Recently enacted federal guidelines involving some data transactions outside of the United States could put companies large and small at legal risk.
The Data Security Program, or DSP, under the National Security Division of the U.S. Department of Justice, restricts certain bulk data transactions involving sensitive or personal user data–both for regular U.S. citizens and U.S. government data–with companies based in or majority-owned by six countries of concern.
The regulations and prohibitions therein have been in various stages of pre-enforcement since April, but the measures went into full effect Oct. 6.
It’s a “sea change,” said Zachary Myers, partner at the Carmel office of law firm McCarter & English LLP, marking the first time the United States has instituted a broad, nationwide data privacy regulation.
“Companies that have never had to think about these sorts of things and thought that they were doing everything right in terms of even complying with existing privacy laws” could be affected, said Myers, the former U.S. Attorney for Indiana’s Southern District. “I worry that a lot of people … are going to be caught by surprise and potentially facing some significant scrutiny and enforcement liability.”
The DSP builds on measures instituted during both the former Trump administration and the former Biden administration, essentially establishing regulations for how and when Americans’ data is shared with companies based in China, Iran, North Korea, Russia, Venezuela and Cuba.
It involves bulk transactions, generally involving a minimum of 1,000 people, of sensitive personal data, including biometric identifiers (such as a fingerprint or face scan), precise geolocation data, financial and health data.
“It’s essentially export controls for the data of either large numbers of U.S. persons or of the U.S. government and its personnel,” Myers said. “And the controls apply to anyone who might have that information.”
And that includes businesses in central Indiana.
Myers offered a hypothetical: Say there’s a central Indiana company that constructs backyard pools and it has a website encouraging people to submit information via an interest form, and more than 1,000 people submit their information. Then that pool company, in an effort to convert leads into sales, turns over that user data to a contracted marketing company. But that marketing company is a U.S.-based subsidiary of a Chinese-owned company.
“All of a sudden,” he said, “you have violated the regulations that the Department of Justice is now looking to enforce.”
Violations can result in civil and sometimes criminal penalties. The DSP is based on the International Emergency Economic Powers Act, or IEEPA, and uses the same standards for the penalties imposed. The current maximum civil fine, which will be readjusted annually for inflation, is $368,136. A person who willfully violates or aids in the violation of regulations issued under IEEPA, including the new DSP framework, is subject to fines of up to $1 million and up to 20 years in prison.
Myers made a distinction between knowingly violating and willfully violating the requirements. Willfully means the person or company is aware of the law and completes the covered transactions regardless. A knowing violation simply means that a company knows it completed the transaction, regardless of whether it knew about the law.
Myers encouraged companies to do their due diligence: learn about the law; understand what data they collect, where it is stored and how it is used; and learn as much as they can about the companies they contract with.
“You have the requisite data and you engage in a covered transaction with that data, and you might think you did it the right way, that you got the consent of the customer, you gave them notice, you sent the data in an encrypted form, even anonymized form to a vendor that you had covered with a contract,” he said. “But depending on the specifics there, you may still have run afoul of these new regulations.”
To learn more about the Data Security Program, go to justice.gov/nsd/data-security. An extensive list of Frequently Asked Questions is also available from the Department of Justice.