
Last year, we wrote about updates from the Department of Justice (DOJ) and the DOJ’s proposed enforcement efforts and regulations implementing Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Data by Countries of Concern” (Rule).
A year later, the DOJ has finalized the Rule and developed guidance on what companies handling (i) bulk U.S. sensitive personal data or (ii) U.S. Government-related data must know, especially when interacting with persons and entities in ”Countries of Concern,” which currently include:
- China (includes Hong Kong and Macau)
- Cuba
- Iran
- North Korea
- Russia
- Venezuela
In April of this year, the DOJ’s National Security Division (NSD) issued its Data Security Program and corresponding Compliance Guide (DSP) and Frequently Asked Questions (FAQs) providing information that all U.S. entities must understand and follow to comply with the Rule. The NSD’s stated primary mission with respect to the implementation and enforcement of the DSP is to protect U.S. national security from Countries of Concern that may seek to collect and weaponize both government data and Americans’ most sensitive personal data.
As we have written previously, the DSP will require U.S. organizations to look deeply into their data collection and data sharing practices to determine whether they are (i) providing covered data to a Country of Concern and (ii) subject to the DSP’s requirements.
All U.S. organizations handling government-related data and bulk U.S. sensitive personal data must make good-faith efforts to comply with the DSP by July 8, 2025. Continue Reading One Month to Go: What You Need to Know about the U.S. Department of Justice’s Data Security Program