In a Press Release issued April 11, 2025, the U.S. Department of Justice (“DOJ”) indicated that it would prioritize “facilitating compliance” over civil enforcement actions for the first 90 days of its new US-China data export rules. DOJ also released several guidance documents designed to help the private sector comply with the new rules. DOJ’s final rule implementing Executive Order 14117 (“Final Rule”) that restricts certain data transfers to China and other countries of concern went into effect on April 8, 2025. Following DOJ’s updated guidance, companies effectively have until July 8, 2025 to come into full compliance with the Final Rule, so long as they are making good faith efforts to do so between now and July 8, 2025.
In the guidance released on April 11, DOJ clarified that its enforcement priorities will allow companies more time to implement compliance policies and bring their operations into conformity with the Final Rule. In its announcement, DOJ recognized that compliance may be difficult and time consuming for many companies. DOJ emphasized that it retains discretion to bring civil and criminal enforcement actions for reckless, willful, or knowing violations, or where companies attempt to avoid or evade the requirements of the Final Rule.
DOJ acknowledged that key compliance steps may require an extensive amount of due diligence and internal preparation. DOJ suggests that the following compliance measures may be necessary, and that taking such measures would be indicative of good faith efforts to comply with the Final Rule:
- Creating an inventory of the categories of data processed by the company;
- Assessing data access from countries of concern or other covered persons, and whether such access is permissible under the Final Rule;
- Negotiating vendor agreements or contracts that conform to the Final Rule;
- Performing due diligence of potential vendors;
- Determining whether foreign person contracts may involve onward transfers of restricted data to countries of concern;
- Adjusting employee work locations or responsibilities to comply with restrictions;
- Evaluating certain investments with persons from countries of concern and whether any access to sensitive data is permissible under the Final Rule; and
- Implementing the Cybersecurity and Infrastructure Security Agency (“CISA”) data security requirements that can permit certain restricted transactions with countries of concern and persons of concern under the Final Rule.
We provided a comprehensive summary of DOJ’s Final Rule in an earlier eUpdate, and the DOJ rulemaking process in a recent eUpdate. As part of DOJ’s April 11th guidance, it also released a Compliance Guide, and Frequently Asked Questions providing additional clarity on the requirements of the Final Rule.
