By Sam Castic
On Friday April 11, 2025, the DOJ released a Compliance Guide and more than 100 FAQs on the Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons Rule (the “DOJ Rule”). It also released an Implementation and Enforcement Policy, which indicates it will not prioritize enforcement against companies making good faith efforts to comply until July 8, 2025.
If your company is subject to the DOJ Rule, it should review the Compliance Guide and FAQs, which contain a fair amount of guidance about what DOJ staff is expecting companies to do to comply. Here are ten takeaways from these new resources:
1️⃣ Enforcement is a priority. The new guidance suggests that the DOJ Rule will be an enforcement priority for the “urgent threat” it addresses, including the threats posed to national security when “foreign adversary” countries obtain data on Americans. The Trump Administration is embracing the Rule, including it as a tool that helps advance its America First Investment Policy. Deputy Attorney General Todd Blanche is quoted in the press release announcing the new resources: “If you’re a foreign adversary, why would you go through the trouble of complicated cyber intrusions and theft to get Americans’ data when you can just buy it on the open market or force a company under your jurisdiction to give you access? The Data Security Program [required by the DOJ Rule] makes getting that data a lot harder.” If your organization was hoping that the DOJ Rule’s ties to a Biden executive order would make it a target for repeal or non-enforcement, that now seems unlikely. The FAQs also note that whistleblowers for non-compliant companies may be compensated, so employees, contractors, and partners may be emboldened to report companies that are not fully compliant.
2️⃣ Full compliance expected by July 8. Companies are expected to get into compliance by July 8, 2025. The Implementation and Enforcement Policy notes that at “the end of this 90-day period, individuals and entities should be in full compliance with the [DOJ Rule] and should expect [the DOJ National Security Division] to pursue appropriate enforcement with respect to any violations.” Between now and then, companies will not be targeted for enforcement if they engage in good faith efforts to comply. The Implementation and Enforcement Policy notes a number of good faith efforts for companies to consider. These include:
Reviewing datasets and data types to determine if they are regulated by the DOJ Rule (tip: review this closely—many data types that aren’t typically thought of as sensitive are covered)
Reviewing what stakeholders have access to sensitive personal data
Assessing whether data transactions involve data brokerage under the DOJ Rule
Renegotiating vendor contracts
Moving services to new vendors
Conducting due diligence on new vendors
Amending contracts to address onward transfer provisions with foreign person counterparties to data brokerage transactions (i.e., any non-U.S. incorporated entity)
Changing employee work locations, roles, or responsibilities
Evaluating investments and renegotiating investment agreements from covered persons or countries of concern, and
Implementing the Cybersecurity and Infrastructure Security Agency (“CISA”) Security Requirements for restricted transactions, including to prevent any covered person from accessing in-scope data.
3️⃣ Know your data. Companies are expected to know their data practices, including the types and volumes of data handled, how the data is used, whether the company engages in restricted transactions (with vendors, employees, etc.), the identities of parties they engage in data transactions with, and how data is ultimately used by recipients they disclose data to. Both the Guide and FAQs refer to these as companies’ “know their data” obligations, which require effective data governance practices for sensitive data and government-related data throughout its lifecycle, including with respect to internal access and external disclosures.
4️⃣ Anonymized and aggregated data is included. The guidance emphasizes that sensitive data that has been anonymized and aggregated is still sensitive data. While these techniques are good data privacy and data security tactics, they will not be very helpful in avoiding application of the DOJ Rule. The guidance also emphasizes that some sensitive personal data categories should be interpreted broadly. For example, sensitive “financial data” includes the purchase and payment history companies hold, so any company that has a record of its customers’ purchases or transactions may have sensitive financial data. Sensitive “health data” includes fitness, wellness, and other data held by any company—not just medical or healthcare institutions—mirroring a similar trend under U.S. privacy laws that have taken a broad view of what constitutes health data.
5️⃣ Some website tracking technologies are prohibited. The guidance emphasizes that some cookies, pixels, and software development kits (SDKs) on your company’s website or mobile app may constitute prohibited data brokerage. Most companies with consumer-facing websites and apps use these technologies to enable and measure targeted advertising campaigns. This underscores the need to keep an up-to-date inventory of the tracking technologies a company’s websites and apps currently use. Processes for adding new ones may need to be enhanced to stay in line with these data brokerage requirements, which are an obligation of the companies that choose to use the technologies (not the third parties that provide them).
