ARTICLE
11 July 2025

DOJ DSP Compliance Enforcement Begins Today: Key Steps For Covered Entities

RJ
Roth Jackson

Contributor

Roth Jackson logo
Roth Jackson and Marashlian & Donahue’s strategic alliance delivers premier regulatory, litigation,and transactional counsel in telecommunications, privacy, and AI—guiding global technology innovators with forward-thinking strategies that anticipate risk, support growth, and navigate complex government investigations and litigation challenges.
Explore Firm Details
As reported in our previous advisories, effective provisions of the U.S. Department of Justice's Data Security Program (DSP; 28 C.F.R. Part 202) will be fully enforced as of today, July 8, 2025, pursuant to the DOJ's DSP: Implementation...
Worldwide Privacy
E. Brian Alexander
Your Author LinkedIn Connections

As reported in our previous advisories, effective provisions of the U.S. Department of Justice's Data Security Program (DSP; 28 C.F.R. Part 202) will be fully enforced as of today, July 8, 2025, pursuant to the DOJ's DSP: Implementation and Enforcement Policy. The Rule, effective April 11, 2025, restricts or prohibits access to bulk U.S. sensitive personal data by countries of concern (e.g., China, Russia, Iran) and covered persons (e.g., entities or individuals affiliated with countries of concern) and certain government-related data.

Prior to July 8, DOJ committed to prioritizing education over enforcement, provided companies could show good faith efforts to comply. As of July 8, companies can face civil and criminal penalties for noncompliance. Additional DSP provisions (e.g., implementation of data compliance programs, audits, and reporting) will take effect October 6, 2025.

Who Must Act Now?

  • Data Collectors (regardless of sector or intended use of the data): Companies that collect genomic, biometric, geolocation, health, financial, or large-scale personal identifiers may be subject to the DOJ DSP Rule.
  • Companies with Foreign Partners: Companies with vendor, employment, or investment relationships with foreign or covered persons must review those relationships for compliance.
  • Data Brokers: Transactions with countries of concern or covered persons involving access to U.S. personal data are prohibited unless exempt or licensed.
  • Telecom & Tech Providers: Companies must review exemptions to the DOJ DSP (e.g., the DSP exemption for certain data transactions that are, "ordinarily incident to and part of the provision of telecommunications services") and ensure compliance measures are in place to protect against the onward transfer of covered data by foreign persons.

Immediate Action Items

  • Know Your Data: Understand whether covered data is collected or processed
  • Map Data Flows & Access Points to covered data
  • Review Agreements to ensure any covered data transactions are identified (including data brokerage transactions and also any vendor, employment and investment agreements that involves access to covered data)
  • Implement DSP Compliance Plans

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of E. Brian Alexander
E. Brian Alexander
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More