
Clifford Chance


Talking Tech

DOJ Releases Guidance and FAQs on New Bulk Data Rule and Delays Most Enforcement Through July 8

Data Privacy 1 May 2025

On April 11, 2025, the U.S. Department of Justice (DOJ) issued a statement of implementation and enforcement for companies regarding its Final Rule on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (Bulk Data Rule). The DOJ Statement makes clear that the Trump Administration intends to enforce the Bulk Data Rule introduced under the Biden Administration—one of a number of relatively new U.S. national security tools. That said, recognizing the need for parties to adapt to the new data security requirements, DOJ announced that it will effectively allow a 90-day grace period on enforcement (through July 8, 2025) so long as companies are "engaging in good faith efforts to comply with or come into compliance with the Data Security Program during that time." DOJ also released a Compliance Guide and a set of FAQs regarding the Bulk Data Rule to help entities better understand their obligations and how the rule interacts with other regulatory frameworks such as the Committee on Foreign Investment in the United States (CFIUS) process, export control regulations, and the Information and Communications Technology and Services (ICTS) rules.

While neither the guidance nor the DOJ Statement is binding, both give useful insight into how DOJ is interpreting the rules and how it plans to enforce them.

Background: The Bulk Data Rule

On December 27, 2024, DOJ issued the Bulk Data Rule. The Rule regulates certain data transactions with "countries of concern" and covered persons involving U.S. bulk sensitive personal data or government-related data. The Rule: (1) prohibits certain highly sensitive transactions in their entirety; and (2) restricts certain other categories of transactions unless the U.S. person complies with predefined security requirements developed by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and implements the additional compliance measures contemplated by the Bulk Data Rule.

For a more detailed breakdown of the rule see our previous article: DOJ Final Rule on National-Security Risks Posed by Countries’ of Concern and Covered Persons’ Access to U.S. Sensitive Data

Compliance, Implementation, and Enforcement Updates:

First 90-Day Policy: Enforcement Reprieve; No Licenses or Advisory Opinions

Addressing concerns from companies struggling with compliance, DOJ explained that, as an exercise of its prosecutorial discretion, it would not "prioritize civil enforcement actions" against entities for violations that occur through July 8, 2025, so long as the entity is engaging in "good faith efforts to comply" with the Bulk Data Rule.

The objective of this policy is to provide individuals and entities with sufficient time to assess whether the Bulk Data Rule is relevant to their operations, and to make necessary adjustments to ensure compliance. However, DOJ has made clear that it expects companies to actively work towards compliance (with examples of how to do so described below), stating that it will still pursue penalties for not working in good faith to comply.

The guidance also provides some insight into how DOJ will administer the Bulk Data Rule during this 90-day period. In its statement of policy, DOJ encourages entities and persons to share "informal" inquiries regarding the Bulk Data Rule, while noting that DOJ may not be able to respond to all such inquiries due to resource constraints. More notably, DOJ also discouraged companies from seeking formal advisory opinions or applying for licenses during this 90-day period, explaining that it would not review or adjudicate such requests absent an extreme situation (e.g., an imminent threat to public safety or national security). This puts companies seeking to engage in prohibited transactions in a difficult position, since they will not be able to seek licenses to conduct such transactions lawfully, leaving them the tough choice of ceasing such transactions or accepting the possibility of a DOJ enforcement action.

Best Practices: Good Faith Efforts to Comply

DOJ has cautioned that, for the purposes of the 90-day enforcement policy, "good faith efforts to comply" will vary depending on the unique circumstances and risks of a particular entity. However, the guidance enumerates examples of best practices, including:

  • Conducting internal reviews of access to U.S. sensitive personal data and government-related data;
  • Reviewing internal datasets and data types to determine whether they are subject to the Bulk Data Rule;
  • Renegotiating vendor agreements or negotiating contracts with new vendors to comply with Bulk Data Rule restrictions;
  • Transferring products and services to new vendors to avoid restricted or prohibited transactions;
  • Conducting due diligence on potential new vendors to determine whether engagement would risk violating the Bulk Data Rule;
  • Evaluating investments from countries of concern (which currently includes China, Cuba, Iran, North Korea, Russia, and Venezuela) or covered persons to determine whether they are subject to the Bulk Data Rule;
  • Implementing the CISA Security Requirements with respect to covered data in order to prevent access by covered persons or countries of concern.

Sample Contractual Language

In addition to prohibiting U.S. persons from engaging in data brokerage transactions with countries of concern or covered persons, the Bulk Data Rule also requires data brokerage transactions with non-U.S. persons to include contractual language prohibiting the non-U.S. person from engaging in the onward transfer or resale of government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons.

DOJ guidance provides examples of contractual language (pgs. 5-7), though it makes clear that this language is not a set of "magic words" that must be included in agreements, nor language that would automatically satisfy the requirement. It does, however, give parties a concrete illustration of one way to comply with the requirement.

DOJ guidance also provides additional sample contractual language that it says U.S. persons should consider including in applicable transactions with non-U.S. persons. Such language would (i) require the non-U.S. person to periodically certify its compliance with the restrictions on onward transfer; and (ii) prohibit it from evading, causing, or attempting to violate any of the prohibitions set out in the Bulk Data Rule.

As the guidance acknowledges, this type of contractual language is not strictly required under the Bulk Data Rule. In practice, seeking such language may create challenges with counterparties that might resist the additional obligations imposed. However, the indication is that DOJ views such additional language as prudent—and it could be informative of what DOJ would consider reasonable diligence and compliance steps on third-party data brokerage agreements. 

