Privacy Daily is a service of Warren Communications News.
'Anyone' a Data Broker

State Laws Seen as Barometer for DOJ Data Transfer Compliance

U.S. companies can use state privacy laws to better gauge when they’re considered data brokers under DOJ’s data transfer rule, Hunton privacy attorney Michael La Marca said during a Tuesday webinar.

La Marca and fellow Hunton attorney Lisa Sotto analyzed aspects of DOJ’s Data Security Program (DSP), which the department will begin enforcing fully on July 8 (see 2504140047).

A good “rule of thumb” is that if a data transfer is considered a data sale under state privacy law, it’s “very likely” considered a data brokerage transaction under the DOJ rule, La Marca said.

He provided an example of a company that might unknowingly act as a data broker by allowing third-party advertisers, located in countries of concern like China, to drop cookies or tracking pixels on its website. The U.S. company is likely engaged in a data brokerage transaction because the recipient uses data from website visitors for purposes beyond providing direct website services to the consumer. These data collection activities often qualify as data sales under state privacy regulations, he said.

“While most companies certainly don’t think of themselves as data brokers, data brokerage is defined so broadly [under the DOJ rule] that it really encompasses any commercial transaction where you send personal data to a third party, who didn’t get that data directly from individuals,” he said. “Under the rule, anyone can be a data broker.”

However, these data brokerage transactions are only prohibited if they result in entities in “countries of concern” accessing bulk sensitive data or government data, he said.

There are different restrictions when companies allow access to other foreign entities. If the advertiser is based in the U.K., for example, the rule requires the U.S. company to enter into an onward transfer agreement prohibiting the U.K. entity from sharing the data with organizations in countries of concern, he said.

La Marca recommended two due diligence procedures: know your data and know your vendors. This could require screening software to determine if vendors are located in countries of concern or 50% or more owned by entities in those countries. He recommended documenting all data transactions in an auditable format. This means documenting specific details for restricted data transactions: types of data, data volume, identities of the entities handling data, end use of the data and transfer methods.

Starting Oct. 6, U.S. companies engaged in restricted transactions need to undergo independent audits annually, he noted. This involves examining every restricted transaction in the past year and determining whether those transactions comply with the rule, he said. Once the audit is complete, the auditor must produce a written report within 60 days.

Sotto said many companies are relying on the rule’s exemptions for certain data transactions. She noted DOJ provides “a ton of commentary” on the list of exemptions in the rule itself and its preamble. Exempted transactions include: personal communication, informational materials like news media, travel data, data related to official business of the U.S. government, financial services, corporate group transactions, investment agreements subject to review by the Committee on Foreign Investment in the United States, telecommunications services, drug and medical authorizations, clinical investigations and transactions required by federal law or international agreements.