On January 8, 2025, the U.S. Department of Justice (DOJ) issued its final rule to implement Executive Order 14117 aimed at preventing access to Americans' bulk sensitive personal data and government-related data by countries of concern, including China, Cuba, Iran, North Korea, Russia, and Venezuela (Data Security Program or DSP). The regulations took effect on April 8, 2025, with additional compliance requirements for U.S. persons taking effect by October 6, 2025.

While the DSP includes an exemption for “telecommunications services” (as specifically defined in the rule), telecommunications providers must closely review their services involving data transactions with countries of concern or covered persons associated with those countries to ensure the particular service provided or transaction falls within the exemption. Non-compliance with the DSP can result in significant civil and criminal penalties, underscoring the importance for telecommunications providers to thoroughly understand and adhere to these rules, where applicable.

Scope and Applicability

The DSP sets forth prohibitions and restrictions on certain data transactions that pose national security risks. The rules are designed to be national security regulations to address identified risks to U.S. national security, rather than privacy regulations designed to protect privacy or other individual interests.

The DSP applies to U.S. persons and entities engaging in transactions that provide access to Covered Data to Countries of Concern or Covered Persons associated with those countries in specified ways. Countries of Concern currently include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela, but this list is subject to future change. The DSP defines Covered Persons as entities or individuals associated with a Country of Concern, based on the following criteria:

• An entity that is 50% or more owned by a Country of Concern
• An entity that is organized or chartered under the laws of a Country of Concern
• An entity that has its primary place of business in a Country of Concern
• An entity that is 50% or more owned by a Covered Person
• A foreign person, as an individual, who is an employee or contractor of a Country of Concern 
• A foreign person, as an individual, who is primarily a resident in the territorial jurisdiction of a country of concern
• Any entity or individual that the Attorney General designates as a Covered Person subject to broad discretion set forth in the DSP

Covered Data involves two primary categories of data: U.S. sensitive personal data and U.S. government-related data. At a high level, the new rules prohibit, restrict, or exempt certain data transactions involving Covered Data that could give countries of concern or Covered Persons access to such data, and are triggered by bulk data transfers, which can include individual transfers that over time trigger specified volume thresholds. The rules also include specified record keeping and reporting requirements, as well as a process for obtaining approval of otherwise prohibited transfers. The rules also include enforcement mechanisms with the potential for civil and criminal penalties for non-compliance.

On April 11, 2025, DOJ issued a compliance guide, along with a list of Frequently Asked Questions (FAQs) to assist entities with understanding and implementing the DSP. DOJ also announced a 90-day limited enforcement period from April 8 to July 8, 2025, focusing on facilitating compliance rather than enforcement, provided that entities are making good faith efforts as outlined in the 90-day policy.
By July 8, 2025, entities must be fully compliant with the DSP, as the DOJ will begin enforcing the provisions more rigorously. By October 6, 2025, compliance with all aspects of the DSP, including due diligence, audit requirements, and specific reporting obligations, will be mandatory.

For a more detailed discussion of the persons and transactions covered under the DSP and its applicability, including definitions, see our recent alert on Navigating the New DOJ Data Security Program Compliance.

Telecommunications Services Exemption

Of note for telecommunications providers is that the DSP, Rule Section 202.509, includes a “telecommunications services” exemption. This exemption for telecommunications services states that the DSP rules: “…do not apply to data transactions, other than those involving data brokerage, to the extent that they are ordinarily incident to and part of the provision of telecommunications services,” as that term is defined under the rule. Specifically, Rule Section 202.252, the new DOJ rule definition of “telecommunications service” means:

the provision of voice and data communications services regardless of format or mode of delivery, including communications services delivered over cable, Internet Protocol, wireless, fiber, or other transmission mechanisms, as well as arrangements for network interconnection, transport, messaging, routing, or international voice, text, and data roaming.¹

Of note, this exemption specifically applies to activities directly related to the technical and operational aspects of delivering telecommunications services and does not extend to ancillary services like marketing or data analytics. The Department also declined to expand the exemption to include data transactions related to IP addresses or cybersecurity services.

Importantly, the DOJ made clear the definition of telecommunications services for purposes of the DSP is unique to the DSP and is without reference to the definition in Section 153(53) of the Communications Act. The import of this is that the definition is apparently without reference to whether the service is a common carrier offering.

Examples of Exempt and Non-Exempt Transactions

Rule Section 202.509 provides examples of bulk data transfers incident to telecommunications services that fall within the exemption, and an example of a bulk data transfer by a telecommunications service provider that falls outside the exemption:

(1) Example 1. A U.S. telecommunications service provider collects covered personal identifiers from its U.S. subscribers. Some of those subscribers travel to a country of concern and use their mobile phone service under an international roaming agreement. The local telecommunications service provider in the country of concern shares these covered personal identifiers with the U.S. service provider for the purposes of either helping provision service to the U.S. subscriber or receiving payment for the U.S. subscriber's use of the country of concern service provider's network under that international roaming agreement. The U.S. service provider provides the country of concern service provider with network or device information for the purpose of provisioning services and obtaining payment for its subscribers' use of the local telecommunications service provider's network. Over the course of 12 months, the volume of network or device information shared by the U.S. service provider with the country of concern service provider for the purpose of provisioning services exceeds the applicable bulk threshold. These transfers of bulk U.S. sensitive personal data are ordinarily incident to and part of the provision of telecommunications services and are thus exempt transactions.

