Navigating the New DOJ Data Security Program Compliance
Tuesday, April 15, 2025

On January 8, 2025, the U.S. Department of Justice (“DOJ”) issued its final rule to implement Executive Order 14117 aimed at preventing access to Americans' bulk sensitive personal data and government-related data by countries of concern, including China, Cuba, Iran, North Korea, Russia, and Venezuela (the “Data Security Program” or “DSP”). The DSP sets forth prohibitions and restrictions on certain data transactions that pose national security risks. The regulations took effect on April 8, 2025, with additional compliance requirements for U.S. persons taking effect by October 6, 2025.

On April 11, 2025, the DOJ issued a compliance guide, along with a list of Frequently Asked Questions (FAQs) to assist entities with understanding and implementing the DSP. The DOJ also announced a 90-day limited enforcement period from April 8 to July 8, 2025, focusing on facilitating compliance rather than enforcement, provided that entities are making good faith efforts as outlined in the 90-day policy.

By July 8, 2025, entities must be fully compliant with the DSP, as the DOJ will begin enforcing the provisions more rigorously. By October 6, 2025, compliance with all aspects of the DSP, including due diligence, audit requirements, and specific reporting obligations, will be mandatory.

SCOPE OF THE DSP

The DSP applies to U.S. persons and entities engaging in transactions that provide access to Covered Data to Countries of Concern or Covered Persons.

Countries of Concern: The DSP has initially listed China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela as countries of concern. The Attorney General, along with the Secretary of State and the Secretary of Commerce, may amend such countries based on guidelines in the DSP.

Covered Persons: The DSP defines Covered Persons as entities or individuals associated with a Country of Concern, including those that are substantially owned by, organized under the laws of, or primarily operating within such a country, as follows:

  • An entity that is 50% or more owned by a Country of Concern
  • An entity that is organized or chartered under the laws of a Country of Concern
  • An entity that has its primary place of business in a Country of Concern
  • An entity that is 50% or more owned by a Covered Person
  • A foreign person, as an individual, who is an employee or contractor of a Country of Concern or of an entity that is itself a Covered Person
  • A foreign person, as an individual, who is primarily resident in the territorial jurisdiction of a Country of Concern
  • Any entity or individual that the Attorney General designates as a Covered Person under the broad discretion set forth in the DSP

Covered Data: The DSP regulates transactions involving two primary categories of data: U.S. sensitive personal data and U.S. government-related data.

U.S. Sensitive Personal Data – the following categories of data, where the collection meets the “bulk” thresholds described below:

  • Human 'omic Data: This includes human genomic, epigenomic, proteomic, and transcriptomic data. 
  • Biometric Identifiers: These are measurable physical characteristics or behaviors used to recognize or verify an individual's identity, such as facial images, voice prints, retina scans, and fingerprints. 
  • Precise Geolocation Data: This identifies the physical location of an individual or device to within 1,000 meters. 
  • Personal Health Data: This includes data that indicates, reveals, or describes an individual's physical or mental health condition, healthcare provision, or payment for healthcare. 
  • Personal Financial Data: This includes data about an individual's financial accounts, transactions, and credit history. 
  • Covered Personal Identifiers: These are combinations of listed identifiers, such as government ID numbers, financial account numbers, device identifiers, demographic or contact data, advertising identifiers, account authentication data, network-based identifiers, and call-detail data.

Bulk Thresholds – The “bulk” threshold is measured against a collection or set of U.S. Sensitive Personal Data, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, aggregated over any 12-month period, whether the data moves in a single transfer or across multiple transfers. The thresholds by category are:

  • More than 100 U.S. persons: human genomic data
  • More than 1,000 U.S. persons (or more than 1,000 U.S. devices, in the case of precise geolocation data): biometric identifiers; human ‘omic data other than human genomic data; precise geolocation data
  • More than 10,000 U.S. persons: personal health data; personal financial data
  • More than 100,000 U.S. persons: covered personal identifiers

A dataset that combines several of these categories is “bulk” once it exceeds the lowest threshold applicable to any category it contains.
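Because the threshold is counted over a rolling 12-month period across all transfers rather than per transfer, an inventory check has to deduplicate subjects across transfers and evaluate every 12-month window, not just the latest batch. The following is an added illustration of that aggregation, not code from the DOJ or from the original article; the transfer-record schema (date, category, set of stable pseudonymous subject IDs) and the sample transfers are constructed for the example, and the threshold figures are those listed above.

```python
from collections import defaultdict
from datetime import date, timedelta

# Bulk thresholds from the DSP: "more than N" U.S. persons, except precise
# geolocation data, which is counted in U.S. devices.
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "human_omic_other": 1_000,
    "biometric": 1_000,
    "precise_geolocation": 1_000,   # U.S. devices, not persons
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_personal_identifiers": 100_000,
}

WINDOW = timedelta(days=365)  # assumed approximation of "12-month period"


def aggregate_windows(transfers):
    """For each category, the largest number of distinct subjects seen in any
    trailing 12-month window that ends on one of that category's transfer dates.

    Each transfer is a dict with "date" (datetime.date), "category" (a key of
    BULK_THRESHOLDS) and "subjects" (a set of stable pseudonymous IDs).  Subjects
    are deduplicated across transfers, so re-sending the same people does not
    inflate the count, while new people in later transfers do.
    Returns {category: (distinct_count, window_end_date)}.
    """
    by_cat = defaultdict(list)
    for t in transfers:
        by_cat[t["category"]].append(t)

    result = {}
    for cat, items in by_cat.items():
        items.sort(key=lambda t: t["date"])
        best = (0, None)
        for i, end in enumerate(items):
            window_start = end["date"] - WINDOW
            subjects = set()
            # Every transfer in (window_start, end_date] counts toward this window.
            for t in items[: i + 1]:
                if t["date"] > window_start:
                    subjects |= t["subjects"]
            if len(subjects) > best[0]:
                best = (len(subjects), end["date"])
        result[cat] = best
    return result


def bulk_categories(transfers):
    """Categories for which some 12-month window exceeds the bulk threshold."""
    return {
        cat: hit
        for cat, hit in aggregate_windows(transfers).items()
        if hit[0] > BULK_THRESHOLDS[cat]
    }


def combined_threshold(categories):
    """Threshold for a dataset mixing several categories: the lowest one present."""
    return min(BULK_THRESHOLDS[c] for c in categories)


def _ids(prefix, start, n):
    """Constructed pseudonymous IDs for the sample data."""
    return {f"{prefix}{i}" for i in range(start, start + n)}


# Constructed sample transfers to one recipient (not real data).
SAMPLE_TRANSFERS = [
    # 700 devices, then 700 more of which 200 overlap: 1,200 distinct within 12 months.
    {"date": date(2024, 3, 1), "category": "precise_geolocation", "subjects": _ids("dev", 0, 700)},
    {"date": date(2025, 1, 15), "category": "precise_geolocation", "subjects": _ids("dev", 500, 700)},
    # By this date the March 2024 batch has aged out of the window.
    {"date": date(2025, 5, 1), "category": "precise_geolocation", "subjects": _ids("dev", 1100, 300)},
    # Two health batches of 6,000 with 3,000 overlap: 9,000 distinct, under 10,000.
    {"date": date(2025, 2, 1), "category": "personal_health", "subjects": _ids("p", 0, 6000)},
    {"date": date(2025, 4, 1), "category": "personal_health", "subjects": _ids("p", 3000, 6000)},
]

if __name__ == "__main__":
    for cat, (count, when) in aggregate_windows(SAMPLE_TRANSFERS).items():
        print(f"{cat}: peak {count} distinct subjects in window ending {when}")
    print("bulk:", bulk_categories(SAMPLE_TRANSFERS))
```

The point the sample makes is that neither geolocation transfer alone reaches 1,000 devices, but the two within the same 12 months do, while two health batches that look large individually stay under 10,000 once the overlap is removed. In a real inventory the stable subject IDs would have to survive the pseudonymization or encryption applied to the data, since the DSP counts those records regardless of such treatment.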

U.S. Government-Related Data – The DSP applies to the following categories of government related data:

  • Precise Geolocation Data: For locations designated by the Attorney General as posing a heightened risk of exploitation by a country of concern.
  • Sensitive Personal Data Linked to Government Employees: Data marketed as linked or linkable to current or former U.S. government employees or officials, including military and intelligence personnel.

COVERED TRANSACTIONS

Transactions are categorized as Prohibited, Restricted, or Exempt and receive varying degrees of restrictions.

Prohibited Transactions: Fully banned transactions include:

  • Data Brokerage: The sale, licensing, or similar commercial transactions involving the transfer of data from a provider to a recipient who did not collect or process the data directly is prohibited. 
  • Human 'Omic Data: Transactions involving access to bulk human 'omic data (genomic, epigenomic, proteomic, and transcriptomic data) or human biospecimens from which such data could be derived are prohibited.

Restricted Transactions: Subject to the exemptions below, the following types of agreements are permitted under the DSP only if the stringent security and compliance requirements are met:

  • Vendor Agreements: Agreements where a person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration. These transactions must comply with security requirements to prevent unauthorized access to covered data.
  • Employment Agreements: Agreements where an individual performs work directly for a person in exchange for payment or other consideration. This includes board service and executive-level arrangements.
  • Investment Agreements: Agreements where a person gains direct or indirect ownership of a U.S. legal entity or real estate. Passive investments, such as publicly traded securities, are excluded. These transactions must adhere to security measures and due diligence requirements.

Exempt Transactions: categories exempt from regulation under the DSP include:

  • Personal communications
  • Information or informational materials
  • Travel
  • Official business of the U.S. Government
  • Financial services
  • Corporate group transactions
  • Transactions required or authorized by U.S. federal law or international agreements, or necessary for compliance with federal law
  • Investment agreements subject to CFIUS action
  • Telecommunications services
  • Drug, biological product and medical authorizations
  • Other clinical investigations and post-marketing surveillance data

90-DAY LIMITED ENFORCEMENT PERIOD AND “GOOD FAITH EFFORTS” TO COMPLY

During the DOJ’s 90-day limited enforcement period from April 8 to July 8, 2025, the DOJ will focus on facilitating compliance rather than prioritizing enforcement actions, provided entities are making good faith efforts to comply. Good faith efforts include compliance activities described in this first 90-day policy, including:

  1. Conducting internal reviews of sensitive data access.
  2. Reviewing datasets for DSP applicability.
  3. Renegotiating vendor agreements.
  4. Transferring products to new vendors.
  5. Conducting due diligence on new vendors.
  6. Negotiating transfer provisions with foreign counterparts.
  7. Adjusting employee roles or locations.
  8. Evaluating investments from countries of concern.
  9. Renegotiating investment agreements.
  10. Implementing CISA Security Requirements.

LIABILITY

Violations of the DSP can lead to significant civil and/or criminal penalties. Civil penalties can reach the greater of $377,700 (adjusted for inflation) or twice the value of the transaction. Intentional or willful violations can result in criminal fines of up to $1,000,000, imprisonment for up to 20 years, or both.

COMPLIANCE TIMELINE

  • April 8, 2025: DSP regulations take effect.
  • July 8, 2025: Full compliance with DSP required.
  • October 6, 2025: Compliance with all DSP aspects, including audits and reporting, as may be required.

ACTIONABLE ITEMS

Companies should complete the following: 

  1. Assess Data Holdings: Conduct thorough audits to identify sensitive personal data and government-related data and determine if it meets the DSP’s bulk thresholds (this includes information collected and transferred via online tracking technologies).
  2. Review and Update Contracts: Amend contracts to cease prohibited transactions and ensure compliance with restricted transaction terms. This includes including provisions prohibiting unauthorized data brokerage.
  3. Develop Compliance Programs for Restricted Transactions: Establish a comprehensive data compliance program by October 6, 2025.
  4. Implement Security Measures: Apply organizational, system, and data-level security measures, using technologies like data minimization, encryption, masking, and privacy-enhancing technologies.
  5. Conduct Annual Audits: Perform annual audits to assess DSP compliance, in line with the DSP requirements, and retain them for at least 10 years.
  6. Prepare for Annual Reporting: Ensure records are being generated so that annual reports can be submitted on time; this applies to entities engaged in restricted transactions involving cloud-computing services where 25% or more of the entity's equity is owned, directly or indirectly, by a country of concern or a covered person.
  7. Monitor Transactions: Regularly monitor data transactions, and report to the DOJ within 14 days any offer to engage in a prohibited data brokerage transaction that the company received and rejected.
  8. Train Employees: Implement training programs to ensure understanding and compliance with DSP regulations.

CONCLUSION

The DSP signifies a significant effort to protect U.S. sensitive personal and government-related data from foreign threats. Compliance is a legal necessity and a strategic measure to safeguard business operations and reputation. By understanding the DSP's scope and implementing the steps outlined in this alert, businesses can ensure they are well-prepared to meet compliance requirements.
