Takeaways

The Data Security Program (DSP), which effectively establishes export controls on data subject to the Program, applies to a wide range of transactions by U.S. persons, including data brokerage and vendor, employment and investment agreements, involving U.S. government-related data or the bulk sensitive personal data of Americans.
U.S. persons must comply with core DSP prohibitions, restrictions and other requirements beginning April 8, 2025, with additional affirmative obligations—including due diligence, reporting and audit requirements—taking effect on October 6, 2025.
U.S. persons must implement risk-based DSPs, conduct annual audits and maintain detailed records for at least 10 years, with noncompliance potentially resulting in civil or criminal penalties.

On January 8, 2025, the U.S. Department of Justice (DOJ) issued its final rule (28 C.F.R. Part 202) implementing former President Biden’s Executive Order 14117 (Order), “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The Order and final rule create the Data Security Program (DSP), which provides for restrictions or prohibitions on access to U.S. government-related data and Americans’ bulk sensitive data by specified countries of concern or covered persons. The regulations largely took effect on April 8, 2025, but additional affirmative compliance requirements for U.S. persons will take effect on October 6, 2025.

On April 11, 2025, the DOJ, through its National Security Division (NSD), issued a Data Security Program Compliance Guide, along with a list of more than 100 Frequently Asked Questions (FAQs) and an Implementation and Enforcement Policy, to assist entities in understanding rule compliance and enforcement.

Below we discuss the key components of the DSP and offer thoughts about compliance.

The DSP provides for:

  • prohibitions on covered data transactions by U.S. persons that involve data brokerage with countries of concern, covered persons or other foreign persons (unless certain requirements intended to prevent onward transfer of data are met), or that give countries of concern or covered persons access to bulk human ‘omic data (i.e., large-scale, molecular-level biological datasets);
  • restrictions on covered data transactions that involve a vendor, employment or investment agreement with a country of concern designated by the DOJ or a “covered person” as defined under the regulations; and
  • exemptions for certain covered data transactions.


Covered Data Transactions. Under the DSP, “covered data transactions” are specific categories of commercial relationships that involve any access by countries of concern or covered persons to government-related data or bulk U.S. sensitive personal data, and that involve: (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement.

  • “Government-related data” encompasses any precise geolocation data for any location within any area on the Government-Related Location Data List in § 202.1401; and any sensitive personal data that a “transacting party” markets as linked or linkable to “current or recent former employees, contractors or senior officials” of the United States Government.
  • “Bulk U.S. sensitive personal data” means a “collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable bulk threshold set forth in § 202.205.” There are six categories of “sensitive personal data”: “(1) covered personal identifiers; (2) precise geolocation data; (3) biometric identifiers; (4) human ‘omic data; (5) personal health data; and (6) personal financial data.”

Countries of Concern and Covered Persons. Section 202.209 of the regulation defines a “country of concern” as a foreign government with a long-term pattern or serious instances of conduct adverse to the national security of the United States or to the security and safety of U.S. persons, and that poses a significant risk of exploiting protected data. As determined by the DOJ, with the concurrence of the U.S. Departments of State and Commerce, the countries of concern under the DSP currently include: (1) China (including Hong Kong and Macau), (2) North Korea, (3) Cuba, (4) Russia, (5) Iran and (6) Venezuela. These countries are also designated as countries of concern by the Department of Commerce under its Information and Communications Technology Services (ICTS) program.

In addition, there are five categories of covered persons defined in § 202.211(a):

  • Foreign entities headquartered in or organized under the laws of a country of concern, or 50% or more owned by one or more countries of concern or other covered persons;
  • Foreign entities 50% or more owned by a person who is a covered person;
  • Foreign individuals that are employees or contractors of a country of concern or other covered person;
  • Foreign individuals who are primarily resident in a country of concern; and
  • Persons, foreign or U.S., that NSD designates and publicly identifies as:

-  to be, to have been or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person;

-  to act, to have acted or purported to act, or to be likely to act, for or on behalf of a country of concern or covered person; or

-  to have knowingly caused or directed, or to be likely to knowingly cause or direct, a violation of this part.

The NSD plans to add designated covered persons to a Covered Persons List, with notice identifying such covered persons published in the Federal Register.

