The DOJ’s data security program has established export controls on Americans’ sensitive personal data, prohibiting certain transactions with foreign adversaries. Baker Donelson attorneys Alexandra Moylan, Alisa Chestler and Michael Halaiko examine the National Security Division’s compliance guide and FAQs, highlighting how organizations must contractually restrict onward transfers and implement risk-based compliance programs to avoid substantial penalties.
A new DOJ regulatory framework, which became effective in early April, prohibits or restricts certain transactions involving access by foreign adversaries in China, Russia, Iran, North Korea, Cuba and Venezuela to “bulk” US sensitive personal data and US government-related data.
The data security program (DSP) imposes what are effectively export controls that prevent foreign adversaries, and those subject to their control and direction, from accessing Americans’ sensitive personal data (i.e., biometric, human ’omic, health, financial and geolocation data, as well as data linked to current or former US government employees or contractors) through various types of transactions, such as data brokerage, vendor agreements, employment agreements and investment agreements. The DSP also requires US entities engaged in certain transactions with foreign adversaries, known as restricted transactions, to comply with additional security, due diligence, auditing and reporting requirements.
The DOJ’s National Security Division (NSD) has issued a series of guidance documents, including a compliance guide and FAQs, to help covered entities understand what is required of them. Note that the DSP’s requirements apply regardless of whether the bulk sensitive personal data is anonymized, pseudonymized, de-identified or encrypted.
Compliance guide: Highlighting sample contractual language for data licensing
The compliance guide provides general information for compliance with the DSP’s requirements. We are highlighting how the division addresses one of the more broadly applicable legal requirements regarding common transactions, including the sale or licensing of regulated data. There are, however, various other topics addressed in the compliance guide to assist US entities subject to the DSP in understanding the scope and purpose of the rule and their legal obligations.
DSP § 202.302(a)(1) requires certain contractual provisions for data brokerage transactions with foreign persons not covered by the DSP. Data brokerage means the sale of data, licensing of access to data or similar commercial transactions, excluding an employment agreement, investment agreement or vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. The final rule does not define “sell,” but its examples suggest that financial benefit or other valuable consideration must be exchanged for a transaction to be “data brokerage.”
An example of a transaction that falls within the scope of § 202.302(a)(1) is where a US business knowingly enters into an agreement to sell bulk human genomic data to a European business that is not a covered person. Pursuant to the DSP, in this situation, the US business is required to include in that agreement a limitation on the European business’ right to resell or otherwise engage in a covered data transaction involving data brokerage of that data to a country of concern or covered person. Otherwise, the agreement would be a prohibited transaction.
The compliance guide provides the following sample contractual language for § 202.302(a)(1):
[U.S. person] provides [foreign person] with a non-transferable, revocable license to access the [data subject to the brokerage contract]. [Foreign person] is prohibited from engaging or attempting to engage in, or permitting others to engage or attempt to engage in the following: (a) selling, licensing of access to, or other similar commercial transactions, [such as reselling, sub-licensing, leasing, or transferring in return for valuable consideration,] the [data subject to the brokerage contract] or any part thereof, to countries of concern or covered persons, as defined in 28 CFR part 202; Where [foreign person] knows or suspects that a country of concern or covered person has gained access to [data subject to the brokerage contract] through a data brokerage transaction, [foreign person] will immediately inform [U.S. person]. Failure to comply with the above will constitute a breach of [data brokerage contract] and may constitute a violation of 28 CFR part 202.
Additionally, the guide suggests that US businesses consider including contractual certification requirements requiring foreign persons to periodically certify their compliance with the required contractual restriction on onward transfer and to obligate the foreign person not to evade or avoid, cause a violation of or attempt to violate any of the prohibitions set forth in Executive Order 14117 or 28 CFR part 202. The following sample language is provided:
[Foreign person] confirms that for [the brokerage contract], [foreign person] is in compliance with 28 CFR part 202 and any other prohibitions, restrictions[,] or provisions applicable to the [data subject to the brokerage contract]. [Foreign person] agrees to [periodically] certify to [U.S. person], in writing, [foreign person’s] compliance with 28 CFR part 202. [Foreign person] agrees to not evade or avoid, cause a violation of, or attempt to violate any of the prohibitions set forth in Executive Order 14117 or 28 CFR part 202.
