Overview
The United States Data Security Program (DSP) represents a significant regulatory undertaking by the US government to control the flow of bulk sensitive data to specific foreign countries, for national security purposes.
In Depth
The DSP came into effect 8 April 2025, operationalised through a Final Rule promulgated by the US Department of Justice (DOJ), which introduced a framework of prohibitions and restrictions on certain data transactions. Specifically, the DSP regulates the transfer of, or provision of access to, bulk US sensitive personal data and US government-related data to “countries of concern.”
US Data Security Program Scope
A key aspect of the Program is its designation of “countries of concern,” which the US government has identified as presenting heightened risks to national security.
The current list names China (including Hong Kong and Macao), Cuba, Iran, North Korea, Russia, and Venezuela. However, the scope of the DSP extends beyond these countries to apply to “covered persons,” a category defined within the DSP to encompass specific individuals and entities sufficiently connected to these countries, such as by a foreign individual residing in a country of concern or a foreign entity organised under the laws of a country of concern.
To ensure the Program’s adaptability to evolving threats, the DSP empowers the US Attorney General to designate, on a case-by-case basis, any individual or entity, regardless of location, as a “covered person.” Such designations will be made public through official announcements in the Federal Register, maintaining a transparent record within the National Security Division’s list of covered persons.
The establishment of the DSP and the implementation of the DOJ Final Rule is rooted in a national emergency declared by Former President Biden in a 2019 Executive Order. The declaration acknowledged the “…unusual and extraordinary threat… to the national security and foreign policy of the United States…” posed by the access of foreign adversaries to “…vast amounts of sensitive information…” pertaining to Americans.
The DOJ has specifically addressed the national security risks associated with “countries of concern” exploiting advanced technologies. Of particular concern is the potential use of technologies like artificial intelligence (AI) to analyse and manipulate bulk sensitive personal data, which the government fears could enable foreign adversaries to engage in activities detrimental to US interests, such as espionage, influence campaigns, and kinetic or cyber operations, or to pursue other strategic advantages.
Sensitive Data Covered by the DSP
Under the DSP, US businesses are prohibited from engaging in “data brokerage,” which is defined to include the sale or licensing of access to certain bulk data. The DSP establishes specific thresholds for determining what constitutes “bulk” sensitive personal data, and these thresholds vary depending on the level of sensitivity the US government associates with each data type. The thresholds for all categories of sensitive data, including health, biometric, financial, and location data, are fairly low, especially for multinational companies with a large corporate presence, and reflect the government’s fears regarding how such data, even at low thresholds, can be leveraged against the United States and its residents.
The types of “sensitive personal data” covered by the DSP are similar to those set forth in regulations issued by the Committee on Foreign Investment in the United States (CFIUS), an inter-agency body responsible for reviewing foreign investments in US businesses for potential national security concerns. The DSP, however, has a broader scope of what constitutes “sensitive personal data” compared with CFIUS, and has much lower thresholds as CFIUS generally focuses on investments in businesses that collect the sensitive personal data of one million or more US persons.
The DSP’s prohibitions and restrictions on data transfers to countries of concern are intentionally broad and industry-agnostic. The DSP provides a limited set of narrow exemptions for certain transactions, including, but not limited to, those typically associated with business operations, or required or authorised by law; investment agreements; and drug, biological product, and medical device authorisations. Because of the wide scope of the DSP and its narrow exemptions, the DSP will have a particularly outsized impact on healthcare and health-related data transactions, financial services and financial-related data transactions, and intercompany and vendor data transactions.
Companies engaging in prohibited data transactions must cease those practices. Companies engaging in similar transactions under vendor, employee, and investment agreements that intend to continue such transfers must implement the system-level and data-level protections outlined by the US Cybersecurity and Infrastructure Security Agency (CISA). Companies seeking to engage in restricted transactions by meeting CISA’s requirements may find that, once these strict security controls are implemented, the resulting data is impractical or unhelpful to the intended data recipient.
Penalties for Violating the DSP
US persons and entities in violation of the DSP may find themselves subject to both civil and criminal penalties, with penalties for wilful violations of up to US $1 million (subject to inflation adjustment) and 20 years in prison. The severity of the penalties is a clear message that the US government is serious about protecting sensitive data, and companies must take proactive and comprehensive measures to ensure compliance.
The Big Picture on Handling Sensitive Data
While the United States is implementing these new restrictions, numerous other countries have already established their own regulations governing cross-border data transfers and the interplay of data protection and national security. For instance, the European Union’s General Data Protection Regulation (GDPR), which came into effect in 2018, includes stringent rules on transferring personal data outside the European Economic Area (EEA), requiring specific safeguards or adequacy decisions for companies intent on transferring European personal data outside the EEA. Similarly, countries like China and Russia have implemented data localisation laws, mandating that certain types of personal data must be stored and processed within their national borders.
These examples highlight a global trend towards greater scrutiny and control over the international movement of personal information. Alongside the DSP, they underscore the delicate balance every government is attempting to strike between fostering international commerce and safeguarding its national security interests.
For US businesses or foreign businesses with a US presence, the DSP signals a more protectionist stance on data, potentially influencing future international data transfer agreements and raising questions about reciprocity from the targeted countries. It necessitates a fundamental reassessment of international data handling practices, impacting everything from vendor relationships and employment agreements to investment strategies, research collaborations, and the location of operations.
The restrictions and the accompanying cybersecurity and compliance obligations will likely lead to increased operational complexities and costs for businesses with ties to these nations.