On April 8, 2025, the US Department of Justice’s National Security Division’s final rule regulating sensitive data about US persons came into effect. DOJ also announced a 90-day grace period on enforcement. At a moment of heightened geopolitical competition, the rule was designed to prevent foreign adversaries from exploiting data that could be used to enhance artificial intelligence capabilities, augment intelligence collection and foreign espionage, or enable malicious cyberattacks and malign foreign influence operations.
Broadly speaking, the rule regulates two kinds of transactions involving US government data and Americans’ bulk sensitive personal data. First, transactions involving “data brokerage,” broadly defined as the sale or licensing of access to data, are subject to strict prohibitions: US persons may not knowingly engage in such a transaction with a country of concern (China, along with Hong Kong and Macau; Cuba; Iran; North Korea; Russia; or Venezuela) or with a covered person (certain foreign companies and foreign individuals located in a country of concern). Second, vendor, employment, and investment agreements with covered persons are prohibited unless the US person complies with a robust set of data security requirements.
Because the rule targets specific kinds of transactions rather than a particular industry, it will affect US firms broadly, not just “data brokers.” The new framework is complex: DOJ released several resources, including a compliance guide, an implementation and enforcement policy, and a list of more than 100 frequently asked questions to assist companies with implementation. Many companies will benefit from the guidance of outside counsel, who can help implement a tailored compliance effort, including specific due diligence, audit, and record-keeping requirements. Firms should proactively assess their regulatory obligations and engage in good-faith compliance efforts, including by conducting internal data access reviews, adjusting employee locations or responsibilities, and/or implementing relevant security requirements.
This article is available in the Jenner & Block Japan Newsletter. / この記事はJenner & Blockニュースレターに掲載されています。
[View source.]
