US DOJ’s Data Security Program (DSP) Rule: Application Flowchart for Bulk Data Transfers
The US Department of Justice (DOJ) Data Security Program (DSP), commonly known as the bulk data transfer rule, took effect on April 8, 2025. As explained in the flowchart below, this DOJ regulation imposes a new regulatory regime that restricts – and in some cases prohibits – US persons from engaging in certain transactions that would enable certain foreign individuals or entities to access US bulk sensitive data. These restrictions apply when the transaction involves individuals or entities located in certain foreign countries, including China, or other entities outside the US that are controlled by such parties.
To help organizations navigate these new DOJ regulations, Cooley’s bulk data transfer rule flowchart provides a clear, step-by-step guide, outlining the key thresholds, restrictions and compliance considerations used to determine if a transaction may be subject to the DSP.
US DOJ’s DSP Rule on Bulk Transfers of US Sensitive Data – Application Flowchart
Notes:
1 “US person” means “any United States citizen, national, or lawful permanent resident; any individual admitted to the United States as a refugee under 8 U.S.C. 1157 or granted asylum under 8 U.S.C. 1158; any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person in the United States.” § 202.256(a).
2 “Data brokerage” means “the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.” § 202.214(a).
3 “Investment agreement” means “an agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to: (1) Real estate located in the United States; or (2) A U.S. legal entity.” § 202.228(a).
4 “Vendor agreement” means “any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.” § 202.258(a).
5 “Employment agreement” means “any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.” § 202.217(a).
6 “Government-related data” means:
“(1) Any precise geolocation data, regardless of volume, for any location within any area enumerated on the Government- Related Location Data List in § 202.1401 which the Attorney General has determined poses a heightened risk of being exploited by a country of concern to reveal insights about locations controlled by the Federal Government, including insights about facilities, activities, or populations in those locations, to the detriment of national security, because of the nature of those locations or the personnel who work there. Such locations may include:
(i) The worksite or duty station of Federal Government employees or contractors who occupy a national security position as that term is defined in 5 CFR 1400.102(a)(4);
(ii) A military installation as that term is defined in 10 U.S.C. 2801(c)(4); or
(iii) Facilities or locations that otherwise support the Federal Government’s national security, defense, intelligence, law enforcement, or foreign policy missions.
(2) Any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and Intelligence Community.” § 202.222(a).
7 “Covered personal identifiers” means “any listed identifier: (1) In combination with any other listed identifier; or (2) In combination with other data that is disclosed by a transacting party pursuant to the transaction such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data.” § 202.212(a). For a list of listed identifiers, see § 202.234.
8 “Covered person” means:
“(1) A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern or persons described in paragraph (a)(2) of this section; or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
(2) A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in paragraphs (a)(1), (3), (4), or (5) of this section;
(3) A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in paragraphs (a)(1), (2), or (5) of this section;
(4) A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or
(5) Any person, wherever located, determined by the Attorney General:
(i) To be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person;
(ii) To act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or
(iii) To have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.”
§ 202.211(a).
This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as "Cooley"). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction, and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. When advising companies, our attorney-client relationship is with the company, not with any individual. This content may have been generated with the assistance of artificial intelligence (Al) in accordance with our Al Principles, may be considered Attorney Advertising and is subject to our legal notices.