Many “good government” initiatives continue to be enacted or implemented on Capitol Hill or in the Executive Branch — notwithstanding changes in political control. During my time working on Capitol Hill, the bulk of the legislative and oversight work was bipartisan: both parties were committed to the sensible initiatives needed to keep the government operational and effective. Of course, there were partisan issues, but at least three quarters of the work was bipartisan.
Even with the tumultuous change occurring in the federal government right now, some initiatives continue.
The Justice Department in early January 2025 issued a final rule implementing Executive Order 14117, which is directed at preventing access by certain countries to sensitive personal and government data. No one would question the need for this initiative, and the Trump Administration recently enacted these regulations to block countries of concern (China, Cuba, Iran, North Korea, Russia, and Venezuela) from gaining access to sensitive data.
Effective April 8, 2025, the “Data Security Program” (“DSP”) prohibits or restricts U.S. persons and companies from engaging in any transaction involving U.S. Government-related data or bulk U.S. sensitive personal data, and restricts certain data. The new rules include additional requirements that must be met by October 6, 2025. To assist companies in compliance, DOJ issued compliance guidance and FAQs. Interestingly, DOJ announced a 90-day enforcement hiatus, ending on July 8, 2025, so that companies can focus on compliance.
The DSP identifies classes of prohibited and restricted transactions (“covered data transactions”) and exempt transactions; identifies countries of concern and classes of covered persons; defines key terms; identifies numeric thresholds above which a data set is considered bulk; establishes a process to issue (including to modify or rescind) general and specific licenses authorizing otherwise prohibited or restricted transactions and to issue advisory opinions; and addresses recordkeeping and reporting of transactions to inform the investigative, enforcement, and regulatory efforts of DOJ’s National Security Division (NSD).
The DSP applies to all U.S. persons and companies that engage in covered data transactions involving countries or persons of concern. Countries of concern are China, Cuba, Iran, North Korea, Russia and Venezuela. Covered persons include: any entity or individual fifty (50) percent or more owned by a country of concern; any entity organized under the laws of a country of concern; an entity that has its primary place of business in a country of concern; an entity that is fifty (50) percent or more owned by a covered person; and a foreign person who is an employee or contractor of, or a resident of, a country of concern.
The DSP applies to U.S. Sensitive Personal Data and U.S. Government-Related Data.
U.S. Sensitive Personal Data includes: Human ‘omic Data (human genomic, epigenomic, proteomic, and transcriptomic data); Biometric Identifiers (e.g. facial images, voice prints, retina scans and fingerprints); Precise Geolocation Data (identifies the location of an individual or device to within 1,000 meters); Personal Financial Data; and Personal Identifiers (e.g. government ID numbers, device identifiers, demographic or contact data, network identifiers and call-detail data).
The prohibitions are keyed to the amount of data collected in any format over a 12-month period, whether it is one data transfer or multiple transfers:
Data category                      Bulk threshold (U.S. persons, per 12-month period)
Human Genomic Data                 100+
Human Epigenomic Data              1,000+
Human Proteomic Data               1,000+
Human Transcriptomic Data          1,000+
Biometric Identifiers              1,000+
Precise Geolocation Data           1,000+
Personal Health Data               10,000+
Personal Financial Data            10,000+
Covered Personal Identifiers       100,000+
Combined Data                      Lowest applicable number among the categories present
U.S. Government-Related Data includes: Precise Geolocation Data; and Sensitive Personal Data Linked to Government Employees (e.g. sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government).
Depending on the nature and category of a data transaction, the DSP prohibits, restricts or exempts the transaction.
Prohibited Transactions: (1) Data Brokerage, that is, the sale, licensing, or similar commercial transactions involving the transfer of data from a provider to a recipient who did not collect or process the data directly and (2) Human ‘Omic Data, that is, transactions involving access to bulk human ‘omic data (genomic, epigenomic, proteomic, and transcriptomic data) or human biospecimens from which such data could be derived.
Restricted Transactions: Subject to certain exemptions, the following transactions and types of agreements may be permitted conditioned on security and compliance conditions:
(1) Vendor Agreements where a person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration. These transactions must comply with security requirements to prevent unauthorized access to covered data.
(2) Employment Agreements where an individual performs work directly for a person in exchange for payment or other consideration. This includes board service and executive-level arrangements.
(3) Investment Agreements where a person gains direct or indirect ownership of a U.S. legal entity or real estate. Passive investments, such as publicly traded securities, are excluded. These transactions must adhere to security measures and due diligence requirements.
Exempt Transactions include: (1) Personal communications; (2) Information or informational materials; (3) Travel; (4) Official business of the U.S. Government; (5) Financial services; (6) Corporate group transactions; (7) Transactions required or authorized by U.S. federal law or international agreements, or necessary for compliance with federal law; (8) Investment agreements subject to CFIUS action; (9) Telecommunications services; (10) Drug, biological product and medical authorizations; (11) Other clinical investigations and post-marketing surveillance data.
During the 90-day enforcement pause, individuals and companies are expected to make good faith efforts to comply with the DSP, including: (1) Conducting internal reviews of sensitive data access; (2) Reviewing datasets for DSP applicability; (3) Renegotiating vendor agreements; (4) Transferring products to new vendors; (5) Conducting due diligence on new vendors; (6) Negotiating transfer provisions with foreign counterparts; (7) Adjusting employee roles or locations; (8) Evaluating investments from countries of concern; (9) Renegotiating investment agreements; and (10) Implementing CISA Security Requirements.
Violations of the DSP can lead to civil and/or criminal penalties, including fines up to $377,700 (adjusted for inflation) or twice a transaction’s value. Intentional or willful violations can result in fines up to $1,000,000, imprisonment for up to 20 years, or both.
Companies should conduct DSP data assessments to identify sensitive personal data and government-related data, and calculate whether such data reaches DSP bulk threshold levels. As a second step, companies should assess security protocols and capabilities like encryption, masking and other privacy enhancements.
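The bulk-threshold calculation described in the assessment step above, and the threshold table earlier in the post, can be turned into a repeatable check. The following is an added illustration, not code from the post or from DOJ: the per-category numbers are the ones the post lists, while the counting rule (distinct U.S. persons per category, aggregated across every transfer in a rolling 12-month window, with the “Combined Data” row applied as the lowest threshold among the categories present) is an assumption made for this example and is not a statement of how NSD counts. The category names, the `Transfer` record and the sample transfers are constructed for the example.

```python
"""Bulk-threshold check modelled on the DSP table in the post.

Added example; not DOJ's or the post author's code. Aggregation semantics
(distinct persons per category over a rolling 12-month window) are an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as listed in the post: a category is "bulk" at this many U.S. persons.
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "human_epigenomic": 1_000,
    "human_proteomic": 1_000,
    "human_transcriptomic": 1_000,
    "biometric_identifiers": 1_000,
    "precise_geolocation": 1_000,
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_personal_identifiers": 100_000,
}

WINDOW = timedelta(days=365)   # "over a 12-month period"


@dataclass(frozen=True)
class Transfer:
    """One data transfer (constructed record type for this example)."""
    when: date
    categories: frozenset      # DSP data categories present in the transfer
    person_ids: frozenset      # pseudonymous ids of the U.S. persons covered


def combined_threshold(categories):
    """'Combined Data: lowest applicable number' -- the lowest threshold among
    the categories a dataset contains applies to the dataset as a whole."""
    return min(BULK_THRESHOLDS[c] for c in categories)


def bulk_status(transfers, as_of):
    """Count distinct U.S. persons per category across all transfers in the
    12 months ending at `as_of`. Returns {category: (count, threshold, is_bulk)}
    plus a 'combined' entry for the union of persons across categories."""
    start = as_of - WINDOW
    persons_by_cat = defaultdict(set)
    for t in transfers:
        if start < t.when <= as_of:              # inside the rolling window
            for c in t.categories:
                persons_by_cat[c] |= t.person_ids  # union, so repeats don't double count
    report = {
        c: (len(p), BULK_THRESHOLDS[c], len(p) >= BULK_THRESHOLDS[c])
        for c, p in persons_by_cat.items()
    }
    if persons_by_cat:
        all_persons = set().union(*persons_by_cat.values())
        thr = combined_threshold(persons_by_cat.keys())
        report["combined"] = (len(all_persons), thr, len(all_persons) >= thr)
    return report


def is_bulk(transfers, as_of):
    """True if any category, or the combined dataset, meets its threshold."""
    return any(flag for _, _, flag in bulk_status(transfers, as_of).values())


def _ids(lo, hi):
    return frozenset(f"p{i}" for i in range(lo, hi))


# Constructed sample transfers (not real data). Person ids overlap on purpose.
SAMPLE_TRANSFERS = [
    Transfer(date(2024, 3, 1), frozenset({"biometric_identifiers"}), _ids(0, 5000)),
    Transfer(date(2025, 1, 15), frozenset({"precise_geolocation"}), _ids(0, 600)),
    Transfer(date(2025, 6, 1), frozenset({"precise_geolocation", "personal_financial"}), _ids(300, 900)),
    Transfer(date(2025, 9, 1), frozenset({"human_genomic"}), _ids(0, 150)),
]
SAMPLE_AS_OF = date(2025, 10, 6)   # the post's full-compliance date
EARLY_AS_OF = date(2025, 8, 1)     # before the genomic transfer occurred

if __name__ == "__main__":
    for cat, (n, thr, flag) in bulk_status(SAMPLE_TRANSFERS, SAMPLE_AS_OF).items():
        print(f"{cat:28s} {n:>7} / {thr:<7} {'BULK' if flag else 'below threshold'}")
```

Two points the run makes visible: the 5,000-person biometric transfer falls outside the 12-month window and is ignored entirely, and a small genomic transfer (150 persons) not only crosses its own 100-person threshold but drags the combined dataset's threshold down to 100, so a dataset that was below threshold in August is bulk by October.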
Companies should document and monitor restricted transactions so that full compliance is achieved no later than October 6, 2025. In addition, companies should review their contracts that may be covered by the prohibitions or restrictions.
Like any compliance program, companies need to train employees with access to or responsible for handling data, and develop appropriate auditing and monitoring programs.