DOJ Rule on Foreign Data Access Takes Effect Amid Heightened Compliance Demands

A DOJ rule limiting foreign access to sensitive US data takes full effect, with sweeping compliance requirements and potential civil and criminal penalties for violators.

Key points:

  • DOJ rule targeting foreign access to sensitive data is now enforceable.
  • Applies to sectors from finance to health; failure to comply risks fines or imprisonment.
  • Companies face new compliance burdens and uncertainty around enforcement.

A new U.S. Department of Justice (DOJ) rule intended to restrict foreign access to Americans’ sensitive personal data is now in full effect, ending a 90-day grace period and ushering in one of the most consequential national security compliance obligations in recent years.

The rule, which went live in April under Executive Order 14117 and became enforceable as of July 9, targets bulk transfers of personal data to so-called "countries of concern"—including China, Iran, Russia, and others. Companies in industries ranging from health research and genomics to advertising and financial services must now implement rigorous data transfer controls or risk steep civil and criminal penalties.

These penalties include fines up to $368,136 per civil violation—or double the value of the sanctioned transaction—and up to 20 years imprisonment for willful criminal violations. Affected data categories include biometric identifiers, geolocation information, genomic data, and any data related to U.S. government activities or personnel.

Legal experts say the rule reflects growing concerns in Washington over the use of U.S. data by foreign adversaries for intelligence, surveillance, and potentially AI development. “It’s important to create rules of the road that companies can follow to ensure that they’re balancing national security concerns against business considerations,” said Eun Young Choi, a partner at Arnold & Porter and former DOJ official.

The DOJ has issued some guidance, such as examples of covered transactions—fitness app logs, for instance—but the business community remains wary of potential enforcement surprises. “Enforcement is a tool that promotes accountability,” said Loyaan Egal of Morgan Lewis, a former DOJ national security attorney. “Companies are going to have to wait and see how this actually plays out.”

In response, firms like location data provider Unacast are tightening internal controls, including enhanced “know your customer” procedures that now include employee residency screening. “Now it’s where employees are located,” said Jason Sarfati, Unacast’s chief privacy officer. Covered employees or ownership links to foreign adversaries are now red flags that can halt transactions entirely.

Trade associations such as the National Advertising Initiative are lobbying for additional clarity. “We’re actively working with members to understand and clarify the relevant requirements,” wrote NAI’s Kate Cox-Nowak in an email to Bloomberg Law.

A key area of uncertainty lies in the forthcoming release of the DOJ’s “covered persons” list—anticipated to include individuals and entities linked to countries of concern, directly or through significant ownership. The DOJ has not provided a timeline for its release, further complicating compliance planning for multinational organizations.

By October 6, companies engaging in restricted data transactions will be required to implement full compliance programs, including third-party audits, data flow tracking, and identity verification of data recipients. The National Security Division is expected to issue more guidance, including potential advisory opinions, to help interpret ambiguities in the rule.

Still, legal counsel across sectors are advising corporate clients to take proactive steps now. “This rule gives DOJ the ability to bring enforcement quickly and effectively,” said Egal. “I would take this very seriously.”
