Protecting sensitive data has never been more important. In a globalized world of advanced cyber threats, sophisticated espionage techniques, and external data monetization, increased security is crucial to safeguard sensitive information from theft and misuse. The recent implementation of the Department of Justice’s (DOJ) Data Security Program (DSP) demonstrates how seriously the government considers the threat posed by foreign adversary access to such data. U.S. persons and companies who aggregate the personal data of Americans or collect any information linked to U.S. government personnel now face mandatory restrictions and prohibitions when transferring this data to identified countries and persons of concern. With the leniency period for enforcement of the program officially over as of July 8, 2025[1], failure to come into immediate compliance creates exposure to stiff civil and criminal penalties.
Background
The DSP essentially establishes export control restrictions that prevent foreign adversaries, and those subject to those adversaries’ control and direction, from accessing U.S. government-related data and bulk U.S. sensitive personal data.
The DSP was issued under the International Emergency Economic Powers Act (IEEPA) and in accordance with Executive Order 14117, related to Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.[2] Although the effective date for the program was April 8, 2025, the DOJ’s National Security Division (NSD) announced a delay in enforcement efforts for 90 days to allow additional time for U.S. individuals and companies to implement the necessary changes to comply and engage with NSD on DSP-related issues.
Now that the grace period has ended, individuals and entities are expected to be in full compliance, and the NSD may begin to pursue enforcement of potential violations. The DSP is meant to address the continued efforts of foreign adversaries to use commercial activities to access, exploit, and weaponize covered categories of U.S. government and sensitive personal data. As the program is in line with various Trump Administration priorities, U.S. companies should anticipate aggressive enforcement and ensure they are compliant.[3]
Covered Countries and Persons
The DSP restricts and prohibits U.S. persons and entities from engaging in certain transactions surrounding U.S. government data and the personal data of Americans with “countries of concern” or “covered persons.”
On April 11, 2025, the NSD issued a compliance guide related to the DSP, which identified each of the following countries as a “country of concern”:
- China (including Hong Kong and Macau)
- Cuba
- Iran
- North Korea
- Russia
- Venezuela
These countries were identified as demonstrating an intent and capability to use government-related data and Americans’ sensitive personal data to threaten U.S. national security through various specified means.[4]
“Covered persons” are described in the Final Rule as (1) foreign entities headquartered in or organized under the laws of a country of concern or majority owned by one or more countries of concern or other covered persons, (2) foreign entities that are majority owned by a country of concern or another covered person, (3) foreign individuals who are employees or contractors of a country of concern or covered person, (4) foreign individuals who are primarily resident in a country of concern, and (5) those persons the NSD designates and publicly identifies.[5] As it pertains to subcategory (5), the NSD will designate and add persons to a published Covered Persons list following a determination that such persons meet certain criteria, such as being subject to the ownership and control of a country of concern.[6]
Covered and Exempt Data Transactions
In determining whether the requirements of the DSP apply to a particular U.S. person or entity, it is essential to understand the type of data at issue and the transactions covered by the program. If a company handles data covered under the program, it will be restricted or even prohibited from transferring such information in certain circumstances.
Covered Transactions: Any transaction that involves access by one of the countries of concern or covered persons to any government-related data or bulk U.S. sensitive personal data is subject to DSP restrictions. To be a “covered transaction,” the transaction must also involve (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement.[7]
“Government-related Data”: Certain geolocation data related to government activities,[8] and any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors of the United States Government, such as a U.S. company that advertises the sale of a set of sensitive personal data as belonging to “government employees.”[9]
“Bulk U.S. Sensitive Personal Data”: A collection or set of sensitive personal data relating to U.S. persons, in any format.[10] “Sensitive personal data” includes (1) covered personal identifiers, (2) precise geolocation data, (3) biometric identifiers, (4) human genomic data, (5) personal health data, and (6) personal financial data, or any combination thereof.[11]
Under the DSP, there are two general categories of covered transactions: 1) Prohibited Transactions and 2) Restricted Transactions.
