United States: The time is now for U.S. companies to examine their cross-border data transfers

In brief

In an era of intensifying geopolitical tensions, companies with operations in the U.S. must navigate an increasingly fragmented and national security-driven regulatory landscape governing cross-border transfers of many different types of data, including personal data and technical information used in R&D and patent filings. The U.S. Department of Justice’s new Data Security Program (DSP) essentially prohibits U.S. persons from making certain volumes of Americans’ personal data available to entities headquartered or residing in China (including Hong Kong and Macau), Russia, Venezuela, Iran, Cuba, or North Korea, or their subsidiaries in other countries, unless an exception applies. The DSP adds to existing obligations under the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), and long-standing restrictions on filing certain U.S. patent applications abroad without a foreign filing license. Together, these regimes impose overlapping constraints on how and where companies can make data about people, operations and technologies in the U.S. available outside of the country.



To keep pace with this evolving regulatory landscape, companies with operations in the U.S. should take proactive steps to assess and mitigate cross-border data transfer compliance risks. This starts with identifying what types of data they hold, including data about individuals, technical materials related to product development, and information about national security-sensitive matters. Next, companies should determine where that data is stored, processed, or accessed from, and to whom the data is disclosed. Companies should map data flows across their staff members, affiliates, vendors, research collaborators and other business partners, with particular attention to transfers that could involve parties located in jurisdictions that the U.S. government has designated as “countries of concern” (see above). Companies must then assess the data flows based on applicable regulations and potentially update their compliance policies, due diligence procedures, data security measures and contractual arrangements. Ultimately, companies may conclude that they need to terminate certain data flows to avoid contravening the law.

In more detail

Americans’ Personal Data and U.S. Government Data: The U.S. Department of Justice (DOJ) explains in its Data Security Program Compliance Guide that the intent of the DSP is to prevent foreign adversaries from “weaponizing … Americans’ bulk sensitive personal data.” The term “sensitive personal data” may give the misleading impression that the DSP only targets highly confidential or intimate information. In reality, “sensitive personal data” is defined so broadly that it encompasses almost any personal data. It includes common identifiers such as names, email addresses, and phone numbers, as well as pseudonymous data such as IP addresses, cookie data, and advertising identifiers.

The DSP applies when a U.S. person collects certain types of personal data about Americans above certain thresholds (such as precise geolocation data about 1,000 or more devices linkable to Americans, or health or financial data about 10,000 or more Americans) and plans to make the data available to a “covered person.” “Covered persons” include: (1) foreign entities headquartered in or organized under the laws of a country of concern; (2) foreign entities owned 50% or more by a country of concern or a covered person; (3) foreign individuals primarily resident in a country of concern; and (4) foreign individuals who are employees or contractors of a covered person entity or a country-of-concern government. The DSP also applies to transfers involving U.S. government-related data of any volume.

Although the DSP distinguishes between “prohibited” and “restricted” transfers, the U.S. person cannot in either case let the covered person access Americans’ bulk sensitive personal data or U.S. government-related data. The DSP includes numerous other requirements, as well as various exceptions.

Critically, data subject consent is not a defense. Consequently, many companies with operations in the U.S. will need to continuously diligence their business partners to assess whether they are owned or controlled by covered persons, and may need to terminate or fundamentally restructure their arrangements if so.

Violations may carry substantial penalties. Civil fines may reach the greater of $368,136 (adjusted annually for inflation) or twice the value of a covered transaction. Willful violations can trigger criminal penalties, including up to 20 years in prison and USD 1 million in fines. Although the DOJ has announced a limited enforcement policy through July 8, 2025, this is best understood as a brief runway for companies to demonstrate good-faith compliance and not a grace period that defers legal obligations. The DOJ has made clear that criminal enforcement remains available now and that all covered parties are expected to be fully compliant once the 90-day implementation period ends.

Export Controls and Technical Data: There are two key U.S. export control regimes: military and “dual-use.” Military export controls are implemented primarily under the International Traffic in Arms Regulations (ITAR). Dual-use controls — applicable to items that have both civilian and military applications — are implemented under the Export Administration Regulations (EAR). These regulations apply to both U.S. and non-U.S. companies dealing in and transferring controlled technology or technical data, software (both object and source code), or hardware subject to ITAR or EAR jurisdiction.

