RegFi Episode 63: DOJ Issues Final Rule on International Data Transfers
39 min listen
Orrick Partners Matthew Coleman and Jeanine McGuinness join RegFi co-hosts Jerry Buckley and Sherry Safchuk to explore the implications of the Justice Department’s recent issuance of a final rule prohibiting and restricting certain transfers of bulk personal sensitive data and U.S. government-related data. The group discusses what data transfers are restricted, what countries and individuals are implicated and what U.S. companies should do to ensure compliance.
Jerry Buckley: | Hello, this is Jerry Buckley, and I am here with RegFi co-host Sherry Safchuk. The subject we are going to explore today is perhaps the most significant development related to data and privacy protection that has happened at the federal level over a number of years. On April 8, a new Justice Department rule came into effect. It's titled "Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern and Covered Persons." Now, that is a mouthful. So, the Department of Justice refers to the rule, and the broader administrative direction, as "Data Security Program," or DSP, and that's the term we'll use from now on. The rule addresses what the U.S. government considers to be national security risks posed by continued efforts of countries of concern to access, exploit, and weaponize Americans' bulk sensitive personal data and U.S. government-related data. To provide our listeners with an understanding of the DSP, its broad reach, and its implications for companies engaged in international commerce, we are joined by Matthew Coleman and Jeanine McGuinness, who are both partners of ours at Orrick. Matthew's practice focuses on complex multi-jurisdictional privacy, cybersecurity, and information governance issues. He develops global privacy and cybersecurity programs to meet state, federal, and international laws. He helps to identify and mitigate risks during mergers and acquisitions. And he handles all forms of product counseling related to the processing of data. Jeanine concentrates on U.S. trade and investment laws applicable to cross-border transactions, focusing on U.S. economic sanctions, anti-money laundering laws, anti-boycott laws, the Foreign Corrupt Practices Act, and transaction reviews by U.S. national security agencies. So, let's set the table for this discussion by letting Matthew and Jeanine describe the newly issued DOJ rule, what motivated it, what data is covered, who must comply, and the timeframe for compliance. 
Matthew, as you and I have discussed, when the EU promulgated the General Data Protection Regulation, it restricted transfers of personal data outside the EU. But I think the DSP is the first major regulatory initiative in the United States to restrict transfers of personal data outside the United States. So, Matthew, your observations. |
Matthew Coleman: | Yeah, wonderful. And thank you so much, Jerry and Sherry, for having me here today. So absolutely, this is a novel case for the United States, where there are actual restrictions around the transfer of personal data extraterritorially. We've seen examples of data localization requirements, like you mentioned, in Europe under the GDPR, in Russia, in China, even in the province of Quebec in Canada. But here is kind of a matter of first instance for the United States. And so, I'm going to answer some of those questions about the table setting around the law in a little bit of a different order. But I want to give a little bit of background. So, the way this regulation came to be is actually from a Biden executive order, Executive Order 14117, and it was issued under the authority of the International Emergency Economic Powers Act, which is the authorizing statute for most U.S. sanctions programs. So, the rule itself actually just went into effect on April 8th, on Tuesday last week. And shortly after, the DOJ issued guidance and more than 100 FAQs just this past Friday. So, we're still in the process of digesting a lot of this information. The rule's been published for a while, but as you can imagine, there were a number of questions that the DOJ has sought to answer through this guidance and through these FAQs. So, we're kind of building the airplane as we're flying it a little bit here, but we'll do our best. Part of that guidance includes a general 90-day deferral on enforcement. The DOJ, it provided an enforcement policy, an implementation and enforcement policy as well. That indicated there's going to be a little bit of grace provided that they're not going to prioritize civil enforcement actions against any person who's taking some good faith efforts to try and come into compliance with the data security program's requirements through July 8th. So, there's a little bit of time, but as you can imagine, there's a lot to do before that deadline. 
