DOJ Confirms April 8 as Effective Date for Global Data Transfer Rule

The Global Data Alliance, a coalition of companies ranging from AT&T, Samsung and FedEx to GM and Netflix, requested a deadline extension through 2026, citing potential complications in complying with the 400-page rule (see 2503180058).

“As indicated in the federal register, the rule is scheduled to go into effect on April 8, 2025,” the department said in a statement. “We’ll decline to comment further at this time."

The alliance, which was launched by the Business Software Alliance in 2020, on Wednesday continued urging the department to suspend enforcement so the public and private sectors can "understand the complex and unprecedented legal framework underpinning the rule."

The rule "will require significant work to retool systems including work to recode software programs, alter service offerings in different markets, develop systems to identify covered persons, and change contractual relationships to meet the conditions in the final regulations," said Joseph Whitlock, executive director. The alliance is hopeful the department will "reflect a non-enforcement period through December 31, 2026, to allow both the government and private sector to address these shared challenges.”

The alliance reiterated its previous request for implementation guidance and FAQs, which it believes are needed to "clarify key areas of implementation and compliance with the rule."

The prior administration’s DOJ wrote the rule in response to President Joe Biden’s February 2024 executive order. The EO directed the department to address the threat of bulk data transfers of U.S. sensitive personal data and U.S. government-related data to countries of concern, including China and Russia. The rule carries criminal and civil penalties for companies failing to safeguard personal and government-related data against access in countries of concern.

The Cybersecurity and Infrastructure Security Agency developed security requirements for the rule. A wide range of industry associations commented on CISA’s public proceeding, including the U.S. Chamber of Commerce, Consumer Technology Association, Information Technology Industry Council, ACT | The App Association, Interactive Advertising Bureau, CTIA-NCTA and the National Foreign Trade Council.

The App Association said in a statement Wednesday: "We are extremely disappointed that DOJ did not extend the effective date for its data transfer rule given the legitimate outstanding implementation concerns raised by small businesses and other stakeholders. We remain willing to work with the administration to ensure that implementation protects our national security while maintaining secure data transfers, preserving encrypted communications, and minimizing unintended harm to small and mid-sized companies operating globally.”

The other associations didn’t comment.

The rules impact “most U.S. companies,” said Hintze’s Sam Castic in an email Wednesday. “Even companies that don’t have operations in China, Russia, or other targeted countries will need to adjust vendor, contractor, employee, and investor practices to stay in compliance with the rules.”

The criminal and civil penalties apply to “many common practices that companies engage in every day to run and grow their business,” added Castic. “All U.S. companies should assess how the rules impact their business, and what ongoing compliance efforts will be needed to avoid the criminal and civil risk.”