As compliance professionals reflect upon the past year, many will look back with frustration on the efforts taken to comply with the Department of Justice’s Data Security Program (the “DSP” or “Rule”). Not because those efforts were in vain, but because the DSP is one of the most complicated, amorphous, far-reaching, yet impactful U.S. government regulations in recent memory. Any organization that collects or has access to U.S. sensitive personal data—regardless of whether that data is anonymized, pseudonymized, de-identified, or encrypted—should be assessing its compliance with the DSP. In other words, nearly every organization in the U.S., and many outside the U.S., fall under the Rule.
Reflection
As an example, let’s consider what should be a simple question under the DSP:
Is a U.S. data subject’s email address “sensitive personal data” that counts towards a bulk data threshold under the Rule?
First, email address is explicitly included within “demographic or contact data,” one of the “listed identifiers” that count under the Rule’s covered personal identifier bulk data threshold. But wait: for the Rule’s bulk sensitive personal data provisions to apply, the listed identifier (i.e., the email address) must be linked with a different category of the eight listed identifiers or with sensitive personal data (e.g., email + IP address, but not email + another piece of demographic data like a name). But even if it is linked with another qualifying identifier like an IP address, if it was acquired through “widely distributed media,” it does not count toward the threshold. But what if the media has a paywall and is not open to the public? Then it probably does count toward the threshold. Then again, if the organization is only using this data for customer support purposes, it likely does not count; but if the organization is sharing this data with a Chinese affiliate for customer support purposes, and those purposes have no nexus with China services, then it does count.
We are being tongue-in-cheek (and the above is not legal advice!), but we want to illustrate why compliance professionals have been pulling their hair out all year trying to wrap their arms around the DSP. And this is just the beginning of the analysis. At the end of that examination of just one data point, the result must be added to a calculation, along with tens of thousands of other data points, to determine whether the organization has exceeded the bulk threshold of 100,000 covered personal identifiers collected or maintained by the organization within the 12-month lookback period (starting on April 8, 2025).
One of our major predictions for 2025 was that the DOJ would publish a DSP enforcement action. Although there is still a little time left, that has not come to pass, which has left organizations wondering how the Trump administration will approach DSP enforcement. Although we don’t have a crystal ball, we can offer insights on ways organizations can comply with the DSP and decrease their enforcement risk in 2026, based on what we have seen from advising clients this year. Below are five under-discussed considerations that compliance professionals may wish to keep in mind when assessing their organization’s DSP compliance.
Compliance Advice
De-identified and anonymous data are not exempt
- The Rule explicitly states that “[t]he term bulk U.S. sensitive personal data means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted…” Many U.S. organizations are shocked by this, having relied on de-identification in accordance with GDPR/HIPAA standards. This underscores that the DSP is not just a privacy regulation; it is a national security regulation. The U.S. DOJ determined that “anonymized data is rarely, if ever, truly anonymous, especially when anonymized data in one dataset can become identifiable when cross-referenced and layered on top of another anonymized dataset,” and that even “[a]nonymized data itself can present a national security risk, as can pattern-of-life data and other insights that harm national security…” Bottom line: Even if your organization has de-identified sensitive personal data, you should still assess whether access to that data complies with the DSP.
Carefully consider who to provide with access to U.S. sensitive personal data—“covered person” is broadly defined
- Another common misconception is that the Rule does not apply to organizations with no relationships to persons in a country of concern (e.g., Chinese customers or service providers). Unfortunately, that is not the case. Any organization with its principal place of business in a country of concern, or organized under the laws of a country of concern, is a covered person (even if affiliated with U.S. organizations). And importantly, the term “covered person” is expansive. It includes any non-U.S. person that is “50% or more owned, directly or indirectly, individually or in the aggregate” by a covered person. This means that a U.S. organization’s European or Indian service provider or customer could be a covered person if it is owned by a Chinese entity. Bottom line: If a covered person entity has the ability to access an organization’s sensitive personal data, the organization should evaluate its compliance with the Rule, but the assessment does not stop there.
- If a U.S. organization engages in a data brokerage transaction involving a non-U.S. person, the U.S. organization must contractually prohibit the non-U.S. person from further sharing any bulk U.S. sensitive personal data received from the U.S. organization with a covered person. Again, the definitions are important here: a data brokerage transaction includes any commercial transaction where the non-U.S. person “did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.” This is not a typical understanding of data brokerage; it is much broader. Bottom line: Any sharing of U.S. sensitive personal data with a non-U.S. person should be evaluated to determine whether the data brokerage transaction rule applies.
