Businesses Face Uncertainty Approaching July 8 DOJ Data Rule Cutoff

Businesses Face Uncertainty Approaching July 8 DOJ Data Rule Cutoff

The Department of Justice's new Data Security Program (DSP), also known as the Bulk Data Rule, has far-reaching implications for companies, particularly those involved in data brokerage activities. According to WilmerHale Counsel Ali Jessani, the rule broadens the scope of data brokerage, targeting not only direct sales or licenses of personal data but also indirect data transactions through complex ownership or contractual arrangements.

The DOJ’s rule prohibits data brokerage transactions involving countries of concern (such as China, Russia, Iran) and covered persons without exemptions or licenses. This means companies that trade, sell, or license large sets of U.S. personal data must carefully vet counterparties and maintain strict compliance to avoid violating the rule.

Moreover, the rule includes indirect or routine data brokerage agreements, such as licensing databases to overseas analytics partners with foreign ties, as potential violations. This broad application greatly expands the kinds of transactions subject to regulation and enforcement, requiring companies to assess complex ownership structures and contractual relationships carefully.

Companies engaged in restricted transactions, such as vendor or employment relationships granting access to bulk data, are required to implement cybersecurity controls, conduct independent audits, due diligence, and maintain extensive recordkeeping. This raises compliance costs and operational burdens.

As a result, the DOJ’s data transfer rule can be seen as broadening data brokerage activities’ regulatory scope by scrutinising all modes of data transfer, direct or indirect, expanding the definition and oversight of risky data brokerage beyond traditional models. This heightens legal and compliance risks for companies collecting, handling, or transferring bulk U.S. sensitive personal data, necessitating rigorous governance and transparency measures to prevent civil and criminal penalties.

Ali Jessani, a privacy attorney at WilmerHale, stated that many companies could be surprised to find their business operations defined as data brokerage activities under the rule. The article emphasises that the new data transfer rule from the Department of Justice is expected to have significant implications for companies. Jessani made these comments in a recent Privacy Daily article, which delves into the challenges faced by companies in navigating compliance with the new rule and the potential impact on the targeted advertising industry. The article also suggests that the targeted advertising industry will need to re-evaluate the definitions of data brokerage in state privacy laws.

1. The new Data Security Program (DSP) from the Department of Justice, aimed at scrutinizing data brokerage activities, has expanded its reach to include both direct and indirect data transactions, such as companies licensing databases to overseas analytics partners with foreign ties in the finance, business, and industry sectors.
2. Companies involved in the targeted advertising industry could face significant challenges in navigating compliance with the DOJ's data transfer rule, as the revised definition of data brokerage activities under the rule may encompass their business operations, potentially leading to increased legal and compliance risks.

Read also: