Wyrick Robbins Yates & Ponton LLP

05/15/2025 | News release | Archived content

The Justice Department’s New Rule on Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons: A Guide to Determining[...]

Privacy & Data Security

On April 8, 2025, the Department of Justice's new rule on Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons took effect. The rule, referred to by DOJ as the Data Security Program ("DSP"), could have significant implications for U.S. businesses, even those who don't think of themselves as dealing in "sensitive personal data" or government-related data, or doing business with "countries of concern" such as China, Iran, or Russia.

The DSP establishes prohibitions and restrictions on a wide range of transactions involving the exchange of certain types of data with countries of concern or "covered persons," and also addresses exemptions and licenses. In addition, it requires significant compliance measures, including due diligence, implementation of vendor management policies, record-keeping and auditing, for U.S. persons engaged in such transactions.

This alert summarizes the key takeaways for U.S. businesses from the DSP and recent guidance issued by DOJ, focusing on the steps those businesses should take to determine whether their activities implicate the DSP's prohibitions, restrictions, and compliance requirements.

Overview of the DSP

The DSP has its origins in Executive Order ("EO") 14117, issued by President Biden in February 2024. The EO directed the Attorney General to issue regulations prohibiting or restricting certain data transactions that could pose a risk to national security or U.S. foreign policy. Pursuant to that directive, DOJ finalized the DSP on January 8, 2025.

The DSP, according to DOJ "establishes what are effectively export controls that prevent foreign adversaries, and those subject to their control and direction, from accessing U.S. Government-related data and bulk U.S. sensitive personal data" with the aim of countering an "unusual and extraordinary threat" to national security posed by countries of concern that "may seek to collect and weaponize Americans' most sensitive personal data."

The DSP regulates "Covered Data Transactions" by U.S. Persons, which are defined by reference to three key criteria: (i) the data involved, (ii) the nature and purpose of the transaction, and (iii) the identity and location of the party receiving the data:

  • Data: "Bulk U.S. Sensitive Personal Data" or "Government-related Data."
  • Nature and Purpose of Transaction: "Data Brokerage," a "Vendor Agreement," an "Employment Agreement," or an "Investment Agreement."
  • Identity and location of the recipient: recipient is a "Country of Concern," or a "Covered Person."

Under the DSP, transactions that satisfy these criteria can be either "Prohibited Transactions" (strictly prohibited unless subject to a license or exemption) or "Restricted Transactions" (only permitted in compliance with DSP-specified data security and other requirements). The DSP also regulates transactions that involve "Data Brokerage" of U.S. sensitive personal data or government-related data with any "foreign person" by imposing requirements that restrict onward disclosures by those persons to Countries of Concern or Covered Persons.

The DSP includes significant penalties for violations. DOJ can pursue substantial civil penalties of up to $368,136 or twice the amount of the violating transaction, and criminal penalties of up to 20 years imprisonment and a $1,000,000 fine for any person who "willfully commits, willfully attempts to commit, willfully conspires to commit, or aids or abets" a violation.

The effects of the DSP are serious enough that a broad coalition of major American companies asked the administration to delay the DSP's effective date. While DOJ did not grant that request, it did publish on April 11 a Compliance Guide and FAQs to assist U.S. businesses in understanding and complying with the DSP, as well as an Implementation and Enforcement Policy that offers a 90-day grace period (of sorts) for companies that engage in good faith efforts to comply. Under that policy, DOJ will not "prioritize" civil actions against companies that are engaged in good faith efforts to comply with or come into compliance with the DSP, but will still pursue penalties and other enforcement actions for "egregious, willful violations."

Know Your Data: The DSP's Broad Reach, and How To Determine Whether Your Activities Are Covered

At first glance, many companies may not think they need to worry about a federal regulation focused on national security risks that arise from doing business with foreign adversaries. But despite its use of terms like "national security" and "government-related data," the DSP can cover a wide range of engagements and business practices that are commonplace in today's interconnected world.