The compliance guide emphasizes that US businesses should not rely solely on contractual provisions or their foreign counterparties to comply with the DSP. Specifically, “NSD expects U.S. persons engaged in regulated data brokerage transactions to take reasonable steps to evaluate whether their foreign counterparties are complying with the contractual provision as part of implementing risk-based compliance programs under the proposed rule.” We expect that this will entail not only initial steps toward compliance but also ongoing diligence and potential auditing.
US businesses will need to thoroughly evaluate their data and commercial activities to determine where § 202.302(a)(1)’s contractual language may be required and, even more importantly, to recognize when they are being asked to agree to such language on their own behalf. The required language, along with the development and implementation of risk-based compliance programs, should be tailored to the business and its commercial activities.
Program FAQs
The program FAQs answer 108 questions on various aspects of the DSP, such as the definitions, scope, applicability, exemptions, licenses, advisory opinions and enforcement of the DSP. Most of the information is also contained in the preamble to the final rule, but the FAQ format is more streamlined and therefore simpler to use. NSD may update the FAQs based on additional questions received during the initial 90-day period.
The FAQs cover topics like:
- Basic program information. The FAQs provide an overview of the DSP’s purpose, effective date, enforcement policy and interaction with other regulatory frameworks, such as the Committee on Foreign Investment in the United States (CFIUS), the Department of Commerce’s Office of Information and Communications Technology and Services (ICTS), economic sanctions and export controls.
- Definitions. The FAQs explain the key terms and concepts used in the DSP, such as US person, country of concern, covered person, covered data transaction, government-related data, bulk US sensitive personal data, data brokerage, vendor agreement, employment agreement, investment agreement, access and security requirements.
- Scope and applicability. The FAQs clarify the types of transactions and data subject to the DSP’s prohibitions and restrictions, as well as the types of transactions and data that are outside the scope of the DSP or exempt from its requirements. The FAQs also address some common scenarios and examples of how the DSP may apply to different situations and industries, including research, education, healthcare, financial services, telecommunications and cloud computing.
- Exemptions. The FAQs provide more details on the types of transactions that are exempt from the DSP’s prohibitions and restrictions, such as transactions involving official business of the US government, financial services, corporate group transactions, transactions required or authorized by federal law or international agreements, telecommunications services and certain drug, biological product and medical device authorizations. The FAQs also explain the recordkeeping and reporting requirements that apply to some of these exempt transactions.
- Licensing. The FAQs describe the difference between general and specific licenses and the process and criteria for applying for a specific license. The FAQs also state that NSD applies a presumption of denial standard for all license applications. “To overcome this presumption, a license application will need to affirmatively identify compelling countervailing considerations to support the issuance of a specific license (such as an emergency or imminent threat to public safety or national security).”
- Compliance requirements. The FAQs provide guidance on how US entities can comply with the DSP, including the prohibitions, restrictions, exemptions, licenses and compliance program requirements. The FAQs also address some issues related to the security, due diligence, auditing, recordkeeping and reporting requirements for certain transactions, as well as the role and responsibilities of senior management and compliance personnel.
- Enforcement guidance. The FAQs provide information on the penalties, liability and enforcement actions for violations of the DSP, as well as the factors that NSD may consider in determining whether to pursue enforcement or grant mitigation. Violations of the DSP may result in civil and/or criminal penalties, “which can be substantial,” including civil penalties “not to exceed the greater of $368,136 or an amount that is twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed.” The FAQs also explain how US entities can voluntarily self-disclose or report possible violations of the DSP and how they can cooperate with NSD investigations.