US Implements Sweeping New Data Security Regulations Amidst Public Scrutiny

Washington D.C. – The U.S. Department of Justice (DOJ) has officially rolled out its comprehensive Data Security Program (DSP), with new regulations taking effect on April 8, 2025. These stringent measures aim to prevent foreign adversaries, including China, Russia, and Iran, from accessing and exploiting bulk U.S. sensitive personal data and government-related information. The initiative, largely a bipartisan effort, seeks to address growing national security concerns stemming from potential espionage, economic espionage, and the development of artificial intelligence capabilities by hostile nations.

The new rules, outlined in 28 C.F.R. §§202.1001-202.1201, broadly prohibit or restrict transactions with "countries of concern" or "covered persons" that involve the transfer of sensitive data. Notably, these restrictions extend to data that is anonymized, pseudonymized, de-identified, or encrypted, marking a significant expansion beyond previous regulations. "Bulk" data thresholds have been defined, covering categories such as human omics, biometric, geolocation, personal health, and financial data.

The DSP stems from President Joe Biden's Executive Order 14117, issued on February 28, 2024, which expanded upon earlier executive orders addressing the security of information and communications technology supply chains and sensitive data. Concurrently, the Cybersecurity and Infrastructure Security Agency (CISA) has issued security requirements for restricted transactions, mandating NIST-based security measures for systems handling sensitive data accessible to covered persons.

Despite the broad scope of these new regulations, public commentary and expert opinion reflect a degree of skepticism regarding their absolute effectiveness. As commentator Jeffrey Westling questioned on social media, "Ok so it’s not a national security risk or it is but they paid off the regulator so it’s fine?" This sentiment highlights concerns that, despite the robust framework, potential loopholes or undue influence could undermine the program's intent. The DOJ has stated that during the initial 90 days post-implementation (until July 8, 2025), penalties will be reserved for "egregious, willful violations," indicating a period of initial leniency that some might view critically.

The new regulations also interact with the Protecting Americans' Data from Foreign Adversaries Act (PADFAA), which went into effect on June 23, 2024, prohibiting data brokers from transferring "personally identifiable sensitive data" to foreign adversary countries or controlled entities. While PADFAA is enforced by the Federal Trade Commission (FTC), the DOJ asserts its DSP is necessary for a more comprehensive approach, suggesting that existing legislation alone does not fully mitigate national security risks. The coming months will reveal how effectively these layered regulations are enforced and whether they truly address the complex challenges of data security in an interconnected world.