DOJ-Durchsetzung im Rahmen des Datensicherheitsprogramms der Abteilung für nationale Sicherheit

Protecting sensitive data has never been more important. In a globalized world of advanced cyber threats, sophisticated espionage techniques, and external data monetization, increased security is crucial to safeguard sensitive information from theft and misuse. The recent implementation of the Department of Justice’s (DOJ) Data Security Program (DSP) demonstrates how seriously the government considers the threat posed by foreign adversary access to such data. U.S. persons and companies who aggregate the personal data of Americans or collect any information linked to U.S. government personnel now face mandatory restrictions and prohibitions when transferring this data to identified countries and persons of concern. With the leniency period for enforcement of the program officially over as of July 8, 2025^[1], failure to come into immediate compliance creates exposure to stiff civil and criminal penalties.

Hintergrund

The DSP essentially establishes export control restrictions that prevent foreign adversaries, and those subject to those adversaries’ control and direction, from accessing U.S. government-related data and bulk U.S. sensitive personal data.

The DSP was issued under the International Emergency Economic Powers Act (IEEPA) and in accordance with Executive Order 14117, related to Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.^[2] Although the effective date for the program was April 8, 2025, the DOJ’s National Security Division (NSD) announced a delay in enforcement efforts for 90 days to allow additional time for U.S. individuals and companies to implement the necessary changes to comply and engage with NSD on DSP-related issues.

Now that the grace period has ended, individuals and entities are expected to be in full compliance, and the NSD may begin to pursue enforcement of potential violations. The DSP is meant to address the continued efforts of foreign adversaries to use commercial activities to access, exploit, and weaponize covered categories of U.S. government and sensitive personal data. As the program is in line with various Trump Administration priorities, U.S. companies should anticipate aggressive enforcement and ensure they are compliant.^[3]

Covered Countries and Persons

The DSP restricts and prohibits U.S. persons and entities from engaging in certain transactions surrounding U.S. government data and the personal data of Americans with “countries of concern” or “covered persons.”

On April 11, 2025, the NSD issued a compliance guide related to the DSP, which identified each of the following countries as a “country of concern”:

China (including Hong Kong and Macau)
Cuba
Iran
North Korea
Russia
Venezuela

These countries were identified as demonstrating an intent and capability to use government-related data and Americans’ sensitive personal data to threaten U.S. national security through various specified means.^[4]

“Covered persons” are described in the Final Rule as (1) foreign entities headquartered in or organized under the laws of a country of concern or majority owned by one or more countries of concern or other covered persons, (2) foreign entities that are majority owned by a country of concern or another covered person, (3) foreign individuals who are employees or contractors of a country of concern or covered person, (4) foreign individuals who are primarily a resident in a country of concern, and (5) those persons the NSD designates and publicly identifies.^[5] As it pertains to subcategory (5), the NSD will designate and add persons to a published Covered Persons list following a determination that such persons meet certain criteria such as being subject to the ownership and control of a country of concern.^[6]

Covered and Exempt Data Transactions

In determining whether the requirements of the DSP apply to a particular U.S. person or entity, it is essential to understand the type of data at issue and the transactions covered by the program. If a company handles data covered under the program, they will be restricted or even prohibited from transferring such information in certain circumstances.

Covered Transactions: Any transaction that involves access by one of the countries of concern or covered persons to any government-related data or bulk U.S. sensitive personal data is subject to DSP restrictions. To be a “covered transaction,” the transaction must also involve (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement.^[7]

“Government-related Data”: Certain geolocation data related to government activities,^[8] and any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors of the United States Government, such as a U.S. company that advertises the sale of a set of sensitive personal data as belonging to “government employees.”^[9]

“Bulk U.S. Sensitive Personal Data”: A collection or set of sensitive personal data relating to U.S. persons, in any format.^[10] “Sensitive personal data” includes (1) covered personal identifiers, (2) precise geolocation data, (3) biometric identifiers, (4) human genomic data, (5) personal health data, and (6) personal financial data or any combination thereof.^[11]

Under the DSP, there are two general categories of covered transactions: 1) Prohibited Transactions and 2) Restricted Transactions.

Prohibited Transactions: Generally involve data brokerage with a country of concern or covered person and prohibit any U.S. person from engaging in a covered transaction subject to certain exemptions, and transactions that involve access by a country of concern or covered person to certain bulk U.S. sensitive data.^[12]

Restricted Transactions: Generally cover data transactions under vendor agreements, employment agreements, or investment agreements, subject to certain exemptions, that are restricted unless the U.S. person complies with specific security requirements.^[13]

Exempt Transactions: Several transactions are exempt from the otherwise applicable prohibitions and restrictions. Such exemptions include but are not limited to:

Information or informational materials;
Financial services;
Corporate group transactions (ordinarily incident to and part of administrative or ancillary business operations);
Transactions required or authorized by federal law or international agreements;
Investment agreements subject to a CFIUS action;
Telecommunications services;
Drug, biological product, and medical device authorizations; and
Other clinical investigations and post-market surveillance data (ordinarily incident to and part of clinical investigations regulated by the U.S. Food and Drug Administration or the collection and processing of certain clinical care data or post-marketing surveillance data).^[14]

