On October 6, 2025, the US Department of Justice's Data Security Program — promulgated under Executive Order 14117 and codified at 28 CFR Part 202 — became fully enforceable, ending the agency's 90-day enforcement forbearance window. The rule restricts US persons from engaging in certain transactions that would give 'countries of concern' — China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela — or 'covered persons' linked to them, access to bulk US sensitive personal data or US government-related data.
The program represents the most significant US intervention into cross-border data flows in a generation. It is also the clearest signal yet that Washington has joined Beijing and Brussels in treating personal data as a national-security asset rather than a commercial input. For an open-internet think tank, that shift demands close scrutiny — not because the underlying threat is imagined, but because the cure risks being disproportionate to the disease.
What the rule actually does
The Data Security Program creates two tiers of restriction. 'Prohibited transactions' — data-brokerage transactions and bulk human '-omic' data transfers to covered persons — are banned outright. 'Restricted transactions' — including vendor, employment, and investment agreements that involve bulk covered data — are permitted only if the US party complies with cybersecurity requirements published by CISA, plus auditing, recordkeeping, and reporting obligations.
The 'bulk' thresholds are deliberately low. According to the Final Rule published in the Federal Register in January 2025, the program's thresholds include human genomic data on more than 100 US persons, biometric identifiers on more than 1,000 US persons, precise geolocation data on more than 1,000 US devices, and personal financial or health data on more than 10,000 US persons — in each case aggregated over the prior 12 months. Government-related data — including data linked to federal personnel, contractors, or sensitive locations — has no minimum threshold: a single record can be covered.
Who feels it first
Three industries are bearing the immediate brunt:
- Data brokers — already under fire from the FTC and state attorneys general — now face categorical prohibitions on any onward sale to covered persons, with significant due-diligence obligations even for transactions with third-country intermediaries.
- Cloud and SaaS providers — particularly those with engineering teams or support centers in China or Russia — must restructure access controls, since employment arrangements granting covered persons access to bulk data are 'restricted transactions.'
- Genomics and biotech firms — including consumer DNA testing companies and clinical-trial operators — face the strictest treatment: bulk human '-omic' data transfers to countries of concern are categorically prohibited.
The DOJ's National Security Division has stood up a dedicated enforcement section and is signaling that compliance — not just intent — will be the metric. Civil penalties under IEEPA can reach the greater of roughly $377,700 or twice the transaction value per violation; willful violations carry criminal exposure of up to 20 years.
Why proportionality matters
There is a legitimate problem here. Bulk US personal data — combined with AI-driven re-identification — can enable foreign-intelligence targeting of federal employees, military personnel, and dissidents. The 2015 OPM breach demonstrated the strategic value of large US personal-data sets to adversaries. EO 14117 closes a real loophole: traditional export controls cover technology, not the data itself.
But the program's scope and extraterritorial reach create three structural concerns that policymakers should address as enforcement matures:
First, the threshold problem. A 100-person genomic threshold or a 1,000-device geolocation threshold will capture routine research collaborations, multinational HR operations, and even academic exchanges — most of which pose no national-security risk. Industry comments filed during the rulemaking — including from the US Chamber of Commerce, BSA | The Software Alliance, and ITI — flagged this concretely, and the final rule made only marginal accommodations.
Second, the extraterritoriality problem. The rule reaches 'covered persons' wherever located, including foreign subsidiaries and entities '50%-or-more owned' by countries of concern. Compliance demands beneficial-ownership diligence that even sophisticated firms struggle to perform consistently — and that smaller companies cannot perform at all.
Third, the fragmentation problem. The US is now operating one cross-border data regime; the EU's GDPR and its Schrems II adequacy logic operate another; China's PIPL and the 2024 'Provisions on Promoting and Regulating Cross-Border Data Flows' operate a third. Each treats data as territorial. The cumulative effect is to make a single global cloud architecture harder to maintain — which advantages incumbents over startups.
What a smarter version looks like
Targeted protection of genuinely sensitive datasets is defensible. Treating ordinary commercial data flows as presumptively suspect is not.
A proportionate revision of the program would: (1) raise the bulk thresholds for non-genomic categories, anchoring them to demonstrable aggregation risk rather than arbitrary counts; (2) create a clear general-license regime for routine HR, IT, and research workflows, modeled on OFAC's general licenses; (3) align definitions with the OECD's 'Trusted Government Access' principles where possible; and (4) sunset or recalibrate restrictions on jurisdictions that adopt enforceable safeguards.
Done well, the Data Security Program can plug a real national-security gap without turning every cross-border SaaS contract into an export-control exercise. Done badly, it will accelerate the splinternet — and the firms that survive will be the ones large enough to staff a compliance team, not the ones offering the best service. Congress and DOJ have time, between FAQ guidance and the first wave of enforcement actions, to choose the better path.