Cross-Border Data Compliance Countdown: U.S. Department of Justice Officially Launches Sensitive Information Oversight

In December 2024, the U.S. Department of Justice (DOJ) issued the final rule implementing Executive Order 14117, titled "Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern." This regulation, known as the Data Security Program (DSP), represents a significant expansion of U.S. national security oversight over cross-border data transactions.


The rule took effect on April 8, 2025, with full enforcement of all provisions commencing on October 6, 2025. It authorizes the DOJ to regulate cross-border transactions involving sensitive U.S. data based on national security concerns. The rule is expected to have a substantial impact on businesses engaged in artificial intelligence, cloud services, data platforms, cross-border workforce management, and overseas investments. Companies are advised to promptly conduct internal compliance reviews, establish necessary protocols, and prepare for implementation.



Scope of the Rule


Countries of Concern & Covered Persons


The rule applies to entities and individuals linked to the following Countries of Concern: China, Russia, Iran, North Korea, Cuba, and the Maduro regime in Venezuela. Government bodies, businesses, individuals, or entities controlled by or affiliated with these countries may be classified as Covered Persons.


What qualifies as sensitive data?


The rule targets two primary categories of data:


  • U.S. Sensitive Personal Data, including:

    • Regulated personal identifiers

    • Precise geolocation data

    • Biometric identifiers

    • Human genomic data

    • Personal health and financial information


  • U.S. Government-Related Data, including:

    • Data pertaining to government locations

    • Data linked to current or former U.S. government employees or contractors


Who should pay attention?

Your business may fall within the rule’s scope if it:


  • Operates in the U.S. or collects, uses, or transmits data concerning U.S. residents;

  • Engages in data exchanges with clients, suppliers, investors, employees, or partners from Countries of Concern;

  • Offers services such as cloud computing, data platforms, AI model training, or medical data analytics.


Tiered Transaction Review System


The Final Rule classifies data-related transactions into three categories, each subject to different compliance requirements:


  • Prohibited Transactions:

    • Includes the sale of data by data brokers, transactions involving human genomic data or biospecimens, and any transaction structured to evade the rule or that facilitates or enables a violation.

  • Restricted Transactions:

    • Involves data exchanges as part of supply agreements, employment relationships, or investment deals with Covered Persons or entities from Countries of Concern. These require compliance obligations such as due diligence, internal audits, reporting, and a formal data compliance plan.

  • Exempt Transactions:

    • Includes disclosures mandated by law, intergovernmental cooperation, and certain research or journalism activities; these categories may be exempt from the rule’s requirements.


Compliance Timeline


April 8, 2025

The rule takes effect. Companies should begin reviewing operations, contracts, and partner relationships to identify any transactions that may fall under regulation. The period from April 8 to October 6 is critical for internal assessments and compliance planning.


July 8, 2025

From April 8 to July 8, the DOJ has indicated that good-faith efforts to comply will not trigger civil enforcement actions. However, malicious or intentional violations may still be prosecuted.


October 6, 2025

Full enforcement begins. By this date, companies must have:


  • Completed due diligence and internal audits for restricted transactions

  • Submitted required reports to the DOJ and filed any disclosures of denied transactions

  • Implemented comprehensive compliance processes including employee training, recordkeeping, and policy certification


DOJ Guidance Materials


To support implementation, the DOJ’s National Security Division (NSD) released the following resources on April 11, 2025:


  1. Data Security Program: Implementation and Enforcement Policy through July 8, 2025

  2. Data Security Program: Compliance Guide

  3. Data Security Program: Frequently Asked Questions (FAQs)


These materials are essential for businesses preparing compliance plans and should be reviewed and integrated into daily operations.


What Should Businesses Do Now?


With the rule now in effect, businesses are encouraged to act early and take steps to establish a compliance framework that aligns with EO 14117. Key action items include:


  • Develop a Data Compliance Plan:

    • Design risk-based procedures to verify data flows, identify data categories, counterparties, end-use purposes, and transmission methods. The plan must be certified annually by senior executives and regularly monitored.


  • Implement Security Measures:

    • For restricted transactions, comply with security requirements issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), including access controls, encryption, and protective measures.


  • Employee Training:

    • Employees must receive annual training, with enhanced training for high-risk roles. Noncompliance or process failures should trigger immediate remediation and updates to training protocols.


  • Independent Audits:

    • Conduct annual audits. Reports must be submitted to senior leadership within 60 days and retained for at least 10 years.


  • Reporting & Recordkeeping:

    • Maintain accurate, auditable records of all DSP-covered transactions for a minimum of 10 years.


We recommend that businesses conduct a full self-assessment of operations potentially subject to regulation and begin drafting and implementing a customized data compliance plan as soon as possible.


If you have questions about how the Final Rule may apply to your business or need assistance with compliance, please contact us at contact@consultils.com.


Fiona Xu, Esq. is the Partner and Head of Transaction of ILS.


She has extensive experience supporting global and high-growth technology companies on compliance and business needs. Her practice focuses on regulatory compliance across different sectors, with a focus on sector-specific regulations for artificial intelligence (AI) and medical devices. She supports multinational corporations in establishing and maintaining U.S. operations, managing legal and compliance challenges in various areas such as Privacy, Export Control, and CFIUS issues.


Email: contact@consultils.com | Phone: 626-344-8949

