Companies in sectors ranging from manufacturing to cloud storage and genetic engineering are struggling to comply with a federal rule going into effect Tuesday meant to safeguard bulk transfers of sensitive data outside the US.
The Justice Department’s bulk data transfer rule restricts or prohibits the transfer of US sensitive and government-related data involving “countries of concern” that pose national security concerns—including China, Russia, Iran, Cuba, North Korea and Venezuela. Sensitive data is broadly defined as personal identifiers, precise geolocation data, biometric identifiers, genomic data, personal health data, personal financial data and government-related data.
Justice officials released a fact sheet about the final rule in December. But trade groups say they don’t have sufficient guidance for a rule that will require building out costly and time-consuming compliance programs.
“Companies are really almost begging for implementation guidance from the Department of Justice so they can do this more efficiently,” said John Miller, Senior Vice President of Policy for Trust, Data, and Technology and General Counsel, at the Information Technology Industry Council, a group whose members include
The Justice Department declined to comment on the outlook for additional guidance. The Federal Register’s January notice of the final rule states that it anticipates releasing further guidance without giving a time frame.
Restricting Foreign Data Transfers
The new rule, pursuant to a February 2024 Biden administration executive order, prohibits selling or licensing bulk sensitive data to an covered foreign entity or person that did not directly collect the data.
Some other commercial transactions—including employment, vendor and investment agreements—are restricted; they require companies to adopt new security measures to minimize access by covered entities. These transactions cover, for instance, a US business sharing covered data with a Canadian or German vendor who has Chinese investors. Restricted transactions must adhere to a January 2025 framework issued by the Cybersecurity and Infrastructure Security Agency.
It’s these restricted transactions that trade groups say will affect millions of companies across a variety of sectors.
“This is a very novel and complex legal framework that is untested. And it impacts every sector of the economy,” said Joseph Whitlock, executive director at the Global Data Alliance, a Business Software Alliance-led trade coalition whose members include
Tech Groups Seek Clarity, Time
In February, Global Data Alliance and a coalition of other trade groups wrote letters to the Justice Department requesting additional clarification of definitions and procedures. Global Data Alliance also requested extending a proposed non-implementation period to Dec. 31, 2026 for regulated companies.
Companies need time to prepare for a process that, as currently described, will take significant resources and personnel, the group argues.
“I don’t think it’s 100% crystal clear to a lot of companies exactly how they’re supposed to comply with this fairly comprehensive, complicated and novel approach to data regulation,” said ITI’s Miller, whose group has also requested clarification from the Justice Department.
Trade groups and attorneys have also raised concerns about how the rule will interact with other statutes, including a rule from the Trump administration requiring the Commerce Department to review transactions involving information and communications technology services developed by “foreign adversaries.” The rule also overlaps with the “Protecting Americans’ Data from Foreign Adversaries Act of 2024,” enforced by the Federal Trade Commission, that went into effect in June 2024.
Trade groups praise efforts to eliminate direct data broker sales to countries of concern and extending baseline security requirements for restricted transactions. But without further guidance, the measures could have unintended consequences, they say. For instance, the rule implicates AI training data, which could have repercussions for US innovation, Miller said.
In the absence of clearer guidance, attorneys are advising companies to carefully map their data flows to evaluate what might be covered by the rule and if data needs to be stored elsewhere.
“We’ve been advising our clients to take the conservative approach, but there is some guesswork in there for sure,” said Nan Sato, a partner at Fisher & Phillips LLP who advises international companies, including clients with business with China.
International companies that fail to comply could “significantly jeopardize” their US operations, she stressed.
Penalties for non-compliance include civil penalties up to $377,700 per violation, or double the value of the covered transaction. Intentional violations risk criminal fines of up to $1 million and two years in prison.
Rethinking Privacy
The rule’s focus on a sanctions-like regime, similar to the Treasury Department’s Office of Foreign Assets Control, means that things will be a “little different from what a privacy compliance professional might be used to be doing,” said Duane Pozza, a former Federal Trade Commission attorney and partner at Wiley Rein LLP. Privacy professionals will have to take a “cross-disciplinary” approach to make sure they’re conducting due-diligence on who is receiving covered data, he said.
Companies need to stretch their understanding of existing data security compliance and “put on the lens of the government” when it comes to assessing their risks under the new rule, said Loyaan Egal, partner at Morgan, Lewis & Bockius LLP.
Egal previously served as deputy chief in the Foreign Investment Review Section in the DOJ’s National Security Division—the same division responsible for enforcing the sensitive bulk data rule. Balancing the need for clear compliance guidelines with the flexibility to respond to new national security concerns will take time, he said.
“There are potentially going to be some growing pains,” said Egal. “It’s going to be an iterative process.”
To contact the reporter on this story:
To contact the editor responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.