Privacy Daily is a service of Warren Communications News.
‘Know Your Data’

Compliance Attorney Breaks Down Complexities Surrounding DOJ Rule

Many American advertising technology companies could be “surprised” to find their transactions fall within the scope of DOJ’s data transfer rule due to the presence of Chinese adtech entities, Nancy Libin, a compliance attorney at Davis Wright Tremaine, said Friday (see 2504140047).


Speaking during a webinar with Future of Privacy Forum CEO Jules Polonetsky, Libin said the complex, 400-page rule has gotten the attention of U.S. general counsels, as well as privacy, cybersecurity and export control specialists at companies. It carries criminal penalties of up to 20 years in prison and up to $1 million in fines for violators.

“Know your data,” she said.

The first thing compliance teams should do is review data flows and determine if company transactions involve two types of covered data under the rule, she said: government-related data and U.S. bulk sensitive personal data. Companies need to determine if they meet the data volume thresholds, if they’re sharing such data with third parties and if those third parties are tied to China, Russia or other countries of concern.

DOJ’s FAQ document and compliance guide make clear that bulk sensitive data includes IP addresses, device IDs, advertising IDs and cookie data, all typically available to third-party advertising networks and analytics companies, she said. If vendors are located in countries of concern, “you are engaging in a prohibited transaction,” which covers many U.S. companies in the adtech space. “Because it’s such a complicated ecosystem, I think that really requires companies to do some due diligence to determine who some of these third parties are.”

An entity is covered under the rule if it’s 50 percent or more owned, directly or indirectly, by an individual or entity in a country of concern. Given that ownership can be indirect or aggregate, companies might need to “dig deeper” than they imagine in identifying owners' origins, she said.

Libin noted there’s a lack of clarity concerning the due diligence required to determine the origin of individual employees at companies when ownership doesn’t cross the 50 percent threshold. DOJ’s FAQ 58 attempts to answer this question, but it’s not “satisfactory” in conveying 100 percent clarity, she said. Libin's interpretation is that due diligence isn’t required for determining the origin of individual employees when company ownership doesn’t cross the 50 percent threshold.

Libin and Polonetsky discussed the requirement for companies to report when they reject a potential transaction because that transaction would violate the rule. Companies are in a way “deputized” in helping DOJ identify entities of concern, she said.

Libin highlighted the rule’s three restricted transactions: investment agreements, employment agreements and vendor agreements. If a company is involved in any of these, it must take steps to mitigate the national security risks associated with them, she said. This involves complying with security measures determined by the Cybersecurity and Infrastructure Security Agency. CISA has issued organization-level, system-level and data-level requirements. Libin recommended designating a point person to implement a CISA-compliance program.

Another provision of note, she said: All anonymized, encrypted and aggregated data falls within the scope of the rule. “If your data is encrypted, don’t assume” it falls outside the scope of the rule.