So, about the rule itself, though, what it seeks to address is what is, in the United States government's view, a mounting risk that these countries of concern could use advanced technologies like AI to process large quantities of U.S. sensitive personal data or U.S. government data and then leverage those insights for purposes like malicious cyberattacks or other destabilizing activities. The rule also aims to mitigate some of the perceived risks of AI-assisted tracking and development of, say, profiles about U.S. individuals or members of the military, other federal employees, and contractors for illicit purposes like blackmail or espionage or anything that could be a national security risk. At its core, the rule prohibits U.S. persons from engaging in what are called "covered data brokerage transactions," and we'll get into what that means in a moment, with people who are in countries of concern or with countries of concern themselves or covered persons. And it restricts rather than prohibits certain vendor employment and investor agreements with countries of concern or covered persons involving certain types of data transfers. So, in order to understand what that rule is, those restrictions, and what's prohibited, we have to review some of the relevant terms and background. So, we'll do some table setting. The rule is very complicated. And we're going to try and focus on what U.S. companies need to know and how to carefully review some of these requirements in light of their particular factual circumstances. So, I'll hand it over to Jeanine to walk through some of these definitions. |
Jeanine McGuinness: | Thank you, Matthew. And also thank you, Jerry and Sherry. I'm delighted to be here. So, our listeners will not be surprised to hear who some of the countries of concern are. Essentially, so far, the rule establishes China, including Hong Kong and Macau, Cuba, Iran, North Korea, Russia, and Venezuela as countries of concern, and it may be amended in the future. The way that the government determined who would be on this list is it would be countries that the U.S. government has determined have engaged in a long-term pattern, or serious instances of conduct that are significantly adverse to the national security of the United States or to the security and safety of U.S. persons, and that pose a significant risk of exploiting this relevant data to the detriment of U.S. national security or security and safety of U.S. persons. So again, not surprising, China's at the top of the list. So, in many of our examples throughout our podcast, we may just be referring to China as a primary example. So, "covered persons," as defined under the regulation, include both entities and individuals. And it's entities that are organized or have a principal place of business in China or are 50% or more owned, whether directly or indirectly, individually or in the aggregate, by one or more countries of concern or by one or more covered persons. Covered persons also include foreign individuals, non-U.S. individuals, that are employees or contractors of a country of concern or a covered person, or who are residents of one of the countries of concern. There is another category of covered persons, and that is those that are specifically designated by DOJ as a covered person. So, this will sound familiar to those who are used to dealing with OFAC. So OFAC obviously designates a number of persons, puts them on various lists. 
In this case, there'll be a list that DOJ maintains where they've decided that someone is a covered person on the basis of ownership or control by or because they're acting for or on behalf of a covered person or a country of concern. This will be a public list, and U.S. persons will be expected to check it, but that's not sufficient. As we'll talk about later, there'll be numerous things that you have to do in terms of diligence, and not all covered persons will be on the list, only those who are specifically designated by DOJ. So, you need to make sure whether a counterparty is otherwise considered to be a covered person. |
Jerry: | Let me interrupt you for one second to ask, your reference is to a list to be supplied, but obviously compliance is seemingly required now, although there'll be a grace period until July 8th. Where do you find the list? |
Jeanine: | Sure. So, there is a DOJ website. The names will be published in the Federal Register and then will be incorporated into the DOJ's National Security Division's covered persons list. And it will be available at www.justice.gov/NSD. But again, Jerry, even if a party is not on the list, there still could be a prohibition or restriction on doing business with or conducting certain data transactions with that party. So, it's important to realize that this is not, you know, you can't sort of just do a list-checking exercise. |
Jerry: | It's the first place to stop, but not the only place to look. |
Jeanine: | Exactly. Yes, exactly. So, Matthew, I'll turn to you then for a discussion of what exactly is the data that we're talking about here. |
Matthew: | So, the DSP covers two primary categories of data: bulk sensitive personal data and U.S. government-related data. So, I'll take each of those in turn. So bulk sensitive personal data are certain enumerated categories of personal data relating to U.S. persons, regardless of whether that data is anonymized, pseudonymized, de-identified, or encrypted. That actually goes a lot further than any of the privacy or data protection regimes we see in place today, which generally exclude anonymized or de-identified data. Each of the categories, there's a numerical threshold for which the rule will come into effect. If you're processing a certain number of U.S. persons' data under these categories, the restrictions may apply. But let's talk about each of the categories, at least at a high level. So, the first is the most general: covered personal identifiers about an individual, which could include government identification numbers, financial account numbers, device-based or hardware-based identifiers. It could include advertising identifiers. So, it's fairly broad. But among these pieces of information, it's when they're combined with either each other or with information disclosed in the relevant transaction in a way that the identifier is linked or linkable to certain of the other listed identifiers that we're going to get into in a moment or other sensitive personal data. Otherwise, precise geolocation is one of the categories. Biometric identifiers, including facial images, fingerprints, voice prints, gait analysis, things like that. A category called human-omic data, which includes genomic data, epigenomic data, proteomic data, transcriptomic data. All of those are defined separately, but you can imagine what some of those categories include. General personal health data, information about people's health conditions. 
