Breaking Down the DOJ Bulk Data Transfer Rule

Sheila Colclasure, CIPP/US, Global Chief Digital Responsibility and Public Policy Officer, IPG Interpublic Group
D. Reed Freeman, CIPP/US, Partner, Privacy and Data Security Group Chair and CPO, ArentFox Schiff

The Department of Justice's final bulk data transfer rule is a game-changer. Its wording has echoes of the GDPR as it takes the U.S. into the pantheon of countries now regulating at least some cross-border transactions involving personal data. The rule's breadth captures a wide variety of transactions, and its definitions pull within its ambit a broad variety of data. With the operative sections of the rule regarding prohibited transactions, restricted transactions and exemptions taking just a few pages, the meat of the rule is in an intertwining set of complicated definitions. What is “data brokerage” and what are “vendor agreements” and “investment agreements?” What is “bulk,” “sensitive personal data” and what are “listed identifiers?” What does “ordinarily incident” mean in the context of this rule, and to what extent is data collected in connection with e-commerce exempt? How do these terms apply in the real world, and what does a compliance program look like? Dive into a discussion of this new rule's application, requirements, exemptions, and enforcement.

What you will learn:

• The scope of the rule's coverage, including key definitions.
• Which activities are exempted, which are prohibited and which are restricted. 
• What compliance and enforcement look like.