Think your company's everyday data collection—email addresses, IP addresses, zip codes, birth dates, or cookies—flies under the radar? Think again. A new Department of Justice rule that took effect April 8, 2025, fundamentally changes how U.S. companies handle data when foreign entities are involved.

The new Data Security Program (DSP) restricts or outright prohibits the transfer of U.S. bulk sensitive personal data and government-related information to countries of concern, including China, Hong Kong, and Macau. While positioned as a national security measure, this rule casts a much wider net than many businesses realize.

The enforcement timeline is crucial to understand. The DOJ has signalled it won't prioritize civil enforcement actions for violations occurring between April 8 and July 8, 2025—but this isn't a free pass. Companies that fail to demonstrate good faith compliance efforts during this window remain at risk. Good faith efforts include reviewing and potentially renegotiating existing contracts, conducting thorough internal audits of data flows, and implementing CISA's required security measures.

The bottom line: if your business involves any data transfers to foreign entities, the time to assess your compliance obligations is now, not later - the DOJ requires due diligence.

Full article and acknowledgement to

https://www.bakerdonelson.com/doj-final-rule-casts-wider-net-common-business-data-may-now-trigger-national-security-scrutiny