On January 8, 2025, the Department of Justice (DOJ) issued a Final Rule, now referred to as the Data Security Program (DSP), that establishes sweeping new restrictions on access to sensitive personal data and government-related data by countries of concern and covered persons.1 A key feature of the DSP is the introduction of a public Government-Related Location Data List (the "GRLD List" or the "List"), codified at 28 C.F.R. § 202.1401. The GRLD List designates 736 geofenced locations—defined by latitude and longitude coordinates—as posing heightened national security risks, if precise geolocation data2 from within those areas is accessible to foreign adversaries. Notably, any precise geolocation data collected from within a designated area is automatically treated as government-related data and subject to the DSP's restrictions, regardless of volume, which renders potentially routine location data from government sites into highly regulated information. Recently, we used artificial intelligence (AI) to identify the 736 sites on the GRLD List. In this Legal Update, we share our key takeaways on the locations identified in the current GRLD List.
Background & Significance
Under the DSP, any precise geolocation data originating from within an area identified on the GRLD List is automatically classified as "government-related data" and restricted—regardless of volume, as no bulk threshold applies. Unlike sensitive personal data, government-related location data does not need to be linked or linkable to a person. And unlike the other subcategory of government-related data, which concerns sensitive personal data that is "market[ed]" as linked or linkable to federal employees or contractors (reflecting knowledge and intent by the data collector), precise geolocation data from within the GRLD List locations ipso facto carry heightened protection under the DSP—regardless of how one "markets" or labels it.3
Knowingly permitting access to this protected data by countries of concern or covered persons is prohibited, at least in the absence of mitigation measures (such as compliance with DHS's Security Requirements) and in all cases involving data brokerage. For companies in industries where voluminous geolocation data is collected—such as mobile applications, advertising, logistics, and connected devices—the DSP introduces a new compliance obligation. Even entities outside the traditional data economy, such as defense contractors, may be affected if they collect location data in proximity to sensitive government sites (e.g., from devices of employees meeting with government clients). These businesses must now assess whether they are collecting precise geolocation data within the areas identified on the GRLD List, and they may need to implement controls either to avoid collecting this data in the first place or to take additional steps to prevent access to it by covered persons (such as their vendors and suppliers or through commercial arrangements involving access to that location data). Even if they sell or lease that location data to foreign persons who are not covered persons, the DSP requires onward-transfer clauses and reporting of known or suspected violations of those clauses.4
Methodology
We wanted to understand more about the locations on the GRLD List, but we found that efforts to reverse geocode or precisely map the geofenced areas would be costly and time-consuming. Instead, we used an AI resource to analyze the GRLD coordinates and prompted it to identify publicly-known Department of Defense (DoD), intelligence, or other national-security related facilities that it could associate with each set of coordinates. After more than an hour of "work," it produced named locations for all 736 sets of coordinates.
To verify the accuracy of the list, we conducted a random sample of several entries and found the AI's output to be generally accurate. Perhaps the most common issue we identified was the misidentification of facilities located near one another, where the listed coordinates were mistakenly attributed to the wrong site due to their close proximity. In addition, we could not verify the accuracy of some locations with open-source information alone. For example, our AI system identified some national guard "training areas" that we could not find online.
Key Takeaways from the GRLD List:
Broad Scope of Locations: The GRLD List is composed primarily of Department of Defense sites, including installations, ranges, and training areas. It includes not only well-known Air Force, Army, and Navy installations, but also encompasses national guard installations and training areas as well as additional facilities such as ammunition plants and research centers. The List further includes certain notable Intelligence Community locations, such as the Office of the Director of National Intelligence, but by no means all of them. For example, CIA headquarters is not currently included, and only one FBI facility appears on the List. The List only identifies two sites in Washington, DC—the Naval Observatory and the Washington Navy Yard—while omitting the White House and other federal agencies. DOJ has acknowledged in the Rule that the current list is not comprehensive and will consider adding more locations.
Broad Geographic Coverage: The GRLD List includes locations in all 50 states, the District of Columbia, Puerto Rico, and Guam. The states with the most locations on the List are California (74), Virginia (52), Florida (39), Hawaii (35), and Alabama (30).
Extensive Geofences: From our sampling, the geofences provided by DOJ often correspond to large physical perimeters that exceed the expected boundaries of the identified site. In multiple instances, a single identified location (e.g., an Air Force Base) has been assigned two distinct Area IDs, each linked to a different set of coordinates. One set typically covers the primary footprint of the installation, while another encompasses a neighboring or overlapping area, including publicly accessible areas.
Conclusion:
DOJ's 90-day enforcement "pause" ends on July 8, at which time companies are expected to be in full compliance with the DSP, save for a limited number of recordkeeping and auditing requirements that become effective on October 6. Companies that either collect precise geolocation data or that operate in proximity to sensitive government facilities, such that they may incidentally collect such data within the geofences on the GRLD List, should take immediate action to address the DSP's requirements pertaining to this data. Depending on their specific circumstances, these companies should review and, if necessary, modify their current data flows to prevent any inadvertent restricted or prohibited transactions. Additionally, they should update their internal controls to ensure proper handling of data collected within the designated locations.
Footnotes
1. For background on the DSP, see our prior Legal Updates on the Final Rule and on DOJ's compliance and enforcement guidance. Also see our webinar on DSP compliance.
2. The term precise geolocation data means data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters (28 C.F.R. § 202.242).
3. See 28 C.F.R. § 202.222.
4. See 28 C.F.R. § 202.302.
Visit us at mayerbrown.com
Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.
© Copyright 2025. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
