DOJ Issues Guidance on Foreign Data Access Rule, Announces Conditional 90-Day Enforcement Pause for "Good Faith Efforts"
The Department of Justice (DOJ) has issued guidance on its recently effective rule targeting foreign adversaries that "use commercial activities to access, exploit, and weaponize U.S. Government-related data and Americans' bulk sensitive personal data." This past Friday, April 11, 2025, DOJ published three documents addressing its rule, "Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern and Covered Persons" (the Final Rule): an Implementation and Enforcement Policy, a Compliance Guide, and 108 FAQs. The guidance summarizes key provisions of the Final Rule and addresses the Final Rule's requirements for implementing a Data Security Program (DSP).
The Final Rule, which we analyzed in a prior post and webinar, was issued in December 2024. The Final Rule's core prohibitions and restrictions on covered transactions involving sensitive U.S. data went into effect on April 8, 2025. Additional requirements, including those related to due diligence, auditing, and reporting, go into effect on October 6, 2025.
Under the Implementation and Enforcement Policy, DOJ's National Security Division (NSD), which is responsible for issuing and enforcing the Final Rule, will deprioritize certain enforcement efforts during the first 90 days that the Final Rule is in effect. For any violations of the Final Rule occurring between April 8 and July 8, 2025, NSD will deprioritize civil enforcement against persons engaged "in good faith efforts to comply with or come into compliance with the" Final Rule, thus allowing NSD to prioritize its resources on facilitating compliance. The Implementation and Enforcement Policy provisions list various examples of good-faith efforts, including conducting reviews of sensitive data flows and datasets to determine whether they may be subject to the Final Rule, renegotiating vendor agreements or engaging new vendors to comply with the Final Rule, adjusting employee work locations, roles, or responsibilities, and implementing the Security Requirements issued by the Cybersecurity and Infrastructure Security Agency in conjunction with the Final Rule.
During the 90-day targeted enforcement period, NSD will pursue penalties and other enforcement actions for "egregious, willful violations." After July 8, 2025, NSD expects "full compliance" with the Final Rule.
Companies that may engage in prohibited or restricted transactions under the Final Rule should carefully review DOJ's recently issued guidance. We summarize the guidance and provide some key insights below.
Alignment to Trump Administration Priorities
DOJ issued the Final Rule on December 27, 2024, in the waning days of the Biden Administration. Since then, many have questioned whether the Trump Administration would significantly amend the rule, delay its enforcement, or even rescind the rule altogether. The Final Rule implements President Biden's Executive Order 14117 of February 28, 2024, "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern," and the Trump Administration has reversed many Biden-era policies and orders, including many related to international trade and national security. Moreover, amending or rescinding the Final Rule would not require formal notice and comment under the Administrative Procedure Act because the Final Rule was issued under the International Emergency Economic Powers Act (IEEPA). In February, a coalition of companies from numerous industries requested a non-enforcement period until the end of 2026.
In publishing its guidance, DOJ made clear that the Final Rule is in line with the Trump Administration's policies, including its America First Investment Policy, its "Maximum Pressure" strategy for Iran, and President Trump's Executive Order 13873 of May 15, 2019, "Securing the Information and Communications Technology and Services Supply Chain." President Biden expressly cited and built upon EO 13873 in issuing EO 14117. The Final Rule appears to be moving forward in its current form, at least for the foreseeable future.
Key Insights From the Compliance Guide and FAQs
NSD's Compliance Guide and FAQs largely summarize and restate key portions of the Final Rule. Even so, those documents provide some helpful insights. In addition to addressing various issues about the Final Rule's applicability—e.g., the types of data and transactions covered by the Final Rule, the definition of a covered person, etc.—the Compliance Guide and FAQs discuss many of the rule's detailed compliance requirements, including requirements to maintain a "data compliance program" for restricted transactions. Many companies have been highly focused on the threshold question of whether they engage in covered transactions at all and, therefore, have given relatively little attention to how they will meet the Final Rule's compliance requirements for such transactions. Those companies may benefit from reviewing the Compliance Guide and FAQs' discussion of those compliance requirements closely as they begin building out their compliance programs.
