If your company transfers sensitive personal data of U.S. individuals to entities or persons associated with certain countries deemed foreign adversaries, two federal programs designed to address national security risks should be on your radar -- the Department of Justice's Data Security Program (DSP) and the Protecting Americans' Data from Foreign Adversaries Act (PADFAA). While different, both frameworks address risks of data exploitation by adversarial nations and have significant potential penalties for non-compliance. PADFAA is a law that was enacted in June 2024; the DSP is a DOJ-administered program born from an executive order, and the DOJ has announced that it will begin enforcing the framework on July 8, 2025.
Who Must Comply?
The DSP applies to all U.S. persons (individuals and companies) who engage in covered data transactions, which are described below, with China, Russia, Iran, North Korea, Venezuela, Cuba, and certain persons designated as "covered persons" on a list maintained by the National Security Division.
The PADFAA applies to "data brokers," which are entities that, for valuable consideration, sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available data of U.S. individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider. Entities are not data brokers if they:
- Transmit data of an individual at the request of the individual;
- Provide, maintain, or offer a product or service with respect to which personally identifiable sensitive data, or access to the data, is not the product or service;
- Are reporting or publishing news; or
- Are acting as a service provider, which is an entity that collects, processes, or transfers data on behalf of, and at the direction of, an individual or entity that is not a foreign adversary country or a government entity and receives data from such an entity.
What Data and Transactions Are in Scope?
The PADFAA targets a broad range of sensitive personal data, including:
- Government identifiers (SSNs, passport numbers, or driver's license numbers);
- Financial account numbers;
- Health data;
- Genetic information;
- Precise geolocation, which reveals the location of an individual or device that identifies, or is linked or reasonably linkable to, one or more individuals within a range of 1,850 feet or less;
- Biometric information;
- Private communications, including voicemails, emails, texts;
- Account or device log-in credentials;
- Information identifying the sexual behavior of an individual;
- Calendar information, address book information, photos, or videos, maintained for private use by an individual;
- Information revealing video content requested or selected by an individual;
- Information about an individual under the age of 17;
- An individual's race, color, ethnicity or religion; or
- Behavioral information like online activity tracking or media consumption patterns.
PADFAA prohibits data brokers, as defined above, from selling, licensing, renting, trading, transferring, or disclosing covered data to foreign adversaries (China, Russia, Iran, and North Korea) or entities "controlled by" them (≥20% ownership). Transactions involving first-party services (e.g., apps collecting user data), service providers, or news/media activities are exempt.
The DSP regulates covered data transactions, which involve access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involve, as discussed further below: (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement. Government-related data is: (1) any precise geolocation data within any area enumerated on the government-related location data list contained in § 202.1401, or (2) sensitive personal data that is linked or linkable to a current or recent former employee or contractor of the U.S. government. Bulk U.S. sensitive personal data means sensitive personal data relating to U.S. persons – regardless of whether the data is anonymized, pseudonymized, or encrypted – where the data meets a bulk threshold during the preceding twelve months (after the effective date of the DSP), which is set out below. The sensitive data categories and their bulk thresholds are:
| Sensitive Data Category | Bulk Threshold |
| --- | --- |
| Human Genomic Data (data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions within a human cell; this includes results from an individual's genetic test and any related human genetic sequencing data) | 100+ U.S. persons |
| Human 'omic Data (human epigenomic data, human proteomic data, and human transcriptomic data) | |
| Biometric Identifiers (measurable physical characteristics or behaviors used to recognize or verify the identity of an individual) | 1,000+ U.S. persons |
| Precise Geolocation (data that identifies the physical location of an individual or a device with a precision of within 1,000 meters) | 1,000+ U.S. devices |
| Personal Health Data (health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of individuals; the provision of healthcare to individuals; or the past, present, or future payment for the provision of healthcare to individuals) | 10,000+ U.S. persons |
| Personal Financial Data (data about individuals' credit, charge, or debit card, or bank accounts) | 10,000+ U.S. persons |
| Certain Covered Personal Identifiers (specified types of personally identifiable data that can be reasonably linked to an individual and, when combined with other data either sensitive or shared during a transaction, could be exploited by a country of concern) | 100,000+ U.S. persons |
The DSP prohibits U.S. persons from knowingly engaging in a covered data transaction involving data brokerage with a country of concern or covered persons, as well as knowingly engaging in a covered data transaction involving access to bulk human 'omic data, or to human biospecimens from which bulk human data could be derived. Data brokerage constitutes the sale or licensing of access to data, or similar commercial transactions involving the transfer of data from any person to another person, where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. This description covers both first-party data brokerage (by the person that directly collected the U.S. person's data) and third-party data brokerage (by a person that did not directly collect the U.S. person's data, such as a subsequent reseller).
