The Department of Justice (DOJ) has initiated a new data security program (DSP) focused on regulating access to specific categories of bulk sensitive U.S. personal data and government information, especially concerning “countries of concern,” such as China. The program officially commenced on April 8, accompanied by an enforcement policy that provides a 90-day leniency period for civil enforcement ending on July 8. This period is supposed to allow entities to transition towards compliance, although criminal enforcement remains active. The DSP’s policy documentation also offers a compliance guide and addresses frequently asked questions.
The DOJ has provided some clarity on compliance expectations, particularly regarding the use of risk-based compliance programs, even when dealing with non-covered foreign persons. Detailed contractual language templates are also part of the guidelines, although bespoke language may be necessary for specific risks.
However, several key areas remain ambiguous, particularly around audits and recordkeeping. The compliance guide asserts the importance of audits to detect compliance gaps but stops short of mandating them universally. Furthermore, whether internal audit functions can be effectively utilized remains somewhat unclear, although other guidance indicates that they are permissible, albeit with caution.
Recordkeeping presents another gray area. The DSP imposes a broad 10-year requirement on record retention, which could be burdensome for many entities. Despite this, these requirements apply only in limited scenarios and may not be necessary when operating under most exemptions. Given the DOJ’s broad subpoena power, entities are advised to maintain affirmative compliance records as a precautionary measure.
Interestingly, the program discourages formal advisory opinion or license submissions before July 8, except in emergencies, and states that there will be a “presumption of denial” standard for such requests, demanding compelling public interest justifications. The DOJ has opened avenues for informal question submissions but cautions that these may not be confidential and could be used for enforcement actions.
Further complicating compliance efforts, the Financial Crimes Enforcement Network’s whistleblower program will cover the DSP, which both provides opportunities for individuals aware of violations and increases enforcement risks for organizations.
While the DSP guidance clears some uncertainties, numerous gray areas persist, particularly regarding which domestic activities may require compliance measures. Engaging with counsel experienced in similar regulatory scenarios can aid organizations in navigating this complexity, balancing feasibility against DOJ’s compliance expectations. For further details on the DOJ’s data security program and its implications, you can read the complete article on Bloomberg Law.