Key insights from the Compliance Guide and FAQs include:
- "Know Your Data": The Compliance Guide and responses to multiple FAQs (including numbers 50 and 60) reiterate important language from the Final Rule's preamble that DOJ expects U.S. persons to "know their data." The Compliance Guide states that U.S. persons are expected to know the kind and volume of data they collect or maintain concerning U.S. persons, how they use that data, and whether they engage in covered data transactions with covered persons or countries of concern under the Final Rule. Based on this guidance, U.S. persons cannot argue that they did not "knowingly" engage in covered transactions under the Final Rule because they were unaware of the type or volume of their data involved in a transaction with a covered person or country of concern. At the same time, examples in the Final Rule indicate that cloud service providers are not required to know their customers' data in most circumstances and, thus, do not knowingly engage in covered transactions simply because their customers engage in such transactions using their services.
- No Requirement to Decrypt or Aggregate: The Compliance Guide and the response to FAQ 80 state that U.S. persons do not need to decrypt or aggregate their data to comply with DOJ's "know your data" expectations. For example, if a U.S. person maintains a set of encrypted data, it does not need to decrypt that data and count the number of individual records to determine whether the data is of the type or volume to be considered bulk U.S. sensitive personal data subject to the Final Rule. NSD recommends using other metrics, such as user statistics and "order of magnitude" evaluations to assess whether the encrypted dataset may be covered by the Final Rule.
- "Inferences" Generally Are Not Covered Data: The response to FAQ 33 states that the definition of "personal financial data" (a subcategory of "sensitive personal data") does not include "inferences" derived from that data. For example, while information about hotel purchases may be covered personal financial data, "inferences" from that data (e.g., that the person frequently travels for business) are not included. While this FAQ is specific to personal financial data, the response is broader, stating that the Final Rule restricts only certain categories of transactions involving bulk U.S. sensitive personal data and government-related data, "neither of which include inferences on their own."
- Breadth of Prohibited Data Brokerage: The Compliance Guide emphasizes that prohibited data brokerage transactions under the Final Rule may differ from what one might normally think of as data brokerage. Referencing one of the Final Rule's examples for the definition of "data brokerage," the Compliance Guide states that a U.S. company may be engaged in prohibited data brokerage where it maintains a website or mobile app that contains tracking pixels or other technology that transfers data to covered persons or countries of concern.
- Model Contract Language Prohibiting Onward Transfers of Data: The Compliance Guide provides model contract language that U.S. persons can use to impose the required restrictions on data transfers in brokerage transactions with foreign persons involving bulk U.S. sensitive personal data or government-related data. The Final Rule prohibits a U.S. person from entering into a brokerage transaction with a foreign person—even if that foreign person is not a "covered person"—unless that foreign person is contractually prohibited from engaging in a subsequent data brokerage transaction with a covered person or country of concern. This model language is exemplary, and "[p]arties may wish to tailor their contractual language based on several factors, including the relevant business activity, risk appetite, the contract counterparties, the products and services involved," and covered data type at issue. The Compliance Guide also suggests that U.S. persons include contract language requiring data brokers to certify their compliance with the Final Rule's prohibitions on onward sale and evasion.
- U.S. Persons Responsible for Assessing Counterparties' Compliance With Prohibition on Onward Data Transfers: Notwithstanding the inclusion of appropriate language restricting onward data transfers, parties must still take reasonable steps to evaluate whether their foreign counterparties are complying with the contractual provision as part of implementing risk-based compliance programs.
- Obligations To Identify Covered Persons: The Compliance Guide makes clear that U.S. persons are expected to screen their counterparties to determine whether those counterparties are covered persons. This means that U.S. persons must perform diligence on their vendors and others to determine where the counterparty is headquartered and whether it is 50 percent or more owned by a covered person or country of concern. U.S. persons also are expected to periodically check DOJ's Covered Persons List as it is updated to determine whether a potential counterparty has been designated by DOJ as a covered person.
- No Obligation To Identify Counterparties' Employees: At the same time, the Compliance Guide and the response to FAQ 58 state that U.S. persons are not expected to perform diligence on their counterparties' employees. If a U.S. person enters into a vendor agreement with a non-covered person, the U.S. person is generally not expected to determine whether that vendor employs covered persons (absent evasion, see FAQ 58).