The DSP also prohibits U.S. persons from knowingly engaging in a covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person, unless the U.S. person complies with CISA security requirements and other applicable requirements. U.S. persons can engage in data-brokerage transactions involving bulk U.S. sensitive personal data or U.S. government-related data with foreign persons who are not covered persons if the U.S. person uses contract language in which the foreign person agrees not to resell or give access to the data to a country of concern or covered person.
Certain transaction-based exemptions exist, including: (1) transactions that are "ordinarily incident to and part of the provision of financial services," (2) certain routine e-commerce transactions, (3) activity that is ordinarily incident to and part of providing telecommunications services, except for data brokerage activities, (4) targeted exemptions for transactions necessary to obtain or maintain regulatory authorization for drugs, biological products, or medical devices, as well as for clinical investigations and post-marketing surveillance data, and (5) other exemptions, such as personal communications, official U.S. government activities, and certain informational or travel-related transactions.
The DSP also establishes a licensing system that allows certain otherwise prohibited or restricted data transactions to proceed if authorized by the DOJ's National Security Division. The licensing system is designed to provide limited, controlled exceptions to the program's prohibitions and restrictions, with a strong presumption against approval except in cases of clear necessity or broad industry need. The two licenses under the DSP are:
- Specific licenses are granted on a case-by-case basis and require an application to the NSD. The standard for approval is intentionally stringent: there is a "presumption of denial," meaning that the NSD will generally reject requests unless the applicant can present compelling countervailing considerations, such as an emergency or an imminent threat to public safety or national security. Applicants must provide detailed justification and supporting documentation to demonstrate why the transaction should be permitted despite the national security concerns that underpin the DSP.
- General licenses are not available by application from individual entities. Instead, the NSD may issue a general license on its own initiative in particular circumstances, such as when multiple companies or an entire industry faces similar needs, or if the NSD determines through industry engagement or other means that a general license is warranted. General licenses establish a standing authorization for a class of transactions or entities, subject to any conditions the NSD may impose.
What Proactive Compliance Obligations Exist?
The DSP imposes comprehensive compliance obligations on covered U.S. persons and entities, including specific requirements for auditing, due diligence, recordkeeping, and reporting. Entities subject to the DSP must establish and maintain a written, risk-based, data compliance program. This program must include procedures for verifying data flows in restricted transactions, identifying the types and volumes of data, the identities of transaction parties, and the intended end-use of the data. The compliance program must be documented in a written policy, which is to be annually certified by a responsible officer or executive.
Due diligence is a core requirement: organizations must proactively assess and document the risks associated with their data transactions, especially those involving restricted or bulk sensitive data. This includes verifying counterparties, understanding the nature and destination of data, and ensuring that transactions do not violate DSP restrictions. As noted above, contractual language may also be required in agreements with vendors or partners to ensure compliance.
Annual audits are mandatory for any calendar year in which a covered entity engages in restricted transactions. These audits must review the effectiveness of the compliance program, adherence to CISA security requirements, and actual data transactions for consistency with DSP obligations. The audits should be objective and may be conducted by internal or external auditors, provided they are independent of the covered transactions. Audit results must be used to enhance compliance and security practices, and audits conducted for other regulatory purposes may be leveraged if they specifically address DSP requirements.
Recordkeeping obligations require entities to maintain detailed records of all data transactions, compliance program documents, audit results, and related correspondence for at least ten years. These records must be sufficient to demonstrate compliance with all aspects of the DSP and be available for inspection by the DOJ upon request.
Reporting requirements include the obligation to report rejected transactions and any violations of the DSP to the DOJ. Transparency in reporting is emphasized as a critical component of compliance, and failure to report may be considered an aggravating factor in enforcement actions.
In contrast, the PADFAA does not impose specific affirmative requirements for due diligence, auditing, recordkeeping, or reporting on covered data brokers.
What Are the Penalties for Non-Compliance?
The DSP is enforced by the DOJ's National Security Division, which has broad authority to pursue both civil and criminal penalties for non-compliance. Under the DSP, civil penalties for violations can reach the greater of $368,136 per violation or twice the value of the underlying transaction. For willful violations, criminal penalties may include fines of up to $1 million and imprisonment for up to 20 years. The DOJ can bring enforcement actions and criminal prosecutions under the International Emergency Economic Powers Act. During the initial 90-day period following the rule's effective date, the DOJ adopted a limited enforcement policy, deprioritizing civil enforcement actions for entities making good-faith efforts to comply, but reserving the right to pursue egregious or willful violations even during this window. After this period, which ends on July 8, 2025, the DOJ expects full compliance and will actively enforce the program's requirements, including the due diligence, auditing, and reporting obligations.
PADFAA is enforced by the Federal Trade Commission, and a violation of the law is treated as a violation of an FTC rule pursuant to 15 U.S.C. 57a(a)(1)(B). The FTC has authority to obtain civil penalties under these circumstances, which are presently up to $53,088 per violation, as well as seek injunctive relief. Technically, the FTC must refer a matter seeking civil penalties to the Attorney General.