Article
22 May 2025

Steptoe White Paper: DOJ Set To Begin Enforcement Of New Data Security Program

Steptoe LLP


In more than 100 years of practice, Steptoe has earned an international reputation for vigorous representation of clients before governmental agencies, successful advocacy in litigation and arbitration, and creative and practical advice in structuring business transactions. Steptoe has more than 500 lawyers and professional staff across the US, Europe and Asia.

Executive Summary

The US Department of Justice (DOJ) recently announced that it will begin enforcement of sweeping new rules regarding the transfer and storage of sensitive US data in July 2025. The rules prohibit transfers of sensitive personal data and US government-related data to certain countries of concern and persons affiliated with those countries, either directly or indirectly. Violations of the rules can result in significant civil or criminal penalties for individuals and companies. The new rules also mandate certain due diligence and auditing requirements, as well as contractual language when engaging in data transactions with any foreign party. This white paper, authored by members of our National Security, Data Privacy, and White Collar practices, provides a detailed analysis of the newly enacted regulations, including the types of transactions they prohibit or restrict, and outlines the necessary actions that corporations and individuals must take to ensure compliance with these rules.

I. Introduction

In January 2025, the US Department of Justice (DOJ) finalized a sweeping set of new regulations regarding the protection of "bulk sensitive personal data" and US government-related data. The program, known as the Data Security Program (DSP), imposes stringent requirements designed to prevent such data from flowing to "countries of concern" and certain persons affiliated with those countries, with potentially significant criminal and civil penalties for violations. The DSP applies not only to data brokerage or similar transactions, but also to the transfer of data associated with vendor, employment, and investment agreements, potentially having a broad impact across multiple aspects of a company's operations. The rules became effective on April 8, 2025, although DOJ announced that it was providing a 90-day grace period for enforcement against most violations.

While initiated under former President Biden's Executive Order (EO) 14117, the Trump administration is poised to fully implement and enforce the rules. The DOJ's National Security Division (NSD) promulgated the final rule implementing EO 14117, codified at 28 CFR Part 202, on January 8, 2025. On April 11, NSD issued a Compliance Guide, a list of over 100 Frequently Asked Questions (FAQs), and an Implementation and Enforcement Policy for the first 90 days. While NSD has long played an important role in prosecuting criminal violations of national security-related laws, it has not historically acted as a regulator in the area of technology or data transfers, as it now will under the DSP.

Based on both public statements and conversations with individuals familiar with the DOJ's plans, we expect that the Trump administration will emphasize enforcement efforts surrounding the Data Security Program. Indeed, in the DOJ's April 8 announcement, Deputy Attorney General Todd Blanche made the DOJ's policy goals clear, stating, "If you're a foreign adversary, why would you go through the trouble of complicated cyber intrusions and theft to get Americans' data when you can just buy it on the open market or force a company under your jurisdiction to give you access? ... The Data Security Program makes getting that data a lot harder."

While the DSP is now in effect, NSD announced that it will generally pause civil enforcement until July 9, 2025 (although NSD has said it will pursue penalties and enforcement actions for "egregious, willful violations" during this period). NSD has strongly encouraged individuals and companies who might be impacted by the new enforcement regime to review the DSP rules and implement new compliance policies and procedures during this window prior to enforcement. Which sectors are most impacted will become clearer over time and as enforcement begins, but companies in the artificial intelligence, financial services, data brokerage, information technology, healthcare, life sciences, and consumer sectors are likely to face increased exposure due to the nature of their business operations and the sensitivity of their acquired and stored data. Businesses with significant cross-border activities will likely be most impacted by the DSP rules. However, businesses with a primarily domestic presence may still be subject to the DSP given its significant breadth and impact on vendors, employees, and investors, in addition to data brokerage.

The DSP rules mirror, to some degree, requirements applicable in other jurisdictions, such as European Union (EU) Data Protection requirements, which impose restrictions on the transfer of personal data outside of the EU. These rules are also aligned with the current concerns and scrutiny of EU Data Protection Authorities regarding the transfer of personal data to China. In light of these developments and given the DOJ's stated priority concerning data protection going forward, companies should carefully consider how to navigate and comply with the new rules and the rapidly changing enforcement climate. In particular, global companies may need to consider how the DSP rules intersect with their obligations under other regimes and revise existing data security and privacy policies and procedures targeted at compliance with those non-US laws. Steptoe stands ready to provide guidance and address any questions you may have regarding the new data protection regulatory regime.