- Lastly, there appears to be confusion about whether individuals are covered persons under the Rule. An individual who is located in the U.S., or who is a U.S. national located anywhere in the world, will never be a covered person unless separately designated by the Attorney General. But an employee or contractor of a covered person will be a covered person unless they are located in the U.S. or are a U.S. national. The same is true of an individual who is primarily a resident of a country of concern. Bottom line: Employees of covered person organizations are themselves covered persons unless they are U.S. nationals or primarily located in the U.S.
Foreign organizations still need to consider compliance
- Even if an organization is not a U.S. person (e.g., a German company), it still has obligations under the Rule. As mentioned above, contractual provisions may be imposed on non-covered person foreign organizations, but the thrust of the Rule imposes obligations directly only on U.S. persons. However, the DSP also prohibits U.S. persons from “knowingly direct[ing] any covered data transaction that would be a prohibited transaction…if engaged in by a U.S. person.” In practice, this means that if a U.S. national is an “officer, senior manager, or equivalent senior-level employee” at a foreign organization, and that U.S. national knowingly directs a transaction that would violate the Rule if engaged in by a U.S. person, the U.S. national’s action is covered by the Rule. Bottom line: It is critical for foreign organizations—and senior-level employees at foreign organizations—to understand their DSP obligations.
Receiving investment from covered persons can trigger the DSP
- U.S. organizations receiving investment from non-U.S. persons should also be conducting an evaluation under the DSP. If the non-U.S. investor is a covered person and the U.S. organization maintains or has access to bulk U.S. sensitive personal data, that investment will often be considered a covered transaction. Regardless of whether the investor actually has the ability to access bulk U.S. sensitive personal data—and even if the investment agreement contractually forbids the investor from accessing it—that investor will be deemed to have access to any bulk U.S. sensitive personal data maintained by the U.S. organization receiving the investment. There is an exception for passive investments, but to qualify, the investor must have less than a 10 percent ownership stake and no board seats or board observer seats. And the obligation is ongoing: if, at the time of the investment, the U.S. organization does not maintain bulk U.S. sensitive personal data but acquires such data after the investment, the investment becomes a covered transaction under the Rule. Lastly, the obligation to identify this issue falls on the U.S. organization receiving the investment, because the U.S. entity will be responsible for violating the Rule if it is party to an investment agreement that violates the Rule. Bottom line: Investments from covered persons can create ongoing compliance obligations.
Corporate group and financial services exemptions are not a panacea
- Many U.S. organizations rely on the corporate group and financial services transaction exemptions to the DSP, for good reason. These exemptions, however, are specific to transactions and do not provide entity-level immunity. U.S. organizations need to evaluate each covered transaction separately to determine whether an exemption applies. An example from the preamble to the Rule is instructive here. A commenter asked, in relation to the corporate group transaction exemption, whether the exemption would cover a situation in which “a U.S. company has a foreign affiliate that is a covered person and that provides customer support services to U.S. customers as part of global customer support operations” and receives bulk U.S. sensitive personal data as part of those services. In response, the DOJ wrote that it would not consider the exemption applicable to that situation because “the foreign subsidiary appears to be providing customer support to the U.S. company’s customers in all instances—including instances in which customer support is being provided to U.S. persons located in the United States—and not just in instances that involve a country of concern or a covered person.” The DOJ explained that “[t]his view aligns with the Department’s view on the inapplicability of the financial-services exemption to vendor agreements where the underlying financial services being provided by the vendor do not involve a country of concern or a covered person…” Bottom line: For these exemptions to apply, the specific services provided must have a nexus to a country of concern or covered persons.
Conclusion
Unlike other Biden administration regulations, the DSP does not appear to be going away any time soon. In fact, the Trump administration may take an even more aggressive posture with respect to countries of concern or covered persons obtaining access to U.S. data. For example, in September the National Institutes of Health placed additional restrictions on data transfers to countries of concern and covered persons (which the Ropes & Gray team discussed in an alert). While we have not yet seen a DSP enforcement action, it is likely only a matter of time. Organizations should reflect on their DSP compliance to date, look for ways to refine such compliance in the new year, and keep an eye out for Trump administration developments, enforcement or otherwise.
We will be watching this space closely, so make sure you subscribe to get alerts about the latest posts.