Prohibited, Restricted and Exempt Transactions. The DSP describes three types of transactions: prohibited, restricted and exempt. Prohibited transactions are banned unless exempt or otherwise authorized by a general or specific license. Restricted transactions are permissible only when adhering to specific compliance and security requirements. Finally, the DSP lists specific exempt transactions, such as personal communications or official U.S. government business, among others discussed below.

  • Prohibited Transactions. Prohibited transactions under the DSP include covered data transactions that involve data brokerage with a country of concern or covered person, where data brokerage means the “sale of data, licensing of access to data, or similar commercial transactions” (excluding an employment, investment or a vendor agreement), “involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.” The DSP Compliance Guide provides as an example of prohibited data brokerage a “U.S. company maintaining a website or mobile application that contains ads with tracking pixels or software development kits that were knowingly installed or approved for incorporation into the app or website by the U.S. company.”

    Also prohibited are covered data transactions involving data brokerage with foreign persons, even those that are not covered persons, unless the data brokerage transaction includes a contractual prohibition on resale of any such data and the U.S. person reports any known or suspected violation of this contractual requirement as described in the regulations. This prohibition is intended to address concerns regarding the onward transfer of data to countries of concern or covered persons.

    The DSP prohibits covered data transactions with a country of concern or covered person that involve access by that country of concern or covered person to bulk U.S. sensitive personal data that includes bulk human ‘omic data, or to human biospecimens from which bulk human ‘omic data could be derived. The DSP also prohibits any transaction that has the purpose of evading or avoiding, causes a violation of, or attempts to violate the prohibitions under the DSP; any conspiracy to violate the prohibitions under the DSP; and knowingly directing a prohibited or restricted transaction (without meeting the additional requirements for restricted transactions).

  • Restricted Transactions. Certain data-related transactions, including with respect to vendor, employment and investment agreements, are permissible only if the U.S. person or entity complies with specific compliance and security requirements. To lawfully engage in a restricted transaction, the U.S. person must:

-  adhere to cybersecurity requirements issued by the Cybersecurity and Infrastructure Security Agency (CISA);

-  establish and maintain an individualized, risk-based and written data compliance program, which meets several minimum requirements, including, among other things, establishing and implementing risk-based procedures for verifying data flows involved in any restricted transaction (including the types and volumes of data involved in the transactions, the identity of the transaction parties and the end-use of the data); a written policy describing the program that is annually certified by an officer, executive or other employee responsible for compliance; and the implementation of CISA’s security requirements;

-  conduct independent audits on an annual basis that address the requirements of the DSP; and

-  comply with applicable recordkeeping and reporting obligations.

  • Exempt Transactions. Finally, the DSP provides a list of transactions that are exempt from regulation, including:

-  personal communications that do not involve the transfer of anything of value;

-  importation or exportation of any information or informational materials (which is limited to expressive material);

-  ordinarily incident to travel from any country and related transactions;

-  conducted for official U.S. government business;

-  ordinarily incident to the provision of financial services described in the regulations;

-  corporate group transactions to the extent that they are ordinarily incident to and part of administrative or ancillary business operations (such as, among other things, payroll transactions or business taxes);

-  transactions required or authorized by federal law or international agreement, or necessary to comply with federal law;

-  investment agreements subject to a Committee on Foreign Investment in the United States (CFIUS) action as defined under the regulations. DSP obligations apply unless and until CFIUS takes action;

-  ordinarily incident to telecommunications services, including the provision of voice and data communications services, but not all internet-based services, like cloud computing. This exemption does not apply for transactions involving data brokerage; and

-  certain drug, biological product and medical device authorizations, and other clinical investigations and post-marketing surveillance data.

Licenses
As is the case with Office of Foreign Assets Control (OFAC) sanctions regimes, there are two types of licenses available under the DSP: general licenses and specific licenses. General licenses authorize a particular type of transaction that would otherwise violate the DSP. Persons or entities may engage in transactions authorized under general licenses without applying for a license. General licenses may allow, for example, the wind-down of covered transactions. A specific license is issued by NSD to a person or entity, authorizing a particular transaction in response to a license application by the person or entity. NSD has advised that it will consider specific licenses on a case-by-case basis and that such licenses will be subject to a “presumption of denial” standard. This presumption could be overcome by considerations “such as an emergency or imminent threat to public safety or national security.” NSD will “issue, modify, or rescind a general or specific license with the concurrence of the Departments of State, Commerce, and Homeland Security and in consultation with other relevant agencies.”

