As US companies grapple with the intricacies of a new Department of Justice (DOJ) rule that governs the storage and use of personal data, the clock is ticking for organizations to achieve compliance by July 8. The consequences of non-compliance are severe, with potential civil and criminal penalties on the line, compelling companies to reassess their contracts, network operations, and data management protocols.
This DOJ rule, pivotal to national security, imposes restrictions and, in certain instances, outright bans on US companies sharing bulk sensitive personal data with individuals or entities in countries labeled as foreign adversaries, such as China, Russia, and Iran.
Though the rule took effect on April 8, the DOJ currently allows a grace period until July 8 for companies that demonstrate “good faith” compliance efforts. During this limited window, companies are encouraged to evaluate the rule’s implications on their activities and undertake necessary compliance actions.
- Internal Data Review: Businesses must scrutinize their internal datasets to identify those potentially covered by the rule. This encompasses sensitive data types such as genomic, biometric, geolocation, health, financial, and personal identifiers.
- Government-Related Data: Companies also need to determine if they possess government-related data, including geolocation data for certain sensitive sites or personal data linked to government personnel.
- Data Brokerage Agreements: Any entity involved in data brokerage must examine its agreements, including those not limited to Chinese, Russian, or Iranian connections, to ensure they are legally compliant, particularly concerning resale provisions.
- Vendor and Partnership Contracts: Crucially, agreements providing foreign entities access to regulated data require meticulous review. These transactions must conform to security protocols set out by the Department of Homeland Security.
In light of these requirements, the DOJ has made available a compliance guide with template language for contracts, although it emphasizes that each scenario may necessitate fact-specific legal analysis.
Rigorous compliance is not only a legal necessity to avert fines that may reach $1 million and prison terms of up to 20 years, but also a vital step in safeguarding sensitive national and commercial interests. As the enforcement deadline looms, businesses must act with urgency to align with the DOJ’s mandates.
The authors of the source material, John Carlin, Rush Atkinson, and Samuel Kleiner, are legal practitioners at Paul Weiss. They urge companies to swiftly assess their exposure under this new regime and proactively engage with the DOJ for guidance where needed.