Troutman Pepper Locke partners examine ambiguities in the Department of Justice’s compliance guidance for its new data security program.
The Department of Justice’s new data security program took effect on April 8. A few days later, the agency issued an implementation and enforcement policy that provides a 90-day leniency period for DSP civil enforcement through July 8, along with a compliance guide and frequently asked questions.
The DSP regulates access to certain types of bulk sensitive US personal data and government-related data, in particular—but not only—where “countries of concern” such as China are involved.
This new guidance about the DSP offers some clarity regarding contractual language, compliance expectations, and how stakeholders can engage with the DOJ. But a number of ambiguities remain about how key requirements of the DSP will be applied.
Leniency Period
The implementation and enforcement policy’s leniency only applies to those engaged in good-faith efforts to come into full compliance with the DSP during the 90-day period that began on April 8. Criminal enforcement will continue, and even civil enforcement is a possibility for those not moving toward full compliance in good faith.
Additionally, full compliance is expected by July 8, subject to a delayed Oct. 6 effective date for certain elements of the DSP.
Contractual Language
In the compliance guide, the DOJ has provided specific language that can be used in contracts involving data brokerage with non-covered foreign persons—that is, counterparties in third countries without the types of links to countries of concern that trigger most of the DSP’s restrictions and prohibitions.
Bespoke language may be warranted where specific risks are present, but the DOJ has provided a helpful starting point.
Compliance Expectations
Contractual language alone generally isn’t a sufficient compliance approach under the DSP. The DOJ has emphasized that a risk-based compliance program is the standard—even in situations of data brokerage with non-covered foreign persons, when the contractual language referenced above is to be used.
Traditional expectations that apply under other regulatory frameworks based on the International Emergency Economic Powers Act, or IEEPA, such as US economic sanctions, can inform how to craft a DSP compliance program.
Gray Areas
The DOJ still hasn’t clarified some of the toughest issues that organizations will face under the DSP, and several of its statements may appear confusing or even contradictory.
Audits. The compliance guide states that, “[t]o detect compliance gaps, U.S. persons must audit their Data Compliance Program.” But audits aren’t required in all circumstances.
Also, the compliance guide seems to cast doubt on whether internal audit functions can be used for the DSP. However, other DOJ guidance makes clear that internal audit can be used for this purpose, though the agency has included heavy words of caution about relying on internal auditors.
Recordkeeping. The DSP has a broad 10-year recordkeeping requirement that will be highly burdensome for many organizations. While the DOJ has been somewhat unclear about their applicability, the recordkeeping requirements only apply in limited cases—for example, they aren’t applicable when operating pursuant to most of the exemptions.
Still, organizations impacted by these rules should consider keeping affirmative compliance records as a protective measure, even when not required, because the DSP gives the DOJ broad subpoena authority.
Domestic activity. In general, organizations can focus compliance efforts on covered data access outside the US. But the DOJ has set out a few exceptions, with the clearest being when an individual or entity is specifically designated on the DSP’s forthcoming covered persons list, which could include covered persons located in the US.
The DOJ has even said that a person in the US “is never a covered person unless designated as such by” the agency on the list. But other DOJ guidance may be in tension with that statement.
For instance, an example under the definition of US person states that a US branch of an entity based in a country of concern is a foreign person and therefore a covered person, even though a US branch is by definition in the US.
This underscores that including purely domestic activity within a DSP compliance program may be necessary in some cases.
Enhanced due diligence. The DOJ has indicated that due diligence on the individual representatives of entity counterparties may sometimes be necessary to assess if the individuals are covered persons even when their organizations aren’t. This is a familiar concept under US economic sanctions, and undertaking such enhanced due diligence can be considered as a function of risk.
Similarly, when entities that aren’t covered persons are controlled by—or minority-owned by—covered persons, the DOJ has laid out an expectation that tracks with compliance principles under US economic sanctions, explaining the considerations that drive when enhanced due diligence should be conducted on minority owners, control parties, and any person whose involvement may provide access to covered data.
Engaging With DOJ
The DOJ has said it discourages the submission of formal advisory opinion or license requests prior to July 8, except in cases of “emergency or imminent threat to public safety or national security.” Further, license requests will be subject to a “presumption of denial” standard, which the agency has indicated will require the applicant to identify compelling public interests supporting its request.
While the DOJ is open to informal questions, it has warned that these communications may not be treated as confidential (and could even potentially be used for enforcement purposes).
The DOJ has said that a voluntary self-disclosure may be treated as a mitigating factor in a civil enforcement action under the DSP.
The agency has confirmed that the Financial Crimes Enforcement Network’s whistleblower program covers the DSP. This presents opportunities for individuals who are aware of violations in which they weren’t significantly involved, but may generate more enforcement risk for organizations.
Outlook
While there are answers to some of the key questions under the DSP, many of the gray areas we see today will persist. Counsel with deep experience in risk-based compliance under similar regulatory frameworks based on IEEPA can assist with shaping a compliance approach that is neither overinclusive nor underinclusive—and that balances feasibility with satisfying the DOJ’s expectations.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Peter E. Jeydel is a partner at Troutman Pepper Locke, where he leads the sanctions and trade controls team and helps clients navigate complex national security, trade, and technology regulations.
James Koenig is a partner at Troutman Pepper Locke who advises clients—from startups to Fortune 500s—on privacy, cybersecurity, AI, data governance, and monetization.
David J. Navetta is a partner at Troutman Pepper Locke who blends legal, business, and technology expertise to advise clients.