The following memorandum explains 1) what the Data Security Program entails and the compliance requirements for US and foreign companies; 2) the necessary actions companies should take prior to the start of general enforcement efforts in July 2025; and 3) how Steptoe can support and advise clients in effectively implementing these changes.

To begin, we list the key questions that companies and individuals should be asking regarding their current or future data transactions:

Critical Questions to Consider Under the DSP

  1. Is the company or individual a US Person?
  2. Is the data recipient a Country of Concern or a Covered Person?
  3. Is the transaction a Covered Data Transaction?
  4. What is the nature of the data being transferred?
    1. Does it involve "Bulk" US sensitive personal data?
      1. If so, does it meet personal data thresholds?
    2. Does it involve "Government-related data"?
  5. What is the arrangement under which the data is being transferred?
    1. Data brokerage agreement?
    2. Vendor agreement?
    3. Employment agreement?
    4. Investment agreement?
  6. Does the transfer provide Country of Concern or Covered Person access to data in question?
  7. Can the transfer be conducted as a Restricted Transaction?

II. Prohibited and Restricted Transactions

The DSP is complex, and the full scope of its reach will remain uncertain until NSD begins to enforce its rules and clarifies its enforcement priorities. In the following section, we provide an explanation of the structure and application of the new regulatory regime.

At its base, the DSP prohibits US Persons from engaging in certain types of transactions, many of which might be common data transactions for certain companies or in other instances may only be tangentially related to data. In certain cases, transactions are considered "restricted," as opposed to "prohibited," meaning US Persons may engage in such transactions provided they adhere to a variety of requirements including creation of a compliance program and implementation of various data security measures. We discuss the criteria for these transactions in detail below. In order to understand those criteria, it is important to define three key terms in the regulations: "Country of Concern," "Covered Person," and "US Person." We turn to the definitions of these terms first before analyzing their application under the DSP.

A. Key Regulatory Terms

1. Country of Concern

The Attorney General determined, with the concurrence of the Secretaries of State and Commerce, that the following countries are "Countries of Concern" as listed in § 202.601:

  • China (including Hong Kong and Macau)
  • Iran
  • Russia
  • Cuba
  • North Korea
  • Venezuela

The Final Rule explained NSD's view that the governments of these countries "have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of U.S. persons, and pose a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or the security and safety of U.S. persons." Notably, Section 2(f) of EO 14117 authorizes the Attorney General to identify new or remove existing countries of concern going forward.

2. Covered Persons

Executive Order 14117 directed the DOJ to identify classes of "Covered Persons." Notably, "Person" means an individual or entity under the regulations, and a "Foreign Person" means any person that is not a US Person (defined below). The categories of Covered Persons as set forth in § 202.211(a) are described below. Importantly, a Covered Person includes not just entities and individuals physically located in a Country of Concern but also includes several additional categories of persons with less direct relationships to Countries of Concern.

Category 1 – Certain Foreign Companies

  • Foreign entity that is at least 50% owned (directly, indirectly, or in the aggregate) by one or more Countries of Concern or a Category 2 entity; OR
  • Foreign entity organized or chartered under the laws of a Country of Concern; OR
  • Foreign entity that has its principal place of business in a Country of Concern.

Example: Acme Corp. is a Cayman Islands registered corporation with its headquarters in Shenzhen, China. Acme Corp. is a Covered Person as it is a foreign person located in China, a Country of Concern.

Category 2 – Certain Foreign Companies

  • Foreign entity that is at least 50% owned (directly, indirectly, or in the aggregate) by one or more Category 1, 3, 4, or 5 persons.

Example: Through its various subsidiaries, Acme Corp. is a 51% owner of a joint venture, Acme France, which is registered in France and headquartered in Paris. Acme France is a Covered Person because it is a Foreign Person that is at least 50% owned by a Category 1 person.

Category 3 – Certain Employees & Contractors

  • Foreign individual who is an employee or contractor of a Country of Concern or of a Category 1, 2, or 5 entity.

Example: Employee A is a South Korean national residing in Seoul who is working as a contractor for Acme France on the development of Acme France's customer payment platform. Employee A is a Covered Person because she is a

Category 4 – Certain Individuals

  • Foreign individual who is primarily a resident in the territorial jurisdiction of a Country of Concern.

Example: Person B is a Swiss national who resides in Moscow, Russia. Person B is a Covered Person because of his residence in Russia, a Country of Concern.

