DOJ’s Final Rule on Bulk US Sensitive Data Transfers
MWE Logo
|

Key Takeaways | 2025 Enforcement Outlook | Compliance Strategies for the DOJ’s Final Rule on Bulk US Sensitive Data Transfers

Overview

Updated July 10, 2025: The enforcement “grace period” for the DOJ’s final rule on bulk sensitive data transactions ended on July 8, 2025, so entities should be particularly conscious about compliance with the complex rule. For any questions about or help navigating the rule, contact your regular McDermott lawyer or the speakers below.

The US Department of Justice’s (DOJ’s) final rule on bulk US sensitive data transfers aims to prevent or restrict the transfer of bulk US sensitive personal data to countries the US government deems high-risk. The Final Rule is operationalized through the United States Data Security Program (DSP) which took effect April 8, 2025, with civil enforcement penalties for entities operating in good faith stayed until July 8, 2025, and with most audit and record keeping requirements taking effect on October 5, 2025.

In this webinar, members of McDermott’s cross-practice team provided a comprehensive overview of the DOJ’s final rule, its practical implications for businesses, and some tips for achieving compliance.

Key takeaways included:

  • The final rule clarifies key terms such as “bulk US sensitive personal data,” “countries of concern,” and “covered persons,” providing clarity on the scope of regulated data
  • Certain data transfers, including data brokerage of bulk sensitive data to countries of concern, are prohibited, while others are allowed under specific conditions and security requirements
  • Restricted data transfers require compliance with specific security measures to prevent unauthorized access to covered data
  • Companies must comply with reporting requirements and record-keeping mandates, including maintaining detailed records and conducting annual risk assessments and audits
  • Specific exemptions and exclusions apply, including personal communications, financial services information, and certain research activities, which are not subject to the final rule’s prohibitions
  • To ensure compliance, companies should include essential contractual clauses in their agreements and conduct due diligence to assess their risk profile and mitigate potential risks

McDermott’s Enforcement Outlook webinar series is designed to keep you up to date on the enforcement trends that might impact your organization’s compliance strategy. For more materials related to past episodes, visit our Enforcement Outlook Series hub.

Webinar Materials

Webinar Slides

Stay Connected

Subscribe Follow Us on LinkedIn Get in Touch

Dig Deeper

Los Angeles, CA / Speaking Engagements / June 25, 2025

A Conversation With the Los Angeles District Attorney: What’s Next for White-Collar Enforcement?

Webinar / McDermott Webinar / June 18, 2025

2025 Enforcement Outlook | The DOJ's Strategic Shifts in White-Collar Crime Enforcement

Chicago / Speaking Engagements / June 11, 2025

PLI's Internal Investigations 2025

Webinar / Speaking Engagements / May 28, 2025

Outlook for Tariffs & Healthcare Impact

Washington, DC / Speaking Engagements / May 12-14, 2025

SIFMA AML 25: Surveying the Sanctions Landscape

Webinar / McDermott Webinar / May 14, 2025

Key Takeaways | Navigating Cookie Compliance in 2025: Insights and Strategies

Get In Touch