DOJ Implements New Data Security Program: Data Transfer Restrictions with a National Security Focus

May 5, 2025

Effective as of April 8, 2025, the National Security Division of the U.S. Department of Justice (DOJ) has implemented a Data Security Program (the DSP) to address national security risks associated with the transfer of certain kinds of government-related and U.S.-person-related sensitive personal data to China, Russia, and other “countries of concern” within the scope of the DSP. A link to the DSP regulations is available here, and DOJ has published an accompanying compliance guide, a set of Frequently Asked Questions, and an implementation and enforcement policy. The DSP creates new compliance challenges and effectively establishes a broad new export control regime restricting cross-border transfers of any U.S. person data that falls within its scope.

In many ways, the new DSP parallels the national security concepts contained in the U.S. government’s recently implemented Outbound Investment Security program (the Firm’s prior alert on that program is available here). It applies to any cross-border data flow that provides a “Country of Concern” or a “Covered Person” with “access” to sensitive U.S. government or U.S. person data, as defined in the DSP regulations. Such sensitive data transfers are characterized, in turn, as either “restricted” or “prohibited” transactions.

Compliance Dates

The DSP is currently in effect, but during the first 90 days, expiring July 8, 2025, DOJ has stated that it will not prioritize civil enforcement actions for violations against any person that is engaging in “good faith efforts” to comply with or come into compliance with the DSP (excluding “egregious or willful” violations). Generally speaking, these compliance efforts may include internal reviews of a company’s data flows and whether access to such data might fall within the DSP, reviewing vendor and employment relationships, pursuing contractual protections to prevent onward transfer of covered data, adopting the applicable data security requirements for covered transactions, and evaluating investments and investment agreements in which any countries of concern or covered persons are involved.

Moreover, starting on October 6, 2025, the DSP requires any U.S. persons engaging in any “restricted transactions” to develop and implement a risk-based data compliance program, including affirmative due diligence and audit requirements for restricted transactions, and a reporting requirement for certain restricted transactions or rejected prohibited transactions.

Enforcement of Violations

Violations of the DSP will be enforced under the same statute that underpins most U.S. economic sanctions programs, the International Emergency Economic Powers Act (IEEPA). Under IEEPA, DOJ may seek civil monetary penalties, on a per-transaction basis, of the greater of double the value of the violating transaction or $377,700. For criminal violations of IEEPA, DOJ may seek a criminal fine of up to $1 million and up to 20 years’ imprisonment.

Scope of Coverage

The DSP regulations are centered around various definitions as set forth below.

Countries of Concern: The “countries of concern” currently subject to the DSP are China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

Covered Persons: The categories of “covered persons” under the DSP, to whom U.S. persons may not transfer any covered data, include:

  • Foreign entities headquartered in or organized under the laws of a country of concern;
  • Foreign entities 50% or more owned, individually or in the aggregate, by one or more countries of concern or other covered persons;
  • Foreign individuals who are employees or contractors of a country of concern or covered person;
  • Foreign individuals who are primarily resident in a country of concern; and
  • Those persons, both foreign and U.S. persons, that the National Security Division (NSD) designates and publicly identifies as “covered persons” after determining that they meet certain criteria, such as being subject to the ownership or control of a country of concern. Unless so designated, a U.S. person is never a covered person.

Covered Data: The two categories of “covered data” in the DSP are “government-related data” and “bulk U.S. sensitive personal data.”

  • “Government-related data” includes: (i) precise geolocation data for any location enumerated as a “Government-Related Location” in the DSP, which include certain worksites or duty stations of U.S. government employees or contractors occupying national security positions, certain military installations, and certain facilities or locations that otherwise support the U.S. government’s national security, defense, intelligence, law enforcement, or foreign policy missions; as well as (ii) any sensitive personal data, regardless of volume, that is marketed as linked to current or recent former employees or contractors, or former senior officials, of the United States government, including the military and intelligence community.
  • “Bulk U.S. sensitive personal data” means “a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds” the bulk threshold found in the DSP. The types of “sensitive personal data” covered by the DSP include: (i) covered personal identifiers; (ii) precise geolocation data; (iii) biometric identifiers; (iv) human ’omic data; (v) personal health data; (vi) personal financial data; or (vii) any combination thereof. The applicable thresholds for what constitutes “bulk” data vary from 100 to 100,000 persons, depending on the kind of data subject to transfer.