Screening of Vendors

The guidance says that, in accordance with the Bulk Data Rule requirements, companies should screen their vendors against a forthcoming Covered Persons List to be issued by DOJ. Of course, companies cannot actually complete this screening before the list is published. However, in the meantime, companies should continue screening vendors against other lists, as appropriate and in line with a company's other regulatory obligations—for example:

  • The Specially Designated Nationals and Blocked Persons list (SDN List);
  • The Sectoral Sanctions Identification List (SSI List);
  • Other sanctions-related lists administered by the Department of the Treasury’s Office of Foreign Assets Control;
  • The Entity List administered by the Department of Commerce’s Bureau of Industry and Security;
  • The Federal Communications Commission’s Covered List;
  • NDAA for Fiscal Year 2021 1260H list, as administered by the Department of Defense;
  • Persons subject to Securing the Information and Communications Technology and Services Supply Chain review; and
  • Persons subject to a removal or exclusion order pursuant to the Federal Acquisition Supply Chain Security Act.

DOJ's guidance makes this point explicitly, cautioning that screening against the forthcoming Covered Persons List alone will not be sufficient.

FAQs Insights

The FAQs provide valuable insights into various aspects of the Bulk Data Rule, potentially highlighting where DOJ will emphasize compliance—as well as where it is anticipating confusion. Some noteworthy points discussed include:

  • The Bulk Data Rule regulates transactions involving covered persons or countries of concern, but it does not prohibit all data transactions between the U.S. and non-U.S. entities. Instead, it applies to third-country transactions by imposing conditions to prevent the resale of sensitive data to countries of concern, as well as by prohibiting transactions that evade its rules, including using non-U.S. entities as proxies (see FAQs #11 and #62).
  • U.S. persons are required to take reasonable measures, within a risk-based compliance framework, to determine whether other individuals and entities are covered persons within the scope of the Bulk Data Rule. The FAQs emphasize that DOJ is not expecting unreasonable diligence—for example, FAQ #58 states, "absent evasion, U.S. persons…are generally not expected to conduct “second-level” due diligence on the employment practices of those non-U.S. persons to determine whether their employees qualify as covered persons" (see FAQs #14, #43, #46, and #58).
  • U.S. persons must comply with the Bulk Data Rule by creating, implementing, and updating compliance programs tailored to their specific risk profiles. These programs should resemble those for economic sanctions and export controls and will vary based on factors such as the entity's size, sophistication, products, services, customers, counterparties, and geographic locations. The FAQs advise entities to consult CISA's Security Requirements and the Bulk Data Rule's Compliance Guide for further compliance guidelines (see FAQ #78).
  • Whether DOJ imposes a penalty for an inadvertent violation will depend on the circumstances. The Bulk Data Rule prohibits U.S. persons from knowingly engaging in prohibited data transactions, or in restricted transactions that do not meet CISA's Security Requirements. The term "knowingly" means that the person had actual knowledge of, or reasonably should have known about, the conduct. Unlike some other regulatory regimes, the Bulk Data Rule does not impose strict liability, and DOJ will consider the "totality of the circumstances" surrounding any violation, notably including voluntary self-disclosure, which may earn cooperation credit (see FAQ #107).

Key Takeaways

Here are key takeaways from DOJ's guidance on the Bulk Data Rule that businesses should consider when creating a plan for compliance.

1. Understand the 90-day enforcement policy in the DOJ Statement and make good-faith efforts to comply:

  • DOJ will not prioritize civil enforcement actions for violations of the Bulk Data Rule from April 8 to July 8, 2025, provided that entities are making good-faith efforts to comply.
  • Examples of good-faith efforts include conducting internal reviews, renegotiating vendor agreements, and implementing CISA Security Requirements.
  • Despite this grace period, DOJ may still pursue penalties for egregious or willful violations.

2. Review the example contractual language in the Compliance Guide for data brokerage transactions and incorporate similar language into contracts:

  • The guide provides sample contractual language for data brokerage transactions with non-U.S. persons who are not covered persons, emphasizing the need to prevent data access by countries of concern.
  • U.S. persons must implement a Data Compliance Program, including regular risk assessments and vendor management processes.
  • Training on the Bulk Data Rule and CISA Security Requirements for relevant employees is recommended.

3. During the initial 90-day period DOJ will not review specific license requests:

  • DOJ will not review specific license requests during the initial 90-day period unless there is an emergency or imminent threat to public safety or national security. After that, U.S. persons can seek specific licenses for otherwise prohibited transactions, but DOJ will apply a "presumption of denial" standard, requiring compelling countervailing considerations to overcome this presumption.
  • As a corollary, engage in prohibited transactions at your own risk—it may be prudent to look for alternatives as soon as possible. 

4. Use the FAQs to gain a better understanding of what DOJ considers reasonable diligence expectations for U.S. persons, the need for tailored compliance programs, and the approach to penalties for inadvertent violations:

  • The FAQs reiterate the need for ongoing compliance and the importance of internal controls to identify and report potential violations.
  • The FAQs provide examples that, while not providing a safe harbor, provide guidance as to what DOJ expects companies to be doing. 

Conclusion

The 90-day enforcement reprieve is a welcome relief, particularly as companies had been wrestling with whether and how to comply with the Bulk Data Rule. Indeed, some had wondered whether the Bulk Data Rule would be modified or rescinded by the new administration amidst shifting policies and areas of focus. The guidance provides some clarity and makes clear that DOJ intends to enforce the Bulk Data Rule, especially once the enforcement reprieve ends. Companies should therefore work quickly to take the steps needed to come into compliance with the rule.