DOJ Data Security Program Key Developments: A 90-Day "Good Faith" Extension, Compliance Guide, and Extensive FAQs

On April 11, the Department of Justice's National Security Division (NSD) published new guidance on recent measures to restrict the ability of adversarial foreign governments and other foreign entities of concern to access personal data about Americans. The DOJ's documents include a Compliance Guide, Frequently Asked Questions (FAQs), and Implementation and Enforcement Policy (including a 90-day delay in enforcement for entities engaging in good faith compliance) that help explain how the Data Security Program (DSP) implements the "Bulk Data Rule."

The Bulk Data Rule adds to, but does not supplant, other legal requirements for foreign data transfers such as the requirements of the Protecting Americans' Data from Foreign Adversaries Act (PADFAA), which is enforced by the Federal Trade Commission (FTC). The Bulk Data Rule prohibits or restricts transactions that would result in the transfer of specified data types related to U.S. persons to any of six "countries of concern," and entities and employees controlled by or domiciled or established in those countries.

The rule took effect on April 8, with certain requirements coming into effect on October 6. For more information on the Bulk Data Rule, please refer to our past alerts on the proposed rule, the Final Rule, and key considerations for compliance programs.

"Good Faith" Data Security Program Compliance Extension Through July 8, 2025

The DOJ's enforcement policy states that NSD will adopt a 90-day grace period (through July 8) during which it will not prioritize civil enforcement actions, provided entities show good-faith efforts to comply with the rule's provisions. NSD notes, however, its ongoing authority to prosecute willful violations of the rule's requirements during this grace period. During this period, NSD encourages companies to assess and adapt their policies, contracts, vendors, data practices, and cybersecurity protocols to come into compliance with the rule. After July 8, NSD expects companies to comply fully with the DSP.

DOJ Instructs Companies to "Know Their Data" and Details Other Obligations

Collectively, these new publications provide important guidance on applicable definitions and requirements, offer model contractual language, address the prospect of general and specific licenses to authorize otherwise restricted transactions, and respond to common questions about the applicable rules. They also highlight DOJ's prioritization of and commitment to enforcing this rule.

Among other topics, NSD's new materials provide best practices for how companies can "know their data" to identify covered data and transactions. The Compliance Guide states that companies should understand:

  • The types and volume of data they collect or maintain about U.S. persons or U.S. devices
  • Their use of such data
  • How they market such data
  • Whether they engage in covered data transactions under the rule

The Compliance Guide discusses key definitions under the Bulk Data Rule and how to identify prohibited transactions. Additionally, the guide discusses restricted transactions, detailing specific data security, compliance, and audit requirements for those restricted transactions. It summarizes contracting requirements for data brokerage transactions with foreign persons and provides model contract language for use in data brokerage with those non-covered foreign persons. The guide also addresses:

  • Recordkeeping and reporting requirements
  • Exempt transactions
  • Specific and general licenses
  • The process for obtaining advisory opinions

The NSD's FAQs contain 108 questions and answers regarding the DSP that collectively give companies more information on how to comply and offer insight into specific factual scenarios.

Companies Should Take Advantage of the Enforcement Delay

As discussed in prior alerts, the DSP requires companies to assess their data flows and engage in a broad assessment of data transfer arrangements to avoid enforcement risk. U.S. companies should take advantage of the enforcement delay to review internal processes, contracts, clients, vendors, and data maps to identify potentially prohibited or restricted transactions.

Companies should also take steps to create a data compliance program for restricted transactions, which the Bulk Data Rule requires no later than October 6. Additionally, all foreign data transfer contracts will need to meet new restrictions. Companies should begin preparing now.

Please reach out to us to learn more about Venable's Data Privacy and Security Group's tools to help with compliance.