
On April 11, 2025, the Department of Justice (DOJ) issued guidance (Guidance) to assist individuals and entities in coming into compliance with its final rule, referred to as the "Data Security Program" (DSP Rule), which implements Executive Order 14117 on "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern" (Executive Order). The DSP Rule prohibits and restricts "bulk" data transactions involving China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela and individuals and entities under their control.1 The DSP Rule took effect on April 8, 2025.
The DOJ's newly issued Guidance, which includes a Compliance Guide, FAQs and an Implementation and Enforcement Policy that is to remain in place only through July 8, 2025, is intended to facilitate compliance with the DSP Rule.2 The DOJ, however, emphasizes that "[n]othing in these documents supplements, modifies, or supersedes the requirements set forth in the [DSP Rule]."
This alert offers a high-level summary of the key aspects of the Guidance along with our key takeaways.
Summary of the DSP Rule3
The DSP Rule prohibits or restricts various categories of transactions involving bulk sensitive personal data or government-related data between U.S. persons and the countries of concern or covered persons.
Countries of concern
The countries of concern currently identified by the DOJ are China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela. As the DOJ indicates in the newly issued Compliance Guide, "[t]hese countries of concern demonstrate an intent and capability to use US Government-related data and Americans' sensitive personal data to threaten US national security, including through espionage and economic espionage, surveillance, coercion and influence, blackmail, foreign malign influence, curbing dissent by U.S. persons, targeting journalists, political figures, members of marginalized communities, and other populations, and engaging in nefarious, cyber-enabled activities."
Covered persons
The DSP Rule defines a covered person as:
- A foreign person that is an entity that is 50 percent or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern or persons …; or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
- A foreign person that is an entity that is 50 percent or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in [the other] paragraphs of this section;
- A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity [identified by] this section;
- A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or
- Any person, wherever located, determined by the Attorney General: (i) to be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person; (ii) to act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or (iii) to have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.
As noted in the Compliance Guide, the fifth category will be comprised of any foreign or U.S. persons that the DOJ adds to the Covered Persons List the DOJ plans to issue and maintain based on a determination that the person meets the applicable criteria, such as being subject to the ownership or control of a country of concern.
Covered data
The DSP Rule regulates transactions concerning two categories of data:
- US bulk sensitive personal data – comprised of six categories (human 'omic data, biometric identifiers, precise geolocation data, personal health data, personal financial data and covered personal identifiers), each with its own defined "bulk" threshold, i.e., the volume of data transferred that meets or exceeds that threshold; and
- US government-related data – comprised of: (1) precise geolocation data for any area specifically designated as posing a heightened risk of exploitation, such as military installations, national security, defense or intelligence facilities, or worksites of federal national intelligence personnel; and (2) any sensitive personal data that is marketed as linked or linkable to current or former US government employees or officials, including from the military or intelligence community.
Covered transactions
The DSP Rule covers the following categories of transactions:
- Prohibited Transactions – include any covered "data brokerage" transactions involving covered data with covered persons and any data transaction with a covered person that involves access to bulk human 'omic data or to human biospecimens from which such data could be derived. Unless exempt or otherwise authorized by a general or specific license, U.S. persons may not knowingly engage in a data transaction involving data brokerage with a covered person; and
- Restricted Transactions – include any covered data transaction involving an employment agreement, vendor agreement, or investor agreement with a country of concern or a covered person. U.S. persons may engage in a restricted transaction only if they comply with: (1) the Cybersecurity and Infrastructure Security Agency (CISA) security requirements; (2) all Data Compliance Program development and implementation requirements; (3) the obligation to conduct audits; and (4) the recordkeeping requirements.
The Guidance
In its press release accompanying the issuance of the Guidance, the DOJ noted that its "continued prioritization of the Data Security Program delivers on promises made by President Trump" to address the urgent threat posed by China, Russia, Iran, and other foreign adversaries using commercial activities to access and exploit US government-related data and Americans' sensitive personal data to commit espionage and economic espionage, conduct surveillance and counterintelligence activities, develop AI and military capabilities, and otherwise undermine our national security. The Guidance is intended to assist the public in coming into compliance with the DSP Rule. The Guidance is divided into three parts:
- Implementation and Enforcement Policy (Implementation Policy). This part of the Guidance is perhaps the most immediately helpful piece, because it establishes a 90-day window during which the DOJ "will not prioritize civil enforcement actions against any person for violations of the DSP [Rule] that occur from April 8 through July 8, 2025 so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP [Rule] during that time. This policy aims to allow the private sector to focus its resources and efforts on promptly coming into compliance and to allow [DOJ] to prioritize its resources on facilitating compliance."
