DOJ Data Security Program

DOJ-DSP: Data Transfers to Adversaries Are a Crime

The Department of Justice Data Security Program imposes criminal penalties on US persons and companies that transfer covered data to adversarial nations — intentionally or inadvertently.

Effective April 2025: DOJ-DSP enforcement is active. Violations carry $1M+ fines and up to 20 years imprisonment per violation.

The Five Titles in the DOJ's Crosshairs

The Department of Justice's enforcement priorities have moved past the corporation and onto the individual. The willful violation standard is designed to reach decisions made at the executive level — but the specific exposure depends entirely on the title on your business card. This briefing breaks down what each C-suite role actually risks, why "I delegated it" no longer works, and what a defensible posture looks like under current enforcement patterns.

Educational Videos, PDFs and Podcasts

DOJ Prosecutor Formula for Regulatory Negligence

Optimal Strategy to Mitigate DOJ DSP Prosecution Risks

Regulatory Analysis: How PQC+™ Minimizes DOJ DSP Liability


What Is the DOJ-DSP?

Issued under Executive Order 14117 and codified in 28 CFR Part 202, the DOJ Data Security Program is a national security regulation that restricts US persons and companies from transferring "covered data" — sensitive personal information about US citizens — to countries of concern.

Unlike HIPAA or GDPR, DOJ-DSP is a national security statute enforced by the National Security Division of the DOJ. There are no cure periods, no warning letters, and no administrative exhaustion requirements. Violations go straight to criminal grand jury investigation.

The rule became effective April 8, 2025, with full enforcement beginning immediately. The DOJ has stated it will pursue both corporate and individual criminal liability for willful violations.

Countries of Concern

China (PRC): Includes Hong Kong and Macau [CRITICAL]
Russia: Including state-owned cloud providers [CRITICAL]
Iran: Including Iranian-linked entities [HIGH]
North Korea: All transfers strictly prohibited [HIGH]
Cuba: OFAC sanctions apply additionally [HIGH]
Venezuela: Government-linked entities [HIGH]

What Data Is Covered?

Bulk genomic data (>100 US persons)
Biometric identifiers (>1,000 US persons)
Precise geolocation data (>1,000 US devices)
Personal health data (>10,000 US persons)
Personal financial data (>10,000 US persons)
Personal communications metadata (>100,000 US persons)
Government-related personal data (any volume)

Common Violation Scenarios

Cloud Service Provider

Using a cloud provider that routes or stores covered data through data centers in restricted countries — even if the provider is a US company — may constitute a prohibited data transfer.

Offshore Development Teams

Development or IT teams in restricted countries with access to covered US person data trigger DOJ-DSP restrictions. Access controls and architectural separation are required.

AI Training Data

Sending covered personal data to AI platforms, training pipelines, or analytics services with adversarial-country ownership or control falls within DOJ-DSP scope.

M&A Data Rooms

Sharing covered data in virtual data rooms accessible to adversarial-country investors or acquirers requires DOJ review and potentially CFIUS filings.

TransformativIP PQC+™ — DOJ-DSP Compliance

Our platform provides the cryptographic controls, data residency enforcement, and audit trails required for DOJ-DSP compliance — including real-time monitoring for unauthorized data egress to restricted jurisdictions.

Data Residency Control

Enforce geographic boundaries on all covered data at the cryptographic layer

Access Monitoring

Real-time alerts when restricted-country IPs or entities attempt data access

Audit Evidence

Automated compliance documentation for DOJ-DSP due diligence defense
