Overview of the DOJ’s rule and upcoming enforcement
The Department of Justice’s (DOJ) rule, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the Rule), entered its enforcement phase for most provisions on July 8, 2025. This follows a 90-day postponement from the original April 8 enforcement date, which was granted to allow organizations additional time to assess and implement compliance measures.
The Rule is designed to restrict the processing and transfer of certain categories of sensitive personal data – including human ‘omics data, biometric data, precise geolocation data, personal health data, and personal financial data – to designated countries of concern, unless a specific exception applies. The Rule also imposes significant privacy compliance, audit, and record retention requirements on covered entities.
Scope and applicability
Organizations subject to the Rule must carefully evaluate whether their data processing activities involve the covered categories of sensitive data and whether any data transfers or access involve countries of concern or covered entities. The Rule applies broadly to both direct transfers and indirect access by foreign entities, making it essential for organizations to map their data flows and understand all points of exposure.
Enforcement timeline and requirements
- July 8, 2025: Enforcement of most Rule obligations began. Organizations must ensure that they are not engaging in prohibited transfers or processing of covered data with countries of concern, unless an exception applies.
- October 6, 2025: The deadline for compliance with due diligence, audit, and certain reporting requirements under Sections 202.1001, 202.1002, 202.1103, and 202.1104. These provisions require organizations to conduct thorough due diligence on restricted transactions, maintain detailed records, and submit required reports to the DOJ.
Potential penalties
Violations of the Rule can result in significant civil penalties. The DOJ may impose fines of up to the greater of $368,136 or twice the value of each violative transaction. This underscores the importance of timely and comprehensive compliance efforts.
Recommended action steps for organizations
To comply with the Rule, organizations should:
- Assess applicability: Determine whether the Rule applies to your organization by reviewing the types and volumes of data collected, processed, or transferred, and identifying any connections to countries of concern.
- Map data flows: Conduct a thorough review of data flows, including data shared with third parties, vendors, and affiliates. Pay particular attention to cross-border transfers and access by foreign entities.
- Review contracts: Examine contracts with third parties to ensure they include appropriate data protection and compliance provisions, and update them as necessary to address the Rule’s requirements.
- Implement compliance measures: Develop and implement policies, procedures, and technical controls to prevent unauthorized transfers or access to covered data.
- Prepare for audits and reporting: Establish processes for due diligence, recordkeeping, and reporting in anticipation of the October 6, 2025 deadline.
- Train staff: Educate relevant personnel on the Rule’s requirements and the organization’s compliance obligations.
Conclusion
Now that the DOJ’s enforcement of the Rule has begun (July 8, 2025), organizations handling sensitive personal data or large amounts of any personal data should act now to assess their exposure and implement the necessary compliance measures. The significant penalties for non-compliance, combined with the complexity of the Rule’s requirements, make proactive preparation essential. Organizations should prioritize reviewing their data practices, updating contracts, and establishing robust compliance programs to mitigate risk.
Client Alert 2025-181