The new Department of Justice (DOJ) rule governing international transfers of Americans' information, codified at 28 C.F.R. Part 202, became effective on April 8, 2025.
Our user's guide to the rule lays out what it covers, and we recently recorded a webinar walking through the rule.
Any U.S. company that transfers personal data to foreign companies or gives foreign companies access to personal data should review the rule–even if they encrypt or anonymize their data. The rule imposes prohibitions, restrictions, and security and recordkeeping requirements for different types of transfers or access. The rule covers data that a company uses in its everyday business, such as advertising IDs and location information, as well as data that third-party vendors such as internal or external helpdesks or customer support can access. U.S. companies that use foreign vendors will need to look at their contracts and due diligence processes, and vendors to U.S. companies will need to be prepared to attest to their compliance.
The rule became effective April 8, but DOJ has suspended enforcement until July 8 for companies that make a good-faith effort to come into compliance. Perkins Coie can help assess whether and to what degree the rule applies to your business, map out any necessary steps to come into compliance, document those steps to demonstrate good-faith efforts, and set up any necessary compliance, security, recordkeeping, and audit program.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