Category 5 – Persons Determined by the Attorney General

  • Any Person, wherever located, determined by the Attorney General:
    1. To be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a Country of Concern or Covered Person;
    2. To act, to have acted or purported to act, or to be likely to act for or on behalf of a Country of Concern or Covered Person; or
    3. To have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.

Example 1: Person C is a US national working in Singapore who provided strategic business advice to Acme Corp. on its acquisition of bulk sensitive data. The Attorney General determines that Person C is a Covered Person for acting or being likely to act on behalf of Acme Corp., a Covered Person.

Example 2: Company Z is a Delaware registered, New York headquartered software development firm. Acme Corp. acquires a majority ownership in Company Z. The Attorney General determines that Company Z is a Covered Person because it is owned or controlled by Acme Corp., a Covered Person.

The regulations also provide examples of persons who are not Covered Persons, including but not limited to:

  • A citizen of a Country of Concern (e.g., a Chinese citizen) that is located in the US. This person would be treated as a US Person and not a Covered Person, except to the extent the person is individually designated as a Covered Person by the DOJ.
  • A citizen of a Country of Concern (e.g., a Russian citizen) that is located in a third country that is not a Country of Concern (e.g., the UK). This person would not be a Covered Person unless the person was (i) individually designated by the DOJ or (ii) an employee or contractor of the government of a Country of Concern or a Covered Person entity.
  • An entity incorporated in the US that is 50% or more owned by a Covered Person, unless the entity is individually designated as a Covered Person by the DOJ.

Given the significant breadth of the definition of Covered Person, it will be important for companies to conduct careful due diligence on their vendors, employees, investors, and other persons to whom they make covered data available. We note that category five of Covered Persons potentially applies to all persons, regardless of citizenship or location, meaning even a US citizen or US incorporated entity can be a Covered Person if the Attorney General determines that the individual/entity meets one of the criteria listed in category five. Examples of individuals and entities that would meet the criteria for a determination by the Attorney General include:

  • A US subsidiary owned or controlled by a Chinese-headquartered company.
  • A US company that the Attorney General determines "to be likely to become" owned or controlled by a Russian-headquartered company.
  • A US employee, contractor, or vendor acting for or on behalf of a Chinese-headquartered employer.

Notably, although these US Persons meet the criteria for a determination, the Attorney General has discretion on whether to designate an individual or company as a Covered Person. At this early stage and before enforcement begins, it is unclear how DOJ will use its discretion under the regulations. The DOJ announced that it will in the future publish an initial Covered Persons List, which will identify the individuals and entities that DOJ has determined to be Covered Persons pursuant to its discretionary authority. We expect that this initial list of Covered Persons will aid in better understanding the DOJ's priorities with respect to the determinations of Covered Persons. At this early stage, we encourage impacted persons to consult with counsel if questions arise as to whether or not a transaction partner meets the definition of a Covered Person.

We note also that the DSP includes a path to challenge a Covered Person designation and seek removal from the list. It appears that, among other considerations, DOJ may grant removal on the basis of remedial steps taken by the applicant. Section 202.702 indicates that the removal process may be similar to the delisting processes used in other national security contexts (e.g., for parties seeking removal from a US economic sanctions or export controls list). However, the details are limited at this time and NSD has stated that it will release more information regarding the removal process in the future.

3. US Persons

The DSP rules apply to "US Persons," including US citizens, nationals, lawful permanent residents, refugees, and asylees, as well as entities organized solely under the laws of the United States (including foreign branches of US companies), and any persons within the United States. Some examples of Foreign Persons and US Persons include:

  • An individual citizen of a Country of Concern located in the United States is a US Person.
  • A dual citizen of the US and a Country of Concern is a US Person, regardless of location.
  • If a company is organized under the laws of the United States and has a foreign branch in a Country of Concern, the company, including its foreign branch, is a US Person. Likewise, if a company is organized under the laws of a Country of Concern and has a branch in the US, the company, including its US branch, is a Foreign Person.
  • In contrast to branches, subsidiaries are treated separately from their parent companies with respect to US Person and Foreign Person determinations. In other words, if a parent company organized under the laws of the United States has a subsidiary organized under the laws of a Country of Concern, the parent is a US Person and the subsidiary is a Foreign Person, regardless of the degree of ownership by the parent company. However, it is important to remember that Foreign Person entities can be Covered Persons by virtue of their ownership structure, as described above.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
