Navigating new compliance requirements for DOJ’s Bulk Data Rule

Eversheds Sutherland (US) LLP
Introduction

While the US federal government is largely scaling back its rulemaking and compliance efforts, one critical exception is where personal data and technology intersect with national security. 

Exemplifying this trend, on April 11, the Department of Justice (DOJ) announced measures to implement its sensitive bulk data rule, which DOJ finalized on December 27, 2024, pursuant to Executive Order 14117 (we previously addressed the rule’s compliance considerations in an article published by Law360 on November 22, 2024). Launching its Data Security Program (DSP), DOJ released compliance guidance, responses to frequently asked questions (FAQs), and a statement of implementation and enforcement policy for the first 90 days. The documents together affirm the Trump Administration’s intention to strongly enforce the rule, which came into effect on April 8. They also provide impacted parties with a roadmap for compliance.

The Executive Order and its implementing rule address the national security risks created when certain nations, including China, Russia, and Iran, exploit commercial activities to access US government-related data and bulk sensitive personal information relating to US persons. Any company that collects, processes, or stores such data—including both US and foreign enterprises—would be well advised to pay close attention to the DOJ announcement and work to ensure compliance, which entails the often complicated process of thoroughly understanding your data and where it goes, even when in the hands of service providers. 

While issuing its compliance guidance, FAQs, and initial implementation and enforcement guidance, DOJ also announced that it would be taking additional steps to implement the DSP over coming weeks and months, including publishing an initial “Covered Persons List” that identifies persons considered to be subject to the control and direction of foreign adversaries.

The launch of the DSP and DOJ’s implementing guidance reflect the latest step in a growing trend to treat data—along with the artificial intelligence technologies that can process it at scale—as a national security priority. Navigating that new terrain requires an understanding of data privacy, cybersecurity, and the national security concerns underpinning the government’s concerns.

Initial Implementation and Enforcement Policy

DOJ’s National Security Division (NSD) has granted a short and limited 90-day grace period, until July 8, 2025, for companies to comply with the rule, which carries penalties of up to 20 years in prison and millions of dollars in fines. NSD also announced that most affirmative due diligence and reporting obligations under the rule will not come into effect until October 5, 2025.

Until July 8, NSD will not prioritize civil enforcement actions against those making good faith efforts to comply, though NSD may pursue willful and egregious violations. NSD has encouraged affected entities to submit informal inquiries and information during this period, but it has discouraged formal requests for specific licenses or advisory opinions unless there is an emergency or imminent threat to public safety or national security. During this period NSD will prioritize using its resources to facilitate compliance while minimizing business disruptions.

In addition to the 90-day pause on most civil enforcement actions, NSD will also delay many of the rule’s affirmative due diligence obligations until October 6, including due diligence and audit requirements for restricted transactions and reports for rejected prohibited transactions.

When NSD enforces the rule, it will exercise its powers under the International Emergency and Economic Powers Act (IEEPA), which includes civil penalties up to the greater of $368,136 or twice the value of each violative transaction. Criminal penalties for willful violations could be as high as 20 years in prison and a $1,000,000 fine.

According to NSD’s statement on implementation and initial enforcement, to come into compliance before the July 8 and October 6 deadlines, affected companies and individuals “should ‘know their data,’ including the kind and volume of data collected or maintained concerning US persons; how their company uses this data; whether they engage in covered data transactions with covered persons or countries of concern; and how such data is marketed, particularly with respect to current or recent former employees or contractors, or former senior officials, of the United States government, including the military and US Intelligence Community.” Examples of good faith efforts to comply include:

  • Internal reviews of data access;
  • Reviewing internal datasets and datatypes to determine if they are potentially subject to DSP; 
  • Negotiating and renegotiating vendor agreements;
  • Conducting due diligence on and transferring services to new vendors;
  • Negotiating onward transfer provisions with foreign persons who are counterparties to data brokerage transactions;
  • Adjusting employee work locations, roles, or responsibilities to conform to the rule;
  • Evaluating and, when necessary, renegotiating investment agreements from countries of concern or covered persons; and
  • Implementing prescribed CISA Security Requirements to preclude covered person access to regulated data for restricted transactions.

Compliance Guide

To facilitate compliance following the July 8 and October 6 deadlines, NSD issued a compliance guide detailing best practices for adhering to the program’s requirements. The guide includes definitions, prohibited transactions, and strategies for building robust compliance programs. It also offers model contractual language and recommendations for audit and recordkeeping.

