On April 11, 2025, the U.S. Department of Justice (DOJ) announced the implementation of the Data Security Program (DSP), established under Executive Order 1411 (Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern). DOJ recently issued a Compliance Guide and Frequently Asked Questions aimed at preventing foreign adversaries from accessing and exploiting Americans' sensitive personal and government-related data, and address national security threats posed when foreign adversaries acquire sensitive data through commercial bulk transfers.
What does DSP mean for US companies?
For US companies engaging in certain data transactions, this means they must develop and implement a written data compliance program that includes risk-based procedures for verifying data flows. Those procedures must also be annually audited, and the audit must examine the restricted transactions and overall compliance program, among other requirements.
In certain circumstances, DSP also establishes a licensing scheme to engage in a Covered Data Transaction that otherwise would violate the DSP with two types of licenses: a general license and a specific license. Other Covered Data Transactions are permitted if rigorous Cybersecurity and Infrastructure Security Agency security requirements are applied and other conditions are met.
Below, we summarize the key DSP provisions and enforcement considerations.
What are the Key Provisions?
Countries of Concern. Executive Order 14117 specifically restricts access to sensitive personal and government-related data for the following six countries, China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
Covered Persons. DSP applies to"covered persons," which is a broad term similar in scope to the US Department of Treasury's Office of Foreign Assets Control's "50-Percent Rule." It covers any foreign person (entities and individuals) under the jurisdiction or control of the identified Countries of Concern. This encompasses foreign employees or contractors and individuals primarily resident in these countries.
Sensitive Personal Data Categories. The DSP regulates transactions involving six categories of sensitive personal data deemed likely to harm U.S. national security if linked to identifiable individuals. Those six categories of sensitive personal data include:
- Certain personal identifiers (e.g., names linked to device identifiers, Social Security numbers)
- Precise geolocation data
- Biometric identifiers (e.g., facial images, voice prints)
- Human genomic data
- Personal health data
- Personal financial data
Government-related data refers to any precise geolocation data, regardless of volume, for any location within any area on the Government-Related Location Data List found within the final rule or any "sensitive personal data," regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government.
Exempt Personal Identifiers. DSP provides a helpful exclusion from the term Covered Personal Identifiers for demographic or contact data that is linked only to other demographic or contact data — such as first and last name, birthplace, ZIP code, residential street or postal address, phone number, and email address, and similar public account identifiers.
Bulk Data Thresholds. DSP sets specific thresholds for covered "bulk" data:
- Human genomic data on over 100 U.S. persons
- Biometric identifiers on over 1,000 U.S. persons
- Personal health or financial data on over 10,000 U.S. persons
- Certain personal identifiers on over 100,000 U.S. persons
Prohibited and Restricted Transactions: DSP restricts transactions that would provide access to Countries of Concern or Covered Persons to bulk Sensitive Personal Data or government-related data, especially when thresholds are met or exceeded. This includes data brokerage, vendor agreements, employment agreements, and investment agreements.
Exempt transactions. DSP does not apply to certain categories of exempt data transactions. Those include:
- Transactions ordinarily incident to and part of the provision of financial services.
- Corporate group transactions between a U.S. person and its foreign subsidiary or affiliate provided they are ordinarily incident to and part of administrative or ancillary business operations.
- Telecommunications services — that is, data transactions, other than those involving data brokerage, to the extent they are ordinarily incident to and part of the provision of telecommunications services.
- Drug, biological product and medical device authorizations — that is, necessary to obtain or maintain regulatory authorization or approval to research or market such products.
- Other clinical investigations and post-marketing surveillance data, for example, product safety monitoring.
Enforcement and Penalties: DOJ, through the National Security Division (NSD), is authorized to enforce the DSP, with violations subject to civil and criminal penalties under the International Emergency Economic Powers Act (IEEPA). From now through July 8, 2025, DOJ instituted a limited enforcement policy to allow entities time to align their operations with these new requirements, as long as a "good faith" effort to come into compliance with DSP is underway during this time.
Recommended Actions/ Examples of Good Faith Efforts. DOJ's Enforcement Policy provided examples of "good faith efforts" that serve as a helpful to-do list of recommended actions for companies to undertake, including:
- Conducting internal reviews of access to Sensitive Personal Data, including whether transactions involving access to such data flows constitute data brokerage
- Reviewing internal datasets and datatypes to determine if they are potentially subject to DSP
- Renegotiating vendor agreements or negotiating contracts with new vendors
- Transferring products and services to new vendors
- Conducting due diligence on potential new vendors
- Negotiating contractual onward transfer provisions with foreign persons who are the counterparties to data brokerage transactions
- Adjusting employee work locations, roles, or responsibilities
- Evaluating investments from Countries of Concern or Covered Persons
- Renegotiating investment agreements with Countries of Concern or Covered Persons
- Implementing CISA Security Requirements, including the combination of data-level requirements necessary to preclude covered person access to regulated data for restricted transactions
DOJ's enforcement policy makes clear, however, that DOJ will "pursue penalties and other enforcement actions as appropriate for egregious, willful violations" of DSP during this 90-day period. Note that DOJ is authorized to bring both civil enforcement actions for knowing violations of the DSP that can bring civil penalties of up to the greater $368,136 or twice the value of each violating transaction, as well as to bring criminal prosecutions for willful violations of the DSP's requirements that are punishable up to 20 years imprisonment and a $1,000,000 fine.
Conclusion
DSP represents a significant shift in the US Government's approach to protecting Sensitive Personal Data from foreign exploitation, and companies should proactively assess their data practices to ensure compliance readiness in the weeks ahead. Given DSP's broad scope and significant implications, time is of the essence.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