- Compliance Guide. The Compliance Guide provides general guidance to regulated parties on the DOJ's expectations for the elements to be included in a DSP compliance program; and
- FAQs. The DOJ has put together more than 100 FAQs on the DSP Rule. While those FAQs reiterate the provisions of the DSP Rule, they do add commentary that may be helpful in determining the persons, data and transactions that are or are not covered by the DSP Rule.
Implementation and Enforcement Policy (Implementation Policy)
The DOJ instituted the Implementation Policy as a temporary measure that is intended to give the private sector time to focus on complying with the DSP.
DSP Compliance Date: Individuals and entities are required to comply with the DSP starting April 8, 2025.4 The Implementation Policy does not change that.
Extended Enforcement: The Implementation Policy does provide that, for the 90-day period from April 8, 2025 through July 8, 2025, the DOJ will not "prioritize" civil enforcement actions against any person that is engaging in "good faith efforts" to come into compliance with the DSP. This extended enforcement, however, is limited:
- The extension is intended to give individuals and companies time to take "good faith" steps (1) to determine whether the DSP's prohibitions and restrictions apply to their activities, and (2) to implement changes to their existing policies and practices or to establish new policies and practices to comply with the DSP; and
- The pause applies only to civil enforcement actions against persons making good faith efforts to comply with the DSP; it still allows the DOJ to pursue civil actions for "egregious, willful violations" and to take criminal action against individuals or entities believed to be willfully violating, attempting or conspiring to violate, causing a violation, or engaging in any action intended to evade or avoid the DSP's requirements.5
Good Faith Efforts: The key factor in relying on the delayed implementation and enforcement offered by the Implementation Policy is for an individual or company to be able to provide evidence of its "good faith effort" to focus its resources and efforts "on promptly coming into compliance" with the DSP. The Implementation Policy offers the following examples of actions that may be considered good faith efforts:6
- Conducting internal reviews of access to sensitive personal data, including whether transactions involving access to such data flows constitute data brokerage;
- Reviewing internal datasets and datatypes to determine if they are potentially subject to DSP;
- Renegotiating vendor agreements or negotiating contracts with new vendors;
- Transferring products and services to new vendors;
- Conducting due diligence on potential new vendors;
- Negotiating contractual onward transfer provisions with foreign persons who are the counterparties to data brokerage transactions;
- Adjusting employee work locations, roles or responsibilities;
- Evaluating investments from countries of concern or covered persons;
- Renegotiating investment agreements with countries of concern or covered persons; and
- Implementing the CISA Security Requirements, including the combination of data-level requirements necessary to preclude covered person access to regulated data for restricted transactions.
Compliance Guide
The Compliance Guide identifies and describes what the DOJ calls "best practices" for complying with the DSP, including guidance on key definitions, prohibited and restricted transactions, the elements of a "robust" data compliance program and model contractual language. The DOJ notes that it is "crucial" for U.S. persons to familiarize themselves with, and prepare to comply with, the DSP's prohibitions and restrictions. The DOJ, however, emphasizes that, while intended to help with that process, the Compliance Guide provides only general information and that failing to adhere to the guidance in the Compliance Guide will not in itself be deemed a violation of the DSP. According to the Compliance Guide, U.S. persons should "know their data," including the kinds and volumes of data collected about or maintained on U.S. persons or US devices; how their company uses the data; whether their company engages in covered data transactions; and how such data is marketed, particularly with respect to current or recent former employees or contractors, or former senior officials, of the United States government, including the military and Intelligence Community.
