23 July 2025

DOJ's Data Security Program Regarding Foreign Data Transfers Now In Force

Holland & Knight


Highlights

  • The U.S. Department of Justice's (DOJ) new regulatory regime referred to as the Data Security Program (DSP) went into effect on April 8, 2025. The DSP was issued pursuant to Executive Order 14117, broadly restricting data sales and commercial transactions that could potentially provide access to sensitive personal or government-related data to countries of concern.
  • Although the rule came into effect in April, the DOJ released a detailed FAQ, Compliance Guide and an Implementation and Enforcement Policy providing additional guidance and highlighting that the DOJ would not prioritize enforcement for the first 90 days of the program's implementation if entities engage in good-faith efforts to comply.
  • This 90-day period has expired, and the DOJ expects that individuals and entities be "in full compliance with the DSP."

The U.S. Department of Justice's (DOJ) new regulatory regime referred to as the Data Security Program (DSP) went into effect on April 8, 2025. The DSP was issued pursuant to Executive Order 14117, "Preventing Access to America's Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern," after former President Joe Biden declared that the efforts of certain countries to access sensitive American personal and government-related data posed a significant threat to national security and foreign policy. The DSP broadly restricts data sales and commercial transactions that could potentially provide access to sensitive personal or government-related data to countries of concern.

Although the rule came into effect in April, the DOJ released a detailed FAQ, Compliance Guide and an Implementation and Enforcement Policy providing additional guidance and highlighting that the DOJ would not prioritize enforcement for the first 90 days of the program's implementation if entities engage in good-faith efforts to comply. However, the DOJ made clear that enforcement actions may still be brought for "egregious violations" during this period.

The 90-day period has expired, and the DOJ expects that individuals and entities be "in full compliance with the DSP." The DOJ, through the National Security Division, expects to pursue enforcement actions with respect to any violations. There are both potential civil and criminal penalties for violating the rule, including civil penalties up to the greater of $377,700 or twice the value of the transaction and criminal penalties up to $1 million and 20 years of imprisonment. Finally, companies should ensure they have assessed their compliance with the DSP.

As with any regulatory regime, this one is complex and requires a careful review of the nuances of the definitions, rules and exemptions to apply it properly. Holland & Knight has experienced attorneys who can assist companies in navigating this complex rule. However, at a high level, the DOJ's new regulatory regime broadly restricts data sales and commercial transactions that could potentially make sensitive personal or government-related data available to countries of concern, specifically China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela, or to certain covered persons, including residents or employees of those countries. This includes transactions involving bulk U.S. sensitive personal data if the data meets or exceeds certain thresholds for 1) geolocation, biometric identifiers, healthcare data, financial data, genomic data, or personal identifiers of American citizens or residents, or 2) government-related data, which includes precise geolocation data for locations near government facilities and sensitive personal data linked to U.S. government employees or contractors.

The rule outright prohibits data brokerage or data transactions with countries of concern or covered persons. It also prohibits such transactions with any foreign person unless there is an imposition of contractual safeguards to prevent the subsequent transfer of the data to a country of concern or covered person. Further, the rule restricts transactions with any covered persons, including vendors and employees, or in investment agreements, without first complying with cybersecurity standards set by the Cybersecurity and Infrastructure Security Agency (CISA). These transactions are subject to due diligence and audit requirements, which will go into effect in October 2025.

Though there are a number of exceptions to the restrictions, the exceptions are nuanced and require a careful review of both the rule and DOJ guidance. Recognizing the complexity of the rule, the DOJ welcomes – and encourages – companies to reach out for both formal and informal guidance on transactions.

What Should Companies Be Doing?

  • Assess Company Data. Companies subject to this rule should map covered data within the company to understand how the data is processed within the organization and how such data may be used in sales or other transactions with any foreign country or person, and in particular with the identified countries of concern. (Even deidentified data is subject to the new DSP.) This should include evaluating vendors, customers, employees and affiliates who may have access, directly or indirectly, to the data covered by the DSP. Importantly, the rule states that "access is determined without regard for the application or effect of any security requirements." Consequently, technical access controls alone do not take a transaction outside the scope of the rule.
  • Unwind and Update Contracts. Transactions with countries of concern are outright prohibited, and those transactions must be unwound. As noted, data brokerage transactions with any foreign person are also prohibited unless there is an imposition of contractual safeguards to prevent the subsequent transfer of the data to a country of concern. To that end, companies should review and, as necessary, update contracts to include this onward restriction. The DOJ's guidance offers proposed contract language.
  • Implement Security Measures. If companies determine they are engaged in a restricted transaction, they are required to implement and demonstrate compliance with cybersecurity standards promulgated by CISA.
  • Develop a Compliance Program. Finally, all companies should ensure they have a compliance program. The DSP imposes an affirmative due diligence requirement on companies engaged in restricted transactions "to develop, implement, and routinely update an individualized risk-based, written Data Compliance Program." This includes a requirement that companies be able to demonstrate and certify a compliance program annually beginning Oct. 6, 2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
