Lawyers Urge Inventory Before Enforcement of DOJ Data Transfer Rule Begins July 8
Understanding “data flows” and “who has access" are the most important steps in making a good-faith effort to comply with the DOJ’s bulk data transfer rule before a three-month grace period ends, said privacy attorney Nancy Libin during a Davis Wright webinar Tuesday. DOJ will begin full enforcement July 8 (see 2504140047).
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
President Donald Trump’s DOJ appears committed to the rule, despite its origins in the Biden administration, said Davis Wright attorney Michael Borgia. The department's April 11 press release “firmly establishes this rule as being consistent with Trump administration priorities,” tying it to prior Trump executive orders and the administration’s America First investment policy, Iran strategy and effort to combat supply-chain risks, Borgia said.
July 8 is “just a few weeks away,” noted Libin, but companies that make a good-faith compliance effort before then won’t be held liable for civil violations that occurred during the grace period. “The first order of business is to know your data and know your data flows,” she said. “The rule applies to any knowing engagement in any of these prohibited or restricted transactions. Knowing means that you know or should have known, and so you do have an obligation to understand what data you possess, what kind of data you make available to others [and] what kinds of agreements you have in place that may facilitate access to this data.”
Data brokerage agreements are “absolutely prohibited under the rule,” Libin stressed. A presentation slide during the webinar showed that prohibited data brokerage “can include U.S. companies with websites or apps using tracking pixels that transfer data to covered persons or countries of concern, expanding beyond traditional data brokerage definitions.”
Know “your vendors and [your] vendors’ vendors,” Libin recommended. “Take a good look at what cookies and other tracking technologies are on [your] websites and accessing data, and it's a good time to inventory all of that and make sure that you have processes in place to stay on top of that.” That way, she said, “you're not unwittingly allowing access to … this data to a company that provides tracking technology, a company in China or [a company] that has Chinese ownership.”
Borgia said be “very cautious when you're saying, ‘We're OK because we don't know X.’ You might learn X [later]. People talk, situations change, and you need a plan.”
Many privacy attorneys are briefing companies on the July 8 deadline. “The DOJ is readying for civil enforcement ... but there is still time to take meaningful steps toward compliance,” blogged Kim Peretti and other privacy lawyers at Alston & Bird on Monday.
By July 8, “companies should have compliance around ‘data brokerage’ transactions,” the lawyers said. By Oct. 6, “organizations that engage in ‘restricted’ transactions must build a ‘Data Security Program’ -- including by implementing certain CISA-mandated cybersecurity controls for systems accessed by ‘covered persons’ from ‘countries of concern.’”
“As the clock winds down, organizations should make sure that they are not covered by the Bulk Data Rule, which can be a difficult process given complex data flows and transactions,” the Alston & Bird lawyers said. “Or, if an organization is or might be covered, it should take action toward implementing the items in the DOJ’s Compliance Guide and develop an effective compliance program.”
During a Hunton webinar last week, lawyers suggested that U.S. companies use state privacy laws to better gauge when they’re considered data brokers under DOJ’s data transfer rule (see 2506170057). Orrick attorneys recommended a “good-faith” compliance checklist at a conference last month (see 2505070070).