The U.S. Department of Justice (DOJ) is set to enforce its sweeping new rule on certain U.S. data transactions with countries of concern and covered persons as of July 9, 2025. The new rule regarding “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (Rule) – which is being referred to by the DOJ as the Data Security Program (DSP) – imposes strict prohibitions on certain data transfers outside the U.S., as well as detailed privacy, cybersecurity, and data governance restrictions on a broader set of transactions outside the U.S.
While the bulk of the Rule took effect on April 8, 2025, the DOJ issued the Data Security Program Implementation and Enforcement Policy Through July 8, 2025 (Policy) on April 11, 2025, which initiated a 90-day pause in civil enforcement of the new Rule for companies working in good faith to come into compliance with the DSP. Beginning July 9, 2025, that pause will no longer be in effect. The DOJ has cautioned that following this pause, “individuals and entities should be in full compliance with the DSP and should expect [the DOJ’s National Security Division (NSD)] to pursue appropriate enforcement with respect to any violations.”
The DSP will have wide-ranging impacts on U.S. companies that conduct international data transactions. Below, we provide a brief recap of key dates and compliance resources.
Key Dates
- The new Rule was finalized on January 8, 2025.
- The bulk of the Rule took effect on April 8, 2025; however, on April 11, 2025, the DOJ announced its Policy that it would “not prioritize civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025 so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time.” (emphasis added)
- The portions of the Rule that became effective on April 8 will be enforceable as of July 9, 2025.
- Certain due diligence, audit, and reporting requirements will take effect on October 6, 2025.
Key Compliance Resources
In addition to issuing the Policy on April 11, the DOJ also issued two compliance resources: (1) the NSD Data Security Program – Compliance Guide, and (2) FAQs. Both resources are helpful to inform compliance programs. Further, additional guidance from NSD may be forthcoming, including with respect to general or specific licenses to authorize certain transactions that would otherwise be prohibited.
***
The DSP reflects growing national security concerns over dealings with China and other countries of concern, which are being increasingly incorporated into policy by the Trump Administration and Congress. With the expiration of the pause in civil enforcement after July 8, U.S. companies should pay close attention to expanding obligations related to certain international data transactions.
[View source.]
