Data Industry Faces Uncertainty as DOJ Data Rule Deadline Approaches on July 8
In a recent development, the Department of Justice (DOJ) has enacted a new data transfer rule that aims to address the national security risk of foreign access to sensitive U.S. data. The rule, which specifically targets data brokerage activities, is set to have significant implications for businesses, particularly those in the targeted advertising industry.
The DOJ’s data transfer rule defines data brokerage activities as the transfer or licensing of bulk sensitive personal data of U.S. persons to foreign persons or entities, primarily those connected to "countries of concern" such as China, Russia, Iran, Cuba, North Korea, Venezuela, and Hong Kong. This rule prohibits data brokerage or data transactions with these countries or covered persons unless there are contractual safeguards to prevent the data from being subsequently transferred to a country of concern or covered person.
Moreover, transactions involving covered persons, including vendors, employees, or investment agreements, are restricted unless they meet the cybersecurity standards set by the Cybersecurity and Infrastructure Security Agency (CISA). These transactions are subject to due diligence and audits starting in October 2025.
The rule defines data brokerage as a covered data transaction where a U.S. company knowingly transfers bulk sensitive personal data to recipients who did not collect or process the data directly from individuals, such as licensing a chatbot trained on bulk sensitive U.S. personal data to a foreign entity, knowing it can access that data.
This differs from many state privacy laws, such as those in Texas and California, which focus on consumer privacy rights, data minimization, consumer consent, and transparency regarding personal data collection and use. They primarily target practices in targeted advertising through regulating the collection, processing, sharing, and selling of personal data for advertising purposes. These laws define "data brokers" more generally as businesses that collect, process, or transfer consumer data, with requirements for registration, disclosure, and opt-outs for advertising-related data use.
As a result, the DOJ’s rule is more restrictive and security-focused, while state privacy laws emphasize consumer rights and control in the advertising/data broker ecosystem domestically. This shift in focus could lead to a reevaluation of data brokerage definitions in state privacy laws by the targeted advertising industry.
Ali Jessani, a privacy attorney at WilmerHale, has discussed the potential implications of the new rule. He stated that the rule is broad and could lead to more business for privacy lawyers as companies navigate compliance. The rule could also result in additional clients for privacy lawyers, with potential new projects for current clients.
The new data transfer rule has been discussed in a recent Privacy Daily article, and many companies could be surprised to find that their business operations are defined as data brokerage activities under the new rule. As the industry adapts to this new regulation, businesses will need to carefully review their data practices to ensure compliance.
The DOJ's new data transfer rule, targeting data brokerage activities, could pose challenges for businesses, especially those in the targeted advertising industry, as it prohibits data transactions with countries of concern unless there are contractual safeguards in place to prevent data from being transferred to these countries. This rule, focused on national security and data privacy, may lead to an increase in clientele for privacy lawyers, with potential new projects for existing clients.
Given the broad scope of the rule, many companies might discover that their data practices constitute data brokerage activities, and thus, they will need to carefully assess and adjust their business operations to ensure compliance with the new regulation, within the domains of finance, industry, and business.
