Enforcement Edge
May 8, 2025

Data Defense: Justice Department Issues Compliance Guidance and Delays Civil Enforcement of New “Data Security Program”

Enforcement Edge: Shining Light on Government Enforcement

In January 2025, the U.S. Department of Justice (DOJ) issued a final rule restricting transfers of Americans’ bulk sensitive personal data, as well as certain U.S. government-related data, to foreign adversaries (referred to as the Data Security Program, or DSP). On April 11, 2025, DOJ issued guidance about how it would enforce this novel and complex rule. First, it unexpectedly announced that it would delay enforcing portions of the rule. Second, DOJ issued a Compliance Guide and a set of answers to “Frequently Asked Questions” (FAQs) designed to facilitate compliance with the DSP. As the Compliance Guide underscores, DOJ plans to prioritize the DSP as a countermeasure against foreign adversaries’ ability to obtain U.S. government-related or sensitive personal data via commercial transactions for the purpose of committing espionage, engaging in surveillance and counterintelligence activities, and advancing artificial intelligence and military capabilities.

Companies Have Some Breathing Room, but Not for “Willful” Violations. DOJ’s National Security Division (NSD) announced it will not prioritize civil enforcement actions for DSP violations occurring between April 8 and July 8, 2025, as long as the violator is making good faith compliance efforts, such as by developing new internal policies, changing vendors or suppliers, implementing new security requirements, and revising existing contracts. During this 90-day grace period for civil enforcement, affected parties are encouraged to reach out to the NSD for compliance guidance. Notably, however, there is no grace period for criminal enforcement of willful violations of the DSP. Companies must fully comply with the due diligence, audit, and reporting obligations under the DSP by October 6, 2025.

DOJ’s new guidance contains several helpful clarifications, including:

  • The DSP Extends to Both U.S. and Non-U.S. Entities and Individuals. The DSP does not apply only to U.S. entities and individuals. Non-U.S. entities and individuals are also prohibited from causing a violation, conspiring to commit a violation, and evading the DSP.
  • “Know Your Data” via Data Compliance Programs. The DSP’s “know your data” requirement provides that U.S. entities and individuals engaging in transactions subject to the DSP must be aware of the volume and types of data that are in their possession and involved in those transactions. To do so, U.S. persons engaging in restricted transactions must adopt written, risk-based compliance programs that can verify data transactions, the identities of the parties to the transaction, and the data’s end use. The development and adjustment of organizational compliance programs should take into account the DSP’s 10-year recordkeeping requirement for covered data transactions, as well as its reporting requirements.
  • Timely Voluntary Self-Disclosure May Be a Mitigating Factor in Enforcement Actions. Voluntary self-disclosure may be a mitigating factor in enforcement actions provided that it is timely and sufficiently detailed. A report describing, in full, the circumstances of the violation should either be included in the voluntary self-disclosure itself or be submitted within 180 days of the initial notification.
  • Foreign Proxies May Not Be Used to Evade DSP’s Requirements. Contracts in data brokerage transactions with foreign entities or individuals who are neither “countries of concern” nor “covered persons” must include language prohibiting those foreign entities and individuals from onward transfers, that is, transferring or reselling U.S. government-related or sensitive personal data to “countries of concern” or “covered persons.” In addition, U.S. entities or individuals engaging in such transactions are also responsible for conducting due diligence on their foreign counterparts’ compliance with the contractual language.
  • Additional Guidance Is Forthcoming. Looking more like an export control regime than ever, NSD’s forthcoming guidance will include a Covered Persons List, NSD’s general framework for DSP enforcement, and information about mitigating factors. While the NSD prefers informal inquiries over requests for advisory opinions during the 90-day grace period, it will review and adjudicate advisory opinion requests afterwards.

Affected parties should promptly map the flows of the data they handle that could constitute U.S. government-related data or U.S. sensitive personal data (including data collected through online tracking technologies). Based on an analysis of those data flows, the next steps would be to review and revise relevant contractual provisions and begin developing a “country of concern” risk-based data compliance program. The compliance program should include procedures for verifying data flows, logging data, and screening vendors; implementation and documentation of the systems-based security controls required for restricted transactions; and the data-based privacy controls required for restricted transfers. The program should also restrict transactions and apply the Cybersecurity and Infrastructure Security Agency security requirements, audits, recordkeeping, reporting, training, and ongoing monitoring.

If you have questions about the DSP, compliant data transfers, development of data compliance programming, export controls, or sanctions matters, please contact the authors or any of their colleagues in Arnold & Porter’s White Collar Defense & Investigations, Privacy, Cybersecurity, and Data Strategy, or Export Control & Sanctions practice groups.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.