The Compliance Guide underscores the importance of U.S. persons understanding their data and the risks associated with foreign access and establishes criteria for evaluating the risk of applications associated with foreign adversaries, further enhancing the protection of personal data. The Compliance Guide lists a number of steps that companies should take to ensure compliance with the DSP, including creating or revising internal policies and procedures, modifying contracts with vendors, and clarifying management and employee responsibilities for compliance. Among other things, the Compliance Guide covers:
Key Definitions. The Compliance Guide offers guidance on the key definitions included in the DSP, such as covered data transactions, covered persons, prohibited and restricted transactions.
Model Contract Language for Prohibited Transactions. The DSP requires a US person engaged in a covered data brokerage transaction with a foreign person (that is not a covered person) to contractually require the foreign person to refrain from engaging in any subsequent transfer or resale of the government-related data or bulk US sensitive personal data with a country of concern or covered person. The Compliance Guide offers sample provisions that U.S. persons can include in contracts to accomplish that goal.
[US person] provides [foreign person] with a non-transferable, revocable license to access the [data subject to the brokerage contract]. [Foreign person] is prohibited from engaging or attempting to engage in, or permitting others to engage or attempt to engage in the following:
(a) selling, licensing of access to, or other similar commercial transactions, [such as reselling, sub-licensing, leasing, or transferring in return for valuable consideration,] the [data subject to the brokerage contract] or any part thereof, to countries of concern or covered persons, as defined in 28 CFR part 202; and
Where [foreign person] knows or suspects that a country of concern or covered person has gained access to [data subject to the brokerage contract] through a data brokerage transaction, [foreign person] will immediately inform [US person]. Failure to comply with the above will constitute a breach of [data brokerage contract] and may constitute a violation of 28 CFR part 202.
The sample contract language also includes optional provisions to require the foreign person to certify annually that it will not "evade or avoid, cause a violation of, or attempt to violate any of the prohibitions" of the DSP. While the sample language is not required to be included in contracts, it may well become the standard given that it was proposed by the DOJ.
It is also worth noting that the DOJ specified that adding the contract provisions alone would not be considered sufficient to show compliance, and that U.S. persons are also expected to take steps to ensure that the foreign person complies, including:
- conducting adequate due diligence of foreign counterparties as part of a risk-based compliance program; and
- maintaining appropriate systems and controls to evaluate whether foreign counterparties are complying with the contractual provisions.
Data Compliance Program Requirements for Restricted Transactions. The DSP requires U.S. persons engaged in restricted transactions to develop, implement, and routinely update a risk-based, written Data Compliance Program that is designed to prevent, detect, and remediate breaches in company procedures and violations of the DSP. The Compliance Guide specifies that the Data Compliance Program should be tailored to the US person's risk profile, but to be considered "robust" at a minimum should include the following "affirmative requirements:"
- Risk-based due diligence procedures that include routine (ideally, at least annual) and ongoing risk assessments to evaluate the potential issues they are likely to encounter based on their business activity and risk appetite, and that include an assessment of the company's current data holdings and vendor, employee or investment agreements covered by the DSP;
- Vendor management and validation procedures that include controls to screen vendors against the Covered Persons List periodically based on the company's risk appetite, and that may include the use of screening software to examine current or prospective vendors' geographical information to determine whether the vendor is located in, organized or chartered under the laws of, or has its principal place of business in a country of concern;
- Written data compliance program policy that includes internal controls that are developed based on risk assessment results and that enable the organization to identify, escalate, and report to appropriate personnel any covered data transactions that may violate the DSP; and
- Written security requirements policy that describes implementation of the security requirements and is certified annually by the CCO or responsible compliance officer.
According to the DOJ, "[w]hether a Data Compliance Program complies with the DSP's requirements is a holistic inquiry that depends on the facts and circumstances. Compliance with the suggestions outlined above may not satisfy the DSP's requirements in all circumstances and will not provide a safe harbor for apparent violations of the DSP. Conversely, failing to adopt the suggestions described below may not violate the DSP."
Licensing. The National Security Division (NSD) issues licenses to authorize transactions that would otherwise violate the DSP. There are two types of licenses: general licenses and specific licenses. A general license permits certain transactions for a group of people without the need for individual applications, while a specific license authorizes particular transactions for an entity upon application. NSD noted that it will publish any general licenses on its website and in the Federal Register, and entities may apply for a specific license authorizing covered data transactions with a covered person or country of concern.
