
Enforcement Starts July 8 on New U.S. Data Transfer Rules – DOJ’s Data Security Rules for Bulk Sensitive Data

June 26, 2025
8 minute read


Authored By

Sarah A. Sargent, Shareholder

The U.S. Department of Justice (DOJ) issued data transfer rules that may apply to any business depending on its data sharing activities. The rules prohibit or restrict the sending of bulk sensitive data or U.S. government-related data to prohibited countries and persons. The rules are designed to protect national security and implement Executive Order 14117. The DOJ’s new Data Security Program (DSP) took effect in April. The rules are broad and complex, but here are some key things you need to know:

  • Aggressive enforcement has been delayed, but the grace period ends on July 8, 2025.
  • Additional due diligence, reporting, and auditing requirements will take effect on October 6, 2025.
  • The rules apply to all businesses, regardless of size, and even companies outside the data broker industry may be covered.
  • The rules also cover common things like vendor, employment, and outsourcing arrangements as well as some mergers and acquisitions (M&A) activity where there is foreign data transfer or access.

Now is the time to check whether your business needs to act. We’ve pulled together some additional resources, FAQs, and a cheat sheet on the DSP to help you think through the issue. If you need more help, please reach out to a member of our Data Privacy, Cybersecurity & Technology practice.

What are some red flags for the DSP’s application?

The rules are intricate, and it’s impossible to identify every way a business might find itself in the DSP’s ambit. Some common risk factors that may trigger the DSP include:

  • investment or ownership holdings in your business by entities from or involved with countries of concern, if your business holds U.S. persons’ sensitive data.
  • M&A or other corporate transactions involving: (1) U.S. persons’ sensitive data; and (2) investment, ownership, or control stakes being taken by entities from or involved with countries of concern.
  • agreements or outsourcing arrangements involving vendors, employees, or contractors from or involved with countries of concern.
  • sale or licensing to any foreign entities of the following types of data:
    • U.S. persons’ sensitive data, particularly if at volumes over 1,000 data subjects or devices; or
    • Any amount of data specifically relating to U.S. government personnel or their geolocation data in sensitive areas.

What types of data transfers does the DSP apply to?

The DSP applies to any “covered data transaction” involving access by certain types of foreign entities to two broad types of data: government-related data and bulk U.S. sensitive personal data. Government-related data is defined as any sensitive personal data, regardless of volume, that is associated with current or recent former government employees, contractors, or officials, and any precise geolocation data, regardless of volume, for any location set out on the Government-Related Location Data List. Bulk sensitive personal data is defined as six types of data when certain volume thresholds are met. (We’ve provided a table with the types of data and applicable thresholds in the cheat sheet below.)

The DSP is triggered when a “country of concern” or a “covered person” may access either type of data. Current countries of concern include China (including Hong Kong and Macau), North Korea, Cuba, Russia, Iran, and Venezuela. Covered persons, defined in four broad categories, consist of residents of a country of concern, contractors/employees of a country of concern, entities organized under the laws of or majority-owned by a country of concern, and entities majority-owned by persons in any of the preceding categories. The DOJ also reserves the right to designate “[a]ny person, wherever located” as a covered person in certain circumstances.

What does the DSP prohibit or require?

Restricted Transactions. Some more common types of foreign data transactions are deemed “restricted.” These include transactions that allow any access by a country of concern or covered person to government-related or bulk U.S. sensitive personal data in the context of:

  • Data brokerage with a non-covered foreign person—meaning that any data brokerage with any foreign person is restricted under the DSP;
  • Vendor agreements with covered persons;
  • Employment agreements with covered persons; and
  • Investment agreements, such as those involving the transfer of ownership rights, U.S. real estate, or U.S. entities, with covered persons.

Requirements for Restricted Transactions. Any entity engaging in restricted transactions must comply with various reporting, auditing, and security requirements. For instance, an entity engaged in a restricted transaction must annually audit all its restricted transactions and also meet the DSP and the Cybersecurity and Infrastructure Security Agency’s security requirements.

Prohibited Transactions. The DSP also explicitly prohibits:

  • Data brokerage of any type—meaning the sale of data, licensing of access to data, or a similar commercial transaction—with a covered person or country of concern;
  • Transactions of bulk human ‘omic data with a covered person or country of concern; and
  • Any restricted transaction made while the subject entities are out of compliance with the restricted-transfer requirements on issues like reporting, auditing, and security compliance.

