XL INSIGHTS+
Legal Alerts and News Updates

DOJ Publishes Guidance, Announces Additional 90 Days for Good Faith Efforts to Comply with Sensitive Data Rule

Updated: May 1

  • On April 11, 2025, the DOJ National Security Division published new guidance regarding the U.S. Sensitive Personal Data and Government-Related Data final rule that took effect on April 8, 2025. 

  • Notably, the DOJ announced a 90-day period during which it will exercise enforcement discretion for individuals and organizations making a “good faith effort” to come into compliance.


On April 11, 2025, the Department of Justice (“DOJ”) released guidance and additional information regarding the implementation of the final rule on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, which took effect on April 8, 2025 (now codified at 28 C.F.R. §§202.101 et seq.).  As we outlined in our earlier article, this regulation restricts or prohibits sharing certain types of bulk sensitive personal data and U.S. government-related data with some individuals or entities that are located in and/or controlled by a country of concern. Countries of concern currently include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. 

 

In the new guidance, the DOJ describes the new regulation as a part of a new “Data Security Program” (“DSP”) within its National Security Division (“NSD”).  The DOJ elaborates, “the DSP establishes what are effectively export controls that prevent foreign adversaries, and those subject to their control and direction, from accessing U.S. Government-related data and bulk U.S. sensitive personal data.”  The new guidance and implementation documents include an Implementation and Enforcement Policy through July 8, 2025, a Compliance Guide, and a set of Frequently Asked Questions.  All three documents emphasize that U.S. individuals and entities should “know their data,” consistent with the national security priority of keeping covered data out of the hands of designated adversaries. 

 

Implementation and Enforcement Policy through July 8, 2025


Notably, the DOJ announced it would exercise its enforcement discretion to give individuals and organizations making a “good faith effort” to come into compliance an additional 90 days to do so. 

 

With this announcement, the DOJ appeared to recognize the scale of the undertaking the new regulation entails for some organizations.  The DOJ noted that measures organizations may need to take “could include revising or creating new internal policies and processes, identifying data flows, changing vendors or suppliers, adjusting employee roles or responsibilities, deploying new security requirements, and revising existing contracts.”  It also provided the following examples of “good faith efforts” to come into compliance:

 

  • Conducting internal reviews of access to sensitive personal data, including whether transactions involving access to such data flows constitute data brokerage;

  • Reviewing internal datasets and datatypes to determine if they are potentially subject to DSP;

  • Renegotiating vendor agreements or negotiating contracts with new vendors;

  • Transferring products and services to new vendors;

  • Conducting due diligence on potential new vendors;

  • Negotiating contractual onward transfer provisions with foreign persons who are the counterparties to data brokerage transactions;

  • Adjusting employee work locations, roles or responsibilities; or

  • Implementing the Cybersecurity and Infrastructure Security Agency (“CISA”) Security Requirements, including the combination of data-level requirements necessary to preclude covered person access to regulated data for restricted transactions.

 

This announcement does not delay the effective date of the regulation; it only indicates an exercise of enforcement discretion for those making a “good faith effort” to comply. 

 

Data Security Program: Compliance Guide

 

The Compliance Guide largely restates information contained in the regulation itself, and the DOJ notes that the Guide does not alter any of the obligations of the regulation.  There are two areas, however, where the Compliance Guide provides information that may be particularly useful to institutions of higher education (“IHEs”) working to come into compliance with the regulation.

 

  • Sample Contract Language for Transactions Involving Data Brokerage with Foreign Persons.  The regulation prohibits U.S. persons from engaging in transactions that involve data brokerage with foreign persons (who are not covered persons) unless the U.S. person (1) imposes contractual restrictions, consistent with the regulation, prohibiting the foreign person from engaging in any onward data brokerage transactions involving access to the covered data by a country of concern or covered person and requiring the foreign person to inform the U.S. person if such access is gained through a data brokerage transaction; and (2) reports any known or suspected violations of that contractual requirement.  The Compliance Guide provides sample contract language to (1) impose these compliance obligations on the foreign person contracting party and (2) require the foreign person to agree to periodically certify to the U.S. person its compliance with the regulation and the contractual language. 

  • Vendor Due Diligence for Restricted Transactions.  The regulation also prohibits U.S. persons from engaging in vendor agreements, employment agreements, or investment agreements with a country of concern or covered person, unless the U.S. person implements the CISA Security Requirements, establishes a Data Compliance Program, and meets certain recordkeeping and reporting requirements.  One aspect of managing such restricted transactions is the obligation to screen current and prospective vendors to ensure that they are not covered persons.  The Compliance Guide clarifies the extent of the due diligence required in screening vendors, noting “U.S. persons engaging in vendor agreements with foreign person entities ordinarily would not be expected, as part of their Data Compliance Program, to conduct due diligence on the employment practices of the foreign person entity to determine whether the foreign person entity’s employees qualify as covered persons.”

 

Data Security Program: Frequently Asked Questions

 

Though the FAQs document largely restates information already contained in the regulation or preamble to the Federal Register publication, it also offers a few minor clarifications. 

 

  • Definition of “covered person.”  Though the regulation defines “foreign person” as “any person that is not a U.S. person,” FAQ 14 reiterates the exclusion of U.S. persons from the four “self-executing categories of covered persons” included under the definition of “covered person”: “(1) foreign entities headquartered in or organized under the laws of a country of concern; (2) foreign entities 50% or more owned by a country of concern or covered person; (3) foreign individuals primarily resident in a country of concern; and (4) foreign individuals who are employees or contractors of a covered person entity or a country-of-concern government.”  Note that, unlike other export control programs, the definition of “U.S. person” under the DOJ Data Security Program includes “any person in the United States.” 

  • Clarification on initial determination of data thresholds.  The regulation provides that the timeframe for meeting the relevant thresholds to qualify as bulk U.S. sensitive personal data is “at any point in the preceding 12 months.”  FAQ 38 clarifies that for the purpose of determining whether a threshold is met, an organization need not include time that elapsed before the regulation’s effective date.  Instead, the determination should include only “covered data transactions initiated, pending, or completed on or after the applicable effective date.” 


Implications for IHEs

 

The DOJ’s announcement that it will exercise its enforcement discretion for 90 days to deprioritize enforcement against those making a good faith effort to come into compliance will likely come as welcome news for many institutions. 

 

Institutions in the early stages of compliance initiatives should move quickly to assess their potential exposure. Our earlier article provides some tips to help get such institutions started.

 

All institutions, including institutions in more advanced stages of their compliance initiatives, should strongly consider:

 

  • Reviewing the clarifications highlighted above to ensure the scope of their review of existing agreements related to countries of concern is calibrated to the regulation’s requirements;

  • Utilizing the Compliance Guide’s suggested contract language in their revisions to existing contracts involving potentially prohibited data brokerage transactions; and

  • Leveraging the guidance to build awareness among internal stakeholders not only of the regulation’s specific compliance obligations, but also of the broader expectation that institutions will “know their data.”




© 2024 XL Law & Consulting P.A.