Under both sets of regulations, U.S. and non-U.S. companies must ensure that exports, reexports, and transfers of controlled technology, technical data, software, or hardware comply with the ITAR or EAR, as applicable. (U.S. export controls also apply to “releases” of controlled technology/technical data or software source code to foreign nationals in the U.S. or third-country nationals outside the U.S.)

Under the ITAR and EAR, the concept of technology or technical data is broad. Examples may include proprietary information contained in blueprints, drawings, photographs, plans, diagrams, models, formulae, tables, engineering designs and specifications, computer-aided design files, production processes, manuals or documentation, and electronic media. That said, not all U.S. technology/technical data or software source code is controlled under U.S. export controls.

Broadly speaking, the ITAR captures broad categories of technical data related to defense articles, and a license is virtually always required to transfer technical data between countries or parties. By contrast, controlled technology for EAR purposes typically is proprietary information that is required for the development or production of controlled hardware. Determining whether an EAR authorization is needed to transfer controlled technology depends on the end-destination, end-user, and/or end-use involved. It is considered a best practice for companies dealing with controlled technology/technical data or software to implement technology control plans to ensure compliance with the ITAR and/or EAR.

U.S. export control violations may carry substantial penalties, and there is active civil and criminal enforcement of these U.S. regulations. Civil fines for ITAR violations may reach the greater of USD 1,271,078 (adjusted annually for inflation) or twice the value of a covered transaction, per violation. Civil fines for EAR violations may reach the greater of USD 374,474 (adjusted annually for inflation) or twice the value of a covered transaction, per violation. Like the DSP, willful violations of the ITAR or EAR can trigger criminal penalties of up to 20 years in prison and USD 1 million in fines.

Patent Law Restrictions: Technical information is “exported” when U.S. patent applicants apply for inventions overseas, by virtue of technical disclosures and drawings included in patent applications filed outside of the U.S. For inventions made in the U.S., patent applicants must be aware of export restrictions on this technical information. Specifically, for inventions made in the U.S., and unless authorized by a license obtained from the Commissioner of Patents, U.S. law prohibits applicants from filing for patent, utility, or design rights on such inventions in any foreign country prior to six months after filing first in the United States. This is to allow time for review of patent disclosures for sensitive information before they are filed outside of the U.S.

All provisional, non-provisional, and design patent applications are reviewed for the purposes of a foreign filing license. These applications are screened upon receipt at the USPTO for sensitive subject matter that may impact the national security of the U.S. To the extent any such sensitive subject matter is found, the USPTO refers those applications to the appropriate agencies for further consideration of restrictions on the disclosure of the subject matter. In that case, the agencies will notify the USPTO, and the USPTO will order that the invention be kept secret and shall withhold the publication of the application or the grant of the patent as long as national interests so require.

U.S. patent applications are deemed to include a request for a foreign filing license when they are filed with the USPTO. Assuming the patent application is not referred for further consideration of restrictions and made subject to a secrecy order, U.S. patent applications typically receive a foreign filing license in six months. Patent applicants can also apply for a foreign filing license by filing a petition, which is usually granted much sooner. Once the applicant has a foreign filing license, they may file the patent application in a foreign country or with an international authority. The failure to obtain a foreign filing license can result in invalidation of the subject patent rights, and also can lead to fines of up to $10,000, imprisonment of up to two years, or both. Applicants should also be careful to comply with any limitations stated in the foreign filing authorization.

Outlook: Compliance will require close coordination across legal, privacy, cybersecurity, export control, and intellectual property functions. Governance teams should ensure that appropriate due diligence, vendor screening, and access controls are in place—not only to meet specific requirements of the DSP, but also to align with broader controls under the EAR, ITAR, U.S. patent law and other industry-specific regulations that impose cross-border data transfer restrictions. Importantly, organizations should avoid siloed approaches. A transaction that may not trigger a red flag under one regime (e.g., because the data is not personal or is not classified as controlled technical data) may still raise issues under another if it enables foreign access to data about U.S. persons, technologies, or government functions. Cross-functional compliance strategies will be essential to manage legal exposure and ensure operational continuity as these data transfer regimes continue to expand and converge.


Copyright © 2025 Baker & McKenzie. All rights reserved.