New DOJ Rule Offers Privacy and Security Protections for Global Data Flow, Experts Say
Though the global flow of data and information is the basis for so many systems, having protections that ensure foreign adversaries and other bad actors can’t gain access to the data is crucial, said a panel of privacy lawyers and security experts at the American Bar Association's Privacy and Emerging Technology National Institute Friday. Accordingly, Justice's new data transfer rule is playing a major role, panelists said.
Sign up for a free preview to unlock the rest of this article
“The volume of two-way data flows between Europe and the United States is the largest in the world,” said Paul Lanois, director at the Fieldfisher law firm. “This is why we're talking about it today, because if there is any blockage, any obstacle to data flow, well, this is going to have a huge impact for organizations around the world.” These data flows are more at risk after the recent firings of two Democratic FTC commissioners, some privacy experts say (see 2503190046).
It's clear that “everything runs on data nowadays,” Lanois said. “If you don't have data flowing from the EU to the U.S. and the other way around … it impacts a lot what organizations are able to do.” The emerging technologies sector, in particular, relies on data flowing between nations, Lanois added.
Beyond that, the global information flow is critical to the Department of Justice, said Deborah Curtis, partner at Arnold and Porter and former CIA deputy general counsel. “While this information is so valuable to companies ... it is also the lifeblood of foreign intelligence," she said.
The DOJ’s new data transfer rule (see 2503100057) helps manage the data flow, said Devin DeBacker, chief of the foreign investment review section of the National Security Division in the U.S. Department of Justice. “If I had to give you a tagline for the rule, it's ‘export controls on data,’” he said. “We're talking about a program that, very much like sanctions, very much like export controls, sets up what are intended to be clearer requirements for U.S. persons when they engage in certain kinds of transactions involving sensitive data of Americans with” primarily foreign adversaries, both governments and companies based in those countries.
The rule is so important because “for the better part of the last decade, we've been doing this in what I would call a whack-a-mole, piecemeal, case-by-case fashion,” DeBacker said. “The problem is that you're doing the same thing over and over again to protect data from foreign adversaries,” you just “happen to be doing it in this one kind of relationship that exists in the world, which is an investment relationship. But …that's hardly the only kind of relationship that gives rise to concerns about access to sensitive data.”
DeBacker said that geolocation data and genomic data in particular could have extreme consequences if accessed by the wrong people.
Anthony Rapa, partner at Blank Rome, agreed. “The reason why these rules exist is because it's important to control the data,” he said. “Just in the same way that we control technical data under export controls … these forms of data in the wrong hands ... could end up leading to very bad outcomes.”
As such, DeBacker said, “we can't just be reactive about [compliance], we have to be proactive.” When coming up with the DOJ rule, we realized “this data lives everywhere, and so it's not a sector-specific regime that we're standing up here."