- Aim is to safeguard data from China, Iran, other foreign adversaries
- Violators face civil and criminal penalties, including prison
Companies must comply with a Justice Department rule meant to ensure that bulk transfers of sensitive data are safeguarded from China, Iran, and other countries that pose national security concerns, after a temporary reprieve ended Tuesday.
The rule impacts a wide range of sectors from health research to financial services. It went into effect in April, but with a 90-day grace period giving companies making good-faith efforts time to come into compliance.
The final rule, drafted to implement Biden-era Executive Order 14117, established export controls to prevent foreign adversaries and parties under their influence from accessing US government-related data and bulk sensitive personal data through commercial means.
Sensitive data is broadly defined as personal identifiers, precise geolocation data, biometric identifiers, genomic data, personal health data, personal financial data, and government-related data. The “countries of concern” defined in the rule include Russia, Cuba, North Korea, and Venezuela as well as China and Iran.
Failure to comply risks civil and criminal liability under the International Emergency Economic Powers Act and other laws. Civil violations can result in fines of up to $368,136, or an amount equal to twice the value of the transaction, whichever is greater. Criminal penalties for individuals found liable for violations include a fine of up to $1 million and imprisonment of up to 20 years.
The rule sends the message that such data transfers raise a variety of national security concerns, including counterintelligence and the race for AI, said Eun Young Choi, partner at Arnold & Porter and a former deputy assistant attorney general at DOJ.
It’s “important to create rules of the road that companies can follow to ensure that they’re balancing the national security concerns against business considerations,” she said.
The Justice Department provided additional guidance in April, including examples of covered transactions—such as logs of users’ exercise habits collected by fitness apps. Still, companies will have to “wait and see” how enforcement plays out, said Loyaan Egal, partner at Morgan, Lewis & Bockius LLP.
“Enforcement is a tool that promotes accountability, balance, compliance and deterrence,” Egal said. “Enforcement allows for compliance, because it shows you this is what companies need to do to comply with the regulation or rule.”
Seeking More Guidance
Location data firm Unacast has added a more in-depth level of “know your customer” screening in response to the rule’s requirements, said Jason Sarfati, the company’s chief privacy officer and vice president of legal. He said the DOJ’s Data Security Program requires a “much higher standard” than other sanctions compliance.
“Previously the diligence ended around ownership and maybe location,” he said. “Now it’s where employees are located.”
Any covered ownership or employees are an automatic “red flag” in their screening now, he added.
The National Advertising Initiative, an online trade group, is “actively working with our members to understand and clarify the relevant requirements” and to determine what additional guidance would be helpful, Kate Cox-Nowak, director of operations and strategy, wrote in an email to Bloomberg Law.
Another gray area that companies will have to contend with is the impending release of a list of “covered persons”—entities organized under the laws of countries of concern, entities with 50% or more ownership by those countries or by covered persons, and individuals residing in countries of concern. US Attorney General Pam Bondi also has the discretion to include individuals or entities determined by her office to be controlled by, or acting on behalf of, countries of concern.
The Justice Department didn’t respond to a request for comment about when the covered persons list would be released.
Companies can expect to see continued, iterative guidance from the Justice Department’s national security division, including potential advisory opinions, said Choi.
“There is going to be an effort from NSD to ensure that they are understanding what the pain points might be for companies and seeing what the path forward might be to provide clear guidance where there is ambiguity in the rule,” said Choi.
Companies conducting restricted transactions will be required to establish data compliance programs by Oct. 6, including a means of identifying and verifying data flows and the identity of recipient vendors. They must also have in place an annual independent audit by the October deadline.
Egal, who previously served as a deputy chief in the DOJ’s National Security Division responsible for enforcing the sensitive bulk data rule, said it has the “ability to very quickly bring to bear the capabilities that DOJ has to enforce this program.”
“So I would take a look at this very seriously,” he said.