
Introduction

On October 29, 2024, the US Department of Justice (DOJ) issued a Notice of Proposed Rulemaking (NPRM) in the Federal Register. The NPRM proposes new regulations to govern cross-border data transfers to countries identified as potential national security threats. The publication commences a 30-day period for public consultation. Should these regulations be enacted, they will enforce strict requirements on companies engaged in sensitive data dealings with these nations, with the goal of protecting vital information and reducing security vulnerabilities.


Core Features and Definitions of the Proposed Regulations

Definition of Countries of Concern

The regulation, in line with the ANPRM, explicitly identifies six nations as “countries of concern”—specifically China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela—highlighting their activities deemed harmful to the national security of the United States.

Scope of Covered Entities

The rules target “covered entities,” defined as organisations operating within the US that engage in the collection, processing, or transfer of sensitive personal data to foreign jurisdictions. Businesses that manage or facilitate such transfers on behalf of others are also included.

Understanding Covered Data Transactions

A “covered data transaction” refers to any cross-border data transfers of sensitive personal data from a US-based organisation to an individual, organisation, or government in a country of concern. The rules aim to tightly regulate these transfers to ensure security and compliance.

Sensitive Personal Data: Six Categories Under Review

The proposal outlines six critical types of sensitive personal data that would trigger compliance requirements if thresholds are surpassed:

  1. Genetic Information: Any data derived from genetic testing or analysis. (Bulk threshold: 100 US persons)
  2. Biometric Data: Unique identifiers such as fingerprints, retinal scans, or facial recognition details. (Bulk threshold: 1,000 US persons)
  3. Health Information: Medical history, treatment details, or other data pertaining to an individual’s physical or mental health. (Bulk threshold: 10,000 US persons)
  4. Financial Records: Data including account numbers, payment details, or credit card information. (Bulk threshold: 10,000 US persons)
  5. Geolocation Tracking: Detailed or continuous tracking of an individual’s location. (Bulk threshold: 1,000 US persons)
  6. Covered Personal Identifiers: These encompass four fundamental transaction types: (1) data brokerage, (2) vendor agreements, (3) employment agreements, and (4) investment agreements. (Bulk threshold: 100,000+ US persons)

Each category has specific thresholds for volume and sensitivity that, when met, would subject entities to the new regulatory requirements.

Prohibited and Restricted Cross-Border Data Transfer Transactions

The proposal separates transactions into two categories:

  • Prohibited Transactions: Transfers that involve significant national security risks or highly sensitive data would be entirely disallowed.
  • Restricted Transactions: These transfers may proceed but only under stringent due diligence and approval from relevant US authorities.

Compliance Obligations for Businesses

Due Diligence Requirements

Organisations would be required to establish comprehensive compliance programmes. This includes conducting thorough due diligence on all covered data transactions, assessing associated risks, and monitoring foreign vendors and data recipients.

Recordkeeping Standards

Covered entities must maintain meticulous records of:

  • Types of sensitive data being transferred.
  • Logs that track data flows and destinations.
  • Information on third-party vendors and partners involved in the transactions.

These records must be securely stored and retained for a minimum of 10 years, ensuring long-term accountability.

Annual Audits

Companies would need to conduct independent audits annually to confirm adherence to compliance programmes, security protocols, and other DOJ standards. These audits are designed to identify potential vulnerabilities and reinforce ongoing compliance efforts.

Next Steps to Prepare for Compliance

To prepare for the potential adoption of these regulations, businesses should:

  1. Evaluate Current Data Flows: Conduct a detailed review of international data transfers to identify exposure to countries of concern.
  2. Develop Robust Compliance Programmes: Build internal policies to address due diligence, recordkeeping, and audit requirements.
  3. Implement Employee Training: Ensure that teams across the organisation understand and are equipped to meet the new standards.
  4. Seek Expert Guidance: Partner with specialists to navigate the complexities of these new rules and integrate best practices into business processes.

Formiti: Your Strategic Partner for Compliance Success

Adapting to evolving regulatory landscapes can be challenging, especially when they intersect with national security concerns. Formiti offers tailored services to help organisations navigate complex data privacy requirements. With extensive expertise in global data protection laws, Formiti can assist in developing compliance frameworks, conducting risk assessments, and ensuring adherence to stringent regulatory demands.

Secure your organisation’s future—partner with Formiti to meet the DOJ’s proposed requirements with confidence and ease.