About

DOJ Bulk Data Rule enforcement begins after grace period ends, triggering class actions

Published
Score
14

Why it matters

The Department of Justice has begun full enforcement of the Bulk Sensitive Data Rule, a regulation codified at 28 C.F.R. Part 202 and mandated by Executive Order 14117. The rule prohibits or restricts the transfer of Americans' bulk sensitive personal data and government-related data to designated countries of concern—China, Russia, Iran, and Cuba. A three-month grace period that began April 8, 2025 has now expired. Companies face civil penalties up to $368,136 per violation and criminal exposure of up to 20 years imprisonment for willful breaches.

The first enforcement actions have targeted technology and data firms including Xandr Inc., Index Exchange Inc., and Lenovo (United States) Inc. through class action lawsuits alleging violations of the Electronic Communications Privacy Act. The rule applies broadly to data brokers, consumer app developers, genomic firms, and financial services companies that meet specific data volume thresholds—such as handling data on 100,000 U.S. persons or precise geolocation information on 1,000 devices. The DOJ finalized the regulation on January 8, 2025, with mandatory security, audit, and reporting requirements set to begin October 6, 2025.

For in-house counsel and compliance teams, the enforcement wave signals a fundamental shift in how federal authorities regulate data transfers. The BSD Rule reframes routine data privacy issues as national security matters, creating export-control-style restrictions that extend beyond traditional consumer protection frameworks. Companies handling sensitive personal data should immediately audit cross-border data flows, review vendor agreements, and assess exposure under both the BSD Rule and ECPA. The convergence of DOJ enforcement and civil litigation creates substantial liability risk for any organization that has transferred bulk sensitive data to adversary nations without explicit compliance measures in place.

Sources

mail Subscribe to Privacy email updates

Primary sources. No fluff. Straight to your inbox.

Also on LawSnap