FAQs
The Data Security Program FAQs address high-level clarifications of the intended scope of the DSP, procedures for complying with the DSP, and the processes for requesting licenses and advisory opinions, making disclosures of DSP violations and reporting rejected prohibited transactions. The DOJ notes that the FAQs reflect and address at least some of the feedback and common issues raised during the DSP rulemaking process, including from businesses, trade groups and others that met with the DOJ, and that the DOJ plans to update the FAQs as necessary and appropriate to address any additional questions raised.
The more than 100 FAQs provided so far reiterate much of the information included in the DSP final rulemaking but do provide some added clarity. Among other things, the FAQs address:
- the intended scope of the DSP, including that U.S. persons should only consider covered data transactions that occur on or after the DSP effective date (i.e., April 8, 2025);
- the processes for requesting specific licenses and advisory opinions, guidance on making disclosures about violations (though the DOJ has noted that any formal requests for specific licenses or advisory opinions during the 90-day period are discouraged); and
- the procedure for reporting rejected prohibited transactions.
Key Takeaways
There is a lot to digest and incorporate in the new DOJ guidance, but perhaps the key takeaway is the clear DOJ expectation that covered persons are taking affirmative action and making "good faith efforts" to assess how to bring their activities into compliance with the DSP. To that end, we suggest that it may be worthwhile to use the 90-day Implementation Period to focus on the following:
- Audit Data and Data Flows. Conduct audits (1) to identify whether sensitive personal data and government-related data held (including data collected and transferred through online tracking) meet the DSP bulk thresholds, and (2) to establish procedures to verify data flows of covered data;
- Vendor Due Diligence. Determine how to identify covered vendors and the compliance measures that will be needed to allow the company to monitor the activities of those vendors, including their access to covered data;
- Review and Update Contracts. Amend contracts to include provisions to prohibit third parties from transacting in prohibited data and to report such transactions. See sample contract provisions above; and
- Review and Determine Needed Monitoring Measures. Determine monitoring and related security measures that will be needed to allow the company to identify and monitor transactions involving covered data and to capture that information for required reporting under the DSP;
- Compliance Oversight. Ensure that the company's DSP compliance policy includes adequate provisions for oversight by the board of directors and senior management. For instance, the Compliance Guide provides that:
- The board of directors and senior management should oversee that the Company has qualified compliance managers and review audit reports related to restricted transactions; and
- The CCO or responsible compliance officer should provide an annual certification to the board of directors and senior management indicating: (1) the company's Data Compliance Program implementation and due diligence efforts; (2) the company's implementation of any applicable security requirements as defined in the DSP; and (3) the completeness and accuracy of recordkeeping documenting the company's due diligence, as supported by an audit. The responsible employee should not be a covered person.
- Employee Training. Consider the need to implement training programs to ensure understanding of and compliance with the DSP, including training on conducting ongoing risk assessments, implementing internal controls to monitor covered transactions, and facilitating employee reporting and escalation of any prohibited transactions or other potential issues identified.
We expect more issuances from the DOJ in the near term, including its initial Covered Persons List that will identify and designate persons subject to the control and direction of foreign adversaries.
1 DOJ, Final Rule: Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons.
2 The DOJ Guidance is available at https://www.justice.gov/opa/pr/justice-department-implements-critical-national-security-program-protect-americans-sensitive.
3 For a more detailed discussion of the DSP Rule, please see our alert available here.
4 The DSP's requirements relating to due diligence and audits, reporting of certain restricted transactions and rejected prohibited transactions take effect starting October 6, 2025.
5 The DOJ is authorized both to bring civil enforcement actions for knowing violations of the DSP, which can carry civil penalties of up to the greater of $368,136 or twice the value of each violating transaction, and to bring criminal prosecutions for willful violations of the DSP's requirements, which are punishable by up to 20 years' imprisonment and a $1,000,000 fine.
6 The Implementation Policy also notes that the DOJ will consider voluntary cooperation with DOJ inquiries as evidence of good faith efforts to comply with the DSP.
© 2025 White & Case LLP