Written by: Haim Ravia, Dotan Hammer
Starting April 8, 2025, organizations and individuals in the United States are required to comply with the U.S. Government’s Data Security Program, a legal framework intended to address the efforts of “foreign adversaries to access, exploit, and weaponize U.S. Government-related data”. The program is the regulatory implementation of a Biden-era executive order issued in February last year that has since been removed from the White House website.
The Program covers data transactions to persons or countries of concern (China, Cuba, Iran. North Korea, Russia, and Venezuela) which includes government-related data or sensitive personal data such as geolocation, biometric, or medical data. These include transfers of anonymized or encrypted data.
Generally, any data transfers to “foreign persons” are prohibited unless they include a contractual limitation on secondary data transfers, and a sensitive data transfer to persons or countries of concern is fully prohibited. Americans are also subject to new transaction recording and retention requirements, various reporting obligations, and expected practices of data protection, security, and data due diligence. Certain transactions may be preemptively exempted or licensed by the NSD, on a case-by-case basis.
Click here to read the Department of Justice’s Data Security Program Compliance Guide.
