Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
This article accompanies a primer on the U.S. Department of Justice final rule on protecting Americans' sensitive data from foreign adversaries.
The U.S. Department of Justice's final rule on protecting Americans' sensitive data from foreign adversaries is now in effect. On 11 April, the DOJ's National Security Division took further steps to implement the final rule and also issued a limited 90-day enforcement policy promising not to take certain enforcement actions against companies engaging in good faith compliance efforts until 8 July.
The final rule represents a novel approach to U.S. national security concerns related to sensitive personal and government-related data. It mixes elements of U.S. sanctions, foreign investment, and cybersecurity and data privacy regulations, but its concepts, definitions and objectives do not always align with those programs. As a result, the final rule is difficult to parse for legal and privacy professionals.
As multinationals undertake the challenging task of identifying and addressing potentially covered data transactions among their group operations and third parties, certain patterns have emerged. These early observations and suggestions can lead to greater efficiencies in this complicated task and also create the scaffolding for a more durable compliance program for the future.
Directly at issue: Shared service centers, processing activities in countries of concern
Companies that have placed group operations in identified countries of concern, including China, Hong Kong, Macau and Russia, will likely have more significant challenges under the final rule.
Examples include shared services centers, artificial intelligence scientist teams, cloud or other vendors, or other group operations in countries of concern that support U.S. business operations or otherwise have access to data about U.S. persons.
Such companies may find it difficult to navigate the relatively low thresholds and fast triggers for covered data transactions and may also find that exemptions or exclusions do not adequately cover business as usual.
Certain industries more impacted than others
Companies in sectors such as health care, life sciences and medical devices, financial services, information technology, adtech, data brokers, defense/government contracting and consumer industries seem to have relatively greater exposure to the final rule than other industry verticals due to the sensitivity of their data and business operations.
Refreshed approach to due diligence, cross-functional collaboration needed
The final rule implicates data privacy compliance functions as well as supply chain and trade compliance functions. Data privacy, which will have greater familiarity with the types and movements of data, could take a lead with respect to data mapping for the final rule — for example, analysis of records of processing activities and data flow maps, interviewing stakeholders, and the like.
Supply chain and trade, which will have greater familiarity with the know your customer and know your provider due diligence processes for a company, could take a lead role in assessing and monitoring ownership of vendors and third parties and consultation with the DOJ covered persons list.
Deeper look at ownership of vendors and third parties required
The final rule requires a deeper analysis on vendors and third parties than might be expected. Companies may initially think, "We have checked our vendor lists and confirmed there are no Chinese companies there, so we're done and fine."
"We're fine" might end up being accurate, but "we're done" is not.
Covered persons include companies located outside countries of concern if they are owned 50% or more by covered persons — for example, a Singaporean service provider with a Chinese parent company.
Supply chain and trade teams are likely better prepared than privacy professionals to identify these types of business partners given their prior experience with sanctions and other issues.
Everyone is a data broker
The definition of data brokerage agreement is surprisingly broad and does not align with data broker concepts utilized under many privacy laws. It includes scenarios where a company discloses its own first party data — data about its own direct customers — as well as third party data — data obtained from a third-party source — to a business partner or third party in the context of a data sale, licensing of access to data, or similar commercial transactions.
The concept of data brokerage is so broad that, from a data privacy perspective, it arguably encompasses many "controller to controller" data sharing arrangements. Companies are prohibited from engaging in such data brokerage transactions with covered persons and countries of concern.
Moreover, companies that engage in such transactions with foreign recipients in other jurisdictions, such as the EU, must implement contractual terms prohibiting any onward transfers to covered persons and countries of concern, and address certain breach notification duties for violations.
Notably, these broad definitions present challenges for companies engaging with third parties in the adtech context, where the transactions tend to rely on standard terms and many of the players in the ecosystem are still adapting and changing to address these new requirements.
Exemptions are narrower than expected
The exemptions are deceptively narrow when interpreted in light of examples in the final rule. For reference, the financial services exemption applies by its terms to data transactions that "are ordinarily incident to and part of the provision of financial services."
