Data Export Control Rule: DOJ’s Enforcement Challenges
by
July 15, 2025
As Zach blogged last week, the 90-day grace period for the DOJ’s Data Security Program (DSP) under the Data Export Control Rule expired on July 9th, but this recent Cleary memo points out that the DOJ has some challenges to deal with when it comes to investigating potential violations of the DSP and bringing enforcement actions.
Part of the problem lies in the fact that civil and criminal enforcement responsibility is vested in the Foreign Investment Review Section (FIRS), a small group within the DOJ’s National Security Division that traditionally hasn’t been involved in litigation. FIRS also has never before had criminal jurisdiction, which as the memo points out opens up a whole other bag of snakes going forward. On top of all that, this excerpt addresses what may present the greatest challenge of all – uncertainty about the investigative resources available to FIRS:
In addition to potential concerns associated with criminal enforcement of the DSP, there is also uncertainty about how FIRS will investigate potential violations. Unlike traditional sanctions and export control enforcement, which relies on the Department of Treasury’s Office of Foreign Assets Control and the Department of Commerce’s Bureau of Industry and Security, respectively, it is unclear what, if any, dedicated investigative resources or interagency cooperation FIRS will have at its disposal.
While federal prosecutors typically investigate alongside agents from the Federal Bureau of Investigation and Homeland Security Investigations, such investigative resources historically were not allocated to FIRS, and it is unclear which federal investigating agency – if any – has been tasked with leading these investigations. This raises questions about FIRS’s capacity to effectively investigate and bring enforcement actions for potential violations.
Despite the challenges that DOJ faces, companies shouldn’t be complacent. The memo says that companies should be prepared to document their good-faith efforts to demonstrate compliance with the DSP and the Data Export Control Rule to prevent early investigations and enforcement actions.