Deadline Fast Approaching for Data Security Program Compliance

Skadden Publication / Executive Briefing: Latest Updates on the Trump Administration

Brian J. Egan, Michael E. Leiter, Tatiana O. Sullivan, Dana E. Holmstrand

The Department of Justice (DOJ) implemented a new regulatory regime (Data Security Program) addressing access to, and transfer of, sensitive personal data to countries and persons of concern, including Russia, China and Venezuela. Finalized on January 8, 2025, and effective April 8, 2025, the Data Security Program has since been subject to an enforcement policy deferment until July 8, 2025, to give companies more time to come into compliance with these rules. That deadline is fast approaching.

The Data Security Program created what are effectively export controls that prohibit or restrict U.S. persons from engaging in certain categories of data transactions with countries of concern and persons subject to the jurisdiction, ownership, control or direction of countries of concern (covered persons) that can give countries of concern or covered persons access to U.S. government-related data or bulk sensitive personal data about U.S. individuals. The Data Security Program addresses national security risks identified in Executive Order 14117 of February 2024 (“Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government Data by Countries of Concern”) and Executive Order 13873 of May 15, 2019 (“Securing the Information and Communications Technology Supply Chain”). Of note, the Data Security Program also addresses risks related to covered data being resold or transferred through non-covered-person third parties to countries of concern.

More information about what the Data Security Program encompasses can be found in our December 17, 2024, client alert. Generally, the Data Security Program identifies classes of covered data transactions that are prohibited, restricted or exempt from the program, depending on the type of transaction and data involved. Prohibited transactions involve two classes: data brokerage and access to human ’omic data or human biospecimens from which human ’omic data can be derived. Restricted transactions involve three classes: vendor, employment or investment agreements. Restricted transactions are not permitted unless the U.S. person has an adequate cybersecurity program in place and takes additional compliance steps, including complying with audit and recordkeeping requirements.

Covered data includes six categories of data: health data, financial data, biometric data, human biospecimen and human ’omic data, geolocation data, and certain categories of personal identifiers in combination with demographic or other personal identifiers. Covered data is subject to the Data Security Program if it meets the bulk thresholds set forth in the Program, regardless of whether the data is anonymized, pseudonymized or de-identified. Bulk thresholds range from 100 persons to 100,000 persons, depending on the category of data at issue.

The Data Security Program exempts certain transactions from coverage. Exemptions are afforded for personal communications, official U.S. government activities, facilitation of commercial financial transactions, telecommunication services, international and federally sponsored activities, drug and device approvals, corporate group transactions, and investment agreements subject to CFIUS action.

Although U.S. persons subject to the Data Security Program were required to comply with certain aspects of the Program by April 8, 2025, including certain aspects of the cybersecurity requirements that apply to restricted transactions, the DOJ issued an enforcement policy that delayed enforcement of the Program for U.S. persons engaged in good faith efforts to comply with, or come into compliance with, the Program. The enforcement delay was designed to provide additional time to come into compliance with the rules.

The enforcement policy lists several actions that the DOJ will consider when evaluating whether a U.S. person is engaged in good faith efforts, highlighting the broad scope and impact of the Data Security Program on those that fall under its purview. Such actions include:

  • Renegotiating vendor agreements or negotiating contracts with new vendors that take into account the Data Security Program requirements;
  • Transferring products and services to new vendors;
  • Establishing due diligence programs on new vendors;
  • Adjusting employee work locations, roles and responsibilities;
  • Evaluating and renegotiating investment agreements with countries of concern;
  • Putting in place adequate cybersecurity measures in accordance with CISA requirements.

It will be critical for companies to show they are engaged in good faith efforts to assess whether the data they collect, store, maintain and transfer is covered data and, if so, to determine what, if any, actions are required to come into compliance with the Data Security Program in order to avoid potential enforcement liability. Companies that discover they are engaged in restricted data transactions should implement a cybersecurity program consistent with the requirements in the Data Security Program, including by completing a data risk assessment for certain cybersecurity controls. With a 10-year statute of limitations, this International Emergency Economic Powers Act (IEEPA)-based authority gives the government a long look-back period in which to target companies that fail to comply.


This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
