The Data Security Program (DSP), finalized in April 2025 under Executive Order 14117, imposes a broader and more punitive compliance regime than the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA), according to Ali Jessani and Sam Kane of WilmerHale, writing in Lawfare.
PADFAA originated in Congress, which enacted the measure in April 2024 as part of an emergency supplemental appropriations bill. It restricts data brokers from selling or transferring sensitive U.S. personal data to foreign adversaries.
PADFAA includes exemptions for service providers and for transfers based on consumer consent. Enforcement falls to the Federal Trade Commission, with violations treated as unfair or deceptive acts.
The DSP, by contrast, stems from the executive branch. President Biden issued EO 14117 in February 2024, directing the Attorney General to establish rules restricting bulk sensitive personal data and U.S. government-related data transactions involving foreign entities of concern. Those regulations, now the DSP, took effect in April 2025.
“The DSP… is likely to present a more substantial compliance challenge than PADFAA,” Jessani and Kane observed.
Unlike PADFAA, the DSP applies to any U.S. person engaged in prohibited transactions, covers onward transfers of data abroad, and contains no consent-based exemptions.
Its penalties are also stricter—civil fines up to $368,136 or double the transaction value, and criminal penalties of $1 million and 20 years’ imprisonment, enforced by DOJ’s National Security Division.
Elizabeth McEvoy of Epstein Becker Green, in a July 2025 client alert, emphasized that DOJ’s Final Rule on Bulk Data Transfers “applies broadly, covering routine business transactions and data transfers across all business sectors.” She noted the agency’s 90-day enforcement safe harbor ended July 8, 2025, after which “individuals and entities should be in full compliance with the DSP and should expect NSD to pursue appropriate enforcement.”
Deputy Attorney General Todd Blanche underscored the rationale for the new rule: “Why would you go through the trouble of complicated cyber intrusions… when you can just buy it on the open market? The DSP makes getting that data a lot harder.”