Key Compliance Measures Start This Fall for Companies Under New DOJ Data Security Program

Client Alerts, August 11, 2025

Earlier this spring, the U.S. Department of Justice’s National Security Division (NSD) launched the data security program (DSP). The program is designed to address national security risks posed by foreign adversaries' access to U.S. government-related data and Americans' bulk sensitive personal data. Following a 90-day implementation period, enforcement began on July 9, 2025, with additional compliance obligations scheduled to take effect on October 6, 2025.

For companies, the program covers data transactions that might provide access to sensitive U.S. personal or government-related data to persons/entities affiliated with "countries of concern." Companies must be aware of key compliance measures, exemptions, and potential penalties associated with the new program.

Background

The DSP was created in response to an executive order issued by the Biden administration titled "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern." The DSP was launched under the International Emergency Economic Powers Act (IEEPA) and responds to growing concerns that foreign adversaries are leveraging commercial relationships to access and exploit sensitive U.S. data. This data — ranging from genomic and biometric information to financial and geolocation records — can be used to conduct surveillance, enable espionage, develop military and artificial intelligence (AI) capabilities, and undermine U.S. national security.

To mitigate these risks, the DSP establishes new export controls that prohibit or restrict certain data-related transactions involving "countries of concern," including China (this includes Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. The program applies to both direct transactions and those involving entities subject to the jurisdiction, ownership, or control of these countries. The list of "countries of concern" is now fixed and will be used to assess compliance and enforcement risk.

What the April 2025 Program Entails

The DSP defines two categories of data transactions:

1. Prohibited Transactions

  • Brokering of Americans' bulk sensitive personal data.
     
  • Any transaction that causes bulk human genomic, geolocation, biometric, health, financial, or other sensitive personal data to be held in — or accessed from — countries of concern.

2. Restricted Transactions

  • Vendor, employment, and investment agreements that involve bulk sensitive personal or government-related data and a counterparty subject to a country of concern’s jurisdiction, ownership, or control.
     
  • These transactions remain lawful only if the U.S. party complies with cybersecurity standards issued by the Cybersecurity and Infrastructure Security Agency (CISA).

The rules apply only when a dataset exceeds defined volumetric thresholds (e.g., more than 10,000 U.S. individuals' health or financial records). Smaller datasets fall outside the program.

Licensing and Exemptions

  • General and specific licenses — issued by DOJ’s NSD and modeled on traditional export control authorizations — are available for otherwise prohibited or restricted activities. Any NSD-issued license must remain active and be expressly cited in each covered transaction.
     
  • Exemptions exist for personal communications, public government records, U.S.-based research, and expressive materials.

Looking Ahead: Compliance Milestones Set for This Fall

Beginning October 6, 2025, U.S. entities that engage in restricted transactions must:

  • Conduct up-front due diligence and complete an annual third-party audit of DSP compliance.
     
  • Submit annual reports covering each restricted transaction.
     
  • File rejection reports for any prohibited transaction declined after July 9, 2025.
     
  • Retain records for 10 years documenting due diligence, audit, and reporting activities.

The program requires companies to maintain an adaptive compliance program that includes documented policies, board-level oversight, and recurring training.

Potential Penalties

Violations of the DSP can result in significant civil and criminal penalties:

  • Civil Penalties: Up to $368,136 per violation or twice the value of the transaction, whichever is greater.
     
  • Criminal Penalties: Up to 20 years' imprisonment and fines up to $1 million for willful violations.

Key Actions You Can Take Now

  • Review all data-sharing agreements with foreign-connected parties to determine whether they fall under the DSP’s prohibited or restricted categories.
     
  • Map data volumes to assess whether they meet the "bulk" thresholds that trigger compliance obligations.
     
  • For restricted transactions:
      • Implement CISA-aligned security controls.
      • Prepare for audit readiness.
      • Track reporting obligations ahead of October 6.
       
  • Terminate or restructure prohibited transactions, or apply for specific licenses if continued access is essential.
     
  • Document compliance programs and board-level oversight, including certifications and audit planning.
     
  • Monitor for further guidance, including the anticipated release of a public "Covered Persons List" and additional FAQs from NSD.

For more information, please contact us or your regular Parker Poe contact.