6️⃣ Companies have to identify covered persons. The guidance emphasizes that U.S. companies are accountable for determining whether the vendors, employees, investors, customers, or partners they work with are “covered persons” under the DOJ Rule. This is challenging when it comes to understanding the direct and indirect ownership of an entity; challenging or not, the guidance makes clear that this is an obligation that every U.S. company has. The DOJ will also maintain a new “Covered Person List” that companies will regularly need to screen against, but use of this list will not excuse companies from their obligation to determine whether entities are covered persons. The FAQs have some guidance on expectations for identifying covered persons, and FAQ #60 contains a number of examples of how to determine if an entity is a “covered person” based on complex ownership structures. The examples suggest the kind of ownership details DOJ staff may expect companies to assess in connection with the Rule:
7️⃣ CISA requirements must prohibit data access. The CISA Security Requirements for restricted transactions must be implemented to prohibit all access to in-scope data by covered persons—including vendors, employees, and contractors. Complying with these CISA Security Requirements doesn’t bring data or systems out of scope from the DOJ Rule. If your company will use “covered person” vendors, contractors, or employees, significant changes to systems and processes may be needed to address these requirements.
8️⃣ Recordkeeping requirements are significant. The recordkeeping requirements for restricted transactions with employees, contractors, vendors, and investors that take effect in October may require significant changes to existing practices. Required records need to be created and maintained in an auditable manner and can be requested by the DOJ at any time. With audits and annual certification requirements about the completeness and accuracy of records, companies that will engage in restricted transactions should be focused now on planning for how the required records will be created and maintained.
9️⃣ Plan for proactive reporting. The guidance also addresses the reporting requirements under the DOJ Rule, including emphasizing the obligations companies have to report to the DOJ when prohibited transactions are rejected (i.e., not engaged in). These reporting requirements will require new processes for most companies, as all U.S. companies will be expected to report on rejected prohibited transactions, even where rejections happen automatically. Consider and plan for how to address reporting obligations in different contexts, such as when a covered person (1) corporate affiliate wants to do research, development, or AI training with in-scope data; (2) targeted advertising partner offers services or a tracking technology for incorporation into a company website or app; or (3) potential customer wants to use a company’s data products or services. Each of (1)-(3) is an example of data brokerage found in the DOJ Rule or this new guidance. Reports must be made within 14 days, and must address the requirements in Section 202.1104 of the Rule.
🔟 Robust compliance programs are expected. An extensive data compliance program is required for companies that engage in any restricted transactions under the DOJ Rule. The Guide emphasizes that support and buy-in from senior leadership is expected for the compliance program. Companies should appoint a senior-level individual to build and maintain the program, and that individual should have the authority, expertise, personnel, and other resources needed to implement it. The program needs to be embedded into the company’s actual operations, and the controls used to do this should be regularly tested. The Guide contains new insights into what officer, executive, or responsible employee certifications for the program should address, including:
Whether there are processes to establish, maintain, review, test, and modify compliance policies and supervisory procedures to comply with the DOJ Rule;
The compliance certification is supported in a report that has been reviewed by the CEO and provided to the Board of Directors Audit Committee;
Whether compliance personnel have met with the CEO to discuss compliance with the DOJ Rule in the prior 12 months; or
Consultations between the CEO and compliance officer, other officers, consultants, lawyers, auditors, and others as appropriate to verify the statements made in the certification.
The Implementation and Enforcement Policy underscores that violations can be prosecuted criminally and civilly, with civil penalties up to $368,136.00 or twice the value of a non-compliant transaction, and up to 20 years in prison and a $1,000,000.00 fine for willful violations.
For background on the DOJ Rule, see our prior post. Also, here are some key questions that can help you to assess whether a particular data transaction is in scope for the DOJ Rule.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.
Sam Castic is a Partner with Hintze Law, chair of the firm’s Retail Group, and co-chair of the Cybersecurity and Breach Response Group and FinTech + Financial Services Group. As a former chief privacy officer, he helps companies build, scale, and right-size privacy programs and strategies.