DOJ's Compliance Guide explains that it expects U.S. persons to "know their data," including the kinds and volumes of data collected about or maintained on U.S. Persons or U.S. devices; how their company uses the data; whether their company engages in covered data transactions; and how such data is marketed.

To that end, we offer the following series of questions that organizations can use to determine whether their operations implicate the DSP.

1. Are you a U.S. Person?

The DSP only imposes obligations on "U.S. Persons." As defined in the DSP, that term can extend to three categories of persons:

  1. Natural persons who are United States citizens, nationals, or lawful permanent residents, or who have been admitted to the United States as refugees or asylees, regardless of location;
  2. Entities that are organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or
  3. Any person physically located within the territory of the United States, except to the extent individually designated as a "Covered Person" by DOJ.

That broad definition, and particularly the third category, can lead to some counterintuitive results, as reflected in examples set out in the DSP:

  • An individual is a dual citizen of the United States and a country of concern. The individual is a U.S. person, regardless of location.
  • A parent company is organized under the laws of a country of concern and has a subsidiary organized under the laws of the United States. The subsidiary is a U.S. person regardless of the degree of ownership by the parent company; the parent company is a foreign person.
  • Chinese or Russian citizens located in the United States would be treated as U.S. persons and would not be covered persons (except to the extent individually designated). They would be subject to the same prohibitions and restrictions as all other U.S. persons with respect to engaging in covered data transactions with countries of concern or covered persons.

Multinational organizations will therefore need to carefully assess, on a context-specific basis, the designation of each of their related entities and personnel to determine whether it is a "U.S. Person" subject to the DSP's prohibitions and restrictions.

2. Do you have Covered Data?

There are two categories of data regulated by the DSP: Bulk U.S. Sensitive Personal Data and Government-Related Data. If a company determines it is a U.S. Person for purposes of the DSP, it should next determine whether it handles data in either category. That determination involves a three-step inquiry.

a. Do you have Sensitive Personal Data?

Sensitive Personal Data is defined in the DSP to include "covered personal identifiers, precise geolocation data, biometric identifiers, human 'omic data, personal health data, personal financial data, or any combination thereof," that relate to U.S. Persons, subject to certain enumerated exclusions.

While companies may have developed a working concept of "Sensitive Personal Data" for purposes of U.S. or foreign privacy and data protection laws, the DSP's definition of that term is likely much broader, and it does not include the standard exceptions (such as for de-identified data) that apply under those laws. Specifically, as defined in the DSP, Sensitive Personal Data includes the following categories:

  • Covered Personal Identifiers: any "listed identifiers" when combined with, linked, or linkable to any other listed identifier. "Listed identifiers" include data elements commonly considered sensitive (e.g., a Social Security number), but also include demographic or contact information (including a ZIP code) and device and network identifiers (e.g., advertising IDs and IP addresses) that are not considered sensitive under U.S. and foreign privacy and data protection laws.
  • Precise Geolocation Data: data identifying the location of an individual or a device with a precision within 1,000 meters (an area of approximately 1.2 miles), including both historical and real-time data.
  • Biometric Identifiers: "measurable physical characteristics or behaviors used to recognize or verify the identity of an individual." These may include raw data.
  • Personal Health Data: any data that indicates, reveals, or describes an individual's physical or mental health, the provision of healthcare to the individual, or payment for the provision of healthcare. Personal health data is not limited to data collected by healthcare providers. The definition extends to "basic physical measurements and health attributes" (like weight and vital signs) and "logs of exercise habits."
  • Personal Financial Data: "data about an individual's credit, charge, or debit card, or bank account," and includes "purchases and payment history." The category is not limited to data collected or held by financial institutions.
  • Human 'Omic Data: human genomic data, epigenomic data, proteomic data, and transcriptomic data, subject to certain exceptions for routine clinical measurements made solely for individualized patient care, and for pathogen-specific data embedded in human 'omic data.

b. Do you handle Sensitive Personal Data on U.S. Persons in volumes considered as "Bulk" by the DSP?

