Last year, we wrote about updates from the Department of Justice (DOJ) and the DOJ's proposed enforcement efforts and regulations implementing Executive Order 14117 "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Data by Countries of Concern" (Rule).
A year later, the DOJ has finalized the Rule and developed guidance on what companies handling (i) bulk U.S. sensitive personal data or (ii) U.S. Government-related data must know, especially when interacting with persons and entities in "Countries of Concern," which currently include:
- China (includes Hong Kong and Macau)
- Cuba
- Iran
- North Korea
- Russia
- Venezuela
In April of this year, the DOJ's National Security Division (NSD) issued its Data Security Program and corresponding Compliance Guide (DSP) and Frequently Asked Questions (FAQs) providing information that all U.S. entities must understand and follow to comply with the Rule. The NSD's stated primary mission with respect to the implementation and enforcement of the DSP is to protect U.S. national security from Countries of Concern that may seek to collect and weaponize both government data and Americans' most sensitive personal data.
As we have written previously, the DSP will require U.S. organizations to look deeply into their data collection and data sharing practices to determine whether they are (i) providing covered data to a Country of Concern and (ii) subject to the DSP's requirements.
All U.S. organizations handling government-related data and bulk U.S. sensitive personal data must make good-faith efforts to comply with the DSP by July 8, 2025.
Specifically, between now and then, those organizations need to consider quickly doing the following:
- Assess Applicability. U.S. organizations first need to understand whether they process and share either "government-related data" or "bulk U.S. sensitive personal data" as part of "covered transactions" with "covered persons" in Countries of Concern.
- Evaluate Compliance Status and Address Any Gaps. Assuming the law applies to a U.S. organization's data processing operations, the organization should conduct the necessary diligence and take steps to comply. The DOJ has stated that, while the Rule is currently in effect, it will commence enforcement on July 8, 2025.
To assist in this endeavor, the following is a general overview of what U.S. organizations should understand and be working on as the applicable compliance deadlines approach. As with all Taft PDS posts, this is not intended to be an exhaustive summary or legal advice. Businesses considering compliance should consult qualified legal counsel.
Part 1: The Basics
A. What is the DSP's Purpose? In line with the DSP's stated purposes to protect the data of the United States and its citizens, the DSP establishes export controls that prevent foreign adversaries in Countries of Concern, and those subject to their control and direction, from accessing U.S. Government-related data and bulk U.S. sensitive personal data.
B. What is "U.S. Government-Related Data" and "Bulk U.S. Sensitive Personal Data?"
- U.S. Government-Related Data. There are two types of government-related data.
- The first type is any precise geolocation data, regardless of volume, for any location within any area enumerated on the Government-Related Location Data List. Examples of such locations include: (i) worksite or duty station of Federal Government employees or contractors who occupy a national security position; (ii) a military installation; or (iii) facilities or locations that otherwise support the Federal Government's national security, defense, intelligence, law enforcement, or foreign policy missions.
- The second type of government-related data is any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and the intelligence community.
The terms "recent former employees" or "recent former contractors" mean employees or contractors who worked for or provided services to the United States Government, in a paid or unpaid status, within the past two years of a potential Covered Data Transaction (defined below) with a Country of Concern or Covered Person (defined below).
- Bulk U.S. Sensitive Personal Data. The term "bulk U.S. sensitive personal data" means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted (emphasis added), where such data meets or exceeds the applicable "bulk" threshold set forth below.
- "Sensitive personal data" means covered personal identifiers, precise geolocation data, biometric identifiers, human 'omic data, personal health data, personal financial data, or any combination thereof.
- "Bulk" means any sensitive personal data that meets or exceeds the following thresholds at any point in the preceding 12 months, whether through a single Covered Data Transaction or aggregated across Covered Data Transactions involving the same U.S. person and the same foreign person or Covered Person:
- Human 'omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons;
- Biometric identifiers collected about or maintained on more than 1,000 U.S. persons;
- Precise geolocation data collected about or maintained on more than 1,000 U.S. devices;
- Personal health data collected about or maintained on more than 10,000 U.S. persons;
- Personal financial data collected about or maintained on more than 10,000 U.S. persons;
- Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons; or
- Combined data, meaning any collection or set of data that contains more than one of the categories above, or that contains any listed identifier linked to categories in paragraphs (a) through (e) in § 202.205, where any individual data type meets the threshold number of persons or devices collected or maintained in the aggregate for the lowest number of U.S. persons or U.S. devices in that category of data.
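The "bulk" test above is cumulative: distinct U.S. persons (or devices, for precise geolocation) are counted across every transaction with the same counterparty over a trailing 12-month window, and a combined dataset is measured against the lowest threshold of the categories it contains. The following Python sketch is an added illustration of that arithmetic over a constructed data inventory; it is not code from the DOJ, Taft, or the Rule. The transaction schema, the 365-day window, and the reading of the combined-data paragraph (lowest threshold among the categories present governs, and any one data type reaching it makes the set bulk) are assumptions for the example, not authoritative interpretations of § 202.205.

```python
"""Trailing-12-month "bulk" threshold check over a data inventory.

Added illustration: the transaction schema, the 365-day window and the
reading of the combined-data paragraph are assumptions, not the Rule's text.
"""
from collections import defaultdict
from datetime import date, timedelta

# Thresholds as stated in the Rule. Each is "more than N", so the test is
# strict. All are counted in U.S. persons except precise geolocation, which
# is counted in U.S. devices.
BULK_THRESHOLDS = {
    "human_omic": 1_000,
    "human_genomic": 100,
    "biometric": 1_000,
    "precise_geolocation": 1_000,
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_personal_identifiers": 100_000,
}


def aggregate_subjects(transactions, counterparty, as_of):
    """Union distinct subject (or device) identifiers per category across all
    transactions with the same counterparty in the 12 months ending at as_of.

    Each transaction is a dict {"date": date, "counterparty": str,
    "records": {category: iterable_of_ids}} (constructed schema).
    """
    window_start = as_of - timedelta(days=365)  # assumption: 12 months = 365 days
    subjects = defaultdict(set)
    for tx in transactions:
        if tx["counterparty"] != counterparty:
            continue
        if not (window_start < tx["date"] <= as_of):
            continue
        for category, ids in tx["records"].items():
            subjects[category] |= set(ids)
    return subjects


def bulk_assessment(transactions, counterparty, as_of):
    """Report which categories cross their own threshold and whether the
    combined-data rule is triggered for this counterparty."""
    subjects = aggregate_subjects(transactions, counterparty, as_of)
    counts = {cat: len(ids) for cat, ids in subjects.items()}
    per_category = {cat: n > BULK_THRESHOLDS[cat] for cat, n in counts.items()}
    combined = False
    lowest = None
    if len(counts) > 1:
        # Combined data: the lowest threshold among the categories present
        # governs, and any one data type exceeding it makes the set bulk
        # (assumption: one reading of the combined-data paragraph).
        lowest = min(BULK_THRESHOLDS[cat] for cat in counts)
        combined = any(n > lowest for n in counts.values())
    return {
        "counts": counts,
        "per_category": per_category,
        "combined": combined,
        "applicable_threshold": lowest,
    }


# Constructed sample inventory (not real data). Identifiers are integers
# standing in for pseudonymous subject or device keys.
SAMPLE_TRANSACTIONS = [
    # Two transfers to the same vendor inside the window; their subject sets overlap.
    {"date": date(2025, 3, 1), "counterparty": "vendor-x",
     "records": {"personal_health": range(0, 6_000),
                 "precise_geolocation": range(0, 800)}},
    {"date": date(2025, 5, 15), "counterparty": "vendor-x",
     "records": {"personal_health": range(4_000, 10_001)}},
    # Older than 12 months as of the assessment date: must be ignored.
    {"date": date(2024, 1, 10), "counterparty": "vendor-x",
     "records": {"personal_health": range(50_000, 80_000)}},
    # A second vendor: no single category is bulk, but the set combines two.
    {"date": date(2025, 4, 2), "counterparty": "vendor-y",
     "records": {"personal_financial": range(0, 1_500),
                 "biometric": range(0, 300)}},
]

AS_OF = date(2025, 6, 1)


def assess_vendor_x():
    return bulk_assessment(SAMPLE_TRANSACTIONS, "vendor-x", AS_OF)


def assess_vendor_y():
    return bulk_assessment(SAMPLE_TRANSACTIONS, "vendor-y", AS_OF)


if __name__ == "__main__":
    for name, result in (("vendor-x", assess_vendor_x()), ("vendor-y", assess_vendor_y())):
        print(name, result)
```

Two points the sample is built to show: vendor-x crosses the personal health threshold only because the two in-window transfers are unioned (6,000 and 6,001 records overlapping to 10,001 distinct persons), while the older transfer drops out of the window; and vendor-y never crosses any single-category threshold, yet the combined set of financial and biometric data is measured against the lower biometric threshold of 1,000 and is caught there. The "anonymized, pseudonymized, de-identified, or encrypted" language in the definition is why the counting is done on pseudonymous keys rather than on identified records.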
C. Which Entities Must Abide by the DSP? The NSD expects all U.S. organizations to understand their transactions and comply with the DSP. Specifically, U.S. organizations should know:
- any Covered Persons the organization interacts with, including vendors, contractors, and employees in a Country of Concern;
- the kinds of data the organization collects or maintains on U.S. persons or U.S. devices;
- the volume of data the organization collects or maintains on U.S. persons or U.S. devices (including whether this volume meets the "bulk" thresholds under the Rule);
- how the organization uses the data;
- whether the organization engages in Covered Data Transactions; and
- how such data is marketed, particularly with respect to current or recent former employees or contractors, or former senior officials, of the United States government, including the military and intelligence community (e.g., if the organization collects certain data from members that are military/government employees).
D. What is a Covered Data Transaction under the Rule and DSP? A Covered Data Transaction is a transaction that (1) involves any access by a Country of Concern or Covered Person to any government-related data or bulk U.S. sensitive personal data and (2) involves: (a) data brokerage; (b) a vendor agreement; (c) an employment agreement; or (d) an investment agreement. These transactions are further classified as prohibited and restricted transactions, with specific obligations and restrictions that attach to each class of transaction.
The DSP does not address purely domestic data transactions between U.S. persons—such as the collection, maintenance, processing, or use of data by U.S. persons within the United States—unless such U.S. persons are designated as Covered Persons by the NSD.
E. Who are Covered Persons? There are five classes of Covered Persons under the Rule and DSP, which include:
- an entity owned by, controlled by, or subject to the jurisdiction or direction of a Country of Concern;
- a foreign person who is an employee or contractor of such an entity;
- a foreign person who is an employee or contractor of a Country of Concern;
- a foreign person who is primarily resident in the territorial jurisdiction of a Country of Concern;
- those persons NSD designates and publicly identifies (including both foreign and U.S. persons) as Covered Persons. The NSD will add designated persons to the Covered Persons List published in the Federal Register. Designated Covered Persons retain their Covered Persons status, even when located in the United States.
F. Prohibitions, restrictions, and exemptions.
- Prohibitions. U.S. companies are prohibited from knowingly engaging in data brokerage transactions, the sharing of government-related data, or the bulk transfer of sensitive personal data with Covered Persons in Countries of Concern. U.S. companies must not knowingly engage in the sharing of Covered Data as part of Covered Transactions with Covered Persons in Countries of Concern after April 8, 2025. Likewise, companies should not direct other entities or foreign individuals to do so. The knowledge requirement is met if a U.S. organization has "actual knowledge or reasonably should have known that the transaction involved access to covered data by a covered person."
- Restrictions. The Rule also places certain restrictions on other Covered Transactions involving vendor, employment or investment agreements. Restricted transactions are allowed, provided the organization meets the following conditions:
- CISA safeguards. The organization must adhere to cybersecurity requirements issued by the Cybersecurity and Infrastructure Security Agency (CISA);
- Compliance program. The organization must establish and maintain an individualized, risk-based and written data compliance program, which meets several minimum requirements;
- Annual audits. The organization must conduct independent audits on an annual basis that address the requirements of the DSP; and
- Record requirements. The organization must also comply with applicable recordkeeping and reporting obligations.
- Exemptions. The Rule, through the DSP, also provides the following exemptions from the Rule's requirements:
- personal communications that do not involve the transfer of anything of value;
- importation or exportation of any information or informational materials (which is limited to expressive material);
- activities or transactions ordinarily incident to travel from any country and related transactions;
- transactions conducted for official U.S. government business;
- transactions ordinarily incident to and part of the provision of financial services described in the regulations;
- corporate group transactions to the extent that they are ordinarily incident to and part of administrative or ancillary business operations (such as, among other things, payroll transactions or business taxes);
- transactions required or authorized by federal law or international agreement, or necessary to comply with federal law;
- investment agreements subject to a Committee on Foreign Investment in the United States (CFIUS) action as defined under the regulations (DSP obligations apply unless and until CFIUS takes action);
- transactions ordinarily incident to telecommunications services, including the provision of voice and data communications services, but not all internet-based services, such as cloud computing (this exemption does not apply to transactions involving data brokerage); and
- certain drug, biological product and medical device authorizations, and other clinical investigations and post-marketing surveillance data.
Part 2: Implementation, Compliance and Enforcement
A. What are the Penalties for Violating the DSP? The NSD, under the International Emergency Economic Powers Act (IEEPA) and the DSP, has the authority to bring both civil enforcement actions and criminal penalties for violations of the DSP's requirements. Unlawful acts under the IEEPA may lead to penalties up to the greater amount of $368,136 or twice the value of each violative transaction. Willful violations of IEEPA are punishable by imprisonment of up to 20 years and a $1,000,000 fine.
B. Relevant Compliance Timeline & Grace Period
The NSD's core prohibitions and restrictions on Covered Data Transactions took effect April 8, 2025. The NSD stated a grace period is in effect and it will not prioritize its civil enforcement of the DSP until July 8, 2025. However, the NSD will immediately pursue enforcement for willful and egregious violations of the DSP.
Additional DSP compliance requirements, including those related to due diligence, auditing, and reporting, take effect on October 6, 2025.
C. Business Considerations During the DSP Grace Period
All U.S. organizations handling government-related data and bulk U.S. sensitive personal data must make good-faith efforts to comply with the DSP. Specifically, between now and the end of the enforcement grace period on July 8, 2025, the NSD has identified initial efforts for covered entities, which include:
- conducting an internal review of access to sensitive personal data, including whether transactions involving access to such data flows constitute data brokerage;
- reviewing internal datasets and data types to determine if they are potentially subject to the DSP;
- renegotiating vendor agreements or negotiating contracts with new vendors;
- transferring products and services to new vendors;
- conducting due diligence on potential new vendors;
- negotiating contractual onward transfer provisions with foreign persons who are the counterparties to data brokerage transactions;
- adjusting employee work locations, roles, or responsibilities;
- evaluating investments from Countries of Concern to Covered Persons;
- renegotiating investment agreements with Countries of Concern or Covered Persons;
- implementing the Cybersecurity and Infrastructure Security Agency (CISA) Security Requirements, including the combination of data-level requirements necessary to preclude Covered Person access to regulated data for restricted transactions.
The robust initial steps prescribed by the NSD show that DSP compliance is not something companies should place on the back burner. While the steps above may seem daunting and time-consuming, the first step every U.S. organization should take is determining whether it interacts with Covered Persons or does business in a Country of Concern. From there, working with legal counsel to get up to speed on DSP compliance is imperative. The NSD also encourages the public to contact the Division at nsd.firs.datasecurity@usdoj.gov with questions or information about the DSP and the guidance NSD has released.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.