Clock Is Ticking For Companies To Comply With Complex Data Transfer Rule


Forbes 07-05-2025

The National Security Division of the Department of Justice has given companies 90 days to avoid civil penalties under the new Data Security Program entitled 'Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons' ('DSP'). By July 8, 2025, companies operating in the international arena must make 'good faith efforts' to restrict access to personal and government-related data by foreign adversaries. Although the DSP may apply to any business, regardless of size or industry, if the business makes certain sensitive data available to third parties, businesses in the financial services, life sciences, and information technology sectors are most likely to feel the impact of the DSP due to the nature of the data they handle. Data brokers who collect and sell data, as well as companies that engage in cross-border transactions, are also expected to feel the effect of the DSP because of the nature of their transactions.
The DSP represents a rare point of agreement between the Biden Administration, which enacted the legislation, and the Trump Administration, which finalized the DSP on January 8, 2025. The DSP has been in effect since April 8, 2025, and the DOJ does not intend to delay criminal enforcement for willful violations, which can bring up to 20 years in prison. Remarks from President Trump's former defense attorney and current Deputy Attorney General Todd Blanche have indicated that the DOJ will embrace the DSP as a necessity for combating an 'increasingly urgent' threat to national security, targeting access by certain 'countries of concern' and individuals connected to these countries. The 90-day pause may appear at first blush to signal leniency, but do not be fooled – plenty of caveats exist, including the possibility of civil enforcement for companies not working to restrict access to data by foreign adversaries during the 90 days.
The DOJ has established itself as a key regulator of data transfers, and it expects U.S. companies to determine in the coming days whether their data practices, third-party relationships, or ownership structures allow foreign governments and individuals of concern to access Americans' sensitive personal data or government-related data. The DSP extends beyond existing privacy and security law restrictions. To help companies get up to speed, the DOJ issued further guidance to provide clarification on key provisions and examples of its expectations during the enforcement hiatus, including working on a written data compliance program. The DOJ is giving companies 90 days to 'get it right' to protect sensitive data, and if not, its enforcement hammer will come down on companies demonstrating anything less than 'full compliance.'
The Who, What, Where of the Data Security Program
The finalized DSP closely aligns with the Biden Administration's proposed rule. It goes beyond traditional privacy laws to execute President Biden's order to combat the 'unusual and extraordinary threat' by foreign governments using sensitive U.S. data for purposes of 'espionage, influence, kinetic, or cyber operations.' In general, the DSP prohibits 'U.S. persons' from 'knowingly engag[ing] in a covered data transaction' that provides a 'country of concern' or 'covered person' with access to 'covered data.' Each of these terms contains complexities and carve-outs requiring careful consideration, including that 'U.S. persons' includes foreign citizens located in the United States, as well as U.S. entities.
The final Rule's knowledge standard is not a strict liability standard and instead the Rule explains that 'knowingly engage' should be interpreted to mean that an individual or entity 'had actual knowledge of, or reasonably should have known about, the circumstances, or result' of providing access to covered data by prohibited persons and governments. For example, if a company engaged in data brokerage (a 'covered transaction') and is deceived by a country of concern to provide its government with access to protected data, the company would not be liable because it did not have 'actual knowledge of, nor would they have reasonably known of, the circumstances.' The DOJ warns that despite the knowledge requirement under the DSP, companies are expected to have compliance systems in place that prevent restricted conduct by their customers, even if companies do not necessarily have 'actual knowledge' of their customers' every activity.
The term 'access' to covered data is left 'intentionally broad' to include the ability to obtain or otherwise view or receive data, including through information systems, cloud-computing platforms, and security systems or software, meaning that companies' third-party relationships may put them at risk. The DSP even applies to activity conducted between the U.S. and non-covered countries if certain links exist to a country of concern.