And then I think most relevant to the audience here: personal financial data, including credit card and bank account information, purchases, payment history, information from financial statements, and credit or consumer reports. And again, each of those categories has a slightly different category threshold in order for the rules and restrictions to apply, depending on the type of data. And those thresholds range from 100-plus U.S. persons in the case of human genomic data or all the way up to 100,000-plus U.S. persons in the case of just general covered personal identifiers. |
Jeanine: | Sorry, I was going to say, Matthew, on that point, for this audience, the threshold for personal financial data is over 10,000 U.S. persons. So, you'll have to keep that one in mind as you're going forward. |
Matthew: | Right, exactly. And as regards to government-related data, there are a couple of enumerated categories of government-related data, including precise geolocation data: data for any location within specified geofenced areas associated with military, government, or other sensitive locations. And then sensitive personal data, regardless of volume, there's no bulk quantity here, that's marketed as or is linked to or linkable to current or recent former U.S. government employees or contractors or former senior officials, including military and intelligence personnel. And so, once you have that background of what the type of data is, what's important to understand is whether any transactions that a company is engaging in might be prohibited or restricted or exempt. And I'm going to hand it over to Jeanine to walk through that. |
Jeanine: | Sure. Thank you, Matthew. First, we'll go through prohibited transactions. The rule prohibits three categories of these very highly sensitive covered data transactions. The first are what are called data brokerage transactions that involve access by a country of concern or a covered person to covered data, and that is data in one of the categories that Matthew just discussed. So, "data brokerage" is defined under the rule as the sale of data, licensing of access to data, or a similar commercial transaction, excluding employment agreements, investment agreements, or vendor agreements, that involves the transfer of data from one person, considered the provider, to another person, the recipient, where the recipient did not itself collect or process the data directly from the individual that's linked or linkable to the data. The rule also prohibits data brokerage transactions with non-covered foreign persons. So, for example, just with a European company, unless the U.S. person enters into a contract that requires the foreign person to refrain from engaging in a covered data transaction involving that data with, say, China or another covered foreign person. And it also requires U.S. persons to report to the National Security Division any violations by their foreign counterparties of those contractual undertakings. So, if you enter into an agreement with a European company and you learn that they go ahead and send the data on to someone in China, then you would need to report that to the U.S. government. And finally, the last category of prohibited transactions are transactions that provide a country of concern or a covered person access to bulk human-omic data or human biospecimens from which human-omic data can be derived. The second category are restricted transactions. So, the rule permits these other types of covered data transactions only if they comply with security requirements that were recently issued by CISA. 
