Privacy & Information Security Law Blog

On April 11, 2025, the U.S. Department of Justice (“DOJ”) issued a compliance guide, FAQs and an Implementation and Enforcement Policy to assist organizations to comply with the DOJ’s final rule implementing Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern). The guidance comes just days after certain of the final rule’s provisions became effective on April 8, 2025.

Compliance Guide

The compliance guide identifies best practices for complying with the final rule and offers guidance on defined terms, prohibited and restricted transactions and requirements for building a compliance program. The guide also provide best practices for complying with the final rule’s audit and recordkeeping requirements, which go into effect on October 6, 2025.

FAQs

The FAQs aim to provide further clarity on the DOJ’s final rule. In particular, the FAQs provide general information about the DOJ final rule and address a number of different issues related to the rule, including prohibited, restricted and exempt transactions, compliance requirements and DOJ advisory opinions under the rule. The FAQs reflect feedback and common issues the DOJ addressed through the rulemaking process. The DOJ will update the FAQs as necessary to address additional questions raised by the public.

Implementation and Enforcement Policy

Under the new Implementation and Enforcement Policy, the DOJ recognizes that companies may need to take steps to determine whether the final rule applies to their activities and to create new or update existing policies and other compliance processes. While certain of the rule’s provisions became effective on April 8, 2025, the DOJ will not prioritize civil enforcement actions against any person for violations of the rule that occur from April 8 through July 8, 2025, provided the person is taking measures to comply with the rule during that time.