets and datatypes that might be covered by the rule
  • Reviewing data flows and data transactions, particularly those that might constitute data brokerage as defined in the rule
  • Analyzing vendor agreements to determine the need for new contractual terms; renegotiation of agreements; and potential transfer of products and services to new vendors
  • Instituting vendor due diligence practices aligned with the rule
  • Evaluating employee access and potentially modifying roles, responsibilities, or work locations
  • Assessing investments and investment agreements relating to countries of concern or covered persons
  • Revising or creating internal policies and procedures
  • Implementing security controls as set forth in the requirements established by the Cybersecurity and Infrastructure Security Agency (CISA)

The DOJ guidance confirms the effective dates in the rule and the expectation of full compliance with initial requirements after the 90-day grace period. While the core rule took effect April 8, 2025, additional compliance obligations (e.g., audits, reporting, due diligence) must be in place by October 6, 2025.

Organizations that collect, store, or transmit sensitive personal data—especially with cross-border implications—should begin engaging in the activities listed above. The rule is effectively a form of national security data control and applies to a broad array of actors, from data brokers and cloud infrastructure providers to businesses with international partnerships or data transfers.
