3 minute read | May.14.2025
On April 11, 2025, the Department of Justice’s (DOJ) National Security Division (NSD) released an Implementation and Enforcement Policy, a Compliance Guide, and a list of over 100 Frequently Asked Questions (FAQs) to help individuals and organizations understand and comply with its rule on “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” which largely came into effect on April 8. The DOJ has termed the framework created by the rule, the “Data Security Program” (DSP).
We outline below the key things companies need to know. For more information about the requirements of the rule, please see our previous article: U.S. Data Localization Law Coming Soon: DOJ Issues Final Rule on Certain Data Transfers to “Countries of Concern”.
1. The new administration will likely enforce the DSP. At a time when many of the previous administration’s policies and programs are in question, the significant steps the DOJ has taken to implement this program demonstrate that the DSP aligns with this administration’s foreign policy goals and its commitment to enforcing the DSP.
2. There is a grace period for compliance – to an extent. Although most of the DSP took effect on April 8, 2025, the DOJ will not prioritize civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025, so long as the person is engaging in good-faith efforts to comply with or come into compliance with the DSP during that time. The Implementation and Enforcement Policy outlines examples of how companies can demonstrate good-faith effort, including:
a. Internal reviews of potential data brokerage transactions;
b. Negotiating onward transfer provisions in vendor and agreements;
c. Relocating employees or vendor support services; and
d. Implementing the CISA security requirements.
3. Enforcement will likely begin July 9, 2025. After the 90-day grace period, the DOJ’s position is that individuals and entities should be in full compliance with the effective provisions of the DSP (excluding provisions that become effective on October 6, 2025) and should expect NSD to pursue appropriate enforcement of any violations.
4. The DSP may cover more transactions than companies expect. The Compliance Guide indicates that the DOJ will interpret the rule broadly, potentially including activities not normally thought of as “data brokerage,” such as U.S. companies knowingly using ads with tracking technology on their websites or apps.
5. DOJ will require due diligence. According to the Compliance Guide, failure to conduct adequate due diligence could constitute an evasion of the regulations. Further, the FAQs suggest the DSP may require due diligence to determine if companies are engaging in a covered data transaction with a covered person, and to monitor compliance with contractual restrictions imposed on third parties. However, the DSP will not require companies to ascertain the extent to which an entity or individual is subject to the influence or control of a country of concern or covered person (as control/influence is not relevant to the definition of covered persons) (e.g., reviewing employment, board, or investor practices of foreign persons to determine whether their employees, directors or investors qualify as covered persons).
6. Companies should consider implementing training programs. Although the DSP does not explicitly require it, the DOJ recommends that U.S. companies conducting restricted transactions consider providing periodic—ideally, at least annual—training on their DSP compliance programs and the CISA security requirements.
We encourage any company that engages in personal or governmental data transactions, especially with countries identified as countries of concern in the DSP, to engage with counsel to stay ahead of its requirements. Our team helps companies build out and maintain robust compliance programs tailored to your organization. Please contact one of the authors (Matthew Coleman, Nicholas Farnsworth, Ben Hutten, Jeanine McGuinness, Shannon Yavorsky, Cosmas Robless) for more information.