Key Takeaways
- Under Executive Order 14117, the U.S. Department of Justice's (DOJ) National Security Division (NSD) has implemented a Data Security Program (DSP) to address national security risks associated with foreign access to sensitive U.S. data.[1]
- The DSP is designed to "prevent China, Russia, Iran, and other foreign adversaries from using commercial activities to access and exploit ... Americans' sensitive personal data to commit espionage, conduct surveillance and counterintelligence activities ... and otherwise undermine our national security."
- The DSP is a national security directive, not a privacy regulation designed to protect individual privacy or interests. As a result, the DSP contains many characteristics that are similar to U.S. sanctions and export control regimes.
- The DSP's regulations became effective on April 8, 2025, with certain compliance requirements taking effect 90 days later on July 7, 2025.
- Companies that collect this sort of data are now subject to restrictions traditionally reserved for the defense sector and other highly sensitive government contracts. Failure to comply can result in DOJ inquiries and enforcement, including civil and criminal liability under the International Emergency Economic Powers Act (IEEPA) and other statutes. Civil violations can lead to fines of up to $366,136 (or an amount equal to twice the amount of the sanctioned transaction), while criminal penalties can include imprisonment for up to 20 years and a $1,000,000 fine.
The Data Security Program (DSP) recently implemented by the U.S. Department of Justice (DOJ) will have far-reaching implications for many businesses that transfer the personal data of U.S. citizens outside the United States. This client alert highlights key features of the DSP and recommends steps that companies can take to prepare for enforcement.
The Data Security Program's Key Provisions
Types of Covered Data – The DSP creates two categories of covered data: bulk sensitive personal data of U.S. persons and government-related data. The rule establishes six categories of "sensitive personal data":
- Covered personal identifiers (e.g., demographic information, contact information, and device identifiers when combined with other covered personal identifiers)
- Precise geolocation data (more expansive than most state privacy law definitions)
- Biometric identifiers
- Human 'omic data
- Personal health data
- Personal financial data
The DSP does not exempt pseudonymized, anonymized or de-identified data from the definition of sensitive personal data.
For each of the above categories, thresholds are established to quantify "bulk." To make the determination of whether a transaction meets the bulk threshold, all transactions for the preceding 12 months are aggregated.
| Sensitive Data Category | Bulk Threshold |
|---|---|
| Human Genomic Data | Over 100 U.S. persons |
| Human 'omic Data | Over 1,000 U.S. persons |
| Biometric Identifiers | Over 1,000 U.S. persons |
| Precise Geolocation | Over 1,000 U.S. devices |
| Personal Health Data | Over 10,000 U.S. persons |
| Personal Financial Data | Over 10,000 U.S. persons |
| Certain Covered Personal Identifiers | Over 100,000 U.S. persons |
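The 12-month aggregation rule and the threshold table above are easy to get wrong when counts are spread across many small transfers. The following Python is an added illustration written for this note, not code from DOJ or the DSP. It assumes that "aggregated" means counting distinct U.S. persons (or distinct U.S. devices for precise geolocation) across every transfer in a trailing 365-day window ending on the evaluation date, and that "over N" means strictly more than N; the category names, the `Transfer` record and the sample transfers are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Bulk thresholds from the DSP table above. The unit is distinct U.S. persons,
# except precise geolocation, which is counted in distinct U.S. devices.
# Category keys are constructed labels, not DSP terminology.
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "human_omic": 1_000,
    "biometric": 1_000,
    "precise_geolocation": 1_000,  # devices, not persons
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_personal_identifiers": 100_000,
}


@dataclass(frozen=True)
class Transfer:
    """One outbound transfer of covered data (constructed record shape)."""
    on: date
    category: str
    subject_ids: frozenset  # opaque person or device identifiers in the transfer


def _as_date(value):
    # Accept either a date or an ISO-8601 string such as "2025-07-07".
    return date.fromisoformat(value) if isinstance(value, str) else value


def aggregate_subjects(transfers, as_of, window_days=365):
    """Count distinct subjects per category over the trailing window ending at as_of.

    Assumption: the same person or device appearing in several transfers counts
    once, so the union of identifiers is taken rather than a sum of row counts.
    """
    as_of = _as_date(as_of)
    start = as_of - timedelta(days=window_days)
    seen = {}
    for t in transfers:
        if start < t.on <= as_of:  # inside the preceding 12 months
            seen.setdefault(t.category, set()).update(t.subject_ids)
    return {category: len(ids) for category, ids in seen.items()}


def meets_bulk_threshold(transfers, as_of):
    """Return {category: True/False} for whether the aggregate exceeds the threshold."""
    counts = aggregate_subjects(transfers, as_of)
    return {c: counts.get(c, 0) > limit for c, limit in BULK_THRESHOLDS.items()}


def example_transfers(include_july_batch=False):
    """Constructed sample data: overlapping geolocation batches plus one stale batch."""
    batches = [
        Transfer(date(2025, 1, 15), "precise_geolocation", frozenset(range(0, 400))),
        Transfer(date(2025, 3, 1), "precise_geolocation", frozenset(range(200, 600))),
        Transfer(date(2025, 6, 1), "precise_geolocation", frozenset(range(500, 900))),
        # Older than 12 months as of 2025-07-07, so it must fall out of the window.
        Transfer(date(2024, 2, 1), "precise_geolocation", frozenset(range(900, 1100))),
        Transfer(date(2025, 5, 1), "personal_health", frozenset(f"p{i}" for i in range(50))),
    ]
    if include_july_batch:
        # 150 new devices push the distinct count from 900 to 1,050, over the 1,000 line.
        batches.append(
            Transfer(date(2025, 7, 1), "precise_geolocation", frozenset(range(900, 1050)))
        )
    return batches


if __name__ == "__main__":
    for flag in (False, True):
        counts = aggregate_subjects(example_transfers(flag), "2025-07-07")
        flags = meets_bulk_threshold(example_transfers(flag), "2025-07-07")
        print(counts, {c: v for c, v in flags.items() if v})
```

Summing row counts instead of taking the union would report 1,200 geolocation devices for the first three batches and flag a transaction that is actually under the line; conversely, forgetting to drop transfers older than the window would keep stale records in the total. Both the distinct-count assumption and the window boundary are labelled in the code so they can be revisited against the rule text.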
Covered Data Transactions – The DSP defines covered data transactions as those transactions involving bulk U.S. sensitive personal data or government-related data.
- Each type of transaction is categorized as either prohibited or restricted.
- The DSP provides specific definitions for data brokerage, vendor agreements, employment agreements and investment agreements.
- The DSP prohibits data brokerage transactions but provides allowances for vendor agreements, employment agreements, and investment agreements – as long as the transfers are subject to certain security requirements.
- Exemptions – The DSP exempts certain transactions that would otherwise be covered data transactions (e.g., personal communications, financial services, telecommunication services, and corporate group transactions).
Countries of Concern and Covered Persons
- Countries of Concern – The DSP identifies the countries of concern as China, Russia, Iran, North Korea, Cuba and Venezuela.
- Covered Persons – Entities that are 50 percent or more owned, directly or indirectly or in the aggregate, by one or more countries of concern or covered persons, or that are organized or chartered under the laws of, or have their principal place of business in, a country of concern.
"Know-Your-Data" and Diligence Requirements
- Know-Your-Data Requirement – This provision goes into effect October 6, 2025. By that time, companies that participate in restricted transactions must design and implement a compliance program which contains the following elements:
- Risk-based procedures to verify data flows that are auditable and identify: (i) the types and volume of covered data involved in that transaction; (ii) the transaction parties; and (iii) the ultimate use of the data and how the data was transferred.
- A risk-based process for identifying vendors.
- Written data compliance program policies that are certified annually by an officer, executive, or other employee who has responsibility for compliance.
The DSP's April 11, 2025 Guidance
On April 11, 2025, DOJ announced the next steps in the implementation of the DSP.[2] NSD also issued a Compliance Guide,[3] an initial list of over 100 Frequently Asked Questions,[4] and an Implementation and Enforcement Policy for the first 90 days.[5] An initial Covered Persons List that identifies and designates people and entities "subject to the control and direction of foreign adversaries" is forthcoming.
It is important to note that the DSP is a national security directive, not a privacy regulation designed to protect individual privacy or interests. Not surprisingly, in issuing the April 11, 2025 guidance, DOJ noted that the DSP "establishes what are effectively export controls" governing the sensitive data and foreign parties at issue.
Indeed, compliance practitioners and litigators who handle sanctions and export control matters will find much about the DSP that is familiar: the DSP closely tracks the restrictions, oversight, licensing and enforcement frameworks used by the Department of the Treasury's Office of Foreign Assets Control (OFAC) and the Department of Commerce's Bureau of Industry and Security (BIS) governing the flow of goods and funds to and involving foreign entities.
Next Steps for Your Company
Given this context and precedent, there are steps that U.S. businesses should consider taking to ensure compliance with the DSP and minimize potential disruptions to their business.
- Know Your Data: Identify and classify categories of data that fall under the rule and assess whether that data is stored, processed or transmitted in ways that could be accessed by covered persons. Per the April 11, 2025 guidance, the covered persons analysis mirrors the "50% Rule" OFAC uses to identify sanctioned parties. The guidance also describes how combinations of data can trigger the rule, including things like IP addresses, mobile device IDs, MAC addresses and mobile advertising IDs together with other identifiers.
- Restrict Access: Review relationships with vendors and identify potential access by foreign subsidiaries and third parties, such as IT service contractors, data analytics providers and offshore cloud storage. Where appropriate, implement access controls and logging mechanisms.
- Gap and Security Assessments: To ensure compliance with the CISA security requirements (which were updated in conjunction with the DSP), conduct a gap assessment to identify noncompliant processes and procedures (including the requirement for asset inventories, updated software and hardware, and remediation timelines for vulnerability patching).
- Prepare for Audits and Reporting: Document your organization's data flow and ensure appropriate policies and procedures to identify potentially covered transactions. At a minimum, when conducting due diligence on data transfers to prevent unauthorized downstream access, make sure that such efforts are preserved and can be retrieved in the future.
- Update and Revise Contract Language: Contractual protections can be effective tools to manage and allocate compliance risk when sharing data with third parties, vendors or foreign affiliates. The April 11, 2025 Compliance Guide provides model contractual language that should be implemented immediately and, where possible, incorporated into existing relationships. Should a relationship or contract require termination to comply with the DSP, companies must be mindful of litigation risks, as compliance with EO 14117 and the DSP will not necessarily constitute a force majeure event.
- Contact NSD with Questions and Requests for Clarification: During this 90-day period, NSD encourages the public to contact them with informal inquiries about the DSP. While NSD will not be able to respond to every inquiry, the mere fact that a company sought clarification about the DSP or guidance regarding a third-party relationship or transaction evinces good faith and reasonableness that, in the event of an inadvertent breach, can be cited as evidence of attempted compliance.
- Prepare Specific License Requests: The DSP tracks OFAC's approach to "general" and "specific" licenses. Companies should prepare any specific license applications as far in advance as possible, as similar requests with BIS and OFAC typically take months to be processed and frequently require extensive communications between the government and the applicant.
Conclusion
As with other national security-focused initiatives, the DSP creates a variety of compliance challenges that transcend traditional practice areas and implicate a variety of cybersecurity, international trade and white collar litigation issues. As U.S. businesses adjust, the touchstones for compliance are, and will remain, good faith, reasonable and proportionate steps, and due diligence. Such an approach, consistent with the April 11, 2025 guidance, will not only minimize the risk of noncompliance with the DSP but also help protect a company and its partners in the event of a government inquiry down the road.
Footnotes
1. https://www.federalregister.gov/documents/2024/03/01/2024-04573/preventing-access-to-americans-bulk-sensitive-personal-data-and-united-states-government-related. The DOJ issued a Final Rule implementing EO 14117 on January 8, 2025. See https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern.
3. https://www.justice.gov/opa/media/1396356/dl