And these restrictions apply to covered data transactions that involve any of the following: Vendor agreements, which we mentioned before, are any agreement or arrangement, except an employment agreement, in which any person provides goods or services to another person, including cloud computing services, in exchange for payment or other consideration. The other types of restricted transactions involve employment agreements or investment agreements. And by October 6th of this year, any U.S. person that engages in any type of restricted transaction is required to develop and implement a very strict data compliance program as specified in the rule. And any U.S. persons that engage in restricted transactions after that date are required to conduct annual independent audits that examine their compliance programs. And so, there is a separate link to the CISA requirements, which are quite onerous in terms of requiring anonymization and encryption, et cetera, so that the actual personal information cannot be forwarded to the party of concern. And lastly, there are certain exempt transactions, certain data transactions, including, among others, those that involve personal communications, the importation or exportation of information or informational materials, or those that are ordinarily incident to travel to or from any country. Those first few that I mentioned, those are based on certain exemptions that have been for many years built into the IEEPA program, the International Emergency Economic Powers Act. Very importantly, though, for this audience, there is an exemption for data transactions that are ordinarily incident to and part of the provision of financial services. And so, we'll discuss those in a little more detail in a little bit. |
Matthew: | And I wanted to note that the DOJ rules and the FAQs that were provided, they do provide examples of each of these exemptions, and the contours of them aren't always clear. And so, in a lot of cases, there may be some factual circumstances that are on the edge of whether or not an exemption applies. So, it's worth exploring those in detail to see whether or not any transactions a company is undertaking may end up falling into an exemption or may ultimately be restricted or prohibited. |
Sherry Safchuk: | Thank you so much for joining us, Jeanine and Matthew. The podcasts focusing on privacy are some of my favorites, so I appreciate you joining us. So, turning to my question, as you know, privacy and data security rules for financial service providers at the federal level are derived mostly from two statutes, the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, both of which are more than 25 years old. Most of the new initiatives around privacy and data security are not focused on general federal privacy law, even though Congress has tried but has been unsuccessful in adopting such law. Now along comes this DSP that, it seems, will have a large impact on U.S. financial services firms and other U.S. companies that transfer personal data outside the United States. Jeanine, what would you advise financial service providers and other companies whose business involves transfers of personal information abroad? |
Jeanine: | Sure. Thank you, Sherry. It's important to note that the rule defines data brokerage transactions much more broadly than common sense might suggest or that other laws specifically targeting the data brokerage industry do. So, therefore, the rule could impact any industry where a threshold amount of sensitive personal data is transferred, although we would expect certain industries to be impacted more than others, particularly in terms of transactions involving sensitive personal data and human biospecimens. So, for example, the financial services industry, life sciences and pharmaceuticals, and traditional data brokers and social media companies and advertising technology providers. But specifically in terms of impacts to financial services companies, I noted earlier that data transactions are exempt to the extent that they are ordinarily incident to and part of the provision of financial services. And financial services include things like banking, capital markets, financial insurance services. The rule refers to financial activity that's defined in like OCC regulations and related statutes, as well as Federal Reserve regulations and the underlying statute. It also includes the transfer of personal financial data or covered personal identifiers incident to the purchase and sale of goods or services, such as purchase, sale, and transfer of consumer products and services through online shopping or e-commerce marketplaces. As well as provision or processing of payments or funds transfers, such as P2P, business-to-person, and government-to-person transfers that involve the transfer of personal financial data or covered personal identifiers, or providing services that are ancillary to processing payments and funds transfers. It's important to analyze whether a particular data transaction is ordinarily incident to and part of the provision of the financial services being provided in order to determine whether the exemption applies. 
And the rule includes several examples that suggest that in order to take advantage of this financial services exception, the financial services must involve a party in China or another country of concern. So, an example of an exempt transaction that the rules give is where a U.S. bank, as ordinarily incident to and part of facilitating payments to U.S. persons in China, stores and processes those customers' bulk financial data using a data center operated by a third-party service provider in China. And that service provider and the working with that service provider, that's pursuant to a vendor agreement, involves access by a covered person to personal financial data, but it's exempt because it's ordinarily incident to and part of facilitating the international payment to that person in China. In contrast, another example under the rule provides that if the underlying payments are between U.S. persons in the United States and don't involve China, the use of that service provider in China, even though it's a vendor agreement, is not exempt because it involves access by that covered person to this bulk personal financial data. And the use of that person in China is not ordinarily incident to facilitating this type of financial transaction. And one of the new FAQs also addresses this, one of the ones that was issued last week. It provides that this financial services exemption doesn't include all data transactions that are part of the operations of financial services entities that are regulated by federal and state banking or insurance regulators. They emphasize that the type of activity rather than the type of entity is what is relevant to determining whether or not the exemption applies. So just because you're a financial services company or a financial institution, everything you do doesn't automatically fall within this exception. 
