10 June 2025

DOJ Data Security Program: One Month Until DOJ Enforcement Date

Roth Jackson

Contributor

Roth Jackson and Marashlian & Donahue’s strategic alliance delivers premier regulatory, litigation, and transactional counsel in telecommunications, privacy, and AI—guiding global technology innovators with forward-thinking strategies that anticipate risk, support growth, and navigate complex government investigations and litigation challenges.

As reported in our previous advisories, effective provisions of the U.S. Department of Justice's Data Security Program (DSP) (implementing Executive Order 14117) enter full enforcement in just one month, on July 8, 2025. The Rule, effective April 11, 2025, restricts or prohibits access to bulk U.S. sensitive personal data by countries of concern (e.g., China, Russia, Iran) and covered persons (e.g., affiliated entities or individuals).

Until July 8, DOJ has committed to prioritizing education over enforcement, provided companies show good faith efforts to comply. After that, companies face civil and criminal penalties for noncompliance. Additional DSP provisions (e.g., data compliance program, audits, reporting) will take effect October 6, 2025.

Who Must Act Now?

  • Data Collectors: If you handle genomic, biometric, geolocation, health, financial, or large-scale personal identifiers, you may be subject to the DSP Rule.
  • Companies with Foreign Partners: Vendor, employment, or investment relationships with foreign or covered persons must be reviewed.
  • Data Brokers: Transactions involving third-party access to U.S. personal data are prohibited unless exempt or licensed.
  • Telecom & Tech Providers: Ensure exemptions apply or compliance measures are in place if there are sensitive data flows to foreign infrastructure or partners.

Immediate Action Items

  • Know Your Data: Understand whether covered data is collected or processed
  • Map Data Flows & Access Points
  • Review Contracts for Exposure
  • Implement DSP Compliance Plans

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