'Covered data' includes six categories of 'bulk sensitive personal data.' The term 'bulk' refers to the volume of sensitive data that triggers application of the DSP, and the triggering threshold amounts vary based on the type of the data. The categories of data and their thresholds are as follows: (1) covered personal identifiers (data collected or maintained on more than 100,000 U.S. persons); (2) precise geolocation data (data collected or maintained on more than 1,000 U.S. devices); (3) biometric identifiers (data collected or maintained on more than 1,000 U.S. persons); (4) human genomic (data collected or maintained on more than 100 U.S. persons) and other 'omic data (epigenomic, proteomic, and transcriptomic data collected or maintained on more than 1,000 U.S. persons); (5) personal health data (data collected or maintained on more than 10,000 U.S. persons); and (6) personal financial data (data collected or maintained on more than 10,000 U.S. persons). Data meeting the specified thresholds is covered under the DSP regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted. U.S. government-related data is also covered, with any amount of data triggering DSP rules.
The DSP restricts access to covered data by 'countries of concern' (China, including Hong Kong and Macau; Russia; Iran; North Korea; Cuba; and Venezuela) identified for their perceived long-term pattern or serious instances of conduct significantly adverse to the United States. The DSP also encompasses access by 'covered persons,' meaning: (1) foreign entities headquartered in or organized under the laws of a country of concern; (2) foreign entities 50% or more owned by a country of concern or covered person; (3) foreign individuals primarily resident in a country of concern; and (4) foreign individuals who are employees or contractors of a covered person entity or a country-of-concern government. The DOJ can designate, at any time, a 'covered person.'
Big Consequences for Regulated Transactions
If a company handles data covered by the DSP and employs or otherwise has relationships with countries of concern or covered individuals, the DSP will restrict, or completely prohibit, certain categories of transactions. The DSP restricts transactions that involve a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person. Restricted transactions are subject to strict 'Security Requirements' established by the Cybersecurity and Infrastructure Security Agency and essentially mandate companies to 'fully and effectively prevent access to covered data' through data minimization and masking, encryption, and privacy-enhancing technologies.
The final Rule includes a few examples of restricted transactions, including a U.S. wealth-management services company that collects bulk personal financial data on U.S. clients and decides to appoint to the company's board an individual from a country of concern who resides in that country. Because the company allows board members access to bulk personal financial data in connection with data security and cybersecurity responsibilities that the board handles, the appointment of the director is a restricted employment agreement. In contrast, a U.S. institution that conducts medical research at its own laboratory in a country of concern and sends a U.S. citizen-employee to assist with the research does not engage in a covered transaction because no data is being accessed by a covered person or government.
Prohibited transactions include data brokerage transactions with a country of concern or covered person, or any foreign person unless certain contractual requirements are in place. Data brokerage is defined as the selling, licensing or other sharing of covered data. The DSP also prohibits any data transaction involving access to human 'omic data (human genomic, epigenomic, proteomic, and transcriptomic data) or to human biospecimens from which 'omic data could be derived. Additionally, transactions with the purpose of evading or avoiding or causing a violation, or U.S. persons knowingly directing a prohibited or restricted transaction, are prohibited under the DSP.
Some examples of prohibited transactions include a U.S. organization that maintains a database of bulk U.S. sensitive personal data and offers annual memberships (including to covered persons) for a fee so that members receive a license to access the data, or a U.S. company that owns a mobile app containing tracking pixels knowingly installed into the app, where those pixels transfer bulk U.S. sensitive data of U.S. users to a covered person-owned social media app for targeted advertising. Additionally, a U.S. tech company that operates an autonomous driving platform that collects the precise geolocation data of its cars operating in the U.S. and then sells this data to its parent company headquartered in a country of concern to help develop other technological advances is prohibited under the DSP.
The DSP threatens penalties up to the amounts provided for under the International Emergency Economic Powers Act (IEEPA). As for civil penalties, the IEEPA's amounts are subject to adjustment pursuant to the Federal Civil Penalties Inflation Adjustment Act of 1990, so the DSP today provides for maximum civil penalties of $377,700 (based on a statutory amount of $250,000 established in 2007 that is subject to inflation adjustments) or an amount that is twice the amount of the transaction at issue, whichever is greater. For criminal liability for willful conduct, violators of the DSP may face imprisonment of up to 20 years and a $1,000,000 fine. The Final Rule took into consideration that DOJ's approach to criminal violations should be consistent with criminal penalties under the IEEPA.
