
The U.S. Department of Justice (DOJ) issued a final rule implementing Executive Order 14117 (“Data Security Program” or “DSP”). As detailed in our previous advisory, the DOJ DSP prohibits or restricts access to U.S. sensitive personal data and government data by covered persons and countries of concern. The rule establishing the Data Security Program took effect on April 11, 2025 (except for specific provisions that are effective October 6, 2025; see below). However, DOJ published a release with a statement on its Data Security Program implementation and enforcement policy through July 8, 2025, advising that the Department will target its enforcement efforts during this period to allow additional time to implement changes required by the DSP.

The DOJ stated that it “will not prioritize civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025 so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time.” During this initial enforcement period, the DOJ “will pursue penalties and other enforcement actions as appropriate for egregious, willful violations.” After July 8, 2025, DOJ expects companies to be fully compliant with all requirements of the DSP that became effective on April 11. The DOJ’s enforcement policy through July 8 does not impact sections of the DSP that become effective on October 6, 2025, such as due diligence, audit, reporting and recordkeeping requirements. The DOJ stated that those requirements will be enforced as of the October 6 effective date.

Which Companies Need to Take Action Now?  

Companies that collect or process bulk U.S. sensitive personal data.

The Data Security Program defines sensitive data broadly to include genomic data, biometric identifiers, geolocation data, health data, financial data, personal identifiers and combinations of those data types.  Personal identifiers are similarly broadly defined by the DSP and datasets require a relatively low quantity of data subjects to qualify as bulk data.  (See our previous advisory for more information on how the DSP defines bulk U.S. sensitive personal data.)  If your company collects or processes bulk U.S. sensitive personal data, it is important to review whether any countries of concern or covered persons have access to that data under a covered transaction.   

Companies that have transactions with countries of concern or covered persons.

Companies that do business with countries of concern or covered persons should review transactions to understand whether they are covered data transactions subject to the DSP.  Countries of concern are China, Russia, Iran, North Korea, Cuba, and Venezuela.  Covered persons include entities owned by countries of concern or other covered persons, as well as individuals who are employees or contractors of those entities or who reside in a country of concern.  Covered data transactions include data brokerage transactions, as well as vendor, employment, or investment agreements involving access to bulk U.S. sensitive personal data.  If your company is involved in data transactions with countries of concern or covered persons, it is important to consider whether any such transactions are subject to the DSP prior to the DOJ’s July 8, 2025 enforcement date.

Companies involved in data brokerage transactions.

Under the DOJ’s Data Security Program, data brokerage is defined broadly to mean, “the sale of data, licensing of access to data, or similar commercial transactions … where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.”  The DSP prohibits data brokerage involving bulk U.S. sensitive personal and government data with a covered person or country of concern unless the transaction is exempt or a license for the transaction is issued by DOJ.  Companies involved in data brokerage transactions as defined by the DSP must review transactions involving bulk U.S. sensitive personal data to identify whether covered persons or countries of concern are involved.  If so, the data brokerage company must identify an available exemption (e.g., the DSP exemption for data transactions that, “are ordinarily incident to and part of the provision of telecommunications services”) or file for a DOJ license to proceed with the transaction.

Companies that have transactions with foreign persons involving bulk U.S. sensitive personal data.

Under the DOJ’s Data Security Program, a foreign person is anyone who is not a U.S. person. A U.S. person is a U.S. citizen or legal resident, a person in the U.S., or any entity organized solely under the laws of the U.S. or a jurisdiction within the U.S. (including foreign branches). The DSP includes specific provisions covering certain covered data transactions with foreign persons (i.e., non-U.S. persons). For any data brokerage transaction with a foreign person, the DSP requires, among other things, that the foreign person be contractually barred from providing access to bulk U.S. sensitive personal data to a covered person or country of concern in a subsequent covered data transaction. Companies that are involved in transactions with foreign persons involving bulk U.S. sensitive personal data must consider whether contract provisions prohibiting the onward transfer of covered data are required and whether other DSP requirements for transactions with foreign persons apply.

Immediate Steps for Clients

  • Conduct a Data Risk Assessment: Identify and map all data flows involving sensitive data types and third-party access.
  • Review Vendor and Client Agreements: Ensure that contractual terms prevent unauthorized access to covered data by countries of concern and covered persons.
  • Implement Compliance Programs: Develop data security protocols and train employees regarding the DOJ’s Data Security Program.

 

The CommLaw Group Can Help

If your company needs help navigating the new DOJ Data Security Program, our team is here to guide you. 

Contact:

Brian Alexander – bal@commlawgroup.com