Licenses

The DOJ, through the NSD, may issue either general or specific licenses to engage in a covered data transaction that would otherwise violate the DSP. A general license will authorize a particular type of transaction, subject to prohibitions or restrictions without the need to apply for a specific license.^[15] A specific license is a document issued by the NSD to a particular person or entity, authorizing a particular transaction.^[16]

DOJ Implementation & Enforcement

The DSP is administered and enforced by the Foreign Investment Review Section (FIRS) of the NSD, which is responsible for the DOJ’s non-prosecutorial efforts to address and manage national security risks to cross-border transactions, business, and technology that are posed by threats such as foreign adversaries. The FIRS also may handle requests for advisory opinions submitted by potentially regulated parties regarding the application of the DSP to specific transactions, which is a mechanism embedded within the Final Rule pertaining to the DSP.^[17]

Any civil or criminal prosecutions related to violations of the DSP likely will be handled by the NSD or will be referred to the appropriate U.S. attorney’s office. U.S. companies should expect enforcement under the DSP to largely mirror traditional export control or sanctions violations actions. Both the DSP and U.S. economic sanctions regimes derive their authority from the IEEPA. Civil and criminal liability under the IEEPA can be significant, with civil penalties of up to the greater of $386,136, or twice the value of each violative transaction, and criminal penalties of up to 20 years in prison, a $1,000,000 fine, or both.^[18] As such, U.S. persons or companies whose activities may fall within the ambit of the DSP should engage with counsel early and often to ensure appropriate compliance and reporting requirements are met.

Key Takeaways and Recommendations

U.S. persons and companies that have not already begun planning for full implementation of the DSP should come into compliance immediately. Such impacted companies may include:

Cloud service providers

Virtual service providers

Data processing centers

Medical device manufacturers

Academic institutions

Data analytics firms and consultants

Government contractors in the defense or health care sectors

Like export control compliance measures, these U.S. persons and entities should engage counsel experienced in this area to undertake the following:

Conduct internal reviews and audits to identify potential access to covered data or transactions involving the flow of such data to covered countries or persons.

Implement policies, procedures, and trainings addressing data security and the transfer or access to any U.S. government-related data or bulk U.S. sensitive personal data.

Determine the applicability of any general licenses or the need to apply for specific licenses for any prohibited or restricted transactions.

Implement a compliance program to track transactions, perform regular due diligence, and maintain accurate records.

Engage counsel to draft or revise vendor contracts as necessary, conduct due diligence, and interface with government agencies such as the DOJ when necessary.

Adjust employee work locations, roles, or responsibilities depending on proximity or exposure to countries of concern or covered persons.

Implement the Cybersecurity and Infrastructure Agency (CISA) Security Requirements.

Taking these measures will assist U.S. companies and persons to adequately prepare for enforcement action likely to come.

Affected companies and persons should also take note of October 6, 2025. Starting on that date, entities and individuals must comply with due diligence and audit requirements for restricted transactions, and reporting requirements for restricted transactions and rejected prohibited transactions.

Wenn Sie Fragen zu diesem Thema haben, wenden Sie sich bitte an einen der Autoren oder Ihren Anwalt bei Foley & Lardner. Wenn Sie über zukünftige Aktualisierungen zu „Was jedes multinationale Unternehmen wissen sollte“ über die Geschäftstätigkeit in der heutigen komplexen Welt des internationalen Handels informiert werden möchten, melden Sie sich bitte für unseren Blog zu Zöllen und internationalem Handel an – Klicken Sie hier, um sich zu registrieren.

***

[1] “DATA SECURITY PROGRAM: IMPLEMENTATION AND ENFORCEMENT POLICY THROUGH JULY 8, 2025,” Department of Justice (April 11, 2025), https://www.justice.gov/opa/media/1396346/dl?inline

[2] See 50 U.S.C. § 1705; see also Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (February 28, 2024), https://www.federalregister.gov/documents/2024/03/01/2024-04573/preventing-access-to-americans-bulk-sensitive-personal-data-and-united-states-government-related

[3] The White House, “American First Investment Policy,” (February 21, 2025), https://www.whitehouse.gov/presidential-actions/2025/02/america-first-investment-policy/; The White House, “Fact Sheet: President Donald J. Trump Restores Maximum Pressure on Iran,” (February 4, 2025), https://www.whitehouse.gov/fact-sheets/2025/02/fact-sheet-president-donald-j-trump-restores-maximum-pressure-on-iran/

[4] “DATA SECURITY PROGRAM: COMPLIANCE GUIDE,” Department of Justice (April 11, 2025), https://www.justice.gov/opa/media/1396356/dl

[5] See §§ 202.211(a)(1)-(5)

[6] See § 202.701

[7] See §§ 202.214, 202.258, 202.217, & 202.228

[8] See § 202.222(a)(1)

[9] See § 202.222(b)

