DOJ Data Security Program: Insights on the Government-Related Location Data List
On January 8, 2025, the Department of Justice (DOJ) issued a Final Rule, now referred to as the Data Security Program (DSP), that establishes sweeping new restrictions on access to sensitive personal data and government-related data by countries of concern and covered persons.1 A key feature of the DSP is the introduction of a public Government-Related Location Data List (the “GRLD List” or the “List”), codified at 28 C.F.R. § 202.1401. The GRLD List designates 736 geofenced locations—defined by latitude and longitude coordinates—as posing heightened national security risks, if precise geolocation data2 from within those areas is accessible to foreign adversaries. Notably, any precise geolocation data collected from within a designated area is automatically treated as government-related data and subject to the DSP’s restrictions, regardless of volume, which renders potentially routine location data from government sites into highly regulated information. Recently, we used artificial intelligence (AI) to identify the 736 sites on the GRLD List. In this Legal Update, we share our key takeaways on the locations identified in the current GRLD List.
Background & Significance
Under the DSP, any precise geolocation data originating from within an area identified on the GRLD List is automatically classified as “government-related data” and restricted—regardless of volume, as no bulk threshold applies. Unlike sensitive personal data, government-related location data does not need to be linked or linkable to a person. And unlike the other subcategory of government-related data, which concerns sensitive personal data that is “market[ed]” as linked or linkable to federal employees or contractors (reflecting knowledge and intent by the data collector), precise geolocation data from within the GRLD List locations ipso facto carry heightened protection under the DSP—regardless of how one “markets” or labels it.3
Knowingly permitting access to this protected data by countries of concern or covered persons is prohibited, at least in the absence of mitigation measures (such as compliance with DHS’s Security Requirements) and in all cases involving data brokerage. For companies in industries where voluminous geolocation data is collected—such as mobile applications, advertising, logistics, and connected devices—the DSP introduces a new compliance obligation. Even entities outside the traditional data economy, such as defense contractors, may be affected if they collect location data in proximity to sensitive government sites (e.g., from devices of employees meeting with government clients). These businesses must now assess whether they are collecting precise geolocation data within the areas identified on the GRLD List, and they may need to implement controls either to avoid collecting this data in the first place or to take additional steps to prevent access to it by covered persons (such as their vendors and suppliers or through commercial arrangements involving access to that location data). Even if they sell or lease that location data to foreign persons who are not covered persons, the DSP requires onward-transfer clauses and reporting of known or suspected violations of those clauses.4
Methodology
We wanted to understand more about the locations on the GRLD List, but we found that efforts to reverse geocode or precisely map the geofenced areas would be costly and time-consuming. Instead, we used an AI resource to analyze the GRLD coordinates and prompted it to identify publicly-known Department of Defense (DoD), intelligence, or other national-security related facilities that it could associate with each set of coordinates. After more than an hour of “work,” it produced named locations for all 736 sets of coordinates.
To verify the accuracy of the list, we conducted a random sample of several entries and found the AI’s output to be generally accurate. Perhaps the most common issue we identified was the misidentification of facilities located near one another, where the listed coordinates were mistakenly attributed to the wrong site due to their close proximity. In addition, we could not verify the accuracy of some locations with open-source information alone. For example, our AI system identified some national guard “training areas” that we could not find online.
Key Takeaways from the GRLD List:
Broad Scope of Locations: The GRLD List is composed primarily of Department of Defense sites, including installations, ranges, and training areas. It includes not only well-known Air Force, Army, and Navy installations, but also encompasses national guard installations and training areas as well as additional facilities such as ammunition plants and research centers. The List further includes certain notable Intelligence Community locations, such as the Office of the Director of National Intelligence, but by no means all of them. For example, CIA headquarters is not currently included, and only one FBI facility appears on the List. The List only identifies two sites in Washington, DC—the Naval Observatory and the Washington Navy Yard—while omitting the White House and other federal agencies. DOJ has acknowledged in the Rule that the current list is not comprehensive and will consider adding more locations.
Broad Geographic Coverage: The GRLD List includes locations in all 50 states, the District of Columbia, Puerto Rico, and Guam. The states with the most locations on the List are California (74), Virginia (52), Florida (39), Hawaii (35), and Alabama (30).
Extensive Geofences: From our sampling, the geofences provided by DOJ often correspond to large physical perimeters that exceed the expected boundaries of the identified site. In multiple instances, a single identified location (e.g., an Air Force Base) has been assigned two distinct Area IDs, each linked to a different set of coordinates. One set typically covers the primary footprint of the installation, while another encompasses a neighboring or overlapping area, including publicly accessible areas.
Conclusion:
DOJ’s 90-day enforcement “pause” ends on July 8, at which time companies are expected to be in full compliance with the DSP, save for a limited number of recordkeeping and auditing requirements that become effective on October 6. Companies that either collect precise geolocation data or that operate in proximity to sensitive government facilities, such that they may incidentally collect such data within the geofences on the GRLD List, should take immediate action to address the DSP’s requirements pertaining to this data. Depending on their specific circumstances, these companies should review and, if necessary, modify their current data flows to prevent any inadvertent restricted or prohibited transactions. Additionally, they should update their internal controls to ensure proper handling of data collected within the designated locations.
1 For background on the DSP, see our prior Legal Updates on the Final Rule and on DOJ’s compliance and enforcement guidance. Also see our webinar on DSP compliance.
2 The term precise geolocation data means data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters (28 C.F.R. § 202.242).