For example, an employment agreement, including hiring a board member, or a vendor agreement, including contracting a cloud service provider that gives a Chinese person, for example, access to bulk U.S. sensitive personal data, that is not ordinarily incident to and part of providing financial services for the financial institution's wholly domestic operations would not qualify for the exemption. So, you have to be very, very careful as you go through it. As Matthew said, these are complicated, and you're going to want to look example by example to see whether your activities fall within the exception. |
Sherry: | That's really very interesting because right now, the financial services privacy laws are also based on the activity versus the type of entity. So, for example, the Gramm-Leach-Bliley Act, it applies to any information you obtain to provide a financial product or service. And so, I think it's really interesting that this rule also kind of looks at it from the activity as opposed to the entity. |
Jeanine: | Right. And as I said, Sherry, like one of the examples suggests that, conversely, not everything a financial institution does is under this exception. But you don't have to be a financial institution to qualify for this exception in certain circumstances, like where we talked about the online shopping or e-commerce marketplaces, if you're dealing with, you know, depending on the facts and circumstances. |
Jerry: | Well, you know, I may not have a representative sample, but from what I've heard, some companies have anticipated this rule, which, after all, was promulgated as a proposed rule over a year ago. But there seem to be quite a few companies that haven't focused on the fact that the rule will require them to put a compliance program in place rather quickly. One thing our podcast listeners may want to look at is their international operations and think about how the rule applies to them. Matthew, how would you advise a company that is just beginning to become aware of the potential impact of the rule? How should they proceed? |
Matthew: | Thanks, Jerry. It's a great question. So, there are a number of different things that an organization likely already has in place that they can leverage. And I think the first thing that I would remind any of the listeners is that while most of the DSP has taken effect, as we mentioned, the DOJ indicated that it's not going to prioritize civil enforcement actions against any person for violations that occur between April 8th and July 8th, so long as they're engaging in some good faith efforts to get there, to comply with, or come into compliance with those requirements of the DSP in time. So now is the time that companies should, if they haven't yet, start looking at the rules, analyzing how the regulation is going to affect them, and evaluating their cross-border data transfers to see whether or not they're engaging in any covered transactions. And what that requires is a certain level of diligence. And again, these are diligence practices that most global organizations or organizations, particularly in financial services, that have to deal with things like sanctions compliance may already have in place, and just a matter of expanding those existing structures to fit the bill for these requirements as well. So one thing is I would echo what Jeanine had said before about analyzing the types of transactions and seeing whether or not any of those transactions are going to be subject to any of the covered elements, prohibited transfers, restricted transfers, or any of the exemptions, and then figuring out exactly who the counterparties are going to be on the other side. 
So if we can break that down a little bit, some examples of diligence activities that companies in the U.S. may already be familiar with include doing data mapping, conducting a thorough examination of the data a company is processing so they can understand what type of data they're processing, whether any of that data is covered data, and then whether covered data may be implicated in any vendor engagement, any customer transaction, any cross-border data transfer by tracking cradle-to-grave what is the flow of that data through not only the company systems, but also through its vendor systems or any third-party recipient of that data. So, they can flag, draw some lines around particular processing activities or vendor relationships or vendor systems that might involve either covered data or be covered transactions that require some additional diligence. Jeanine has a background in doing KYC for the purposes of international sanctions compliance. So, I'm going to kick it over to her to talk a little bit about how companies can leverage that process. |
Jeanine: | Sure. Yeah. So, you should be looking at your "know your customer" and "know your vendor" processes. And, if you discover pursuant to the first exercise of data mapping that, yes, we do have this type of data and we are sending it to vendors or otherwise just engaging in data brokerage, then you're going to start saying, "OK, well, who are our counterparties?" And you want to conduct diligence on your customers and your vendors, employees, investors where any covered data transactions may be implicated, to see if the recipient is potentially a country of concern or owned by a country of concern or a covered person or controlled by one. And so financial services providers should leverage their existing KYC processes. Importantly, unlike OFAC, which is a strict liability regime, the DOJ rule has a knowledge standard. So, it prohibits U.S. persons from knowingly engaging in a covered data transaction involving data brokerage with a country of concern or a covered person. And the FAQs cover the level of diligence U.S. persons are expected to conduct. They expect that U.S. persons conduct due diligence on persons with which they do business to determine, as Jerry said before, you first start with that covered persons list and then delve deeper if they're not on the list to see whether they're, are they foreign persons? And if so, do they fall within one of the categories? So, you know, again, leveraging the information you've collected for AML purposes, for example, may be useful here. The guidance specifically says that the DSP does not require U.S. persons to ascertain the extent to which an entity or individual is subject to the influence or control of a country of concern or a covered person, because control or influence is not relevant in the actual definition of covered person, except to the extent that they are then designated by DOJ or put on the list. 
