Department of Justice establishes guidelines for handling large amounts of confidential information

On April 11, 2025, the Department of Justice (DOJ) provided instructions (Guidance) to help individuals and organizations meet the requirements of their final rule, known as the "Data Security Program" (DSP Rule), which aligns with Executive Order 14117, "Preventing Foreign Access to U.S....

The Department of Justice (DOJ) has issued a new Data Security Program (DSP) rule, effective from April 8, 2025, aimed at safeguarding sensitive personal data and government-related data from potential threats posed by certain countries.

The DSP rule defines a covered person as any of the following: an entity that is 50 percent or more owned, directly or indirectly, by one or more countries of concern or covered persons; an entity that is organized or chartered under the laws of, or has its principal place of business in, a country of concern; an employee or contractor of a country of concern or of an entity identified by the DSP rule; an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or any person, wherever located, determined by the Attorney General to be owned or controlled by, or subject to the jurisdiction or direction of, a country of concern or covered person.

The rule prohibits or restricts certain transactions involving bulk sensitive personal data or government-related data between U.S. persons and the countries of concern (China, including Hong Kong and Macau; Cuba; Iran; North Korea; Russia; and Venezuela) or covered persons. The DSP rule covers two categories of data: U.S. bulk sensitive personal data and U.S. government-related data.

U.S. bulk sensitive personal data comprises six categories, each with its own defined "bulk" threshold: human 'omic data, biometric identifiers, precise geolocation data, personal health data, personal financial data, and covered personal identifiers. U.S. government-related data comprises precise geolocation data for any area specifically designated as posing a heightened risk of exploitation, and any sensitive personal data that is marketed as linked or linkable to current or former U.S. government employees or officials, including those in the military or intelligence community.

The National Security Division (NSD) issues licenses that authorize transactions which would otherwise violate the DSP. There are two types of licenses: general licenses and specific licenses. The Compliance Guide, released by the DOJ, provides "best practices" for complying with the DSP, offering guidance on key definitions, prohibited and restricted transactions, and the elements of a "robust" data compliance program.

The Compliance Guide lists steps companies can take to ensure compliance with the DSP, including creating or revising internal policies and procedures, modifying contracts with vendors, and clarifying management and employee responsibilities for compliance. It also specifies that a Data Compliance Program for Restricted Transactions should be tailored to the U.S. person's risk profile, but must include affirmative requirements such as risk-based due diligence procedures, vendor management and validation procedures, a written data compliance program policy, and a written security requirements policy.

The Compliance Guide offers sample contract language for Prohibited Transactions, including provisions that U.S. persons can include in contracts to prevent a foreign counterparty from engaging in certain commercial transactions with countries of concern or covered persons. It also emphasizes the importance of U.S. persons understanding their data and the risks associated with foreign access to it.

The DOJ's Implementation and Enforcement Policy, which is in place only through July 8, 2025, offers a 90-day window during which the DOJ will not prioritize civil enforcement actions against any person for violations of the DSP Rule that occur from April 8 through July 8, 2025, so long as the person is engaging in good-faith efforts to comply with, or come into compliance with, the DSP Rule during that time. This policy is intended to let the private sector focus its resources and efforts on promptly achieving compliance, and to let the DOJ prioritize its own resources on facilitating compliance.

The DOJ identifies the countries of concern as posing a threat to U.S. national security, including through espionage, economic espionage, surveillance, coercion, influence, blackmail, foreign malign influence, curbing dissent, targeting journalists, political figures, and members of marginalized communities, and engaging in nefarious cyber-enabled activities. The Compliance Guide provides further guidance on these matters.