DOJ Releases FAQs and Compliance Guidance for Final Rule Restricting Flow of Bulk Sensitive Personal Data to China and other Countries of Concern

Alert
April 14, 2025

Introduction

On April 11, 2025, the Department of Justice (“DOJ”) released additional detail regarding the Final Rule implementing former President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”), which went into effect on April 8, 2025. The release included additional guidance, frequently asked questions, and an enforcement policy for the first 90 days. Much of the material re-articulated language in the Final Rule, but the release did include some notable new information for organizations assessing their compliance, key points of which we summarize below.

Earlier this year, Ropes & Gray published an Alert providing an overview of the Final Rule, material changes from the DOJ’s Notice of Proposed Rulemaking (“NPRM”), and guidance on steps organizations should take to come into compliance. (Ropes & Gray also published Alerts on the NPRM and the Advance Notice of Proposed Rulemaking).

Takeaways

Implementation and Enforcement Policy through July 8, 2025

The DOJ released an enforcement policy for the first 90 days from the effective date of April 8, 2025 (so through July 8, 2025). The enforcement policy states that the DOJ “will target its enforcement efforts during the first 90 days to allow U.S. persons (e.g., individuals and companies) additional time to continue implementing the necessary changes to comply with the [Final Rule] and provide additional opportunities for the public to engage with [the DOJ] on [Final Rule]-related inquiries.”

Importantly, the enforcement policy states that the DOJ “will not prioritize civil enforcement actions against any person for violations of the [Final Rule] that occur from April 8 through July 8, 2025 so long as the person is engaging in good faith efforts to comply with or come into compliance with the [Final Rule] during that time.”

The enforcement policy provides some examples of good faith efforts to comply such as:

  • Conducting internal reviews of access to sensitive personal data, including whether transactions involving access to such data flows constitute data brokerage;
  • Reviewing internal datasets and datatypes to determine if they are potentially subject to [the Final Rule];
  • Renegotiating vendor agreements or negotiating contracts with new vendors;
  • Transferring products and services to new vendors;
  • Conducting due diligence on potential new vendors;
  • Negotiating contractual onward transfer provisions with foreign persons who are the counterparties to data brokerage transactions;
  • Adjusting employee work locations, roles or responsibilities;
  • Evaluating investments from countries of concern or covered persons;
  • Renegotiating investment agreements with countries of concern or covered persons; or
  • Implementing the Cybersecurity and Infrastructure Security Agency (“CISA”) Security Requirements, including the combination of data-level requirements necessary to preclude covered person access to regulated data for restricted transactions.

The enforcement policy does make clear, however, that the DOJ will “pursue penalties and other enforcement actions as appropriate for egregious, willful violations” during this 90-day period.

Compliance Guide

The DOJ released a compliance guide, which “is intended only as general information to assist individuals and entities in complying with legal requirements and to facilitate an understanding of the scope and purposes of the Final Rule.” The compliance guide makes clear that the Final Rule is controlling and that “failing to adhere to this guidance shall not be deemed to violate” the Final Rule.

The compliance guide lists some steps that organizations may be taking to comply with the Final Rule, such as “revising or creating new internal policies and processes, identifying data flows, changing vendors or suppliers, adjusting employee roles or responsibilities, deploying new security requirements, and revising existing contracts.” Organizations should already be assessing whether they need to make these changes, but this language is a useful reminder that these are the types of remediations the DOJ will be looking for when assessing an organization’s compliance.

The compliance guide also discusses the covered persons list, which is those persons, regardless of physical location or nationality, that the DOJ designates and publicly identifies as “covered persons.” As of the publication of this alert, the DOJ has not yet published the covered persons list.

The compliance guide includes an example of the contractual language that the Final Rule requires when a U.S. person engages in a data brokerage transaction with a foreign person who is not a covered person. The U.S. person must include in its contract with that foreign person a provision prohibiting the foreign person from engaging in the onward transfer or resale of government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons. The compliance guide makes clear that this exact wording is not required, but any contractual language used should cover the same subject matter.

Here is the language provided in the compliance guide:

[U.S. person] provides [foreign person] with a non-transferable, revocable license to access the [data subject to the brokerage contract]. [Foreign person] is prohibited from engaging or attempting to engage in, or permitting others to engage or attempt to engage in the following:

(a) selling, licensing of access to, or other similar commercial transactions, [such as reselling, sub-licensing, leasing, or transferring in return for valuable consideration,] the [data subject to the brokerage contract] or any part thereof, to countries of concern or covered persons, as defined in 28 CFR part 202;

Where [foreign person] knows or suspects that a country of concern or covered person has gained access to [data subject to the brokerage contract] through a data brokerage transaction, [foreign person] will immediately inform [U.S. person]. Failure to comply with the above will constitute a breach of [data brokerage contract] and may constitute a violation of 28 CFR part 202.

The compliance guide also suggests that U.S. persons include in their contracts language requiring foreign persons to periodically certify their compliance with this contractual restriction on onward transfer, and obligating the foreign person not to evade or avoid, cause a violation of, or attempt to violate any of the prohibitions set forth in Executive Order 14117 or 28 CFR part 202.

Here is the language provided in the compliance guide:

[Foreign person] confirms that for [the brokerage contract], [foreign person] is in compliance with 28 CFR part 202 and any other prohibitions, restrictions or provisions applicable to the [data subject to the brokerage contract]. [Foreign person] agrees to [periodically] certify to [U.S. person], in writing, [foreign person’s] compliance with 28 CFR part 202. [Foreign person] agrees to not evade or avoid, cause a violation of, or attempt to violate any of the prohibitions set forth in Executive Order 14117 or 28 CFR part 202.

Frequently Asked Questions (“FAQs”)

The FAQs largely provide the information already included in the Final Rule and the Final Rule’s preamble in a more digestible format for public consumption. In a few areas, particularly in discussing the effective date of the Final Rule and the definition of “covered persons,” the FAQs provide some additional clarity beyond what was provided in the Final Rule and its preamble. The Ropes & Gray team has previously published an overview of the Final Rule here.