DOJ Data Security Program — Restricting Foreign Adversary Access to Americans' Data
The DOJ Data Security Program (DSP) — codified at 28 CFR Part 202 — is the U.S. government's first comprehensive regulatory framework restricting private companies and individuals from selling, licensing, or otherwise providing access to bulk sensitive personal data and government-related data to "countries of concern" and their affiliates. Issued by the Department of Justice's National Security Division under Executive Order 14117 (February 28, 2024) and implemented pursuant to the International Emergency Economic Powers Act (IEEPA), the rule addresses the national security threat posed by foreign adversaries — particularly China — acquiring massive datasets about Americans' health, finances, location, and genetics that can be used for espionage, blackmail, influence operations, and AI-powered intelligence analysis. The six designated countries of concern are: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. The program prohibits U.S. persons from selling bulk sensitive data to covered foreign persons and restricts other data-sharing transactions through security requirements and compliance obligations.
Current Rule (2026)
| Parameter | Value |
|---|---|
| Citation | 28 CFR Part 202 |
| Issuing agency | Department of Justice, National Security Division |
| Statutory authority | 50 U.S.C. §§ 1701–1708 (IEEPA); Executive Order 14117 (Feb. 28, 2024) |
| Effective date | April 8, 2025 |
| Compliance deadline (due diligence) | October 6, 2025 |
| Countries of concern | China (incl. Hong Kong/Macau), Russia, Iran, North Korea, Cuba, Venezuela |
| Enforcement | DOJ National Security Division; civil and criminal IEEPA penalties |
| Civil penalty | Up to $368,136 per violation (or twice the transaction value, whichever is greater) |
| Criminal penalty | Up to $1,000,000 and 20 years imprisonment per willful violation |
What This Rule Does
The Data Security Program creates a two-tier system of restrictions on data transactions involving countries of concern or their affiliates:
Prohibited transactions are flatly banned — U.S. persons may not engage in them regardless of security measures. The ban covers: data brokerage (selling, licensing, providing access to, or commercially sharing data) with countries of concern or covered persons; transactions involving bulk human genomic data or human biospecimens; and any transaction structured to evade the rule's prohibitions.
Restricted transactions are permitted only if the U.S. person implements specific security measures required by DOJ. Restricted transactions include vendor agreements, employment agreements, and investment agreements that provide foreign persons from countries of concern with access to bulk sensitive personal data or government-related data. Companies engaged in restricted transactions must implement data compliance programs, conduct annual audits, and comply with reporting requirements.
The rule's bulk thresholds define when a data category becomes subject to the program's requirements — the thresholds set a floor below which transactions are generally not covered. Key thresholds, measured over the preceding 12 months:
- Human genomic data: 100 U.S. persons (or 100 human biospecimens)
- Biometric identifiers: 1,000 U.S. persons
- Precise geolocation data: 1,000 U.S. devices
- Personal health data: 10,000 U.S. persons
- Personal financial data: 10,000 U.S. persons
- Covered personal identifiers (combinations of name, SSN, driver's license, account numbers, etc.): 100,000 U.S. persons
The rule covers data regardless of anonymization, pseudonymization, de-identification, or encryption — data cannot be stripped of its national security risk by removing names if it can be re-linked through other means.
Government-related data is a special category with no bulk threshold — any amount is covered. This includes data tied to locations that DOJ has designated as sensitive government facilities (military bases, intelligence sites, nuclear facilities), plus data linkable to current or former government employees and their families.
Key Provisions
- § 202.101 — Scope: implements Executive Order 14117; applies to "U.S. persons" (U.S. citizens, permanent residents, U.S.-organized entities, and persons physically in the U.S.); the DOJ's National Security Division administers and enforces the program
- § 202.205 — Bulk thresholds: the six data-category thresholds that trigger coverage; thresholds aggregate across all covered transactions involving the same U.S. person and foreign counterparty over 12 months — repeated small transactions can accumulate into covered quantities
- § 202.209 — Countries of concern: the six designated countries; the Attorney General may designate additional countries with concurrence of the Secretary of State and Secretary of Commerce based on conduct "significantly adverse to U.S. national security"
- § 202.210 — Covered data transaction: any transaction involving access by a country of concern or covered person to government-related data or bulk U.S. sensitive personal data, through data brokerage, vendor agreement, employment agreement, or investment agreement
- § 202.211 — Covered persons: foreign entities that are 50%+ owned by countries of concern; entities organized under laws of countries of concern; individuals who are employees or contractors of countries of concern; and any person the DOJ has specifically designated
- § 202.301 — Prohibited data brokerage: flatly prohibits U.S. persons from selling, licensing, trading, or otherwise providing bulk sensitive personal data or government-related data to countries of concern or covered persons through data brokerage transactions
- § 202.303 — Prohibited genomic transactions: separately prohibits transactions involving bulk human genomic data or human biospecimens to covered persons — the lower threshold (100 persons) and the special concern about genetic data for intelligence purposes drive this stricter treatment
- § 202.501–508 — Exempt transactions: personal communications, travel-incident data, published informational materials, official U.S. government business, financial services (banking, insurance, securities), intra-corporate group transactions between affiliates, and transactions mitigated through CFIUS agreements are exempt from the prohibition and restriction requirements
- § 202.1001 — Due diligence compliance program: U.S. persons engaging in restricted transactions must implement a data compliance program by October 6, 2025, covering: identifying covered data and transactions; contractual controls on data use; technical controls (encryption, de-identification); personnel policies; and monitoring
- § 202.1002 — Annual audits: U.S. persons in restricted transactions must undergo annual independent audits of their compliance program; audit results must be retained and available to DOJ on demand
- § 202.1103 — Annual reports: covered U.S. persons must file annual reports with DOJ describing their restricted transactions, compliance program, and any violations identified
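The bulk thresholds, the 12-month aggregation across transactions with the same counterparty, the no-threshold rule for government-related data, and the prohibited/restricted split are the pieces a compliance team has to combine in a screening check. The following is an added illustration of that check; it is not DOJ's code or any vendor's compliance tooling. The category keys, counterparty names, sample transactions, and the 365-day window are constructed assumptions; it treats a count that reaches the threshold as covered (an assumption about the boundary, to be confirmed against the rule text) and it does not model the exempt-transaction categories in § 202.501–508, so every input is assumed to be a non-exempt transaction with a covered person.

```python
"""Bulk-threshold screening modeled on 28 CFR Part 202 (added example, not DOJ code)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as stated for § 202.205 (U.S. persons, or U.S. devices for geolocation),
# measured over the preceding 12 months. Category keys are this example's own names.
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "biometric": 1_000,
    "precise_geolocation": 1_000,
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_identifiers": 100_000,
}

# Data brokerage with a covered person is prohibited outright; vendor, employment and
# investment agreements are restricted (allowed only with the required security program).
PROHIBITED_KINDS = {"data_brokerage"}
RESTRICTED_KINDS = {"vendor", "employment", "investment"}


@dataclass(frozen=True)
class Transaction:
    when: date
    counterparty: str          # the covered person receiving access
    category: str              # a BULK_THRESHOLDS key, or "government_related"
    record_count: int          # distinct U.S. persons/devices in this transfer
    kind: str                  # "data_brokerage", "vendor", "employment", "investment"
    anonymized: bool = False   # deliberately ignored: the rule covers data regardless


def rolling_total(history, counterparty, category, as_of):
    """Records already sent to this counterparty in this category during the
    12 months (approximated here as 365 days, an assumption) ending at as_of."""
    window_start = as_of - timedelta(days=365)
    return sum(
        t.record_count for t in history
        if t.counterparty == counterparty and t.category == category
        and window_start < t.when <= as_of
    )


def classify(history, tx):
    """Return 'prohibited', 'restricted' or 'below_threshold' for tx given prior history."""
    if tx.kind not in PROHIBITED_KINDS | RESTRICTED_KINDS:
        raise ValueError(f"unknown transaction kind: {tx.kind}")
    if tx.category == "government_related":
        covered = True  # no bulk threshold: any amount is covered
    else:
        total = rolling_total(history, tx.counterparty, tx.category, tx.when) + tx.record_count
        covered = total >= BULK_THRESHOLDS[tx.category]  # inclusive boundary is an assumption
    if not covered:
        return "below_threshold"
    # Genomic data is banned for every agreement type; brokerage is banned for every category.
    if tx.kind in PROHIBITED_KINDS or tx.category == "human_genomic":
        return "prohibited"
    return "restricted"


def screen(transactions):
    """Classify transactions in date order, so each one sees the earlier ones as history.
    This is what makes repeated small transfers accumulate into a covered quantity."""
    results = []
    for tx in sorted(transactions, key=lambda t: t.when):
        results.append((tx, classify([r[0] for r in results], tx)))
    return results


if __name__ == "__main__":
    # Constructed sample: two health-data transfers to one counterparty, each under
    # 10,000 on its own, cross the threshold together; a later one falls outside the window.
    sample = [
        Transaction(date(2025, 1, 15), "VENDOR_CN", "personal_health", 6_000, "vendor"),
        Transaction(date(2025, 6, 1), "VENDOR_CN", "personal_health", 5_000, "vendor"),
        Transaction(date(2026, 3, 1), "VENDOR_CN", "personal_health", 4_000, "vendor"),
        Transaction(date(2025, 2, 1), "LAB_CN", "human_genomic", 150, "vendor"),
        Transaction(date(2025, 2, 2), "LAB_CN", "government_related", 1, "vendor"),
    ]
    for tx, verdict in screen(sample):
        print(f"{tx.when} {tx.counterparty:10} {tx.category:18} {tx.record_count:>6}  {verdict}")
```

The rolling window is keyed on counterparty and category rather than on the individual transfer, which is the point of the aggregation language in § 202.205: a screening check that only looks at each contract's own record count will miss the cumulative total. The `anonymized` field is carried on the record but never consulted, mirroring the rule's position that de-identification does not remove coverage.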
How It Affects You
If you're a data broker, analytics company, or technology firm that sells or licenses personal data: The DSP creates a new layer of compliance obligation. You must evaluate whether any buyers, licensees, or data-access customers are: (1) entities organized in or majority-owned by countries of concern; (2) subsidiaries or affiliates of covered entities; or (3) individuals employed by or acting as agents of countries of concern. Any such customer relationship that involves bulk sensitive data triggers the prohibition (for data brokerage) or restriction requirements (for vendor, employment, or investment agreements). Data brokers who sell to aggregators that may resell to covered persons face onward-transfer liability under § 202.302 if they know or have reason to know of the downstream transfer. Begin screening your customer base now — the compliance deadline for due diligence programs was October 6, 2025.
If you're a healthcare, genomics, or clinical research company: Human genomic data has the lowest threshold in the program — just 100 individuals — and is subject to an outright prohibition (not a restriction) when the counterparty is a covered person. Genomics companies, biobanks, clinical trial sponsors, and patient registries must audit any data-sharing arrangements involving foreign entities, particularly Chinese genomics companies or research institutions with ties to the PRC government. Research collaborations with universities in countries of concern that involve patient genetic data require careful evaluation — many academic institutions in China qualify as covered persons under the rule.
If you're a venture capital or private equity firm investing in data-intensive companies: Investment agreements that give covered persons (50%+ Chinese-owned funds, Russian entities, etc.) access to the portfolio company's data are restricted transactions. A Chinese sovereign wealth fund or strategic investor acquiring a stake in a U.S. health tech company that holds health data on 10,000+ Americans triggers the restriction requirements or, if structured as a data-brokerage transaction, may be prohibited. CFIUS review (see CFIUS) may provide an exemption for investments that result in a CFIUS action — but companies should not assume that CFIUS mitigation alone satisfies DSP requirements.
If you're a multinational with subsidiaries in countries of concern: Intra-group data transfers between a U.S. parent and its wholly-owned subsidiary in China are not exempt from the prohibition on data brokerage, but they may qualify for the corporate group exemption (§ 202.506) for restricted transactions if the parent retains control and the data is not further shared with unaffiliated covered persons. The corporate group exemption does not apply to prohibited data brokerage. Companies must map their global data flows and evaluate whether intra-group transfers satisfy the exemption requirements.
If you're a researcher or academic institution: Information that is published or generally available is exempt — academic publications and publicly available datasets don't trigger the rule. Research collaborations that involve transfer of non-public patient data to foreign research partners at institutions in countries of concern require analysis under the vendor-agreement restriction framework.
Statutory Authority
This rule implements:
- 50 U.S.C. §§ 1701–1708 (IEEPA) — delegated authority to the President to regulate transactions with foreign adversaries in response to national emergency; the President delegated this authority to the Attorney General via Executive Order 14117
- Executive Order 14117 (Feb. 28, 2024) — "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern" — the presidential order declaring a national emergency based on the threat from foreign adversary data acquisition
Recent Rulemakings
- 90 FR 1706 (Jan. 2025) — Final rule establishing 28 CFR Part 202; set the effective date of April 8, 2025 and the compliance deadline of October 6, 2025 for restricted-transaction due diligence programs; established the six countries of concern, bulk thresholds, exempt transaction categories, and penalty framework
- 90 FR 16466 (Feb. 2025) — Amendment clarifying specific definitions and the government-related location data list (§ 202.1401 lists the specific geographic coordinates of sensitive U.S. government facilities)
Recent Developments
- Final rule effective April 8, 2025: DOJ's data security program went live after a short wind-down period from the January 2025 Federal Register publication. The October 6, 2025 compliance deadline for full due diligence programs gave affected businesses roughly nine months to build internal compliance procedures for identifying and vetting covered data transactions.
- First major foreign-adversary data regulation: The program represents the U.S. government's first sector-neutral, volume-based restriction on sharing Americans' personal data with foreign adversary-connected entities — distinct from CFIUS (which reviews company acquisitions) and FISA (which governs government surveillance). Data brokers, genomics companies, health technology firms, and AI training data vendors all fall within scope.
- Enforcement focus on data brokers and genomics: DOJ's National Security Division has publicly signaled particular enforcement interest in data brokers selling bulk U.S. personal data to offshore buyers and genomics companies sharing sequencing data with Chinese-affiliated research institutions. DOJ is building enforcement capacity alongside the compliance ramp-up.
- Interaction with CHIPS Act and export controls: The data security program overlaps with a broader government data-localization push that includes CHIPS Act provisions restricting foreign investment in sensitive semiconductor supply chains and expanded export controls on AI chips. Covered businesses operating in multiple regulated sectors need to coordinate across legal teams tracking all three regimes.
- Pending security standards guidance: DOJ has signaled forthcoming guidance on the specific security standards required for restricted transaction compliance programs and industry-specific guidance for healthcare, financial services, and technology sectors. Companies building compliance programs ahead of that guidance must rely on the broad framework in 28 CFR Part 202.
Pending Action
DOJ is expected to issue additional guidance on:
- The specific security standards required for restricted transaction compliance programs
- Industry-specific guidance for healthcare, financial services, and technology sectors
- The DOJ licensing framework for companies that need specific authorization for otherwise-prohibited transactions