So, absent evasion, U.S. persons who engage in vendor agreements and other classes of data transactions with foreign persons are generally not expected to conduct a second-level due diligence on, for example, what are the employment practices of these foreign persons, in order to determine whether those counterparties' employees qualify as covered persons. So that's, again, looking at all these FAQs and guidance that has come out, they provide some background on what the expectations are. We'd also encourage you to review the OFAC framework for compliance commitments, given that DOJ has modeled the compliance program expectations on OFAC's approach for screening vendors and transaction counterparties. Looking again, what are you doing for sanctions compliance? What are you doing for AML compliance? What do other regulators expect? Those should give you some good guidance. And then when we get to the CISA security requirements, I'll turn that back to you, Matthew, to go through some of those requirements. |
Matthew: | Thanks, Jeanine. So, yeah, absolutely. So for those restricted transactions involving countries of concern or covered persons, where there's a requirement to comply with the CISA security rules that have been promulgated, those rules are fairly extensive in terms of the level of data manipulation that's required in order to prevent access to the bulk sensitive personal information to those third parties in the countries of concern or the covered persons. And so, for any restricted transaction, the CISA rules, there's organizational rules and then there's data-level rules. And those data-level requirements mandate a combination of mitigations that, taken together as a whole, are sufficient to fully and effectively prevent access to covered data so that it's not linkable, identifiable, unencrypted, or decryptable using commonly available technology by covered persons and/or countries of concern. In some cases, restricted transactions with a vendor processing personal data will effectively be prohibited, because if the purpose of providing that data to the vendor is so that they can process it on an identifiable-level basis, it might just defeat the purpose of a transaction because complying with those rules will obfuscate the data, will render the data in a way that the vendor can only process it on an aggregate or non-identifiable basis. So, again, could just defeat the purpose of using that vendor in the first place. So, if the U.S. person needs that foreign vendor to have access to unencrypted and identifiable covered data of U.S. persons, they just may not be able to work with that vendor. They may be encouraged or forced to try and find an equivalent vendor within the U.S. or that isn't in a country of concern or not covered by a covered person. |
Sherry: | You know, unlike privacy statutes that allow a consumer to consent to their data being shared, the DOJ rule provides a strict limit on transfers of information because the focus is on national security. Can you tell us a bit more about the penalties for noncompliance and the approach that the DOJ is likely to take if there's a failure to comply, despite a good faith effort at compliance? |
Jeanine: | Sure. Well, first, the rule is promulgated again under IEEPA, the International Emergency Economic Powers Act. And the civil penalty amounts under IEEPA, the maximum is currently a little over $368,000 per violation or twice the amount of the violative transaction, whichever is larger. Those are indexed for inflation, and so that maximum penalty will go up to over $377,000 this year. Criminal violations could trigger fines up to $1 million and imprisonment of up to 20 years. In terms of how the government would go about enforcing and what the process would be, the rule does include a pre-penalty notice that would have to be given to a person and an opportunity for the individuals or companies to respond before the agency makes a final determination. |
Matthew: | And I also just want to echo, so yeah, you're absolutely right that there is no kind of consent requirement that gets a company out of needing to comply with these requirements. So, it's a little bit different. It's really focused on what is the purpose of the actual activity and what is the purpose of the transfer. And so, given that, again, we have the DOJ's enforcement policy that they issued last week. And so, we have a good sense of what they're going to be looking for as part of their enforcement priorities and what's going to get companies into trouble. And so, as we noted previously, the rule prohibits U.S. persons from knowingly violating the rule and does require that first-order diligence, that first level of diligence. So, while you can't stick your head in the sand, the DSP doesn't require a boil-the-ocean approach to diligence either. And we're pretty confident, at least at this point or in early days, that good-faith efforts are going to go a long way in any kind of investigation that happens. So the other thing to note that may kind of mitigate some risk and give companies a little bit of comfort around enforcement risk is that, based on the recent FAQs, the DOJ has said that they're tolling the amount of, when they start counting for when bulk transfers are going to hit a particular threshold, it's only go-forward. So once the rule has gone into effect, they're not going to be counting retroactively or historically any transfers of U.S. sensitive personal information before the effective date towards whether or not a company has tripped those bulk thresholds, but it is going to be calculating those on a go-forward basis. So again, reasons for companies to, if they haven't yet, start considering these rules and requirements now, but also that's not necessarily going to introduce risk of historical noncompliance. |
