Avoid the October Surprise: What You Need to Know About DOJ’s New Data Security Program

Warner Norcross + Judd

The Department of Justice’s (“DOJ”) Data Security Program (“the Program”, 28 C.F.R. Part 202) went into effect on April 8 with a 90-day period of limited enforcement. With DOJ now expecting full compliance, with additional data security measures and due diligence requirements going into effect on Oct. 6, and with potential civil and criminal liability for violations, here’s what you need to know about the changing data privacy landscape.

1. Background

The Program is a set of rules designed to protect sensitive U.S. data from being accessed by foreign governments or people connected to them. While the Program’s regulatory scheme is complex, it generally prohibits or restricts certain types of commercial transactions — such as data sales and access licenses, vendor agreements, employment agreements and certain investment agreements — that make specific categories of data (namely “government-related data” and “bulk U.S. sensitive personal data”) accessible to either countries of concern (China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela) or covered persons (including entities based in and individuals residing in those countries).

“Government-related data” includes precise geolocation information for a list of geofenced coordinates near government facilities and sensitive personal data linked or linkable to current or recent federal government employees and contractors. “Bulk U.S. sensitive personal data” includes six categories of data relating to U.S. persons — personal identifiers, personal health data, personal financial data, human ‘omic data (including genetic testing results), biometric identifiers and precise geolocation data — if the quantity of such data, alone or in combination, meets or exceeds specific thresholds in a single transaction or aggregated transactions over a 12-month period. Bulk U.S. sensitive personal data is defined without regard to whether the underlying data is anonymized, pseudonymized, de-identified or encrypted.

2. Prohibitions and Restrictions

Prohibitions: The Program prohibits “data brokerage” (e.g., data sale and access license) arrangements that involve a country of concern’s or covered person’s access to government-related data or bulk U.S. sensitive personal data. The Program further prohibits specific commercial transactions that involve a country of concern’s or covered person’s access to bulk human ‘omic data or human biospecimens from which bulk human ‘omic data can be derived. Importantly, the Program takes the additional step of prohibiting data brokerage with any foreign person — beyond countries of concern and covered persons — that involves access to government-related data or bulk U.S. sensitive personal data unless the underlying brokerage agreement contains certain contractual prohibitions on the subsequent use of that data.

Restrictions: In addition to the above prohibitions, the Program also restricts vendor agreements, employment agreements and certain investment agreements that involve a country of concern’s or covered person’s access to government-related data or bulk U.S. sensitive personal data. To lawfully engage in those transactions, a U.S. person must (1) comply with the organizational-, system- and data-level security requirements set forth in the Cybersecurity and Infrastructure Security Agency’s (CISA) Security Requirements for Restricted Transactions; (2) develop and implement a data compliance program that meets the regulatory requirements; (3) conduct specific audits for each calendar year in which a restricted transaction takes place; and (4) satisfy recordkeeping and, in some cases, reporting requirements to DOJ.

Exemptions: Certain transactions are exempted from the Program’s scope, including, among others, “data transactions to the extent they are for the conduct of the official business of the United States Government by its employees, grantees, or contractors... or transactions conducted pursuant to a grant, contract, or other agreement entered into with the United States Government.” Some data relating to transactions involving U.S. citizens in and with countries of concern is also exempt. As with prohibited and restricted transactions, however, questions about whether transactions are exempt from the Program’s requirements are fact-specific and require thorough analyses.

3. Key Takeaways

Identify Your Data: At its core, the Program implicates specific data, transactions and access. The first step toward compliance is knowing your data, which can include the kinds of data (personal health and financial, ‘omic and government-related data) that are often collected and maintained by health care providers, financial institutions, federal grantees and federal contractors.

Know How Your Data Is Used: Just as important is knowing how your data is collected, stored, shared and used. In a world of electronic health records, financial and payment processing records, outsourced and offshored corporate functions, expanding cloud storage and extensive international collaboration, having sophisticated knowledge of your data management and security practices and your vendors and contractors is crucial, as is ensuring appropriate contractual provisions are in place to protect this data.

Know Who Has Access: While the Program affirmatively requires specific due diligence for restricted transactions, the broader regulatory definition of knowledge — which imputes information that a person “reasonably should have known” — makes it imperative you take steps to evaluate the entities and individuals that may have access to covered data. For entities, this means taking steps to investigate their ownership interests, management structures, corporate affiliations and primary markets.

Reporting Requirements: The Program requires “any U.S. person” to report to DOJ, within 14 days, any rejected offer from an individual or entity that involves solicitation of a prohibited data brokerage transaction.

Steep Penalties: The civil penalties for knowingly engaging in unlawful acts (again, under the broad definition of “knowingly”) are up to the greater of $368,136 or twice the value of each unlawful transaction. Willful violations are subject to criminal fines of up to $1,000,000 and, in cases involving individuals, imprisonment for up to 20 years. The Program is nuanced and imposes requirements beyond existing data privacy regimes, such as HIPAA, the California Consumer Privacy Act and the General Data Protection Regulation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Warner Norcross + Judd

