DOJ Data Rule Creating ‘Seismic’ Shift for US Privacy Compliance
DOJ’s new data transfer rule fundamentally changes how American companies should assess global data compliance, particularly concerning Chinese-related business, attorneys said in interviews.
The rule goes into effect April 8. It carries criminal and civil penalties for companies failing to safeguard personal and government-related data against access in countries of concern, including China and Russia (see 2501070056). Any major American brand engaged in digital-targeted advertising should be aware of the rule and its obligations, said Hintze’s Sam Castic.
Companies using third-party tracking tools need to restrict access to entities in these countries, he said. For example, companies will most likely need to stop using TikTok tracking pixels due to national security concerns, said Castic: The rule essentially “upends” a common understanding of “sensitive data,” which typically encompasses information like social security numbers, biometric data and confidential trade secrets. The rule applies broadly to data previously treated as widely available, he said.
Violators face civil penalties up to about $370,000 per violation, criminal fines of $1 million max and up to 20 years in prison. Attorneys said this combination makes the rule unique because U.S. privacy rules have historically not included criminal penalties. “What scares people is criminal penalties,” said Davis Wright Tremaine’s Michael Borgia. “Clients act differently when there are criminal penalties.”
The new rule has been a “non-stop” point of discussion for global clients, said Hogan Lovells’ Scott Loughlin. The compliance burden represents a “seismic shift” in how U.S. privacy rules apply to global data transfers, he said.
To this point, privacy regulations for American companies have focused on data coming into the country, not going out, said Wilmer Hale’s Ali Jessani: For instance, U.S. companies have had to comply with European standards under the General Data Protection Regulation when handling Europeans’ personal data.
Borgia noted that even deidentified and anonymized data falls within the scope of the rule, which has come as a “surprise” to some clients. There are national security concerns related to general patterns of activity, which can be derived from anonymous data, he said.
He agreed the focal point of the rule is China and, by extension, Hong Kong. It applies to Russia to a lesser extent because Americans conduct less business there than in China, he said.
Loughlin called the rule an interesting combination of data privacy, cybersecurity and international trade regulation: “It’s really all three of those coming together.” It includes data privacy mandates, cybersecurity standards and restrictions on international business. He said it’s going to be a significant undertaking for any global American company doing business in China or in the other countries of concern. Companies are now thinking “long and hard” about whether certain business relationships are worth the new compliance burden, he said.
Loughlin noted the bipartisan nature of the concept. DOJ released the rule in response to President Joe Biden’s executive order 14117, which built on EO 13873, a directive President Donald Trump signed in 2019. The rule also incorporates language from Congress’ 2024 foreign aid package, which includes bipartisan, China-related restrictions on business. While the Trump administration has worked to freeze and reconsider many regulations, the outgoing administration finalized the DOJ rule. Castic said he’s seen no indication Attorney General Pam Bondi wants to delay or reconsider the rule.