Sherry: | Thanks so much, Matthew. Jeanine, I have a question for you. Your practice spans the range of compliance with international trade laws, including sanctions, tariffs, and restrictions on investments into U.S. companies by foreign entities, as well as this data export limitation. I know you're pretty busy right now, and we're very grateful for you, for taking the time out of your day to share your insights with our listeners. Because Orrick has both a major tech practice and one of the largest consumer financial practices in the country, and data is the lifeblood of both sectors, the policy shifts that are taking place have the potential to reshape the way international business is conducted. Do you have any thoughts you'd like to share on this? |
Jeanine: | Sure. So, really just taking a step back, this is just one more tool. This data security program is just one more tool the U.S. government has implemented to prevent China, Russia, Iran, and other foreign adversaries from engaging in activities that it believes undermine U.S. national security and, in particular, exploit U.S. government-related data and American sensitive personal data. So, in that sense, this is consistent with the policies that we've seen from multiple administrations, particularly targeting China and the deep concerns that administrations have had about how they're trying to get access to and using data. So, for example, the statute that authorizes the Committee on Foreign Investment in the United States, or CFIUS, was last amended in 2018 during the first Trump administration, and it expanded CFIUS's jurisdiction. Previously, CFIUS had jurisdiction over controlling investments in U.S. companies. This statute was expanded to cover certain non-controlling investments by foreign persons and U.S. businesses that, among other things, maintain or collect certain types of sensitive personal data of U.S. citizens. And CFIUS can impose mitigation conditions on the parties to grant clearance of an investment transaction. For example, it has, in certain circumstances, required transaction parties to adopt controls to protect sensitive personal data, such as mandating that certain facilities or equipment or operations are located only in the United States. Another example from the Commerce Department side, so you know, CFIUS is chaired by Treasury. It's a multi-agency committee. But the Commerce Department in December 2024 issued a final rule to formalize its Information and Communications Technology and Services, or ICTS, program. And that's under Executive Order 13873, which President Trump issued during his first term. It's called Securing the Information and Communications Technology and Services Supply Chain. 
That rule authorizes the Secretary of Commerce to review, prohibit, or impose mitigation measures on certain transactions that involve ICTS that's designed, developed, and manufactured or supplied by persons that are connected to foreign adversaries, including China and Russia, if they pose an undue or unacceptable national security risk. And ICTS includes a number of things, but sensitive personal data is implicated because it includes software, hardware, or any other product or service integral to data hosting, computing, or storage that uses, processes, or retains sensitive personal data. So that's another program, U.S. government program targeting the protection of sensitive personal data, among other things. And then in addition, in January of 2025, the Commerce Department issued a specific ICTS rule that, starting in several years, will prohibit the import or sale in the U.S. of certain software and hardware that's designed, developed, manufactured, or supplied by persons who are connected to Russia or China that directly enable connected vehicle automated driving systems, called ADS, or vehicle connectivity systems, or VCS. And the rationale the Commerce Department put forth was that the rule was designed to safeguard U.S. national security and protect Americans' privacy by keeping foreign adversaries from manipulating these technologies to access sensitive or personal information. So, we're coming at this in many ways from many different angles. And this data rule is just the latest salvo in this continuing effort. |
Jerry: | Well, I'm afraid we're running out of time, maybe a little beyond our time. But this has been a great first step in informing our listeners about what to me appears to be a fairly challenging and complex regulation, especially for firms that haven't had as much focus on this in the past as they might have. So, thank you so much to both of you for joining us. We'll probably be revisiting these issues again, and we really appreciate your taking the time to share your insights with our listeners. |
Matthew: | My pleasure. Thanks for having us. Yeah, this is definitely an evolving space, so look forward to more conversations. |
Jeanine: | Absolutely. Thank you again. |
Sherry: | Thank you. |