On 8 July 2025, the US Department of Justice (DOJ) began enforcing the rule on access to Americans’ bulk sensitive personal data and government-related data by countries of concern. Enforcement follows a 90-day grace period, which ran from the initial implementation of the rule in April 2025 and ended on 8 July 2025. The grace period gave companies time to make good-faith efforts to comply with the rule without facing DOJ enforcement. The rule addresses the processing of sensitive US personal and government-related data by foreign adversaries, specifically targeting six countries of concern: China, Cuba, Iran, North Korea, Russia, and Venezuela. The rule does not propose a generalised data localisation requirement to store sensitive data in the US, nor does it prohibit US persons from engaging in commercial transactions. Instead, it imposes prohibitions and restrictions on data transactions that pose national security risks, including data brokerage, employment agreements, and investment agreements, among others.