[10] See § 202.206

[11] See § 202.249

[12] See §§ 202.301-303

[13] See § 202.401

[14] See §§ 202.501-511

[15] See § 202.801

[16] See § 202.802

[17] See § 202.901

[18] See § 202.1301; see also 50 U.S.C. § 1705

Haftungsausschluss

Dieser Blog wird von Foley & Lardner LLP ("Foley" oder "die Kanzlei") ausschließlich zu Informationszwecken zur Verfügung gestellt. Er soll weder die Rechtsposition der Kanzlei im Namen eines Mandanten wiedergeben, noch soll er eine spezifische Rechtsberatung vermitteln. Die in diesem Artikel geäußerten Meinungen spiegeln nicht notwendigerweise die Ansichten von Foley & Lardner LLP, ihrer Partner oder ihrer Mandanten wider. Handeln Sie daher nicht aufgrund dieser Informationen, ohne sich von einem zugelassenen Anwalt beraten zu lassen. Dieser Blog ist nicht dazu gedacht, ein Anwalts-Mandanten-Verhältnis zu begründen, und der Erhalt dieses Blogs stellt kein solches dar. Die Kommunikation mit Foley über diese Website per E-Mail, Blogpost oder auf andere Weise begründet kein Anwalts-Mandanten-Verhältnis in einer rechtlichen Angelegenheit. Daher wird jegliche Kommunikation oder jegliches Material, das Sie über diesen Blog an Foley übermitteln, sei es per E-Mail, Blogpost oder auf andere Weise, nicht als vertraulich oder urheberrechtlich geschützt behandelt. Die Informationen in diesem Blog werden ohne Gewähr veröffentlicht und es wird nicht garantiert, dass sie vollständig, richtig oder aktuell sind. Foley gibt keinerlei ausdrückliche oder stillschweigende Zusicherungen oder Gewährleistungen in Bezug auf den Betrieb oder den Inhalt der Website. Foley lehnt ausdrücklich alle anderen ausdrücklichen oder stillschweigenden Garantien, Gewährleistungen, Bedingungen und Zusicherungen jeglicher Art ab, unabhängig davon, ob sie sich aus einem Gesetz, einer Rechtsvorschrift, der kommerziellen Nutzung oder anderweitig ergeben, einschließlich der stillschweigenden Gewährleistungen der Marktgängigkeit, der Eignung für einen bestimmten Zweck, des Eigentumsrechts und der Nichtverletzung von Rechten Dritter. In keinem Fall sind Foley oder seine Partner, leitenden Angestellten, Mitarbeiter, Vertreter oder verbundenen Unternehmen direkt oder indirekt unter irgendeiner Rechtstheorie (Vertrag, unerlaubte Handlung, Fahrlässigkeit oder anderweitig) Ihnen oder anderen gegenüber haftbar für Ansprüche, Verluste oder Schäden, direkte, indirekte, besondere, zufällige, strafende oder Folgeschäden, die sich aus der Erstellung, der Nutzung oder dem Vertrauen auf diese Website (einschließlich Informationen und anderer Inhalte) oder Websites Dritter oder den Informationen, Ressourcen oder Materialien, auf die über solche Websites zugegriffen wird, ergeben oder dadurch verursacht werden. In einigen Rechtsordnungen kann der Inhalt dieses Blogs als Anwaltswerbung angesehen werden. Falls zutreffend, beachten Sie bitte, dass frühere Ergebnisse keine Garantie für ein ähnliches Ergebnis sind. Die Fotos dienen nur zur Veranschaulichung und können Modelle enthalten. Die Abbildungen implizieren nicht notwendigerweise einen aktuellen Mandanten-, Partner- oder Mitarbeiterstatus.

Mann in marineblauem Anzug und Krawatte, der vor einem unscharfen Hintergrund einer Anwaltskanzlei steht, in die Kamera schaut und lächelt.

[email protected]

Washington, D.C. 202.295.4110

[email protected]

Tampa 813.225.4161

[email protected]

Milwaukee 414.297.5519

Ein Mann in dunklem Anzug, weißem Hemd und roter Krawatte steht in einem hell erleuchteten Büroflur einer Anwaltskanzlei, schaut in die Kamera und lächelt leicht.

[email protected]

Washington, D.C. 202.295.4103

DOJ-Durchsetzung im Rahmen des Datensicherheitsprogramms der Abteilung für nationale Sicherheit

Hintergrund

Covered Countries and Persons

Covered and Exempt Data Transactions

Licenses

DOJ Implementation & Enforcement

Key Takeaways and Recommendations

Autor(en)

John F. Korba

Joseph W. Swanson

David W. Simon

Christopher Swift

Verwandte Einblicke

Was jedes multinationale Unternehmen wissen sollte über … die Wahrung des Rechts auf IEEPA-Zollrückerstattungen

Was jedes multinationale Unternehmen wissen sollte ... Bewährte Praktiken für eine Zollanmeldung im neuen Zollumfeld

Die Benennung ausländischer terroristischer Organisationen gibt dem DOJ neue zivilrechtliche Einziehungsbefugnisse und Möglichkeiten