"Bulk" U.S. Sensitive Data is Sensitive Personal Data "relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted," if the volume of the data meets the definition of "Bulk" under the DSP. That definition includes category-specific thresholds that apply to each category of Sensitive Personal Data:

Category of Sensitive Personal Data    Threshold to be considered "Bulk"
Human 'Omic Data                       Genomic Data: more than 100 U.S. Persons; other Human 'Omic Data: more than 1,000 U.S. Persons
Biometric Identifiers                  More than 1,000 U.S. Persons
Precise Geolocation Data               More than 1,000 devices
Personal Health Data                   More than 10,000 U.S. Persons
Personal Financial Data                More than 10,000 U.S. Persons
Covered Personal Identifiers           More than 100,000 U.S. Persons

c. Do you have Government-Related Data?

Government-Related Data belongs to one of two categories: Precise Geolocation Data related to the locations on a Government-Related Location Data List that is included in the DSP, and Sensitive Personal Data that a company "markets as linked or linkable to current or recent former employees or contractors, or former senior officials" of the U.S. Government. Unlike Bulk U.S. Sensitive Data, there is no volume threshold for Government-Related Data: any amount is subject to the DSP.

3. Do You Engage in Covered Data Transactions or Transactions with Foreign Persons That Are Subject to the DSP?

U.S. Persons that handle U.S. Bulk Sensitive Personal Data or Government-Related Data need to be on the lookout for any "Covered Data Transactions," defined to mean "any transaction that involves any access by a Country of Concern or Covered Person to any government-related data or bulk U.S. sensitive personal data" that falls within one of four specified transaction categories. Notably, the DSP broadly defines "access" to mean "logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive" data, "without regard for the application or effect of any security requirements" that might be applied to that data.

The inquiry as to whether a given data transaction is a "Covered Data Transaction" or is otherwise regulated by the DSP involves two steps: determining the nature of the transaction and determining the status of the recipient.

a. Determine the nature of the transaction.

The DSP identifies four classes of Covered Data Transactions that can be prohibited or restricted, depending on the classification of the transaction and the identity of the recipient:

  • Data Brokerage: any sale, licensing of access, or other similar commercial transaction involving the transfer of data from a provider to a recipient, where the recipient did not collect or process the data directly from the individuals linked or linkable to the data, but excluding vendor agreements, employment agreements, and investment agreements.
  • Vendor Agreement: any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.
  • Employment Agreement: any agreement or arrangement in which work or job functions are performed by an individual in exchange for payment or other consideration, excluding independent contractor relationships (which could be Vendor Agreements). The definition extends to employment on a board or committee, executive-level arrangements or services, and operational employees.
  • Investment Agreement: an agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to: (1) Real estate located in the United States; or (2) A U.S. legal entity.

b. Determine the status of the recipient.

The DSP prohibits or restricts transactions that fall within any of the categories above in which the recipient is a "Country of Concern" or a "Covered Person," and also restricts Data Brokerage Transactions in which the recipient is any "Foreign Person."

  • Country of Concern: The DSP defines Countries of Concern to include China (including the Special Administrative Regions of Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. Political subdivisions, agencies, and instrumentalities of these countries are also considered Countries of Concern.
  • Covered Person: The DSP defines Covered Persons to include:
    • Entities headquartered in or organized under the laws of a Country of Concern;
    • Foreign entities 50% or more owned by one or more Countries of Concern or another Covered Person;
    • Foreign employees or contractors of a Country of Concern or Covered Person;
    • Foreign individuals who primarily reside in a Country of Concern; and
    • Any person, wherever located, that has been specifically designated by the Attorney General as a Covered Person.

U.S. Persons (including the U.S.-organized subsidiary of a foreign parent company) are not Covered Persons unless they have been specifically designated as such by the Attorney General.

  • "Foreign Person" accessing U.S. Bulk Sensitive Personal Data or Government-Related Data in transactions involving Data Brokerage: The DSP also prohibits any transaction that involves any access by any "Foreign Person" to Government-Related Data or Bulk U.S. Sensitive Personal Data and that involves Data Brokerage unless the U.S. Person (i) contractually prohibits the foreign person from engaging in a subsequent Covered Data Transaction involving Data Brokerage of the same data (i.e., an onward transfer) with a Country of Concern or Covered Person; and (ii) reports any known or suspected violations of those requirements to the DOJ. That requirement means that even if a company isn't doing business with a Country of Concern or a Covered Person, it could still have DSP obligations arising from a broad swath of transactions with Foreign Persons, if those transactions fall within the DSP's broad definition of "Data Brokerage."

