The final days of grace: Preparing for the U.S. sensitive data rule


Contributors:
Cheryl Saniuk-Heinig
CIPP/E, CIPP/US, CIPM
Former research and insights analyst, IAPP
Jim Dempsey
Lecturer, UC Berkeley Law; Managing Director, Cybersecurity Law Center
IAPP
On 8 April 2025, the U.S. Department of Justice's rule on access to U.S. sensitive personal data and government-related data went into effect. Simultaneously, the DOJ announced that it would not enforce the rule through 8 July 2025 so long as a company is engaging in good faith efforts to comply or come into compliance. That clock is ticking. U.S. entities that collect data about Americans should be working now to understand and implement this complex new regulatory scheme, the Data Security Program (DSP).
Adopted pursuant to Executive Order 14117, the rule is designed to protect Americans' sensitive personal data from exploitation by foreign adversaries. After years of nation-state cyber actors breaking into government and private sector systems to steal data about Americans, and after many efforts aimed at improving the cybersecurity of public and private information systems, officials in both the Trump and Biden administrations recognized that there was a loophole in their efforts: foreign adversaries could simply purchase bulk personal data about U.S. persons and government employees or acquire it in commercial transactions. The DSP aims to close that loophole by restricting how U.S. data can be shared, transferred, or accessed in relation to "countries of concern."
To help organizations achieve compliance, the DOJ published a DSP compliance guide and an extensive FAQ. This guidance clarifies how the rule applies and offers a detailed picture of the DOJ's expectations and its enforcement posture. Moreover, during the grace period, the National Security Division, which will be enforcing the rule, is encouraging informal inquiries about the DSP and its guidance.
The IAPP has published resources and primers that dive into the history, scope and some of the definitions of the rule. This article highlights key guidance for organizations to consider when developing their compliance practices, programs and controls.