Although this may seem potentially broad, the reality is that the examples demonstrate how the DOJ almost appears to require "necessary to support underlying transactions" as an additional mandatory element. For example, where needed to support financial payments to a U.S. person in a country of concern, the exemption applies, but where back-office processing in a country of concern would analyze data about transactions between U.S. customers and the U.S. company, it would not.
The DOJ commentary to the corporate group transaction exemption also expressly notes that it declined to "expand the exemptions to include data sharing required for global business operations or services."
General exemptions narrower than in other sanctions contexts
A supply chain and trade professional might logically think, "We regularly leverage the informational materials and travel exemptions in the U.S. sanctions administered by the (Office of Foreign Assets Control). Those exemptions are in the final rule as well, so we're fine and don't need to worry about the final rule."
At least in relation to the informational materials exemption, that is a myth. The final rule provides a narrower definition of informational materials — focusing on "expressive content" — than OFAC's longstanding and published rules, guidance and advisory opinions, which clearly treat nonexpressive content as exempt informational materials.
As for the travel exemption, it remains to be seen whether the DOJ will adopt the OFAC view, which is already quite narrow in covering cross-border but not domestic travel, or narrow it even further, to cover only payment-related data for specific eligible travel but not, for example, customer-specific data that is retained for other purposes, like loyalty programs, account registration or targeted marketing.
Better to rely on exemptions and exclusions, and enhance controls for nonaccess
To maintain a durable compliance program over time, it might be more secure to assure that any potentially covered data transactions rely on exemptions and exclusions, or to simply enhance technical and policy controls to prevent access from countries of concern entirely.
In contrast, positions that seek to rely on data transaction levels that remain below "bulk" thresholds could be less reliable, particularly where the ability to track specific volumes over a rolling 12-month period is challenging.
The path to 'restricted transactions' requires additional measures
For covered data transactions that do not qualify for exemptions or exclusions, and are not otherwise prohibited, a company can in principle proceed with those transactions if it complies with certain requirements for "restricted transactions."
The key requirements are to implement the Cybersecurity and Infrastructure Security Agency's security requirements, to develop and implement a written data compliance program that includes risk-based procedures for verifying data flows involved in restricted transactions, and to conduct annual independent — internal or external — audits for each calendar year in which such restricted transactions occur.
The application of the CISA security requirements would effectively prevent the intended recipient in a country of concern from processing personal data in fully identified form. That outcome may or may not be palatable depending on the nature of the transaction — for example, an investment by a covered person in a U.S. company versus access needed by a back-office service function in a country of concern.
Even in instances where fully restricted access in a country of concern or by a covered person is not fatal to a transaction, the documentation and auditing requirements are rigorous. Accordingly, whether companies might find use cases where it would be logical to proceed with restricted transactions will depend on the specific circumstances of each such transaction.
Senior management may need to make strategic decisions
For companies with significant exposure to the final rule, senior management may need to make strategic decisions about changes to business as usual — such as migrating data centers or teams outside of countries of concern. Depending on the context, it may be important to take final decision-making out of the hands of the specific business or functional unit impacted by such strategic decisions and ensure senior management is considering the situation from an enterprise level.
Empowering senior leadership should involve advice about the scope of the final rule and the potential consequences for noncompliance, including potential civil and criminal penalties. It should also involve a realistic assessment of the outlook that these types of restrictions are unlikely to go away any time soon.
In practice, there is not a one-size-fits-all approach to this analysis across all organizations. Companies that have a business strategy that is committed to retaining access to the markets, resources and talent in countries of concern may have more difficulty making changes that impact local operations, activities and investments in such countries.
The road ahead
This relatively new area of outbound data transfer regulations, motivated by national security concerns, is likely going to be here to stay for at least the short to medium term. The geopolitical risks are likely to continue to intensify and the rules are going to become increasingly complex.
Compliance efforts here are well-placed, as global businesses will need to remain closely attuned to these regulatory changes and enforcement activities in the coming months and years.
Brian Hengesbaugh is a partner and chair of global data privacy and security, and Janet Kim is a partner in outbound trade and investment compliance, with a focus on navigating geopolitical risks, at Baker McKenzie.