Recordkeeping and Reporting Requirements. The DSP includes significant recordkeeping requirements. In general, U.S. persons are required to keep the records specified in the regulations for any transaction they have engaged in that is subject to the DSP and to make those records available for examination for at least 10 years after the date of the transaction. The recordkeeping requirements apply to any non-exempt transactions, certain exempt transactions and transactions authorized by a general or specific license.

In addition, the DSP requires every person to furnish under oath, as may be required by DOJ, “complete information relative to any act or covered data transaction.” In the case of prohibited transactions involving data brokerage, the DSP also requires U.S. persons that affirmatively reject engaging in such conduct to report the transaction to DOJ within 14 days of the rejection. Also, the DSP requires any U.S. person that is “engaged in a restricted transaction involving cloud-computing services, and that has 25% or more of the U.S. person’s equity interests owned” by a country of concern or covered person to file an annual report describing such transactions engaged in during the previous calendar year.

Enforcement and Penalties. The DSP is enforced by the NSD, using a combination of administrative, civil and criminal enforcement tools under the authority of the International Emergency Economic Powers Act (IEEPA). The NSD may take action against U.S. persons in cases involving:

  • prohibited transactions;
  • evasion, conspiracy or facilitation of prohibited conduct;
  • failure to comply with due diligence, security, audit or recordkeeping requirements for restricted transactions; or
  • knowingly directing a prohibited or non-compliant restricted transaction—even if not directly executing it.

Violations may result in civil penalties of up to the greater of $368,136 or twice the value of the violative transaction, per violation, and criminal penalties of up to 20 years of imprisonment and $1 million in fines for willful violations.

DSP Compliance Requirements
As highlighted in Pillsbury’s April 2024 client alert regarding the convergence of social media, data brokerage and national security concerns, the federal government’s scrutiny of data transfers has been steadily intensifying.

Effective April 8, 2025, entities and individuals are required to comply with a range of DSP prohibitions, restrictions and provisions; however, the NSD has instituted a 90-day enforcement discretion period to facilitate an effective transition to the new regulatory framework. During this window, the NSD signaled an intent to focus on outreach and education, encouraged submission of inquiries about the DSP and the guidance that has been released, and indicated that it will not prioritize civil enforcement actions for violations of the DSP against companies making good-faith efforts to comply, while willful violations may still be pursued.

NSD has provided the following examples of good-faith efforts to comply:

  • Conducting internal reviews of access to sensitive personal data, including whether transactions involving access to such data flows constitute data brokerage;
  • Reviewing internal datasets and datatypes to determine if they are potentially subject to DSP;
  • Renegotiating vendor agreements or negotiating contracts with new vendors;
  • Transferring products and services to new vendors;
  • Conducting due diligence on potential new vendors;
  • Negotiating contractual onward transfer provisions with foreign persons who are the counterparties to data brokerage transactions;
  • Adjusting employee work locations, roles or responsibilities;
  • Evaluating investments from countries of concern or covered persons;
  • Renegotiating investment agreements with countries of concern or covered persons; or
  • Implementing the CISA Security Requirements, including the combination of data-level requirements necessary to preclude covered person access to regulated data for restricted transactions.

Conclusion

The DSP represents a significant expansion of national security regulation into the commercial data ecosystem, imposing rigorous obligations on U.S. persons who engage in certain data transactions with foreign entities. With the initial compliance deadline already in effect and broader obligations approaching in October 2025, organizations must act swiftly to assess their data flows, counterparties and existing compliance infrastructure. Companies that proactively implement robust risk-based compliance programs will be best-positioned to mitigate regulatory risk and respond effectively to enforcement scrutiny under this evolving framework.

Our team at Pillsbury is actively advising clients on DSP requirements, interactions with other regulatory regimes, such as ICTS and CFIUS, compliance strategy, risk assessments, contract structuring and audit readiness. We are well-positioned to help your organization navigate this complex regulatory landscape.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.