The U.S. Department of Justice’s Final Rule restricting the export of sensitive U.S. data to foreign entities took effect April 8, 2025. The rule, titled Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern [90 FR 1636] [13273], imposes significant new compliance obligations on U.S. companies and organizations handling covered data.
The rule targets data transactions involving individuals or entities linked to designated “countries of concern”—including China (with Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. The restrictions apply to a broad range of U.S. personal and government-related data, including biometric identifiers, precise geolocation, personal health and financial data, and genomic information.
Act now
A 90-day limited enforcement policy allows additional time for compliance review and implementation. Baker McKenzie notes that:
"Companies need to proceed with deliberate speed to assess applicability, develop and implement a compliance plan, and engage in ongoing monitoring, in order to be able to demonstrate that they are engaging in “good faith efforts.”
"As noted, this is a new, complex, and rigorous outbound data transaction regulation. Since the purpose of the DSP is national security (not commercial privacy), many terms used in data privacy regimes are defined differently in the DSP, and risk remediation measures that have been sufficient under data privacy regulations might not be fit for purpose under the DSP.
"More generally, many companies consider the definitions to be complex, the structure to be complicated, the exemptions to be narrow, and the designated security requirements to be strict.
"Compliance for many companies will require cross-functional input and support, and often may absorb some or all of the 90-day limited enforcement policy provided."
Key provisions include:
Prohibited Transactions: Data brokerage and transfers involving bulk genomic data or biospecimens to covered persons are banned.
Restricted Transactions: Vendor, employment, and investment arrangements involving covered data are permitted only if they meet specific cybersecurity requirements established by the Cybersecurity and Infrastructure Security Agency (CISA).
Exemptions: Certain activities—such as personal communications and data used for regulatory approvals of medical products—are exempt, subject to conditions.
Penalties: Civil penalties may reach $368,136 or twice the transaction value; willful violations may incur criminal penalties up to $1 million and 20 years’ imprisonment.
Future Requirements: Additional due diligence mandates for restricted transactions will apply beginning October 6, 2025.
Action Required:
Firms are advised to:
Identify Exposure: Audit existing data flows and transactions involving sensitive or government-related data.
Review Relationships: Evaluate current vendors, partners, and third parties for ties to covered jurisdictions or individuals.
Implement Controls: Ensure data-sharing practices meet new DOJ and CISA requirements.
When publishing the Final Rule, the Justice Department said that it would publish compliance, enforcement, and other guidance at www.justice.gov/nsd/data-security.
[Update] On April 11, the DOJ issued answers to more than 100 Frequently Asked Questions (“FAQs”), published a Compliance Guide, and issued a Limited Enforcement Policy for the first 90 days of the Final Rule.
The Department of Justice (DOJ) Compliance Guide outlines best practices for adhering to the Data Security Program (DSP), implemented under Executive Order 14117. It provides:
A policy framework addressing foreign threats to U.S. Government-related and sensitive personal data.
Definitions, prohibited/restricted data transactions, exemptions, and compliance program recommendations.
Model contract language to mitigate onward data transfer risk.
Audit and recordkeeping best practices.
The DOJ has published over 100 FAQs addressing:
DSP scope, licensing and advisory opinion processes, and reporting obligations.
Application of IEEPA-based constructs (e.g., general/specific licenses, 50% rule, exemptions).
Comparisons with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA).
Penalties, enforcement expectations, and “know your data” obligations (e.g., FAQ 79).
Limited Enforcement Policy:
The DSP took effect April 8, 2025. The DOJ will not prioritize civil enforcement from April 8–July 8, 2025, if entities demonstrate good faith compliance efforts (e.g., contract revisions, internal data flow reviews, CISA requirements). Full compliance is expected after this period. Deadlines for due diligence, audits, and rejected transaction reporting (effective October 6, 2025) remain unchanged.