UPDATE (April 17, 2025): The below reflects a development occurring after our publication of the original post.
On April 11, 2025, the National Security Division (the “NSD”) released several documents setting out initial guidance on how to comply with the Rule, which the NSD refers to as the Data Security Program (the “DSP”). [Such documents can be found here: (1) Compliance Guide, (2) FAQ, and (3) Implementation and Enforcement Policy (the “Policy”).] Notably, the Policy states that the NSD “will not prioritize civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025” (the “90-Day Period”), provided that such person makes good-faith efforts to comply with the DSP during this time period. The Policy also lists examples of evidence of such good-faith efforts, including conducting internal reviews of access to sensitive personal data, reviewing internal datasets and datatypes, conducting due diligence on potential new vendors, and evaluating investments from countries of concern or covered persons.
The Compliance Guide and FAQ provide a helpful high-level breakdown of the DSP’s key definitions and concepts as well as recommendations for establishing or tailoring internal data compliance programs, but several points remain ambiguous, including what exactly is considered “data brokerage” and what exactly constitutes “access” to U.S. sensitive data. The NSD has indicated it will issue additional guidance in the coming weeks and encourages entities to contact the NSD at nsd.firs.datasecurity@usdoj.gov with informal inquiries about the DSP during the 90-Day Period.
________________________________________
On December 27, 2024, the Department of Justice (the “DOJ”) issued its final rule (the “Rule”) carrying out Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” [A Fact Sheet is available here.] The Rule is designed to prevent access to certain categories of U.S. data by China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela (collectively, “Countries of Concern”), as well as by foreign entities or individuals with significant ties to these nations (“Covered Persons”). The Rule will take effect on April 8, 2025.