On 6 October 2025, the Department of Justice rule on access to Americans’ bulk sensitive personal data and government-related data by countries of concern, including audit and reporting requirements, enters into force. The rule addresses the processing of sensitive US personal and government-related data by foreign adversaries, specifically by six countries of concern: China, Cuba, Iran, North Korea, Russia, and Venezuela. The rule applies to entities handling government-related or bulk sensitive personal data and mandates risk-based due diligence measures, including verification of data flows, transaction parties, and data end-use. It also introduces recordkeeping obligations for at least 10 years and requires independent audits assessing compliance with security requirements. The rule incorporates risk-based flexibility, allowing streamlined measures for lower-risk transactions and permitting companies to use existing audit reports for compliance. The audit process must cover transaction records, security measures, and compliance effectiveness, with reports detailing vulnerabilities and recommended improvements.