What does the DOJ final rule on protecting Americans' sensitive data from foreign adversaries really mean for global business?


Contributors:
Brian Hengesbaugh
CIPP/US
Global Chair, Data and Cyber
Baker McKenzie
Janet Kim
Partner
Baker McKenzie
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
This article accompanies a primer on the U.S. Department of Justice final rule on protecting Americans' sensitive data from foreign adversaries.
The U.S. Department of Justice's final rule on protecting Americans' sensitive data from foreign adversaries is now in effect. On 11 April, the DOJ's National Security Division took further steps to implement the final rule and also issued a limited 90-day enforcement policy promising not to take certain enforcement actions against companies engaging in good faith compliance efforts until 8 July.
The final rule represents a novel approach to U.S. national security concerns related to sensitive personal and government-related data. It mixes elements of U.S. sanctions, foreign investment, and cybersecurity and data privacy regulations, but its concepts, definitions and objectives do not always align with those programs. As a result, the final rule is difficult to parse for legal and privacy professionals.
As multinationals undertake the challenging task of identifying and addressing potentially covered data transactions among their group operations and third parties, certain patterns have emerged. These early observations and suggestions can lead to greater efficiencies in this complicated task and also create the scaffolding for a more durable compliance program for the future.
Directly at issue: Shared service centers, processing activities in countries of concern
Companies that have placed group operations in identified countries of concern, including China, Hong Kong, Macau and Russia, will likely have more significant challenges under the final rule.