Department of Justice Releases Compliance & Enforcement Guidance on Data Security Program
On April 11, 2025, the Department of Justice (DOJ) announced additional guidance regarding the implementation of the Final Rule (the “Rule”), Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, which DOJ now refers to as the “Data Security Program” (“DSP”). The guidance (which the commentary in the Rule predicted) was published just days after the DSP became effective, and includes an Implementation and Enforcement Policy, Compliance Guide, and a list of Frequently Asked Questions (FAQs).
On interpretation, the guidance mostly restates the text of the Rule itself, but it offers some additional commentary on certain provisions, outlines key compliance requirements, and, most significantly, explains how DOJ’s National Security Division (NSD) intends to prioritize enforcement of the DSP through the first 90 days of implementation and how parties can obtain additional information in the interim. Below, we offer our key takeaways from the new guidance, but persons with compliance obligations under the Rule should review the guidance fully or consult with counsel for information that may be relevant to their specific compliance obligations.
Key Takeaways:
Delay in Enforcement of the DSP: As of April 8, 2025, key components of the DSP are now in effect. However, NSD has offered an additional period of accommodation for those working in good faith towards full compliance. Specifically, NSD will not prioritize civil enforcement actions for violations of the DSP that occur between April 8 and July 8, 2025. This temporary enforcement discretion is available to persons making demonstrable, good-faith efforts to achieve and maintain compliance with the DSP, such as by conducting internal reviews of access to sensitive personal data, renegotiating vendor agreements, conducting due diligence on new vendors, and implementing security requirements. NSD reserves the right to bring enforcement actions in cases of egregious, willful violations during this 90-day period, and the October 6, 2025 effective date for subpart J and §§ 202.1103 and 202.1104 (relating to due diligence, recordkeeping, and reporting requirements) remains unchanged.
Obtaining Interpretations of the DSP: During this 90-day period, DOJ explicitly discourages requests for advisory opinions (or specific licenses) until July 8 (and indicates it is unlikely to respond to such submissions during that period). Instead, DOJ urges parties with questions about the application of the Rule to contact DOJ by email with a more informal inquiry. Through that same channel, DOJ encourages parties to submit additional questions for DOJ to answer in updates to the FAQs.
Specific Licenses Will Be Disfavored: DOJ also indicated that, even when it entertains applications for specific licenses (for transactions that would otherwise be prohibited), it will review them under a presumption of denial. Instead, parties are generally expected to come into compliance with the Rule, rather than seeking additional exceptions.
Voluntary Self-Disclosure & Whistleblowers: Although the Rule did not formally establish a voluntary self-disclosure process, NSD notes in the FAQs (Question 105) that it may consider a “qualifying voluntary self-disclosure as a mitigating factor in any enforcement action.” A person disclosing a violation must, within 180 days of the notification, submit a report containing sufficient detail to afford NSD a complete understanding of the circumstances of the violation. Moreover, individuals who report violations of the DSP through FinCEN’s whistleblower program may be eligible for “substantial financial awards.” (Question 106)
Standard Contractual Language: In the Compliance Guide, NSD offers standard contractual language to US persons engaging in data brokerage transactions with foreign persons to prohibit foreign persons from engaging in onward transfer or resale of covered data. The contractual language may need to be adjusted to account for specific transactions and other contractual provisions. In addition, NSD notes that US persons engaging in such transactions may not simply shift responsibility for compliance using contractual provisions, and must still take reasonable steps under the circumstances to evaluate compliance.
Due Diligence on Vendors: The guidance emphasizes examples from the Rule (§ 202.401, Example 3, and § 202.305, Example 8) to make the point that, absent evasion, US persons engaged in data transactions with foreign persons who are not themselves covered persons are not expected to perform “second-level” due diligence on the employment practices of those foreign persons (e.g., to determine whether they employ covered persons). However, because knowledge of those practices by some US person employees may be imputed to the US person conducting the transaction, it may still be prudent to seek representations and warranties from foreign vendors and other foreign persons. By that same token, however, Question 5 of the FAQs makes clear that transactions between US persons (including with US vendors) generally fall outside the DSP (and would, therefore, require less by way of diligence).
Explanation of Data Compliance Program Elements: NSD’s Compliance Guide provides more detailed expectations for persons engaging in restricted transactions. For example, NSD provides guidance on how persons should screen vendors to verify whether they are covered persons. It notes that organizations employing screening software should ensure that they account for updates to the Covered Persons List, all identifiers or alternative spellings for covered persons, organizational hierarchy, and all relevant geographical information. The Compliance Guide also contains further details on certifications, recordkeeping and reporting, and audits (and the FAQs note that additional guidance on audits is forthcoming). In addition, although not required by the DSP, NSD recommends implementing training at least annually on the organization’s data compliance program for relevant employees.
Covered Persons List and Additional Guidance: The FAQs (Questions 42-47) provide information on the forthcoming Covered Persons List, which will identify all persons designated by DOJ as a “covered person” under § 202.211(a)(5). NSD will make the Covered Persons List available on its website and publish the names of covered persons on the list in the Federal Register. In addition, NSD states in its Compliance Guide that vendor screening methods should incorporate the Covered Persons List (including periodic updates to the list). The FAQs (Questions 57-61) also provide helpful guidance and additional examples regarding concepts such as aggregation of ownership by covered persons and the meaning of indirect ownership.
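The two points above on vendor screening (accounting for list updates, alternative spellings and organizational hierarchy) and on aggregation of indirect ownership are easier to reason about in code. The following is an added illustration written for this post; it is not DOJ or NSD software and does not implement the Rule’s ownership test. The list format, the fictional names, the 50 percent threshold, the pro-rated aggregation rule and the 30-day staleness window are all constructed assumptions, chosen only to show the shape of a screening check.

```python
"""Illustrative vendor screening against a Covered Persons List.

Added example, not DOJ or NSD code. Assumptions (not from the guidance):
the list format, the 50 percent ownership threshold, the pro-rating
aggregation rule and the 30-day staleness window are constructed here.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass, field
from datetime import date


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation, collapse whitespace so that
    alternative spellings ('Société Exemple', 'SOCIETE EXEMPLE S.A.') compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^\w\s]", " ", ascii_only.casefold())
    return re.sub(r"\s+", " ", cleaned).strip()


@dataclass
class ListEntry:
    name: str
    aliases: list[str] = field(default_factory=list)   # alternative spellings / identifiers
    country: str = ""

    def names(self) -> set[str]:
        return {normalize(self.name)} | {normalize(a) for a in self.aliases}


@dataclass
class CoveredPersonsList:
    published: date            # date of the list version loaded (assumed field)
    entries: list[ListEntry]

    def is_stale(self, today: date, max_age_days: int = 30) -> bool:
        """Assumed refresh window: flag a loaded list older than max_age_days."""
        return (today - self.published).days > max_age_days

    def match(self, name: str) -> ListEntry | None:
        key = normalize(name)
        for entry in self.entries:
            if key in entry.names():
                return entry
        return None


@dataclass
class Entity:
    name: str
    country: str = ""
    owners: dict[str, float] = field(default_factory=dict)   # owner name -> percent held


def listed_ownership(entity: Entity, registry: dict[str, Entity],
                     cpl: CoveredPersonsList, share: float = 100.0,
                     seen: set[str] | None = None) -> float:
    """Aggregate the effective percentage of `entity` held, directly or indirectly,
    by listed persons. Indirect holdings are pro-rated down the chain (an owner
    holding 60% of a company that holds 50% of the vendor contributes 30%).
    The pro-rating rule is an assumption made for this example."""
    seen = set() if seen is None else seen
    total = 0.0
    for owner_name, pct in entity.owners.items():
        effective = share * pct / 100.0
        if cpl.match(owner_name):
            total += effective
            continue   # listed owner: count its stake, do not walk further up
        owner = registry.get(normalize(owner_name))
        if owner and owner.name not in seen:
            seen.add(owner.name)   # guard against circular ownership records
            total += listed_ownership(owner, registry, cpl, effective, seen)
    return total


def screen_vendor(vendor: Entity, registry: dict[str, Entity], cpl: CoveredPersonsList,
                  today: date, threshold: float = 50.0) -> dict:
    """Return a screening result: direct hit, aggregated listed ownership, and
    whether the loaded list should be refreshed before relying on the result.
    `threshold` is an assumed parameter, not a figure taken from the guidance."""
    direct = cpl.match(vendor.name)
    owned = listed_ownership(vendor, registry, cpl)
    return {
        "vendor": vendor.name,
        "direct_hit": direct.name if direct else None,
        "listed_ownership_pct": round(owned, 2),
        "ownership_flag": owned >= threshold,
        "list_stale": cpl.is_stale(today),
    }


# Constructed sample data: fictional names, not drawn from any real list.
SAMPLE_CPL = CoveredPersonsList(
    published=date(2025, 4, 8),
    entries=[ListEntry("Example Holdings Ltd",
                       aliases=["Exemple Holdings", "EXAMPLE HLDGS LTD."], country="XX")],
)
SAMPLE_REGISTRY = {
    normalize("Midco Trading"): Entity("Midco Trading", "YY",
                                       owners={"Exemple Holdings": 60.0, "Local Investor": 40.0}),
}
SAMPLE_VENDOR = Entity("Vendor Analytics Inc", "ZZ", owners={"Midco Trading": 50.0, "Founder": 50.0})

if __name__ == "__main__":
    print(screen_vendor(SAMPLE_VENDOR, SAMPLE_REGISTRY, SAMPLE_CPL, date(2025, 4, 20)))
```

In the sample, the vendor has no direct hit, but a listed entity holds 60% of an intermediary that holds 50% of the vendor, so the screen reports 30% listed ownership through the hierarchy and leaves the ownership flag clear under the assumed threshold; the same run against a list copy older than the assumed window would instead flag that the list needs refreshing before the result is trusted. A real program would replace the assumed threshold and aggregation rule with the tests in the Rule and the FAQs (Questions 57-61) and source the list and its updates from NSD’s website.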