DOJ Issues Guidance, FAQs and Implementation Policy on Bulk Transfers of Sensitive U.S. Personal and Government Data
Time 2 Minute Read
Categories: U.S. Federal Law, Information Security, International, Cybersecurity

On April 11, 2025, the U.S. Department of Justice (“DOJ”) issued a compliance guide, FAQs and an Implementation and Enforcement Policy to assist organizations to comply with the DOJ’s final rule implementing Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern). The guidance comes just days after certain of the final rule’s provisions became effective on April 8, 2025.

Compliance Guide

The compliance guide identifies best practices for complying with the final rule and offers guidance on defined terms, prohibited and restricted transactions and requirements for building a compliance program. The guide also provide best practices for complying with the final rule’s audit and recordkeeping requirements, which go into effect on October 6, 2025.

FAQs

The FAQs aim to provide further clarity on the DOJ’s final rule. In particular, the FAQs provide general information about the DOJ final rule and address a number of different issues related to the rule, including prohibited, restricted and exempt transactions, compliance requirements and DOJ advisory opinions under the rule. The FAQs reflect feedback and common issues the DOJ addressed through the rulemaking process. The DOJ will update the FAQs as necessary to address additional questions raised by the public.

Implementation and Enforcement Policy

Under the new Implementation and Enforcement Policy, the DOJ recognizes that companies may need to take steps to determine whether the final rule applies to their activities and to create new or update existing policies and other compliance processes. While certain of the rule’s provisions became effective on April 8, 2025, the DOJ will not prioritize civil enforcement actions against any person for violations of the rule that occur from April 8 through July 8, 2025, provided the person is taking measures to comply with the rule during that time.

Tags: Cross-Border Data Flow, Data Transfer, Department of Justice, National Security, Personal Data, Personal Information, Trump Administration
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 3 Minute Read
Connecticut AG Clarifies AI Compliance Obligations Under CTDPA

The Connecticut Attorney General recently issued a legal memorandum regarding the application of existing Connecticut laws, such as the Connecticut Data Privacy Act, to the use of artificial intelligence.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Oklahoma Enacts Comprehensive Consumer Privacy Law

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law, enacting the Oklahoma Consumer Data Privacy Act, which will take effect on January 1, 2027.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
UK ICO Publishes Guidance on Recognized Legitimate Interest Basis

On March 23, 2026, the UK Information Commissioner's Office released new guidance clarifying the use of the new recognized legitimate interest lawful basis for processing personal information under UK data protection law.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
CalPrivacy Reaches Settlement with Ford Motor Company Over CCPA Opt-Out Right Violations

On March 5, 2026, the California Privacy Protection Agency announced that the agency had reached a settlement with Ford Motor Company resolving an enforcement action against the company that alleged noncompliance with the California Consumer Privacy Act’s opt-out of sale/sharing rights.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page