As of July 8, 2025, the Department of Justice’s Final Rule on protecting U.S. sensitive personal and government-related data from foreign adversaries (28 CFR Part 202) is no longer just a regulatory announcement; it is an enforceable reality. With DOJ now in full enforcement mode following a three-month grace period, the Rule is poised to reshape how U.S. companies manage international data flows, structure vendor relationships, and assess cybersecurity practices.
Initially introduced to counter growing national security concerns about foreign access to sensitive U.S. data, the Rule targets six “countries of concern” (China, including Hong Kong and Macau; Russia; Iran; North Korea; Cuba; and Venezuela) by restricting how certain categories of personal data can be accessed, transferred, or shared with people or entities tied to those nations. The regulation does not only target known state actors; it casts a wide net across business functions and industries, capturing common activities such as outsourcing, licensing, research collaboration, employment arrangements, and even marketing practices that depend on third-party data.
At the heart of the regulation is a new legal category: “covered persons.” These are foreign entities organized under the laws of, or majority-owned or controlled by, a country of concern; the employees and contractors of such entities; individuals primarily resident in a country of concern; and anyone the Attorney General specifically designates. The Rule governs transactions that give covered persons or countries of concern access to “bulk U.S. sensitive personal data” or “government-related data.” That data is purposefully defined far more broadly than under most existing U.S. privacy laws to accomplish DOJ’s security objectives. It encompasses not only biometric, human genomic, health, and financial data and precise geolocation data, but also more routine “covered personal identifiers” such as IP addresses, advertising IDs, and combinations of names, ZIP codes, and login credentials. Aggregation of this information above a category-specific threshold (for example, human genomic data on more than 100 U.S. persons, health or financial data on more than 10,000, or covered personal identifiers for more than 100,000, measured over the preceding twelve months) triggers a “bulk” classification and subjects transactions to the Rule’s strictest provisions.
As of July, the DOJ has officially ended its initial period of non-prioritized civil enforcement, which it had offered to organizations demonstrating good-faith efforts to comply. That window closed on July 8, 2025. Companies are now expected to have completed their initial risk assessments, identified cross-border data exposures, and begun implementing internal processes to meet the Rule’s requirements. From this point forward, failure to comply is no longer a matter of mere technical oversight. It is a legal and regulatory liability, with civil penalties of up to the greater of $368,136 or twice the value of the transaction for each violation, and criminal penalties of up to twenty years’ imprisonment and a $1,000,000 fine for willful violations.
The Rule splits covered data transactions into two primary categories: prohibited and restricted. Prohibited transactions include data brokerage (e.g. sales or licenses of access to personal data) with covered persons or countries of concern, as well as any covered transaction that gives them access to bulk human ’omic data or to human biospecimens from which such data could be derived. These are banned outright, and no amount of security controls makes them permissible. U.S. companies may not knowingly engage in these transactions, and the Rule applies even to deals that might seem low-risk or routine, such as licensing a user database to an overseas analytics partner with indirect ownership ties to a restricted country. The DOJ is particularly focused on these types of indirect transactions, where ownership structures or contractual arrangements obscure the ultimate destination of the data. Data brokerage with any other foreign person is permitted only if the contract bars the recipient from onward transfer of the data to a country of concern or covered person, and known or suspected violations of that clause must be reported to DOJ.
Restricted transactions, on the other hand, are permitted only if specified conditions are met. These include vendor agreements, employment agreements, and investment agreements with covered persons, particularly those that grant access to systems handling bulk U.S. sensitive personal data. Since the Rule took effect on April 8, 2025, such transactions have been lawful only if the U.S. party complies with the security requirements issued by CISA, which draw on the NIST Cybersecurity and Privacy Frameworks and CISA’s Cross-Sector Cybersecurity Performance Goals. Those requirements include organizational and system-level controls (maintaining an IT asset inventory, remediating known exploited vulnerabilities on defined timelines, managing access permissions, and retaining logs of access to covered systems) and data-level controls (data minimization, encryption, and other privacy-enhancing techniques that deny covered persons access to the covered data itself). Beginning October 6, 2025, the affirmative compliance obligations also apply: documented due diligence under a written compliance program, annual audits by an independent auditor, recordkeeping, and reporting to DOJ. Records must be retained for at least ten years, and the compliance program must be certified annually by a responsible officer or employee.
Certain activities are exempt under the new Rule. Personal communications, financial services (such as banking and payment processing), routine intercompany data transfers for administrative or ancillary business purposes, transactions required or authorized by federal law or international agreements, and specific categories of regulatory and research data (particularly in the context of FDA approval processes) are carved out from the Rule. However, the exemptions are narrow, and organizations must be cautious in assuming coverage without detailed analysis.
The Rule’s implications reach across a wide spectrum of industries. For advertising and marketing companies that rely on third-party cookies or mobile SDKs, even basic user tracking could constitute a data brokerage transaction if the recipient is based in or ultimately owned or controlled by interests in a covered country. Life sciences companies conducting genetics research or using overseas labs must now account for biospecimen handling and storage in ways that weren’t previously regulated under federal data transfer law. AI developers must evaluate whether their training data includes bulk sensitive personal data, and if their models can reproduce that information, especially before licensing tools abroad.
The Rule also poses significant challenges for multinationals with corporate affiliates, employees, or contractors in China or other covered countries. Internal data sharing, once presumed a low-risk activity within a corporate group, now requires close review. For example, if a U.S.-based autonomous vehicle company shares real-time driving data with its China-based parent for AI development, the DOJ may classify the arrangement as a prohibited data brokerage transaction.
With enforcement now active and new requirements becoming mandatory in October, legal and compliance teams face a critical window. Companies must ensure they’ve mapped their data flows, confirmed whether any foreign parties have access to sensitive or bulk data, and reviewed all relevant contracts for compliance with the Rule’s restrictions and reporting obligations. This includes not only terminating or restructuring high-risk relationships, but also putting in place internal reporting procedures for suspected violations and updating cybersecurity policies to align with federal standards.
In sum, the DOJ’s Rule represents a major shift in how national security concerns are embedded into the legal framework governing data governance. Its scope is expansive, its definitions are broader than many anticipate, and its penalties are serious. As enforcement accelerates through the second half of 2025, organizations that have not yet completed their compliance programs must act immediately. For privacy and legal professionals, the practical consequence is that data streams must now be managed and monitored end-to-end across the data life cycle.
If you need assistance evaluating your organization’s exposure, developing response plans, or preparing for upcoming audit and recordkeeping requirements, now is the time to act. And Campbell Teague’s team is here to help.