On 8 April 2025, the U.S. Department of Justice's rule on access to U.S. sensitive personal data and government-related data went into effect. Simultaneously, the DOJ announced that it would not enforce the rule through 8 July 2025 so long as a company is engaging in good faith efforts to comply or come into compliance. That clock is ticking. U.S. entities that collect data about Americans should be working now to understand and implement this complex new regulatory scheme, the Data Security Program.

Adopted pursuant to Executive Order 14117, the rule is designed to protect Americans' sensitive personal data from exploitation by foreign adversaries. After years of nation-state cyber actors breaking into government and private sector systems to steal data about Americans, and after many efforts aimed at improving the cybersecurity of public and private information systems, officials in both the Trump and Biden administrations recognized that there was a loophole in their efforts: foreign adversaries could simply purchase bulk personal data about U.S. persons and government employees or acquire it in commercial transactions. The DSP aims to close that loophole by restricting how U.S. data can be shared, transferred, or accessed in relation to "countries of concern."

To help organizations achieve compliance, the DOJ published a DSP compliance guide and an extensive FAQ. This guidance clarifies how the rule applies and offers a detailed picture of the DOJ's expectations and its enforcement posture. Moreover, during the grace period, the National Security Division, which will be enforcing the rule, is encouraging informal inquiries about the DSP and its guidance.

The IAPP has published resources and primers that dive into the history, scope and some of the definitions of the rule. This article highlights key guidance for organizations to consider when developing their compliance practices, programs and controls.

'Covered person' focuses on ownership

The DSP addresses any transaction that involves any access by a "country of concern" or a "covered person" to any government-related data or bulk U.S. sensitive personal data via data brokerage or through a vendor, employment or investment agreement. "Country of concern" is clear: the rule currently designates China, Cuba, Iran, North Korea, Russia and Venezuela. With regard to entities, the DSP definition of covered person is focused on ownership. An entity is a "covered person" if it is organized or chartered under the laws of, or has its principal place of business in, a country of concern; or if it is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern or persons otherwise fitting the definition of covered person.

A company incorporated or headquartered outside a country of concern will still be considered a covered person — so long as it is not a U.S. person — if it is majority-owned by one or more covered foreign entities. This applies even if the ownership flows through multiple layers.

Say, for example, that a foreign person living in China owns 50% of an Argentinian company. That Argentinian company owns 100% of a Brazilian company and 100% of a Canadian company. The Brazilian company owns 20% of a Danish company, and the Canadian company owns 30% of the same Danish company.

Under the DSP, the Danish company would be a covered person for two reasons. First, the Danish company is indirectly 50% or more owned by the Argentinian company — 20% through the Brazilian company and 30% through the Canadian company — which is itself 50% owned by a foreign person living in China. Second, the Danish company is also directly 50% owned, in the aggregate, by the Brazilian and Canadian companies, each of which is a covered person because each is 50% or more owned by the Argentinian company, which is 50% owned by a foreign person living in China.

See other examples in FAQ 60. Using these definitions and guidance, organizations must ask whether ownership of vendors or investors traces back to persons in a country of concern.
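The ownership-tracing logic in the example above, as an added illustration that is not part of the article or of any DOJ material: it seeds the covered-person set with non-U.S. parties located in a country of concern and then propagates that status up the ownership chain whenever the shares held by covered owners add up to 50% or more. The party names and percentages are constructed, and the model covers only the ownership prong of the definition as the article describes it.

```python
from dataclasses import dataclass, field

# Countries of concern currently designated by the rule (from the article).
COUNTRIES_OF_CONCERN = {"China", "Cuba", "Iran", "North Korea", "Russia", "Venezuela"}
THRESHOLD = 50.0  # "50% or more", individually or in the aggregate

@dataclass
class Party:
    name: str
    country: str                 # organization / principal place of business / residence
    us_person: bool = False      # U.S. persons are never covered persons
    owners: dict = field(default_factory=dict)   # owner name -> percent of this party held

def covered_persons(parties):
    """Names of covered persons: seed with non-U.S. parties in a country of
    concern, then propagate up the ownership chain until nothing changes. A party
    becomes covered once shares held by covered owners add up to the threshold."""
    covered = {p.name for p in parties
               if p.country in COUNTRIES_OF_CONCERN and not p.us_person}
    changed = True
    while changed:
        changed = False
        for p in parties:
            if p.name in covered or p.us_person:
                continue
            held = sum(pct for owner, pct in p.owners.items() if owner in covered)
            if held >= THRESHOLD:
                covered.add(p.name)
                changed = True
    return covered

def covered_share(parties, name):
    """Percent of `name` held directly by covered persons (audit trail)."""
    covered = covered_persons(parties)
    party = next(p for p in parties if p.name == name)
    return sum(pct for owner, pct in party.owners.items() if owner in covered)

# Constructed ownership chain mirroring the article's Danish-company example,
# plus a Swedish company that stays below the threshold.
CHAIN = [
    Party("Individual A", "China"),
    Party("Investor B", "United States", us_person=True),
    Party("Argentina Co", "Argentina", owners={"Individual A": 50, "Investor B": 50}),
    Party("Brazil Co", "Brazil", owners={"Argentina Co": 100}),
    Party("Canada Co", "Canada", owners={"Argentina Co": 100}),
    Party("Danish Founders", "Denmark"),
    Party("Denmark Co", "Denmark", owners={"Brazil Co": 20, "Canada Co": 30, "Danish Founders": 50}),
    Party("Sweden Co", "Sweden", owners={"Denmark Co": 40}),
]
```

Because status is recomputed from the ownership graph, re-running the check after a cap-table change is how the "vendor not covered in January, covered in July" situation described later in the article would surface.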

Access is the central concern

Regulated transactions do not require the sale of data. Covered data transaction is defined as any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data via data brokerage or through a vendor, employment or investment agreement. This includes the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of or otherwise view or receive, in any form, including through information systems, cloud-computing platforms, networks, security systems, equipment or software. For example, using a cloud provider that is owned by a covered person, even if the servers are within the U.S., is still covered under the rule if that provider can access the data. Organizations must evaluate the technical capabilities of their foreign tech vendors and outsourced infrastructure and services.

Prohibited vs. restricted

Under the rule, some transactions are flatly prohibited, particularly those involving the sale — brokerage — of sensitive data to a country of concern or covered persons, as well as data brokerage with a foreign person that is not a covered person, unless the U.S. person contractually requires that the foreign person refrain from onward sale to a country of concern or covered person. See FAQs 16 and 18. Another key point: as Omer Tene emphasized in the IAPP LinkedIn Live on data transfer and cybersecurity laws, there is no exception for anonymized, pseudonymized or de-identified data. See FAQ 22.

The DOJ compliance guide states that some activities that might not be thought of in ordinary parlance as data brokerage may nonetheless fall under the DSP. For example, if a U.S. company maintains a website that contains ads with tracking pixels or a mobile application that contains a software development kit knowingly installed or approved for incorporation into the website or app by the U.S. company, it may constitute the provision of access to bulk sensitive or government-related data that could constitute data brokerage.

Other transactions fall into the restricted category. Generally, restricted transactions may proceed if the U.S. person complies with security requirements set by the Cybersecurity and Infrastructure Security Agency.

Employee and workforce access

Merely hiring someone who is a national of a country of concern does not, on its own, trigger the rule. See FAQ 67. However, in a prior IAPP LinkedIn Live, Rush Atkinson explained how important it will be for companies to structure employee access to data, most notably by implementing the CISA security requirements to ensure that those covered person employees or vendors cannot access government-related data or bulk U.S. sensitive personal data.

This places emphasis on the role and access level of employees, not just their citizenship or location. Organizations will need to reassess how they manage remote work, especially when granting sensitive data access to employees or contractors abroad.

What the DOJ wants to see

FAQs 78 through 93 provide explicit guidance on what organizations should be doing to achieve compliance, beginning with "know your data." Specifically, that means that U.S. persons engaging in restricted transactions must develop and implement data compliance programs with risk-based procedures for verifying data transactions, including the types and volumes of data involved in the transactions, the identity of the transaction parties and the end use of the data. This could include revising or creating new internal policies and processes, identifying data flows, changing vendors or suppliers, adjusting employee roles or responsibilities, deploying new security requirements and revising existing contracts.

Compliance is not a one-time task. Companies must continue to monitor their data flows and business relationships over time at a frequency appropriate for their organization. A vendor that was not covered in January could become covered in July if ownership or control changes. The DOJ expects companies to update their compliance analyses accordingly.

Enforcement priorities

The FAQs outline how the DOJ plans to enforce the DSP. Through 8 July 2025, the DOJ is focusing on outreach and education while maintaining the discretion to pursue enforcement for egregious, willful violations, including criminal enforcement in cases where individuals or entities willfully violate, attempt to violate, conspire to violate, cause a violation of, or engage in any action intended to evade or avoid the DSP's requirements.

After the grace period ends next month, the DOJ expects full compliance. However, requirements related to due diligence, auditing and reporting don't become effective until 6 October 2025.

Civil penalties for violations include fines up to USD368,000 or twice the amount of the transaction that is the basis of the violation, whichever is greater. Additionally, criminal penalties may apply in cases of willful noncompliance, including attempts, conspiracy or aiding and abetting. Criminal convictions can result in up to 20 years' imprisonment and a fine of up to USD1 million.

A new thread to the web of international data transfer regulations

The DSP represents a major shift in how the U.S. government views the cross-border movement of personal data. It reaches beyond formal sales to include remote access, cloud services, internal transfers and even employee access. The DOJ's guidance reveals how expansive and dynamic the DSP is intended to be while hinting at how aggressively this administration intends to enforce it.

For organizations that deal with large-scale personal data, the message is clear: understand your data flows and vendor relationships and maintain a well-documented compliance process. The DOJ's expectations are detailed and public; the time to show good-faith efforts is now.

Cheryl Saniuk-Heinig, CIPP/E, CIPP/US, is a research and insights analyst at the IAPP and Jim Dempsey is the managing director for the IAPP Cybersecurity Law Center.