
The U.S. Department of Justice’s Final Rule on the Data Security Program: A Comprehensive Guide

The Data Security Program, a comprehensive set of regulations aimed at protecting the sensitive personal data of U.S. individuals and sensitive data related to the U.S. government, came into effect on April 8, 2025. The program was announced on January 8, 2025, as part of Executive Order 14117. The new regulations are designed to prevent access to Americans’ bulk sensitive personal data and government-related data by countries of concern, including China, Cuba, Iran, North Korea, Russia, and Venezuela.

Covered Data and Covered Persons

Covered Data is broadly defined as two primary categories of data: U.S. sensitive personal data and U.S. government-related data. The new rules restrict, prohibit, or exempt certain data transactions involving Covered Data that could give countries of concern or Covered Persons access to such data. Examples of Covered Persons include:

• An entity that is 50% or more owned by a Country of Concern

• An entity that is organized or chartered under the laws of a Country of Concern

• An entity that has its primary place of business in a Country of Concern

• An entity that is 50% or more owned by a Covered Person

• A foreign person, as an individual, who is an employee or contractor of a Country of Concern

• A foreign person, as an individual, who is primarily a resident in the territorial jurisdiction of a country of concern

• Any entity or individual that the Attorney General designates as a Covered Person

Covered Data itself includes:

• U.S. sensitive personal data

• U.S. government-related data

The DSP sets forth prohibitions and restrictions on certain data transactions that pose national security risks. The rules are designed to address identified risks to U.S. national security; they are not privacy regulations designed to protect privacy or other individual interests. The DSP applies to U.S. persons and entities engaging in transactions that provide access to Covered Data to Countries of Concern or Covered Persons associated with those countries in specified ways. Countries of Concern currently include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela, but this list is subject to future change.

Telecommunications Services Exemption

The DSP includes a “telecommunications services” exemption. This exemption applies to data transactions that are ordinarily incident to and part of the provision of telecommunications services. Specifically, under Rule Section 202.252, the new DOJ rule defines “telecommunications service” to mean:

• The provision of voice and data communications services regardless of format or mode of delivery

• Communications services delivered over cable, Internet Protocol, wireless, fiber, or other transmission mechanisms

• Arrangements for network interconnection, transport, messaging, routing, or international voice, text, and data roaming

The exemption specifically applies to activities directly related to the technical and operational aspects of delivering telecommunications services. It does not extend to ancillary services like marketing or data analytics.

Examples of exempt and non-exempt transactions:

• Example 1: A U.S. telecommunications service provider collects covered personal identifiers from its U.S. subscribers. The provider shares these identifiers with a local telecommunications service provider in a country of concern for the purpose of international roaming. This data transfer is typically incident to and part of the provision of telecommunications services and is thus exempt.

• Example 2: A U.S. telecommunications service provider collects precise geolocation data on its U.S. subscribers. The provider sells this data in bulk to a covered person for the purpose of targeted advertising. This transaction is not typically incident to the provision of telecommunications services and remains a prohibited transaction.

Challenges and Considerations

The scope of the “telecommunications services” definition in the rule is a challenge for providers without further clarification from the DOJ. This is particularly true for integrated offerings by providers that clearly include telecommunications services but also include integrated components that may be outside the scope of the telecommunications services definition. The DOJ has stated that the definition is limited to the listed telecommunications services and does not include all internet-based services like cloud computing. Recently issued FAQs also reinforce this point, stating that the definition is “limited to communications services and does not include all internet-based services like cloud computing.”

Providers should note that data transactions that are not essential to the core function of telecommunications, such as partnerships involving user data for non-service-related purposes, may fall outside the exemption.

Implications of Limitation to Telecommunications Service Exemption

The limitation of the telecommunications services exemption to only communications services has implications for providers of integrated offerings that include telecommunications services and non-telecommunications services, such as cloud computing or data center services. For example, if a provider offers a bundled service that includes cloud computing and telecommunications services, the cloud computing component would not be exempt under the current definition. Telecommunications providers must closely examine their service offerings and data sharing arrangements with third parties, and identify whether transactions may trigger prohibited or restricted data transactions involving countries of concern or Covered Persons.

Conclusion

In conclusion, the U.S. Department of Justice’s final rule on the Data Security Program represents a significant shift in the way the government protects sensitive data and related information. The program is designed to prevent access to Americans’ bulk sensitive personal data and government-related data by countries of concern. By understanding the definition of telecommunications services, the scope of the exemption, and the implications for integrated offerings, telecommunications providers can ensure that they are complying with the new regulations.

The DOJ’s final rule provides a comprehensive framework for implementing the DSP and provides a clear outline of the risks and challenges associated with non-compliance. By carefully examining their service offerings and data sharing arrangements, telecommunications providers can ensure that they are taking all necessary steps to comply with the Data Security Program regulations. The DOJ has established a 90-day limited enforcement period to facilitate compliance, and the actual enforcement period is expected to begin on July 8, 2025. Providers should carefully review their services and ensure that they comply with the DSP regulations as soon as possible. Failure to comply with the DSP regulations can result in significant civil and criminal penalties, underscoring the importance of thorough understanding and adherence to these rules, where applicable.

The U.S. Department of Justice’s final rule on the Data Security Program represents a significant step forward in the protection of sensitive data and related information. By understanding the implications of this rule and the steps that must be taken to comply, telecommunications providers can ensure that they are protecting the sensitive data of their customers.
