DOJ Data Security Program Update: Active Enforcement Begins This Week
Client Alert | 4 min read | 07.07.25
The U.S. Department of Justice’s (DOJ) reprieve on civil enforcement of its Data Security Program (DSP), which imposes sweeping restrictions on bulk data transfers by U.S. entities to certain “countries of concern” and “covered persons,” is set to expire on July 8, 2025.
DSP Refresher
The DOJ created the DSP to establish rules for U.S. persons and entities engaging in certain “covered data transactions” that the U.S. Government has determined pose an unacceptable risk of giving “countries of concern” or “covered persons” access to U.S. government-related data or bulk U.S. sensitive personal data. (We refer to relevant foreign entities collectively as “entities of concern.”) Among other requirements, the DSP identifies classes of prohibited, restricted, and exempt transactions; identifies entities of concern to whom its restrictions apply; and establishes processes to issue licenses authorizing certain prohibited or restricted transactions. Many have equated the DSP to an unofficial export control program for certain sensitive personal data.
Key Compliance Dates
The DOJ explained in its DSP Implementation and Enforcement Policy of April 2025 that it would not “prioritize civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025 so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time.” Since then, the DOJ has focused on facilitating the private sector’s compliance with the DSP. But starting this week on July 8, we expect the DOJ to begin shifting its focus to enforcement.
While most DSP requirements entered into effect on April 8, 2025, and will thus be ripe for enforcement, three provisions will not be effective or enforced until October 6, 2025:
- Due diligence and audit requirements for “restricted transactions” (i.e., bulk data transactions that are permitted only if specific mitigations are implemented by the U.S. entity proposing to engage in the transaction) (see 28 CFR 202 Subpart J);
- Reporting requirements for U.S. entities that have at least 25% equity held by entities of concern and are engaged in restricted transactions involving cloud-computing services (see 28 CFR § 202.1103); and
- Reporting requirements for U.S. entities that have rejected an offer to engage in a prohibited transaction involving data brokerage (see 28 CFR § 202.1104).
Key Actions for US Entities
Looking ahead, U.S. entities should continue maturing their compliance initiatives, with an eye toward the specific due diligence, auditing, and reporting requirements that come into force in October 2025. The DOJ has been clear that, by October, it expects “full compliance” with the DSP’s first wave of requirements. Entities should also focus attention on the internal mechanisms that ensure ongoing compliance. Key elements that U.S. entities should consider when building a strong compliance program include:
- Written policies and procedures addressing bulk data transfers and data security.
- Risk assessments tailored to specific data flows and business operations.
- Regular employee training and awareness campaigns.
- Response protocols and escalation procedures for addressing potential or confirmed violations.
- Ongoing monitoring and internal audits.
For more guidance on navigating the DSP as it comes into enforcement, Crowell & Moring and its consulting affiliate Crowell Global Advisors have provided analysis of the DOJ’s implementation guidance, the DSP’s operational impacts and broader geopolitical concerns, and related FDA restrictions on transferring sensitive data used in gene editing clinical trials.
As clients navigate compliance obligations under the Rule, Crowell & Moring and Crowell Global Advisors offer a breadth of regulatory and legal expertise to support each stage of the process collaboratively. We can provide applicability assessments under the Rule; submit FAQs and facilitate license applications and petitions for formal advisory opinions to the DOJ; design compliance programs, including CISA requirements and program support; and manage investigations and response to civil demands and investigations.
Should you have questions about how we can further support your compliance efforts, please contact one of the attorneys listed below.