The Compliance Guide describes the new rule as “effectively export controls that prevent foreign adversaries” from accessing the categories of protected data. Mirroring the export control slogan of “Know Your Customer,” the Guide emphasizes that US persons should “Know Their Data” to be compliant with the DSP.

US persons engaging in data transactions involving data brokerage with foreign persons who are not considered covered persons under the DSP must include contractual language forbidding foreign persons from engaging in the further transfer of protected data to countries of concern or covered persons. The Compliance Guide provides sample language of appropriate contract provisions that meet this requirement.

The Compliance Guide also provides guidance to help individuals and entities design and implement a number of the DSP’s requirements. For example, the Guide gives additional information regarding:

  • Data Compliance Program. The DSP imposes due diligence requirements for all US persons engaged in restricted transactions. These programs must be in writing and should include risk-based procedures for verifying both data flows and the identity of vendors.
  • Audit Requirements. While the DSP does not require compliance with specific auditing standards, the audits must be comprehensive, independent, objective, and conducted annually.
  • Recordkeeping and Reporting Requirements. With limited exceptions, US persons engaging in transactions subject to the DSP should keep a full and accurate record of each transaction. Further, for US entities subject to the DSP, a senior official must sign an annual certification attesting to the completeness and accuracy of the company’s recordkeeping.
  • Best practices for training personnel. While not required, the Compliance Guide urges US companies to conduct periodic training on the DSP. Specifically, the Guide suggests training sessions that focus on the “why” of the DSP’s requirements and that are developed according to the responsibilities of the employees being trained.

To come into compliance with the rule over the next 90 days, companies and individuals engaged in data-related activities should:

  • Review their data handling practices to ensure compliance with the DSP;
  • Identify and assess any transactions that may fall under the DSP’s scope; and
  • Implement necessary compliance programs, including due diligence and reporting mechanisms.

Given the complexities of the DSP and its potential impact across all sectors, companies would be well advised to consult counsel to navigate these regulations successfully.

Frequently Asked Questions

Finally, NSD released a set of over 100 Frequently Asked Questions (FAQs) that provide background information on the DSP; clarify high-level aspects of the program and review many of the program’s elements, definitions, and exceptions; and provide various examples of how the rule may be enforced. Topics covered in the FAQ include:

  • Who must comply with the DSP, including both US and foreign companies that handle covered data; the circumstances in which the DSP applies; and the deadlines for compliance. All US companies would be well advised to review and determine whether they handle data subject to the rule and, if so, whether they engage in restricted or prohibited transactions.
  • The relationship between the DSP and the Committee on Foreign Investment in the United States (CFIUS), the Department of Commerce’s Office of Information and Communications Technology and Services (ICTS), and economic sanctions and export controls. The FAQ provides guidance on when CFIUS action might supersede DSP requirements and when Commerce requirements might exceed DSP requirements; companies who find themselves balancing between CFIUS, DSP, and ICTS requirements would be well advised to review carefully those potentially overlapping obligations.
  • How DSP compares to the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA). The FAQ outlines the significant differences between PADFAA and the DSP, including who is covered, for what types of data, and for which countries of concern. The rule also addresses the two regimes’ different approaches to third-party re-export, attaining consent, and mechanisms for redress. Companies will need to understand both regimes to fulfill their compliance obligations.
  • Who constitutes a “covered person” under the rule, how the Covered Persons List will be maintained, what restrictions apply to Covered Persons, and the responsibility of US financial institutions toward Covered Persons.
  • How to approach transactions involving US Government official business, financial services, corporate group transactions, and telecommunications services.
  • How to comply with the rule’s affirmative obligations, including “know your data” requirements. Those obligations include reporting rejection of a prohibited transaction, maintaining audit reports, filing annual reports, and fulfilling the rule’s due diligence requirements, all of which may require a well-designed compliance program.
  • How to apply for advisory opinions and specific licenses, and how to report possible DSP violations. Companies seeking to understand whether their unique circumstances fall under the rule would be well advised to understand their options for seeking both clarity and potentially a specific license, while any entity that finds itself out of compliance with the rule will be well served to understand how and when to report violations.

Read in conjunction with the Compliance Guide, the rule itself, and the commentary accompanying the final rule, the FAQs provide companies and individuals with a roadmap for determining their exposure and obligations under the rule, then establishing internal systems and controls to ensure they remain in compliance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Eversheds Sutherland (US) LLP