In-house counsel are still struggling to understand how to comply with a Justice Department rule requiring companies to restrict data transfers to countries deemed as national security risks—months after the rule went into effect.
The rule took effect in April and the DOJ began enforcing it in July. It’s the first US regulation to restrict outbound transfers of sensitive personal data from US companies.
“What’s groundbreaking about this rule is that now we can no longer say there are no data transfer restrictions upon US personal information,” said Corey Dennis, chief privacy officer and assistant general counsel at Legend Biotech Corp., a life sciences firm with a presence in China.
“And now we have to comply with this complex law, which is very difficult to understand and very difficult to implement practically,” he said.
That’s a major change for in-house counsel, whose privacy concerns are more typically focused on mapping data transfers into the US, thanks to laws like the EU’s General Data Protection Regulation.
“Very few people care what data goes out, unless it’s health data or heavily regulated data,” said Vivien Peaden, shareholder at Baker Donelson. “The DOJ data security program is really asking companies to closely review what sensitive information is transferred to these particular countries.”
Sensitive data is broadly defined to include personal identifiers, precise geolocation, biometric identifiers, genomic data, personal health data, personal financial data and government-related data.
Auditing obligations required by the rule went into effect Oct. 6.
Putting Together a Puzzle
Six months after the Justice Department’s compliance guidance came out, some in-house counsel are just now “gaining visibility,” Peaden said. Companies still must do due diligence before sending information overseas, she said.
“That’s on in-house counsel to do that analysis and document it appropriately,” she said.
In-house counsel in the life sciences industry face even greater scrutiny. Transfers of human genomic data, epigenomic data and biological specimens are prohibited by the rule, though there are some exemptions.
Dennis said Legend Biotech began working on a new compliance program prior to the effective enforcement date.
“Some companies are saying, ‘Oh, we’re just going to cut off access to China,’” Dennis said. “That’s harder when you’re working for a company that has offices and operations in China.”
Complying with the new standards requires a multi-pronged approach, Dennis said, working across IT, HR, research and development and other departments to know where data sits in an organization.
Loyaan Egal, partner at Morgan, Lewis & Bockius LLP, advised companies to play it safe in implementing the security requirements under the rule, which the Cybersecurity and Infrastructure Security Agency published in January.
Even if companies aren’t sure the rule applies to them, “it’s just good cybersecurity hygiene,” he said. Pointing to use of the guidance can give companies some cover in the event of enforcement actions, he noted.
Enforcement Future
Enforcement could be stymied by the ongoing government shutdown, which has led to furloughs across the Justice Department.
Egal previously served as deputy chief in the Foreign Investment Review Section within the Justice Department’s National Security Division—the same division responsible for enforcing the sensitive bulk data rule. He said the shutdown could affect the “enforcement tempo, the investigative tempo and the ability to identify and marshal resources” for a new program that has no test cases yet.
Peaden said that healthcare and research institutions are obvious targets for enforcement, but she warned that the rule’s broad scope means many more possible targets. The regulation covers a wide range of “personal identifiers,” including advertising IDs and other data that—when combined—could potentially identify individuals. This broad definition means companies across various sectors, including ad tech and e-commerce, should assess their data-sharing practices around cookies.
“I would be very vigilant in terms of implementing not only opt-out mechanisms to comply with US state privacy laws, but also mitigating your risk of inadvertently sharing information with foreign actors,” she said.
While the Justice Department hasn’t yet announced any enforcement actions related to the rule, the Trump administration continues to signal a strong interest in protecting genomic data. The National Institutes of Health published a policy on biospecimen transfers last month stemming from the same executive order as the bulk data transfer rule.
The DOJ also introduced a data security whistleblower program with financial incentives in September.
“The fact that they put out additional notice as late as September indicates this is something that’s still going to be a priority,” Egal said. “I wouldn’t be lulled with a false sense of security.”