Reading Between the Lines of the Exemptions and Exclusions
Exemptions and exclusions to the DSP's prohibitions exist, but the general categories of exempt transactions in the Rule actually are limited by the details. Personal communications, informational materials, and travel information are classified by the IEEPA as exempt transactions, but the U.S. Department of the Treasury Office of Foreign Assets Control ('OFAC') is known to interpret these exemptions narrowly. The DOJ is expected to follow in OFAC's footsteps.
The DSP also includes broad categories of 'financial services' and 'corporate group transactions,' but restrictions limit the exemptions. Financial services are limited to transactions 'ordinarily incident to and part of the provision of financial services,' such as banking, capital-markets, or financial-insurance services, or the transfer of personal financial data or covered personal identifiers incidental to the purchase and sale of goods and services. Similarly, 'corporate group transactions' are limited to data transactions that are '[b]etween a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern' and '[o]rdinarily incident to and part of administrative or ancillary business operations.'
Similarly, telecommunications services are exempted but limited to data transactions 'ordinarily incident to and part of the provision of telecommunication services.' The DSP warns that a U.S. telecommunications service provider that collects precise geolocation data on its U.S. subscribers that then sells the data to a covered person for the purpose of targeted advertising is not exempt from the DSP since the sale is 'not ordinarily incident to and part of the provision of telecommunications services.'
DOJ's Great Expectations for DSP Regulated Companies
The DSP imposes a number of requirements on companies that engage in restricted and prohibited transactions, including recordkeeping, reporting, audit, and due diligence requirements, as well as implementation of a formal compliance program tailored to the entity's risk profile. The latest Compliance Guidance clarifies that companies engaged in restricted transactions must implement a written 'Data Compliance Program' that meets several minimum requirements to comply with the DSP. Failure to maintain such a program may constitute a DSP violation in itself.
In general, the DOJ will look for a risk-based compliance program that includes procedures for verifying data flows involved in restricted transactions, such that a company may want to complete ongoing risk assessments to determine coverage of the DSP against the company's current data holdings and vendor, employee, or investment agreements, as well as examine the company's current security measures, offered products and services, and geographic locations of its third party relationships. The Guidance further explains that a company's Data Compliance Program is expected to include policies and procedures that will 'identify, escalate, and report activity,' including for bringing newly acquired entities into compliance with the Program. Throughout finalization of the DSP, the DOJ declined to allow for contractual language or consent to share data to eliminate the requirement of a formalized Data Compliance Program.
DOJ Gives the Gift of (Limited) Time
The DOJ has given companies an extra 90 days, until July 8, 2025, to avoid civil enforcement in recognition that individuals and companies 'may need to take steps to determine whether the DSP's prohibitions and restrictions apply' and 'to implement changes.' The 90-day enforcement hiatus, however, is limited since the DOJ still plans to pursue criminal enforcement and civil enforcement is paused 'so long as the person is engaging in good faith efforts to comply' during that time. Accordingly, the DOJ has made clear that now is the time to come into compliance with the DSP, and starting July 8, enforcement is coming.
The Implementation and Enforcement Policy provides instructive examples of 'good-faith efforts' the Department expects of companies during the 'pause.' Such efforts, some of which may be costly and time consuming, include transferring products and services to new vendors, conducting internal review of access to covered data, adjusting employees' work locations and their roles or responsibilities to prevent their access to covered data, evaluating investments from and renegotiating investment agreements with countries of concern or covered persons, as well as implementing the strict Security Requirements. The July 8 date is fast approaching, and promptly implementing good faith efforts to comply with the DSP will be critical to avoid the serious penalties and reputational harm DSP violations can bring.
To read more from Robert Anello, please visit www.maglaw.com.
Emily Smit, an associate at the firm, assisted in the preparation of this blog.
