Privacy Daily is a service of Warren Communications News.
‘Brand-New Regulator’

Industry Lacking Clarity Ahead of July 8 Deadline for DOJ Data Rule

DOJ’s data transfer rule goes into full force Tuesday, but many companies are still seeking clarity from the department about compliance, privacy attorneys told us in interviews this week (see 2504140047).

“Companies are looking at a lot of the vague language in the rule and wondering: How far does this go?” said Reed Freeman, co-chair of the ArentFox privacy and data security group. “There’s going to need to be a lot more meat on the bone of this thing to help companies figure out what to do.”

DOJ in April released a compliance guide and FAQs and announced it would start full enforcement on July 8. The department didn’t comment Thursday on the possibility of releasing additional materials for compliance guidance.

Hintze’s Sam Castic, co-chair of its Cybersecurity and Breach Response Group, said many companies believe they might be working through compliance issues well after July 8. This is particularly true when it comes to shifting operational and employee functions when there are ties to countries of concern like China, he said.

WilmerHale privacy attorney Ali Jessani said many companies could be surprised that their business operations are defined as data brokerage activities under the rule. The targeted advertising industry will need to take a hard look at those definitions, which differ from data brokerage definitions in state privacy laws, he said. “I think it’s definitely leading to more business for privacy lawyers as a result of how broad the rule is,” whether that’s additional clients or new projects for current clients, he said.

The rule allows companies to apply for general and specific-use licenses that essentially operate as exemptions to the program. DOJ said in its compliance guide the department reserves “discretion to issue general licenses to authorize certain covered data transactions that would otherwise violate the Data Security Program,” and specific licenses “authorizing particular covered data transactions with a covered person or country of concern.”

Freeman said DOJ has discouraged applications for those licenses until July 8, as it sorts through ongoing compliance questions. There could be a lot of interest in those licenses, said Freeman, noting the estimated review for each license application is at least 45 days. “No one in the world knows what DOJ is expecting or how that process is going to work.”

Freeman added that DOJ compliance documents to this point haven’t provided the same level of detail other agencies share, noting the FTC’s guidance for rules like the Children’s Online Privacy Protection Act. “They’re a new regulator in the data space,” he said. “They’re a brand-new regulator here, so nobody knows what they’re expecting, what they’re prioritizing, what they think a program should look like and must have.”

One compliance challenge is identifying foreign entities or persons subject to the rule, said Castic. It becomes complicated when looking at the percentage of ownership, either direct or indirect ownership from shareholders, private owners and parent companies, he said: “There isn’t a lot of publicly available information that reveals all of that.”

For example, a company with 10,000 customers and 1,000 vendors might find it difficult to identify all the covered persons and entities involved, especially when shareholders change every day, he said.

Freeman and Castic said that because the rule was intended to address national security, they expect initial enforcement to focus on egregious behavior enabling foreign access to sensitive information like geolocation, biometric and genetic data.

“That’s where I have to imagine they’ll focus, but it remains to be seen” if they’ll target a company that is trying to do the right thing but has compliance issues “on the edge,” said Castic.