DOJ Expects ‘Full Compliance’ With Data Transfer Rule by July 8

Companies are scrambling to audit international data programs after DOJ’s Friday announcement opening a 90-day grace period, in which the department won’t “prioritize” civil enforcement of its Data Security Program (DSP).

DOJ said Monday it will honor the 90-day window “so long as the person is engaging in good faith efforts to comply with or come into compliance.” On July 8, “entities should be in full compliance with the DSP,” said DOJ. “This policy does not limit NSD’s lawful authority and discretion to pursue civil enforcement if entities and individuals did not engage in good faith efforts to comply.”

Industry representatives and compliance attorneys told us DOJ’s announcement and accompanying statements make clear the Trump administration will enforce the rule to the full extent of the law, despite the rule originating with the Biden administration.

DOJ appears to be framing this within the context of President Donald Trump’s trade strategy with China, said Reed Freeman, co-chair of the ArentFox privacy and data security group. “This administration is very serious about China. So this rule is staying in place, and it’s going to be enforced.”

Said Hintze’s Sam Castic, Friday’s statement from Deputy Attorney General Todd Blanche underscores this is going to be an “enforcement priority.” Many companies have wondered about Trump’s stance, given how many Biden executive orders he has rescinded. Friday’s announcement “should really put that to bed,” said Castic. He noted DOJ’s announcement references Trump’s America First Investment Policy, an attempt to address the trade imbalance with China. “July is go-time, and between now and July, you’ve probably got a lot to do."

“This thread runs through multiple administrations and with this administration’s particular concern over competition with the Chinese on a number of fronts and their use of our personal data, this seems to be right in line with that thread,” said Software Information Industry Association President Chris Mohr.

The Information Technology Industry Council, in a statement Monday, appreciated DOJ’s 90-day commitment to limiting enforcement to “egregious or willful violations.” But ITI said it remains concerned over a lack of flexibility “for the full set of compliance requirements, especially regarding those for restricted transactions that are due to take effect later this year,” said General Counsel John Miller. “We welcome DOJ’s openness to engage with stakeholders over the coming 90-day period, and we look forward to discussing these issues in greater detail so that companies can have a clear and balanced roadmap to achieve full compliance with the program.”

In addition to the July 8 start for civil enforcement priorities, DOJ set an Oct. 6 effective date for “certain affirmative due-diligence obligations.” Mohr told us he’s not aware of further industry efforts to extend compliance deadlines. The DSP allows companies to apply for general and specific-use licenses that essentially operate as exemptions to the program, Mohr said. DOJ said in its compliance guide the NSD reserves “discretion to issue general licenses to authorize certain covered data transactions that would otherwise violate the Data Security Program,” and specific licenses “authorizing particular covered data transactions with a covered person or country of concern.”

Mohr expects the issuance of general licenses to be “relatively rare,” given the national security implications. DOJ plans to publicly release information about issuance of general licenses but not for specific licenses. Without more transparency, it could be difficult to predict the likelihood of receiving a general license, said Mohr.

Mohr said he expects the first wave of enforcement to target "bad actors," but there’s going to be a compliance burden for many companies nonetheless.

Target advertising service providers should inventory vendors and get clarity on what contract language will be needed to come into compliance, he said. “Now’s really the time to get those agreements cleaned up.”

Freeman noted DOJ's announcement includes sample contract language for compliance, which provides specific ways for companies to act. The sample language is a "helpful starting point," Castic added.