- No Obligation To Identify "Control" of Entities but Caution Advised: U.S. persons do not need to assess whether an entity is "controlled" by a covered person or country of concern (separate from the question of ownership). Under the Final Rule, "control" is distinct from ownership and is akin to an ability to influence the entity's activities. While DOJ may designate an entity as a covered person because it is controlled (even if not owned) by a covered person or country, the Compliance Guide and response to FAQ 59 make clear that control is not a relevant factor that U.S. persons must consider when assessing whether a counterparty is a covered person. Even so, the response to FAQ 59 warns that U.S. persons "should exercise caution" when considering a transaction with an entity that, although not itself a covered person, is minority owned by covered persons or is otherwise controlled by covered persons. The response notes that ownership interests may fluctuate (such that the entity becomes a covered person), the entity could be designated by the NSD as a covered person, or the transaction could be viewed as unlawful evasion of the Final Rule.
- Data Compliance Program for Restricted Transactions: The Final Rule requires U.S. persons to adopt a Data Compliance Program that focuses on risk-based procedures to verify data flows in restricted transactions. The Compliance Guide emphasizes the need for auditable verification and logging of covered data types and volumes, transaction party identities, and data transfer methods. The Compliance Guide states that U.S. persons should conduct periodic ("ideally, at least annual") risk assessments to evaluate potential issues based on business activity and risk appetite. The Guide advises using risk assessment results to refine policies, procedures, training, and internal controls. A robust assessment should identify risk areas such as transactions with covered persons or countries of concern, examining security measures, vendors, investors, employees, products, services, licenses, exemptions, and geographic locations. A company's Data Compliance Program also must include internal controls, with written policies to identify, escalate, and report activities and to minimize assessed risks, and procedures for integrating newly acquired entities into the compliance program. The Compliance Guide further addresses audit requirements for restricted transactions, including requirements that the auditor be sufficiently qualified and independent.
- Senior Management Engagement: The Compliance Guide states that the involvement of senior management is vital in promoting accountability and ensuring compliance with the DSP requirements. U.S. companies should appoint a compliance leader with authority and expertise, supported by adequate resources, to integrate DSP controls into daily operations and train employees. The Final Rule requires that a company employee responsible for compliance with the Final Rule sign annual compliance certifications.
Other Notable FAQs
Other FAQ responses of note include:
- Personal Health Data: Personal health data, as defined in the Final Rule, is "sensitive personal data" subject to the Final Rule and includes any data meeting the definition, regardless of who collects or holds it, or the transaction type. The definition includes, for example, exercise logs from fitness apps. Data does not need to have been collected or held by or belong to a health care provider or medical institution to constitute personal health data under the Final Rule.
- U.S. Branch of Covered Person: Branches of companies are considered extensions of their parent companies and are not independent entities. Consequently, a U.S. branch of a foreign covered person is not organized solely under U.S. laws and would not meet the definition of a U.S. person.
- Covered Person Status and U.S. Presence: An individual covered person (other than those designated as covered persons by DOJ) who is physically present in the United States is considered a U.S. person and, therefore, is not a covered person while in the United States. Upon leaving the U.S., that person again becomes a covered person. The NSD warns that structuring transactions to bypass the Final Rule prohibitions, such as by instructing a covered person to enter the U.S. for the purpose of receiving sensitive data, may be seen as evasion and violate the Final Rule.
- Compliance With CISA Security Requirements: Implementing the CISA security requirements is crucial to prevent covered individuals, whether employees or vendors, from accessing government-related data or bulk U.S. sensitive personal data. This includes data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology by covered persons and countries of concern. Even after implementing CISA's security measures to reduce the risk of unauthorized access to relevant data, U.S. persons must still adhere to the Final Rule's additional requirements for restricted transactions.
The Compliance Guide and FAQs leave many important questions unanswered. As just one example, while both documents state that U.S. persons are not required to perform diligence on the employees of their transactional parties (i.e., they do not need to determine whether a vendor or other counterparty that is not a covered person employs covered persons), neither provides any guidance on what U.S. persons are expected to do if they inadvertently learn in the course of a vendor or other relationship that the counterparty has covered person employees. The NSD encourages companies to submit informal inquiries to nsd.firs.datasecurity@usdoj.gov about the DSP requirements or the NSD guidance during the 90-day prioritized enforcement period. At the same time, the NSD says it will not process formal requests for licenses or opinions during the 90-day implementation period unless there is an emergency.
DWT's Privacy & Security and International Trade, Investment & National Security practices will continue to monitor developments related to the Final Rule, including during the current 90-day prioritized enforcement period. The NSD states that it will continue to issue further FAQs and may issue updated guidance in the future.