Is my business exempt?

There are no blanket business exemptions based on company size or industry. However, the regulations do outline eleven categories of exempt transactions. These include financial services transactions, corporate group transactions, and authorized drug or medical device operations. (See the cheat sheet below for the full list.)

What are the risks of noncompliance?

Violations can carry civil penalties of over $350,000, criminal fines of up to $1 million, and even imprisonment. Civil and criminal violations of the DSP will be enforced under the International Emergency Economic Powers Act.

Are there other resources about the DSP available?

Yes. In addition to the final regulation itself and the accompanying commentary, the DOJ has released:

Cheat Sheet

Covered Data Types and Thresholds

Thresholds are measured in the number of U.S. persons or devices involved.

  • Government-Related Data: Sensitive personal data that is linked or linkable to current or recent former U.S. government employees, contractors, senior officials, or military and intelligence personnel, and precise geolocation data for any location listed in the Government-Related Location Data List. Threshold: N/A (any amount).
  • Human Genomic Data: Data involving genetic instructions found in a human cell, results of a genetic test, and any related human genetic sequencing data. Threshold: 100 persons.
  • Other Human ‘Omic Data: Data derived from analysis of human gene expression, proteins, and RNA transcripts. Threshold: 1,000 persons.
  • Precise Geolocation Data: Data that identifies the physical location of an individual or a device with a precision within approximately 3,281 feet. Threshold: 1,000 devices.
  • Personal Health Data: Health information that describes the past, present, or future physical or mental health of an individual, including reports, treatments, and diagnostics. Threshold: 1,000 persons.
  • Personal Financial Data: Data about an individual’s credit, charge, debit card, or bank account, including financial statements and securities portfolios. Threshold: 10,000 persons.
  • Covered Personal Identifiers: Any listed identifier in combination with another listed identifier, or a listed identifier linked to or in combination with other data, such that the listed identifier becomes linked or linkable. Threshold: 100,000 persons.

Note: Where a transaction involves combined data from multiple categories, the lowest threshold number applies.

“Countries of Concern”

  1. China (including Hong Kong and Macau)
  2. Cuba
  3. Iran
  4. North Korea
  5. Russia
  6. Venezuela

“Covered Persons”

A business entity is a “covered person” if it meets any one or more of the following:

  1. The entity is organized under the laws of a country of concern.
  2. The entity has its principal place of business in a country of concern.
  3. The entity is majority-owned by: (a) a country of concern, or (b) one or more covered persons.

An individual person is a “covered person” if they meet any one or more of the following:

  1. The individual is a foreign person who is an employee or contractor of: (a) a country of concern, or (b) an entity described in items 1, 2, or 3, above.
  2. The individual is a primary resident of a country of concern.
  3. The individual has been determined to be a “covered person” by the U.S. Attorney General.

“Exempt Transactions”

  • Personal communications: Data transactions that involve postal, telegraphic, telephonic, or other personal communications that do not contain anything of value.
  • Information or informational materials: Import or export of expressive material such as publications, photographs, or films.
  • Travel: Data transactions ordinarily incident to and part of travel to or from any country.
  • Official business of the U.S. government: Data transactions used for the conduct of official business by government employees, grantees, or contractors; authorized activity by any department or agency; or transactions pursuant to a contract with the U.S. government.
  • Financial services: Data transactions ordinarily incident to and part of financial services, such as the transfer of personal financial data incident to the purchase or sale of goods and services.
  • Corporate group transactions: Data transactions between a U.S. person and its subsidiary or affiliate located in a country of concern, as well as transactions ordinarily incident to and part of administrative or ancillary business operations.
  • Transactions required or authorized by Federal law or international agreements: Data transactions that are required or authorized by Federal law or by international agreements to which the U.S. is party, such as a transaction ordinarily incident to the Bank Secrecy Act.
  • CFIUS action: Investment agreement data transactions that are subject to any agreement or condition the Committee on Foreign Investment in the U.S. has designated.
  • Telecommunication services: Data transactions, other than those involving data brokerage, which are ordinarily incident to and part of voice and communication services.
  • Drug, biological product, and medical device authorizations: Data transactions that involve “regulatory approval data” and are necessary to obtain or maintain authorization to research or market a drug, biological product, or medical device.
  • Other clinical investigations and post-marketing surveillance data: Data transactions ordinarily incident to and part of clinical care data, the processing of post-market surveillance, or FDA clinical investigations.
