On April 11, 2025, the US Department of Justice National Security Division (“DOJ”) took steps to implement its December 2024 Final Rule on Protecting Americans’ Sensitive Data from Foreign Adversaries (“Final Rule”). Specifically, the DOJ issued answers to more than 100 Frequently Asked Questions (“FAQs”), published a Compliance Guide, and issued a Limited Enforcement Policy for the first 90 days of the Final Rule. This Baker McKenzie Client Alert outlines key points regarding the FAQs, Compliance Guide, and Limited Enforcement Policy.

The Final Rule represents a key pillar of the evolving US national security regulatory regime, focusing on (i) U.S. Government-related data and bulk sensitive personal data of US persons, if transferred to, or accessed by, (ii) the listed countries of concern (China, including Hong Kong and Macau; Cuba; Iran; North Korea; Russia; and Venezuela), or (iii) companies in third countries that are owned 50% or more by persons in those countries/territories. For further background on the Final Rule, please see our January 2025 client alert here.

1. Compliance Guide. The DOJ Compliance Guide outlines best practices for complying with the Data Security Program (“DSP”) established by the DOJ’s National Security Division to implement the Final Rule and Executive Order 14117. The Compliance Guide:

  • Explains the Administration’s policy that the DSP comprehensively and proactively addresses the continued efforts of foreign adversaries to access, exploit, and weaponize U.S. Government-related data and Americans’ bulk sensitive personal data.
  • Provides guidance on key definitions, prohibited and restricted data transactions, exemptions, and recommendations for building a robust compliance program.
  • Provides model contract language and other key provisions that companies can use to limit the risk of onward transfer in data brokerage and other situations. Such language could become a default standard in contracts implicated by the relevant data transactions.
  • Contains best practices for complying with the DSP’s audit and recordkeeping requirements.

2. FAQs. The DOJ provides answers to more than 100 FAQs on a variety of topics related to the DSP.

  • Key answers relate to the scope of the DSP, the processes for requesting specific licenses and advisory opinions, guidance on making disclosures about violations, and reporting rejected prohibited transactions.
  • The DSP signals the use of concepts and constructs similar to those deployed in other regulatory regimes issued under the same statutory authority, the International Emergency Economic Powers Act (“IEEPA”), from which the legal basis for the DSP is derived. This includes various US economic sanctions programs, and the shared constructs are the issuance of general and specific licenses, the presence of IEEPA-mandated exemptions, a requirement to report certain rejected transactions, and the extension of prohibitions/restrictions not only to targeted countries and persons but also to third-country companies that are 50% or more owned by targeted countries/persons.
  • The FAQs also include other information, such as a comparison between the DSP and the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“PADFAA”), further information on penalties and National Security Division (“NSD”) enforcement, and descriptions of how the DOJ expects companies to adhere to certain “know your data” requirements (FAQ 79).

3. Limited Enforcement Policy for the First 90 Days. The DSP went into effect on April 8, 2025, only three months after its publication in the Federal Register on January 8, 2025.

  • The DOJ has indicated that it will limit its enforcement efforts during the first 90 days after the effective date (i.e., through July 8, 2025) to allow U.S. persons (e.g., individuals and companies) additional time to implement the changes required by the DSP, to provide additional opportunities for the public to engage with the DOJ, and to minimize potential disruptions for businesses. Specifically, the DOJ has indicated that it “will not prioritize civil enforcement actions against any person for violations of the Data Security Program that occur from April 8 through July 8, 2025, so long as the person is engaging in good faith efforts to comply with or come into compliance with the Data Security Program during that time.”
  • The DOJ has also clarified that such good faith efforts include “engaging in compliance activities described in that policy, such as amending or renegotiating existing contracts, conducting internal reviews of data flows, deploying the CISA security requirements, and so on.”
  • Importantly, the DOJ has also specified that, at “the end of this 90-day period, individuals, and entities should be in full compliance with the DSP.” Note that the October 6, 2025 effective date for compliance with the due diligence and audit requirements, as well as the requirement to report rejected transactions, remains unchanged. The limited enforcement policy does not extend that date.

4. Next steps. Several observations on the documents that the DOJ issued on April 11, 2025 and recommendations on next steps:

  • The 90-day limited enforcement policy is welcome. The DSP is a new, complex, and rigorous set of outbound data transaction regulations. The short interval between the issuance of the Final Rule and its effective date was not sufficient for most companies to assess the requirements and implement changes to business operations.
  • DOJ takes the DSP seriously. Given that the DSP had been issued in the closing days of the Biden Administration, there had been some question as to whether the Trump Administration would wish to revise or otherwise change the DSP. The DOJ has now confirmed that the current Administration is focused on implementation of these new requirements.
  • Companies should be acting now. Companies need to proceed with deliberate speed to assess applicability, develop and implement a compliance plan, and engage in ongoing monitoring, so that they can demonstrate that they are engaging in “good faith efforts.” As noted, this is a new, complex, and rigorous outbound data transaction regulation. Because the purpose of the DSP is national security (not commercial privacy), many terms used in data privacy regimes are defined differently in the DSP, and risk remediation measures that have been sufficient under data privacy regulations might not be fit for purpose under the DSP. More generally, many companies consider the definitions to be complex, the structure to be complicated, the exemptions to be narrow, and the designated security requirements to be strict. Compliance for many companies will require cross-functional input and support, and may well absorb some or all of the 90-day limited enforcement period.

We will post additional updates as this is a rapidly developing new area of regulation.
