Privacy Daily is a service of Warren Communications News.
‘Conservative’ Approach

DOJ Rule Has Companies Rethinking Data Flows, Operations in China

Companies are considering relocating business operations from China and cutting off certain data flows in a conservative approach to complying with DOJ’s data transfer rule, privacy attorneys told us in interviews.

In April, DOJ announced it would begin full enforcement of the rule on July 8, giving companies a three-month reprieve to consider their options (see 2504140047). Many have sought further clarity on complying with a measure that spans more than 350 pages. One strategy is to wall off operations from China, the rule's primary target.

Hunton’s Michael La Marca said the rule's end goal, particularly when it comes to the Cybersecurity and Infrastructure Security Agency’s security requirements, is to ensure covered persons in China don’t access Americans’ sensitive data. “A lot of clients are trying to think through whether it’s even worth the whole compliance burden versus just walling off physically all systems from China and any other countries of concern to ensure there are no restricted data transactions happening,” said La Marca. “Then they don’t have to comply with a pretty onerous rule.”

If a company implements CISA’s requirements correctly, the “end effect” is that covered persons can't access U.S. personal data, he said: “Access to the data is completely walled off either way, so the end effect is almost the same from a data perspective. ... It’s ultimately a business decision, but I think a lot of clients are definitely considering it.”

Another approach is to focus on how DOJ defines "prohibited" and "restricted" transactions. The CISA security requirements apply to restricted transactions, covering vendor agreements, employment agreements and investment agreements with covered persons or countries of concern. Companies must implement the CISA requirements in order to execute these types of agreements.

Prohibited transactions, on the other hand, are defined as data transfers with countries of concern or covered persons that fall into one of five categories. The categories cover U.S. persons knowingly engaging in "data brokerage" activity with covered entities; transferring data to any foreign individual without a contract containing onward transfer restrictions; transferring bulk human genomic data to covered entities; transferring data with the purpose of evading rule restrictions and prohibitions; and directing any covered transaction that would be prohibited or restricted if carried out by an American.

Gibson Dunn’s Stephenie Gosnell Handler said some clients are finding the CISA requirements so complicated that they’re opting to treat all transactions as prohibited, in order to simplify compliance as much as possible. “From a compliance approach, it’s easier just to treat everything as if it were blocked, rather than differentiate,” she said. “It’s a more conservative compliance approach to say we’re going to treat all of these transactions” as prohibited.

Handler noted companies are considering a wide range of approaches. Some began compliance efforts more than a year ago, while others started “weeks ago,” following the July 8 effective date.

"There's a range in perspectives," she said. "We're seeing more companies taking much more of a binary view of: 'We're not even going to bother with trying to achieve compliance with the restricted transaction provisions.'"

The CISA security requirements are “complex,” and companies “are probably spending time getting their hands around that,” said ArentFox’s Reed Freeman. “Just trying to get a hold of what the rule is requiring and prohibiting is complicated.” For example, the definition of data brokerage is difficult to apply in every instance, he said. “It's going to take DOJ a long time to figure this out.” He noted DOJ's National Security Division is now responsible for enforcing a national security rule that's also part export control and part privacy.

Added Handler, DOJ “overnight has become the biggest privacy regulator” in the U.S. DOJ didn’t comment.

There are more and more questions about how the rule applies "every week," said Orrick’s Matthew Coleman. Many companies have questions about whether they need to replace vendors with support services in China or if data flows should be reworked when there are affiliates or subsidiaries located in countries of concern. It’s a "material change to the business, and it requires a lot of thinking and a lot of planning to either shift how they do business, shift the data that they get access to or move those services elsewhere."

Many questions revolve around how the rule applies to deidentified and aggregate data that can be accessed by covered entities, he said: "There's a lot of ambiguity about how broad the rule could be interpreted, and I think we could use a little more guidance, particularly on that piece."