The DOJ’s Data Security Program: A New Era of Cross-Border Data Transfer Compliance
Addressing a Shift in U.S. Data Privacy Regulation
December 17, 2025
The U.S. federal data privacy landscape shifted dramatically on April 8, 2025, when new regulations by the U.S. Department of Justice creating the Data Security Program (“Data Security Program”) took effect.[1] The new framework, which is also referred to as the “Bulk Transfer Rule,” has effectively established export controls for sensitive personal data and government-related data.
Framed as a national security imperative, the Data Security Program addresses foreign adversaries “using commercial activities to access and exploit U.S. government-related data and Americans’ sensitive personal data to commit espionage and economic espionage,”[2] thereby transforming data transfers from routine business operations into potentially regulated activities. The rule provides volume thresholds for various types of sensitive data.[3]
In order to determine the applicability of the Bulk Transfer Rule and how to prepare for compliance with its requirements, organizations should frame their understanding of this regulation as an additional layer to their existing data privacy framework. As the substance of the regulation surrounds data privacy requirements, legal, compliance and privacy teams will need to focus on:
- Ensuring sound data governance approaches.
- Creating robust data maps.
- Incorporating bulk data transfer controls into the broader data privacy programs.
- Implementing third-party risk management in the context of bulk data transfer limitations.
Understanding the Regulatory Framework
The Data Security Program took effect in two parts. The main prohibitions and restrictions went into effect April 8, 2025, while affirmative due diligence and compliance program requirements took effect October 6, 2025.[4]
The Bulk Transfer Rule implements Executive Order 14117,[5] and distinguishes among several types of data transactions and foreign entities. Six countries — China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela — are listed as within the scope of the Bulk Transfer Rule. Also within the scope of the regulations are “covered persons,” a broad category that extends restrictions beyond foreign entities to include four “automatic” classes:
- Foreign entities headquartered in, organized under the laws of, or 50% or more owned by listed countries.
- Foreign entities 50% or more owned by other covered persons (creating cascading ownership restrictions).
- Foreign employees or contractors of listed countries or covered person entities.
- Foreign individuals primarily resident in the listed countries.
A fifth category allows the Department of Justice (“DOJ”) to designate additional covered persons through a public process, with names published on a “Covered Persons List” in the Federal Register. This designation authority enables dynamic responses to evolving national security threats. In turn, compliance programs need to be flexible, with mechanisms to monitor ongoing updates, rather than relying on static lists of covered persons.
Central to the Data Security Program framework is the concept of “covered data transactions,” which include any transaction involving access by the listed countries or covered persons to government-related data or bulk U.S. sensitive personal data through data brokerage, vendor agreements, employment agreements or investment agreements.
The program protects six categories of sensitive personal data: covered personal identifiers, precise geolocation data, biometric identifiers, human ’omic data (e.g., genomic, proteomic, epigenomic and transcriptomic), personal health data and personal financial data. Notably, any precise geolocation data collected from within geofenced government locations is automatically treated as government-related data and subject to the Data Security Program’s restrictions, regardless of volume.
The regulatory framework also creates a tiered approach to different transaction types, including:
- Prohibited transactions are banned entirely and include data brokerage with listed countries (“the sale of data, licensing of access to data or similar commercial transactions involving the transfer of data”)[6] and any transactions involving human ’omic data access by listed countries or covered persons.
- Restricted transactions encompass vendor agreements, employment agreements and investment agreements with the listed countries or covered persons. These may proceed only with full compliance with federal security guidelines and comprehensive compliance programs.
- Exempt transactions receive significant regulatory relief and represent the program’s most strategically important provisions for many businesses. Exemptions eliminate both prohibitions and compliance program requirements for qualifying transactions, though some exemptions (particularly those related to regulatory approval processes) retain recordkeeping obligations. Under the regulations, certain corporate group transactions between U.S. entities and their subsidiaries and affiliates in listed countries for administrative or ancillary business operations (e.g., human resources, payroll, professional services, taxes, risk management, travel and employee benefits) can benefit from an exemption.
