DOJ emphasizes need to come into full compliance with its new rule by July 8.

By Jennifer Archie, Heather B. Deixler, Clayton Northouse, Michael Rubin, Max Mazzelli, Brianna Gordon, and Kiara Vaughn

On April 11, 2025, the US Department of Justice (DOJ) released guidance regarding its final rule, known as the “Data Security Program” (DSP). The DSP, originally issued on December 27, 2024, and effective on April 8, 2025 (with certain diligence, auditing, and reporting requirements not taking effect until October 6, 2025), restricts data transactions that could grant “covered persons” with connections to “countries of concern,” such as China, access to US sensitive personal data.

The new guidance consists of an implementation and enforcement policy, compliance guide, and extensive FAQs designed to elevate awareness and activate compliance among US persons who are subject to the sweeping and novel data security regulations. The guidance also announces that DOJ will not target any civil enforcement for 90 days — through July 8, 2025 — if companies can show that they are making good-faith efforts to comply with the DSP.

We encourage any US company in an impacted industry or that may have a data nexus with covered persons or countries of concern to review Latham’s more detailed Client Alert, which includes a list of top takeaways and an overview of the DSP’s obligations.

Considerations for Certain Industries

The DSP applies broadly to US persons engaging in covered data transactions, but its practical impact varies significantly based on an organization’s sector, data sensitivity, and corporate structure. As a result, certain industries may be impacted more than others.

Investing

The DSP impacts investments in which a covered person gains a sufficient ownership interest in a US entity to be involved in substantive business and strategy decisions and the US entity possesses bulk sensitive data. Importantly, the DSP assumes the covered person has “access” to the sensitive data by nature of their ownership interest, regardless of intent or technical/contractual measures to prevent access. The DSP includes a passive investment exclusion, but it is narrowly defined to less than 10% ownership and other unique factors.

Technology

Technology companies often operate globally and rely on distributed data infrastructure, including foreign affiliates and third-party vendors. The DSP will likely necessitate changes to vendor vetting, data handling protocols, and access controls, especially for artificial intelligence, cloud, digital advertising, and data analytics services. The DSP covers even anonymized or pseudonymized datasets, meaning existing privacy engineering practices may need to be updated to align with CISA’s heightened security requirements.

Healthcare and Life Sciences

Healthcare and life sciences companies frequently handle sensitive health data, such as genomic and other ‘omic data, and human biospecimens from which such data could be derived. At the right thresholds, these types of data fall squarely within scope of “bulk US sensitive personal data,” and in many cases risk qualifying under Subpart C for Prohibited Transactions. Companies collaborating with foreign CROs or data processors, especially those located in countries of concern, may want to carefully assess their compliance posture and be prepared for potential licensing obligations or mitigation planning under the DSP.

E-Commerce

Many e-commerce platforms collect and process large volumes of user data, including geolocation, browsing habits, and financial information. While the DSP includes an exemption for certain routine e-commerce transactions, companies may want to verify that their specific data flows — particularly cross-border analytics, customer support outsourcing, or cloud hosting — fall within scope of the exemption.

Banking and Finance

The DSP provides a financial services exemption under § 202.208(a)(1), which excludes transactions that are “ordinarily incident to and part of the provision of financial services.” This exemption is designed to ensure that routine financial transactions, which are already subject to comprehensive final regulation, are not unduly burdened by the DSP. However, entities in the financial sector may want to assess whether their services fall within scope of the exemption.

For more detailed information on the DSP, see our Client Alert, which provides initial enforcement considerations, top takeaways, and an Appendix summarizing the DSP.