Department of Justice Provides New Guidance on Bulk Sensitive Data Transfer Rules

The Department of Justice’s National Security Division (NSD) released several documents on April 11, 2025, to assist entities that must comply with the Final Rule regulating or prohibiting the transfer of bulk U.S. sensitive personal data to certain covered persons or countries, or countries of concern. These include a Data Security Program Compliance Guide, Frequently Asked Questions Document and an Implementation and Enforcement Policy. The Final Rule became effective on April 8, 2025, although certain reporting, due diligence and auditing requirements will not take effect until October 6, 2025.

Implementation and Enforcement Policy Takeaways

The Implementation and Enforcement Policy provides guidance on how it will enforce the Data Security Program (DSP) implemented by the NSD under the Final Rule during the first 90 days. The policy says it “will not prioritize civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025, so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time.” Such efforts can include:

• Conducting vendor due diligence.
• Renegotiating vendor agreements or new contracts with new vendors.
• Adding in contractual provisions that would restrict onward transfers of data to countries of concern.
• Evaluating investments from countries of concern or foreign persons.
• Adjusting employees work locations, roles or responsibilities.
• Undertaking a data mapping to understand what types of data are subject to the Final Rule.

Beginning July 9, 2025, these limitations are no longer in effect, and “individuals and entities should be in full compliance with the DSP and should expect NSD to pursue appropriate enforcement with respect to any violations.”

DSP Compliance Guide Takeaways

While the guide does not provide any new regulations, it does offer some practical suggestions for compliance.

Contractual Safeguards for Data Brokerage Transactions

Given concerns around onward transfers, the Final Rule requires that entities which are transferring data outside the United States for the purpose of data brokerage (e.g., sale of data or licensing of data) include contractual language that could prevent the onward transfer of data to a country of concern. While the Final Rule does not mandate certain legal provisions, the guide provides recommendations on what should be included in such contractual language, including:

• Foreign Access Prohibitions: Include clauses that explicitly prohibit contractors, vendors or cloud providers from transferring data to foreign adversary jurisdictions.
• Audit Rights: Grant the U.S. entity the right to require foreign vendors or partners handling data to certify that they are transferring data to countries of concern.
• Termination Clauses: Allow contracts to be terminated if the foreign entity becomes subject to adversary control or poses a national security risk.
• Flow-Down Requirements: Require subcontractors to comply with the same data protections.

Security Safeguards

All entities engaging in restricted or prohibited transactions that have been approved by NSD must abide by requirements developed by the Cybersecurity and Infrastructure Agency. The guide recommends steps that entities should take to comply with these requirements, including:

• Risk Assessment: Conduct a cybersecurity risk assessment at least annually against a well-established standard to identify gaps and make remediation efforts as appropriate.
• Vendors: Maintain a register of third-party service providers and conduct initial due diligence against their data handling practices and country affiliations.
• Training: Develop regular training for employees responsible for handling sensitive personal data that explains the Final Rule and their responsibilities for ensuring their company complies with it.
• Policies: Draft and annually update an information security policy.
• Governance: Appoint a responsible official to oversee compliance and liaise with NSD when necessary.
• Recordkeeping: Maintain documentation of due diligence, vendor assessments, mitigation measures and compliance certifications.

FAQ Takeaways

The FAQs are intended to assist individuals and companies in complying with the “legal requirements and to facilitate an understanding of the scope and purposes of the DSP.” In doing so, the FAQs provide general information about compliance with the Final Rule while also providing specific guidance on certain data transactions, how the DSP interacts with the Committee on Foreign Investment in the United States and other regulatory regimes, and compliance requirements. NSD notes that it will periodically update the FAQs.

NSD is expected to continue releasing information throughout the year that will guide compliance with the Final Rule. The Paul Hastings Data Privacy and Cybersecurity practice is closely monitoring these developments. If you have any questions, please do not hesitate to contact any member of our team.