This example illustrates where the data sharing is integral to the core function of providing telecommunications services and facilitating international roaming, aligning with the exemption criteria.

(2) Example 2. A U.S. telecommunications service provider collects precise geolocation data on its U.S. subscribers. The U.S. telecommunications service provider sells this precise geolocation data in bulk to a covered person for the purpose of targeted advertising. This sale is not ordinarily incident to and part of the provision of telecommunications services and remains a prohibited transaction.

Here, the sale of geolocation data for advertising purposes is not directly related to the telecommunications service itself, placing it outside the scope of the exemption.

(3) Example 7. A U.S. company owns or operates a submarine telecommunications cable with one landing point in a foreign country that is not a country of concern and one landing point in a country of concern. The U.S. company leases capacity on the cable to U.S. customers that transmit bulk U.S. sensitive personal data to the landing point in the country of concern, including transmissions as part of prohibited transactions. The U.S. company's ownership or operation of the cable does not constitute knowingly directing a prohibited transaction, and its ownership or operation of the cable would not be prohibited (although the U.S. customers' covered data transactions would be prohibited). See 28 CFR § 202.305.

This example illustrates that while the infrastructure operation itself is not a prohibited transaction, the data transfers by customers using the international submarine cable are prohibited if they involve countries of concern. This would likely be a direct issue for the underlying customer rather than the telecommunications service provider, though providers might still consider whether it would make sense to ensure that their customer agreements include provisions insulating them from any potential exposure from such customer non-compliance.

The examples above focus on whether a particular bulk data transfer is “ordinarily incident to and part of the provision of” an exempt telecommunications service. So, for example, arrangements outside the actual provision of the service, such as the sale or sharing of customer data for marketing purposes or with application providers, would appear to be outside the scope of the exemption.

As one example, a number of major mobile carriers had location-based service programs, which were the subject of a series of FCC enforcement actions, that facilitated, through third party “location aggregators”, the sharing of user location data with application providers to enable location-based services.² Example No. 2, above, would suggest that this type of service would not be “ordinarily incident to and part of the provision of” a carrier’s mobile data services (the telecommunications service under the DSP definition) and hence outside the exemption.

Challenges and Considerations

The harder question, however, and one that will undoubtedly be initially vexing for providers without further clarification from DOJ, is the actual scope of the “telecommunications services” definition in the rule. This is particularly true for integrated offerings by providers that clearly include telecommunications services, but also include integrated components which include bulk transfers, that standing alone might be outside the scope of the telecommunications services definition. Of significance, in adopting this definition, the DOJ stated that the definition is limited to the listed telecommunications services and does not reach services like cloud computing.

The recently issued FAQs also reinforce this point, stating the definition is “limited to communications services and does not include all internet-based services like cloud computing.” See Question 77. This begs the question of an offering by a telecommunications services provider that includes both cloud computing and associated transport services. Similarly, the provision of integrated applications offered by telecommunications services providers in conjunction with their telecommunications service offerings, would raise similar questions, particularly, as noted above, in connection with Example No. 2.

Providers should note that any data transaction not essential to the core function of telecommunications—such as partnerships involving user data for non-service-related purposes—may fall outside the exemption. Providers must differentiate between core telecommunications functions and ancillary services, ensuring that services like data analytics or marketing, which are not ordinarily incident to the core telecommunications services, are carefully evaluated for compliance.

Implications of Limitation to Telecommunications Service Exemption

While DOJ’s final rule appears to provide three straightforward examples, the issues arise about integrated service offerings such as telecommunications services that include a cloud computing or a data center component. While the telecommunications service aspect appears to be exempt, the data storage or cloud computing aspect would not be, at least if offered on a standalone basis. The same may be true for integrated application offerings in connection with application providers, most obviously, under Example No. 2 in connection with sharing location data. This necessitates a thorough review of service offerings, particularly those bundled with non-telecommunications services like cloud computing, data center services, and applications, to determine compliance with DSP regulations. Accordingly, telecommunications providers must closely examine the integrated services they provide, along with their data sharing arrangements with third parties, to determine whether the transaction may trigger prohibited or restricted data transactions involving countries of concern or Covered Persons.

_{¹In adopting this definition, DOJ noted that commenters suggested that the definition of telecommunications services be expanded to include voice and data communications over the internet. DOJ agreed and instead of limiting the scope of “telecommunications services” to the definition in Communications Act, 47 U.S.C. 153(53) (which would have applied only to common carriers) the DOJ adopted its own definition of the term to cover present day communications for the purposes of the exemption. Under the Communications Act, telecommunications service means the offering of telecommunications for a fee directly to the public, or to such classes of users as to be effectively available directly to the public, regardless of the facilities used.
²See FCC Fines AT&T, Sprint, T-Mobile and Verizon Nearly $200 Million for Illegally Sharing Access to Customers’ Location Data (FCC News Release, Apr. 29, 2024); see also AT&T, File No. EB-TCD-18-00027704, Forfeiture Order at ¶¶ 8-10 (FCC 24-40, Apr. 29, 2024), vacated, AT&T v. FCC, No. 24-60223, Slip Op. at 5-6 (5th Cir. Apr. 17, 2025).}