Prohibited Transactions: Generally, these are data brokerage transactions with a country of concern or covered person, as well as transactions that involve access by a country of concern or covered person to certain bulk U.S. sensitive data; subject to certain exemptions, any U.S. person is prohibited from engaging in such a covered transaction.[12]
Restricted Transactions: Generally, these are data transactions under vendor agreements, employment agreements, or investment agreements; subject to certain exemptions, they are restricted unless the U.S. person complies with specific security requirements.[13]
Exempt Transactions: Several transactions are exempt from the otherwise applicable prohibitions and restrictions. Such exemptions include but are not limited to:
- Information or informational materials;
- Financial services;
- Corporate group transactions (ordinarily incident to and part of administrative or ancillary business operations);
- Transactions required or authorized by federal law or international agreements;
- Investment agreements subject to a CFIUS action;
- Telecommunications services;
- Drug, biological product, and medical device authorizations; and
- Other clinical investigations and post-market surveillance data (ordinarily incident to and part of clinical investigations regulated by the U.S. Food and Drug Administration or the collection and processing of certain clinical care data or post-marketing surveillance data).[14]
Licenses
The DOJ, through the NSD, may issue either general or specific licenses to engage in a covered data transaction that would otherwise violate the DSP. A general license authorizes a particular type of transaction that is otherwise subject to prohibitions or restrictions, without the need to apply for a specific license.[15] A specific license is a document issued by the NSD to a particular person or entity, authorizing a particular transaction.[16]
DOJ Implementation & Enforcement
The DSP is administered and enforced by the Foreign Investment Review Section (FIRS) of the NSD, which is responsible for the DOJ’s non-prosecutorial efforts to address and manage national security risks to cross-border transactions, business, and technology that are posed by threats such as foreign adversaries. The FIRS also may handle requests for advisory opinions submitted by potentially regulated parties regarding the application of the DSP to specific transactions, which is a mechanism embedded within the Final Rule pertaining to the DSP.[17]
Any civil or criminal prosecutions related to violations of the DSP likely will be handled by the NSD or will be referred to the appropriate U.S. attorney’s office. U.S. companies should expect enforcement under the DSP to largely mirror traditional export control or sanctions violations actions. Both the DSP and U.S. economic sanctions regimes derive their authority from the IEEPA. Civil and criminal liability under the IEEPA can be significant, with civil penalties of up to the greater of $386,136, or twice the value of each violative transaction, and criminal penalties of up to 20 years in prison, a $1,000,000 fine, or both.[18] As such, U.S. persons or companies whose activities may fall within the ambit of the DSP should engage with counsel early and often to ensure appropriate compliance and reporting requirements are met.
Key Takeaways and Recommendations
U.S. persons and companies that have not already begun planning for full implementation of the DSP should come into compliance immediately. Such impacted companies may include:
- Cloud service providers
- Virtual service providers
- Data processing centers
- Medical device manufacturers
- Academic institutions
- Data analytics firms and consultants
- Government contractors in the defense or health care sectors
As with export control compliance measures, these U.S. persons and entities should engage counsel experienced in this area to undertake the following:
- Conduct internal reviews and audits to identify potential access to covered data or transactions involving the flow of such data to covered countries or persons.
- Implement policies, procedures, and trainings addressing data security and the transfer of, or access to, any U.S. government-related data or bulk U.S. sensitive personal data.
- Determine the applicability of any general licenses or the need to apply for specific licenses for any prohibited or restricted transactions.
- Implement a compliance program to track transactions, perform regular due diligence, and maintain accurate records.
- Engage counsel to draft or revise vendor contracts as necessary, conduct due diligence, and interface with government agencies such as the DOJ when necessary.
- Adjust employee work locations, roles, or responsibilities depending on proximity or exposure to countries of concern or covered persons.
- Implement the Cybersecurity and Infrastructure Security Agency (CISA) Security Requirements.
Taking these measures will assist U.S. companies and persons in adequately preparing for the enforcement actions that are likely to come.
Affected companies and persons should also take note of October 6, 2025. Starting on that date, entities and individuals must comply with due diligence and audit requirements for restricted transactions, and reporting requirements for restricted transactions and rejected prohibited transactions.
Footnotes
[1] “DATA SECURITY PROGRAM: IMPLEMENTATION AND ENFORCEMENT POLICY THROUGH JULY 8, 2025,” Department of Justice (April 11, 2025), https://www.justice.gov/opa/media/1396346/dl?inline
[2] See 50 U.S.C. § 1705; see also Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (February 28, 2024), https://www.federalregister.gov/documents/2024/03/01/2024-04573/preventing-access-to-americans-bulk-sensitive-personal-data-and-united-states-government-related
[3] The White House, “America First Investment Policy,” (February 21, 2025), https://www.whitehouse.gov/presidential-actions/2025/02/america-first-investment-policy/; The White House, “Fact Sheet: President Donald J. Trump Restores Maximum Pressure on Iran,” (February 4, 2025), https://www.whitehouse.gov/fact-sheets/2025/02/fact-sheet-president-donald-j-trump-restores-maximum-pressure-on-iran/
[4] “DATA SECURITY PROGRAM: COMPLIANCE GUIDE,” Department of Justice (April 11, 2025), https://www.justice.gov/opa/media/1396356/dl
[5] See §§ 202.211(a)(1)-(5)
[6] See § 202.701
[7] See §§ 202.214, 202.258, 202.217, & 202.228
[8] See § 202.222(a)(1)
[9] See § 202.222(b)
[10] See § 202.206
[11] See § 202.249
[12] See §§ 202.301-303
[13] See § 202.401
[14] See §§ 202.501-511
[15] See § 202.801
[16] See § 202.802
[17] See § 202.901
[18] See § 202.1301; see also 50 U.S.C. § 1705