Attorneys Recommend ‘Good-Faith’ Checklist for DOJ Data Compliance
There’s a checklist companies can complete to show they’re operating in “good faith” to comply with DOJ’s Data Security Program before full enforcement begins July 8 (see 2504140047), Orrick attorneys said Wednesday at the Privacy + Security Forum Spring Academy event.
“The clock is ticking” on the 90-day window DOJ offered in delaying civil enforcement, said Jeanine McGuinness, a lawyer who focuses on cross-border transactions. “Now is the time to start evaluating what data you have” and possibly reconsider certain foreign business activity.
Matthew Coleman, a privacy attorney at Orrick, said the list of “good-faith” tasks includes internal reviews of data-flow mapping; inventories of data broker transactions; and negotiating onward transfer provisions in vendor, investor and employment agreements.
If companies are doing business with foreign entities, including those outside the countries of concern, they need to have onward transfer restrictions in agreements, he said. In addition, companies should ensure they follow the Cybersecurity and Infrastructure Security Agency's compliance requirements, Coleman added.
The department will likely exercise discretion when imposing penalties starting in July, but the statutory terms are clearly laid out in the International Emergency Economic Powers Act (IEEPA), said McGuinness. She noted IEEPA sets the maximum civil penalty at twice the value of the illegal transaction, or $368,000, whichever is greater. Willful violations carry penalties of up to 20 years in prison and fines as large as $1 million. “There will be a lot of discretion on the part of the government in terms of whether to take enforcement action and, if so, which sort of penalty to propose.”
Coleman and McGuinness acknowledged there are complicated questions about when a transaction is covered under the rule. Hypothetical scenarios involving Chinese employees working for U.S. companies or U.S. citizens working for Chinese companies and subsidiaries, along with other questions about the type of data transferred, have created compliance confusion, they said.
“You’ve got to kind of look back to the purpose of this rule, which is national security,” said Coleman. Compliance is going to be challenging, which encourages companies to “invest more in the U.S. or at least in resources that aren’t based in countries of concern.”
A second panel on Wednesday tried to provide clarity. If an employee resides in the U.S., even if the person is Chinese, he or she is defined as a U.S. person under the rule, said Covington attorney Julia Post. A Chinese person passing through the U.S. on a short-term basis wouldn’t be considered a U.S. person, however. Notably, Covington’s Ingrid Price said DOJ can name anyone to its covered-person list.
The origin of ownership is key, said Joseph Whitlock, senior policy director at Business Software Alliance. As a hypothetical, he said, if a U.S. company is working with a Danish entity, owned by a Danish contractor, owned by another Danish company that is 50% or more Chinese-owned, all entities in the chain are “covered persons” under the rule.
Whitlock also highlighted that DOJ is developing a covered-person list of entities and individuals designated by the attorney general as covered under the rule, so companies need to test whether they’re working with entities tied to individuals on DOJ’s rolling list.
Coleman and McGuinness recommended companies extensively document their business relationships, should any unexpected ties to countries of concern arise. Companies are not expected to determine whether an individual is subject to the influence or control of a country of concern, said McGuinness. The covered transactions are based on where business partners are located, their principal place of business and potential ownership from people in countries of concern, she said. Nor are companies expected to dig into their partners’ “unofficial associations” with countries of concern, she said: That lessens the burden “a little bit” for U.S. companies.