Covered Data Transactions: “Covered data transactions” are any transactions that provide a country of concern or covered person with access to either “government-related data” or “bulk U.S. sensitive personal data,” where the transaction falls within one of four broadly defined categories: (1) data brokerage transactions; (2) vendor agreements; (3) employment agreements; and (4) investment agreements.

Prohibited and Restricted Transactions

Prohibited Transactions: A U.S. person may not knowingly engage in a Prohibited Transaction absent a license granted by the DOJ.

  • Data brokerage. “Data brokerage” transactions, in particular, are subject to sweeping prohibitions. “Data brokerage” includes any transaction involving “[t]he sale of data, licensing of access to data, or similar commercial transactions … where the recipient did not collect or process the data directly from the individuals” linked to the data.
  • Unless such a transaction falls within one of the DSP’s exemptions or is authorized by a general or specific license, no U.S. person may knowingly engage in a covered data transaction involving data brokerage with a country of concern or a covered person.
  • In a separate prohibition, no “U.S. person” may knowingly engage in any data brokerage transaction with any “foreign person” (i.e., anyone that is not a U.S. person) without obtaining a contractual requirement that the foreign person refrain from engaging in a subsequent data brokerage transaction with any country of concern or covered person, and that the foreign person agree to report any known or suspected violations of this contractual requirement to DOJ.
  • This effectively seeks to prohibit any U.S. person involvement in international data brokerage transactions that may reach China, Russia, or the other identified countries through one or more third-country intermediaries.
  • Human ’omic data. The DSP prohibits any transfer of “human ’omic data” or of human biospecimens from which bulk human ’omic data could be derived. See 28 CFR 202.224 and 202.303. Human ’omic data includes human genomic data, human epigenomic data, human proteomic data, and human transcriptomic data.
  • Knowingly directing a prohibited or restricted transaction. No U.S. person may knowingly direct any covered data transaction that would be prohibited or restricted if engaged in by a U.S. person, without complying with the DSP.
  • Evasion and “causing” liability. Finally, among other things, the DSP includes prohibitions on “causing” a U.S. person to violate the regulations, as well as attempts to evade or avoid the prohibitions, which resemble many existing secondary sanctions programs and which apply to U.S. and non-U.S. persons alike.

Restricted Transactions: Restricted transactions are prohibited unless U.S. persons meet the rigorous security requirements published by the Cybersecurity and Infrastructure Security Agency (CISA) and comply with the affirmative recordkeeping, due diligence, and audit requirements in the DSP. Specifically, U.S. persons are prohibited from knowingly engaging in a covered data transaction that involves a vendor agreement, an employment agreement, or an investment agreement with a country of concern or covered person, unless the transaction is in compliance with the DSP or subject to one of the DSP’s exemptions.

The DSP again takes a broad approach with these agreements. Under the regulations, an employment agreement means “[a]ny agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person”; a vendor agreement means “[a]ny agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person”; and an investment agreement means “[a]ny arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to U.S. real estate or a U.S. legal entity.” With respect to “investment agreements,” there is an explicit exclusion for certain kinds of passive investments, but diligence will be required to confirm that a particular investment arrangement does not fall within the bounds of the DSP.

Exemptions

There are eleven exemptions contained in the DSP, including, among others, transactions that are ordinarily incident and necessary to financial services; corporate group transactions; and transactions required or authorized by Federal law or international agreements, or necessary for compliance with Federal law. But given that this is a newly formed program, there are ambiguities in the scope and reach of these exemptions and in how they may be enforced. For example, DOJ’s guidance concerning the “financial services” exemption states that financial institutions are not “categorically exempt” despite the existence of several exemptions for particular financial services-related activities, and provides that U.S. persons must evaluate whether a particular data transaction (such as a transaction involving data brokerage or a vendor, employment, or investment agreement) is “ordinarily incident to and part of” the provision of financial services in order to determine whether it will be treated as an exempt transaction.

For more information, please contact one of the partners listed below or your primary Seward & Kissel attorney.