UPDATE: DOJ Issues Bulk Sensitive Data Rule Guidance, Requirements Go into Effect: What Companies Need to Know

Orrick, Herrington & Sutcliffe LLP

On April 11, 2025, the Department of Justice’s (DOJ) National Security Division (NSD) released an Implementation and Enforcement Policy, a Compliance Guide, and a list of over 100 Frequently Asked Questions (FAQs) to help individuals and organizations understand and comply with its rule on “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” which largely came into effect on April 8. The DOJ has termed the framework created by the rule the “Data Security Program” (DSP).

We outline below the key things companies need to know. For more information about the requirements of the rule, please see our previous article: U.S. Data Localization Law Coming Soon: DOJ Issues Final Rule on Certain Data Transfers to “Countries of Concern”.

Key Takeaways for Companies

1. The new administration will likely enforce the DSP. At a time when many of the previous administration’s policies and programs are in question, the significant steps the DOJ has taken to implement this program demonstrate that the DSP aligns with this administration’s foreign policy goals and that the administration is committed to enforcing it.

2. There is a grace period for compliance – to an extent. Although most of the DSP took effect on April 8, 2025, the DOJ will not prioritize civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025, so long as the person is engaging in good-faith efforts to comply with or come into compliance with the DSP during that time. The Implementation and Enforcement Policy outlines examples of how companies can demonstrate good-faith effort, including:

a. Internal reviews of potential data brokerage transactions;
b. Negotiating onward transfer provisions in vendor and agreements;
c. Relocating employees or vendor support services; and
d. Implementing the CISA security requirements.

3. Enforcement will likely begin July 9, 2025. After the 90-day grace period, the DOJ’s position is that individuals and entities should be in full compliance with the effective provisions of the DSP (excluding provisions that become effective on October 6, 2025) and should expect NSD to pursue appropriate enforcement of any violations.

4. The DSP may cover more transactions than companies expect. The Compliance Guide indicates that the DOJ will interpret the rule broadly, potentially including activities not normally thought of as “data brokerage,” such as U.S. companies knowingly using ads with tracking technology on their websites or apps.

5. DOJ will require due diligence. According to the Compliance Guide, failure to conduct adequate due diligence could constitute an evasion of the regulations. Further, the FAQs suggest the DSP may require due diligence to determine if companies are engaging in a covered data transaction with a covered person, and to monitor compliance with contractual restrictions imposed on third parties. However, the DSP will not require companies to ascertain the extent to which an entity or individual is subject to the influence or control of a country of concern or covered person (e.g., by reviewing employment, board, or investor practices of foreign persons to determine whether their employees, directors or investors qualify as covered persons), as control or influence is not relevant to the definition of covered persons.

6. Companies should consider implementing training programs. Although the DSP does not explicitly require it, the DOJ recommends that U.S. companies conducting restricted transactions consider providing periodic—ideally, at least annual—training on their DSP compliance programs and the CISA security requirements.

What Steps Should Companies Take?

  • Review Existing Data Transactions. Companies should immediately review their data handling practices and data inventories or maps to identify any transactions that may fall within the DSP’s scope, taking particular note of transactions where the new guidance suggests the DOJ may interpret the DSP broadly.
  • Implement Compliance Measures. Begin implementing compliance measures, such as internal audits, vendor agreement reviews, template contract updates, and security enhancements, to align with the DSP’s requirements now—even with the DOJ delaying enforcement for 90 days. Implementing these measures now demonstrates that a company is making good-faith compliance efforts. Consider leveraging existing compliance controls for conducting diligence, including anti-money laundering and know-your-customer processes and sanctions compliance controls.
  • Engage with Legal Counsel. We strongly recommend consulting with legal experts familiar with the DSP’s complicated requirements to assist with compliance ahead of the DOJ’s anticipated enforcement date.
  • Stay Informed. NSD has requested further informal inquiries about the DSP and this guidance. We anticipate that the DOJ will continue to provide updated guidance, including by adding to the FAQs, in the coming months. We recommend companies monitor the DOJ’s website and other resources for further guidance. Additionally, the DOJ will update the covered persons list periodically, including through publication in the Federal Register.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.