4. Is the Transaction Subject to Any Specified Exemptions?

The DSP includes tailored exemptions that allow for certain transactions that would otherwise be prohibited or restricted by the DSP. Notable examples include:

  • Data transactions between a U.S. Person and its subsidiary or affiliate in a Country of Concern, to the extent they are "ordinarily incident to and part of administrative or ancillary business operations" such as HR, corporate finance, customer support, and intra-company communications;
  • Data transactions that are ordinarily incident to and part of the provision of financial services, including banking, capital markets, or financial-insurance services, and the transfer of personal financial data or covered personal identifiers incidental to the purchase and sale of goods and services (such as the purchase, sale, or transfer of consumer products and services through online shopping or e-commerce marketplaces); and
  • Data transactions that involve transfers of de-identified or pseudonymized data that is required to be submitted to a regulatory entity, or is required by a regulatory entity to be submitted to a Covered Person, to obtain or maintain authorization or approval to research or market a drug, biological product, device, or combination product, including in relation to post-marketing studies and post-marketing product surveillance activities.

Scenarios to which the DSP Could Apply

The DSP includes examples of scenarios in which the DSP can apply to prohibit or restrict a U.S. Person's business activities, and that demonstrate the breadth of its application. Those examples include:

  • A mobile app operator's sale of mobile app advertising inventory to an ad exchange based in a Country of Concern, where the sale involves the provision of more than 100,000 users' IP addresses and advertising IDs in a 12-month period (Prohibited Data Brokerage Transaction under the DSP);
  • A website operator's installation of tracking pixels on its website that transfer or otherwise provide access to Bulk U.S. Sensitive Personal Data relating to its users (e.g., IP addresses and advertising IDs) to a social media app owned by a Country of Concern or Covered Person for targeted advertising (Prohibited Data Brokerage Transaction under the DSP);
  • A medical facility's contract with a company headquartered in a Country of Concern to provide IT-related services that involve access to the medical facility's systems containing bulk personal health data (Restricted Vendor Agreement Transaction under the DSP);
  • A U.S. financial services company's employment of a data scientist who is a citizen of, and primarily resides in, a Country of Concern, and who would have administrator rights that allow that individual to access, download, and transmit bulk quantities of personal financial data not ordinarily incident to and part of the company's underlying provision of financial services to its customers (Restricted Employment Agreement Transaction under the DSP);
  • A mobile app operator's sale of mobile app advertising inventory, where the sale involves the provision of bulk precise geolocation data, IP addresses, and advertising IDs of its U.S. users' devices to an ad exchange based in Europe that is not a Covered Person (Prohibited Data Brokerage Transaction under the DSP, unless the operator obtains a contractual commitment from the advertising exchange not to engage in any covered data transactions involving data brokerage of that same data with a Country of Concern or Covered Person).

Conclusion

In summary, the DSP imposes sweeping prohibitions and restrictions on U.S. businesses that handle bulk sensitive personal data or government-related data. Those restrictions apply mainly to transactions involving Countries of Concern or Covered Persons. But the DSP's restrictions on "Data Brokerage" transactions that involve other foreign persons could affect a much broader range of engagements, including with vendors and business partners in otherwise "friendly" foreign countries.

The DSP's broad definitions mean that many companies may be subject to its requirements, even if they do not traditionally view themselves as handling sensitive data or engaging with foreign entities. And if a company does engage in these activities, it should seek additional support to identify restricted and prohibited transactions and understand the scope of the compliance program required by the rules before the 90-day grace period for good faith compliance expires on July 8.

Wyrick Robbins Yates & Ponton LLP published this content on May 15, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on June 04, 2025 at 17:24 UTC.