(a) Records. Except as otherwise provided, U.S. persons engaging in any transaction subject to the provisions of this part shall keep a full and accurate record of each such transaction engaged in, and such record shall be available for examination for at least 10 years after the date of such transaction.

(b) Additional recordkeeping requirements. U.S. persons engaging in any restricted transaction shall create and maintain, at a minimum, the following records in an auditable manner:

(1) A written policy that describes the data compliance program and that is certified annually by an officer, executive, or other employee responsible for compliance;

(2) A written policy that describes the implementation of any applicable security requirements as defined in § 202.248 and that is certified annually by an officer, executive, or other employee responsible for compliance;

(3) The results of any annual audits that verify the U.S. person's compliance with the security requirements and any conditions on a license;

(4) Documentation of the due diligence conducted to verify the data flow involved in any restricted transaction, including:

(i) The types and volumes of government-related data or bulk U.S. sensitive personal data involved in the transaction;

(ii) The identity of the transaction parties, including any direct and indirect ownership of entities or citizenship or primary residence of individuals; and

(iii) A description of the end-use of the data;

(5) Documentation of the method of data transfer;

(6) Documentation of the dates the transaction began and ended;

(7) Copies of any agreements associated with the transaction;

(8) Copies of any relevant licenses or advisory opinions;

(9) The document reference number for any original document issued by the Attorney General, such as a license or advisory opinion;

(10) A copy of any relevant documentation received or created in connection with the transaction; and

(11) An annual certification by an officer, executive, or other employee responsible for compliance of the completeness and accuracy of the records documenting due diligence.

(a) Reports. Every person is required to furnish under oath, in the form of reports or otherwise, from time to time and at any time as may be required by the Department of Justice, complete information relative to any act or transaction or covered data transaction, regardless of whether such act, transaction, or covered data transaction is effected pursuant to a license or otherwise, subject to the provisions of this part and except as otherwise prohibited by Federal law. The Department of Justice may require that such reports include the production of any books, contracts, letters, papers, or other hard copy or electronic documents relating to any such act, transaction, or covered data transaction, in the custody or control of the persons required to make such reports. Reports may be required either before, during, or after such acts, transactions, or covered data transactions. The Department of Justice may, through any person or agency, conduct investigations, hold hearings, administer oaths, examine witnesses, receive evidence, take depositions, and require by subpoena the attendance and testimony of witnesses and the production of any books, contracts, letters, papers, and other hard copy or electronic documents relating to any matter under investigation, regardless of whether any report has been required or filed in connection therewith.

(b) Definition of the term “document.” For purposes of paragraph (a) of this section, the term document includes any written, recorded, or graphic matter or other means of preserving thought or expression (including in electronic format), and all tangible things stored in any medium from which information can be processed, transcribed, or obtained directly or indirectly, including correspondence, memoranda, notes, messages, contemporaneous communications such as text and instant messages, letters, emails, spreadsheets, metadata, contracts, bulletins, diaries, chronological data, minutes, books, reports, examinations, charts, ledgers, books of account, invoices, air waybills, bills of lading, worksheets, receipts, printouts, papers, schedules, affidavits, presentations, transcripts, surveys, graphic representations of any kind, drawings, photographs, graphs, video or sound recordings, and motion pictures or other film.

(c) Format. Persons providing documents to the Department of Justice pursuant to this section must produce documents in a usable format agreed upon by the Department of Justice. For guidance, see the Department of Justice's data delivery standards available on the National Security Division's website at https://www.justice.gov/nsd.

(a) Who must report. An annual report must be filed, except as otherwise prohibited by Federal law, by any U.S. person that, on or after October 6, 2025, is engaged in a restricted transaction involving cloud-computing services, and that has 25% or more of the U.S. person's equity interests owned (directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise) by a country of concern or covered person.

(b) Primary responsibility to report. A report may be filed on behalf of a U.S. person engaging in the data transaction described in § 202.1103(a) by an attorney, agent, or other person. Primary responsibility for reporting, however, rests with the actual U.S. person engaging in the data transaction. No U.S. person is excused from filing a report by reason of the fact that another U.S. person has submitted a report with regard to the same data transaction, except where the U.S. person has actual knowledge that the other U.S. person filed the report.

(c) When reports are due. A report on the data transactions described in § 202.1103(a) engaged in as of December 31 of the previous year shall be filed annually by March 1 of the subsequent year.

(d) Contents of reports. Annual reports on the data transactions described in § 202.1103(a) shall include the following:

(1) The name and address of the U.S. person engaging in the covered data transaction, and the name, telephone number, and email address of a contact from whom additional information may be obtained;

(2) A description of the covered data transaction, including:

(i) The date of the transaction;

(ii) The types and volumes of government-related data or bulk U.S. sensitive personal data involved in the transaction;

(iii) The method of data transfer; and

(iv) Any persons participating in the data transaction and their respective locations, including the name and location of each data recipient, the ownership of entities or citizenship or primary residence of individuals, the name and location of any covered persons involved in the transaction, and the name of any countries of concern involved in the transaction;

(3) A copy of any relevant documentation received or created in connection with the transaction; and

(4) Any other information that the Department of Justice may require.

(e) Additional contents; format and method of submission. Reports required by this section must be submitted in accordance with this section and with subpart L of this part.

(a) Who must report. A report must be filed, except as otherwise prohibited by Federal law, by any U.S. person that, on or after October 6, 2025, has received and affirmatively rejected (including automatically rejected using software, technology, or automated tools) an offer from another person to engage in a prohibited transaction involving data brokerage.

(b) When reports are due. U.S. persons shall file reports within 14 days of rejecting a transaction prohibited by this part.

(c) Contents of reports. Reports on rejected transactions shall include the following, to the extent known and available to the person filing the report at the time the transaction is rejected:

(1) The name and address of the U.S. person that rejected the prohibited transaction, and the name, telephone number, and email address of a contact from whom additional information may be obtained;

(2) A description of the rejected transaction, including:

(i) The date the transaction was rejected;

(ii) The types and volumes of government-related data or bulk U.S. sensitive personal data involved in the transaction;

(iii) The method of data transfer;

(iv) Any persons attempting to participate in the transaction and their respective locations, including the name and location of each data recipient, the ownership of entities or citizenship or primary residence of individuals, the name and location of any covered persons involved in the transaction, and the name of any countries of concern involved in the transaction;

(v) A copy of any relevant documentation received or created in connection with the transaction; and

(vi) Any other information that the Department of Justice may require.

(d) Additional contents; format and method of submission. Reports required by this section must be submitted in accordance with this section and with subpart L of this part.