Financial services transactions regulated under existing banking frameworks and investment agreements (subject to review and action) may also be exempt. Exemptions can also be granted for official business of the U.S. government, provision of telecommunications services and transactions required or authorized by federal law or international agreements or necessary to comply with federal law. Finally, pharmaceutical, biological product and medical device regulatory authorization data necessary for regulatory approval, clinical investigations and post-marketing surveillance data conducted under U.S. Food and Drug Administration oversight and certain research activities conducted pursuant to federal grants, contracts or agreements may also be exempt.
Data Mapping as the Compliance Foundation
Data mapping emerges as the cornerstone requirement under the Data Security Program. The DOJ expects companies to know their data. This is no longer optional preparation but rather is a regulatory mandate that requires companies to understand not just what they collect and from whom, but how it flows through their organization and into external relationships.
Companies need to map covered data within their organization to understand how data is processed within the organization and how such data may be used in sales or other transactions with any listed country or covered person. In other words, data mapping is a fundamental exercise for compliance and strategic business planning.
Essential data mapping components include cataloging all six categories of sensitive personal data across all of a company’s systems, with particular attention to any geofenced government locations that trigger automatic restrictions. Companies must track how data moves through vendor agreements, employment relationships and investment structures to identify potential covered data transactions, determine whether data holdings meet “bulk” thresholds, and map data processing locations against the six listed countries and covered persons.
Data mapping can also help address exemption applicability. Assessing applicability requires careful analysis of both a transaction structure and the business purpose. For example, a data transfer to a subsidiary in a listed country for payroll processing could qualify for a corporate group exemption, while the same transfer for product development purposes might not. Similarly, pharmaceutical companies may benefit from broad regulatory approval exemptions, while technology companies may face full compliance requirements.
Additional Compliance Requirements
Companies engaging in cross-border data transfers must also implement data compliance programs with risk-based procedures for verifying data flows, systematic vendor screening against the Covered Persons List and other sanctions lists, annual independent audits by qualified non-covered persons and senior management certification of program implementation. The compliance architecture established by the Bulk Transfer Rule is notably risk-based, allowing companies to tailor approaches based on their specific exposure to listed countries and covered persons.
The vendor screening requirements under the Bulk Transfer Rule deserve particular attention given the definitions of covered persons. Companies must verify whether their vendors fall into any of the four automatic covered person categories or appear on the supplemental Covered Persons List. This screening must account for complex ownership structures, subsidiary relationships and employee or contractor classifications, while also monitoring ongoing changes to the supplemental list.
Implementation Strategy and Next Steps
Operational impacts of these new requirements will vary significantly based on an organization’s exemption status and business model. Companies without qualifying exemptions face potential vendor relationship or data flow restructuring, enhanced investment screening and substantial compliance costs, particularly in technology and data-intensive sectors. As an initial matter, companies should assess whether their transactions qualify for exemptions, as this determination shapes regulatory obligations.
Additional priority actions include conducting comprehensive data flow assessments, reviewing and potentially restructuring vendor relationships with foreign entities or implementing required contractual protections, and implementing cybersecurity requirements where applicable. Third-party risk management will be critical.
A company’s long-term strategy should integrate Bulk Transfer Rule compliance into its business development and mergers and acquisitions processes, with early exemption analysis becoming standard practice. Companies should develop data governance frameworks that anticipate regulatory expansion beyond current requirements and consider supply chain and vendor restructuring to maximize protection under existing exemptions where appropriate.
The Data Security Program’s tiered regulatory approach to bulk data transfers, from complete prohibition to broad exemption, demands sophisticated compliance strategies that begin with understanding which rules apply to specific business operations. The era of treating cross-border data transfers as routine business operations has ended, and data governance has been solidly recognized by the U.S. government as a strategic imperative. As enforcement ramps up and the regulatory framework matures, companies that invest early in comprehensive compliance programs will improve risk resilience and their competitive advantage.
Footnotes:
[1] “Justice Department Implements Critical National Security Program to Protect Americans’ Sensitive Data from Foreign Adversaries,” U.S. Department of Justice (April 11, 2025).
[2] Ibid.
[3] Ibid.
[4] “Data Security Program: Frequently Asked Questions,” U.S. Department of Justice (Sept. 24, 2025).
[5] Executive Order No. 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” 89 Federal Register 15421 (Feb. 28, 2024).
[6] “Data Security Program: Frequently Asked Questions,” U.S. Department of Justice (Sept. 24, 2025).