April 17, 2025
The Department of Justice’s National Security Division (NSD) released several documents on April 11, 2025, to assist entities that must comply with the Final Rule regulating or prohibiting the transfer of bulk U.S. sensitive personal data to certain covered persons or countries, or countries of concern. These include a Data Security Program Compliance Guide, Frequently Asked Questions Document and an Implementation and Enforcement Policy. The Final Rule became effective on April 8, 2025, although certain reporting, due diligence and auditing requirements will not take effect until October 6, 2025.
The Implementation and Enforcement Policy explains how NSD will enforce the Data Security Program (DSP), which NSD implemented under the Final Rule, during the first 90 days. The policy says NSD “will not prioritize civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025, so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time.” Such efforts can include:
Beginning July 9, 2025, these limitations are no longer in effect, and “individuals and entities should be in full compliance with the DSP and should expect NSD to pursue appropriate enforcement with respect to any violations.”
While the Data Security Program Compliance Guide does not provide any new regulations, it does offer some practical suggestions for compliance.
Given concerns around onward transfers, the Final Rule requires that entities transferring data outside the United States for the purpose of data brokerage (e.g., sale of data or licensing of data) include contractual language that could prevent the onward transfer of data to a country of concern. While the Final Rule does not mandate certain legal provisions, the guide provides recommendations on what should be included in such contractual language, including:
All entities engaging in restricted or prohibited transactions that have been approved by NSD must abide by requirements developed by the Cybersecurity and Infrastructure Agency. The guide recommends steps that entities should take to comply with these requirements, including:
The FAQs are intended to assist individuals and companies in complying with the “legal requirements and to facilitate an understanding of the scope and purposes of the DSP.” In doing so, the FAQs provide general information about compliance with the Final Rule while also providing specific guidance on certain data transactions, how the DSP interacts with the Committee on Foreign Investment in the United States and other regulatory regimes, and compliance requirements. NSD notes that it will periodically update the FAQs.
NSD is expected to continue releasing information throughout the year that will guide compliance with the Final Rule. The Paul Hastings Data Privacy and Cybersecurity practice is closely monitoring these developments. If you have any questions, please do not hesitate to contact any member of our team.