What does the DOJ final rule on protecting Americans’ sensitive data from foreign adversaries really mean for global business?

The U.S. Department of Justice has introduced its final rule aimed at safeguarding sensitive data from foreign adversaries, which is now in effect. Implemented on 11 April, this rule encompasses a blend of U.S. sanctions and cybersecurity regulations, but its complexities leave many in the legal and privacy sectors scratching their heads. A limited enforcement policy allows companies some leeway, extending non-enforcement for good-faith compliance efforts until 8 July.

Source: IAPP

Key Points

  • The DOJ’s final rule merges U.S. sanctions with data privacy regulations, complicating compliance for many businesses.
  • Companies operating in designated countries of concern (China, Russia, etc.) face heightened scrutiny regarding their data transactions.
  • Sectors like health care, finance, and IT are particularly impacted due to the sensitivity of the data involved.
  • Deeper vendor due diligence is necessary, as indirect ownership by covered persons can trigger compliance issues.
  • The definition of data brokerage is broadened, affecting a wide array of data-sharing arrangements.
  • Exemptions provided under the rule are narrower than in other contexts, with stringent criteria for compliance.
  • Companies may find compliance more viable by enhancing internal controls rather than relying solely on exemptions.

Why should I read this?

If you’re in the business world, especially in sectors like health or tech, this article is a must-read. It breaks down the new DOJ rule and its implications, helping you avoid potential pitfalls in compliance. Whether you’re drafting policy changes or just trying to understand the landscape, we’ve done the legwork for you so you can navigate these murky waters more easily.