Navigating Cross-Border Data Transfers In Technology

Summary

Navigating cross-border data transfers in technology involves understanding and complying with regulations that govern the collection, sharing, and storage of sensitive personal data across international borders, especially to safeguard national security and privacy. Recent rules, such as those introduced by the U.S. DOJ, impose strict limitations on data flows to countries of concern and require businesses to ensure robust compliance measures.

  • Map your data flows: Identify where sensitive personal data is stored and transferred, paying particular attention to countries of concern and third-party access points.
  • Review vendor and third-party agreements: Examine existing contracts to ensure that vendors, investors, and employees in restricted countries don’t have unauthorized access to sensitive data.
  • Strengthen security measures: Implement advanced security protocols, such as encryption, geo-blocking, and rigorous audits, to align with evolving compliance requirements.
Summarized by AI based on LinkedIn member posts
  • The DOJ just dropped a cross-border data transfer rule—and if your business handles sensitive data like it’s part of your daily intake… it's time to check where that data’s going.

    As of April 8, the U.S. Department of Justice’s “Countries of Concern” rule is in effect. It targets bulk transfers of U.S. sensitive personal data—think biometrics, health info, geolocation, financials, genetic data—to entities tied to China, Russia, Iran, North Korea, Cuba, or Venezuela. If your business touches national security, healthcare, defense, infrastructure—this rule probably applies to you.

    What’s restricted or outright prohibited?
    - Selling or licensing covered data to companies in these countries
    - Using vendors, employees, or investors linked to them without heavy-duty due diligence
    - Sharing “bulk” data without CISA-grade safeguards in place

    Yes, it’s live now. Yes, enforcement gets real on October 6 (audits, documentation, attestations, the whole works). No, “we didn’t know” isn’t a defense.

    So what should companies do?
    - Map your data flows (especially across borders)
    - Review vendor and third-party ties
    - Upgrade your security protocols to DOJ/CISA expectations
    - Loop in legal, privacy, and security now—before the rule becomes a headline in your incident response plan

    Bottom line: This isn’t just another “update your privacy policy” moment. It’s the national security version of a data transfer restriction—with serious reach. Consider this your early compliance memo.

  • Sam Castic

    Privacy Leader and Lawyer; Partner @ Hintze Law

    New U.S. regs banning many cross-border data flows, and restricting use of vendors incorporated in countries outside the U.S., take effect on April 8, 2025. Many U.S. companies will be impacted. Take these steps to see if your company is in-scope ⤵️

    These regs prohibit:
    🔸 Data brokerage transactions with countries of concern or covered persons
    🔸 Certain data brokerage transactions with any foreign person or entity incorporated outside of the U.S.

    Other data transactions are restricted, including with certain:
    🔸 Vendors
    🔸 Employees/contractors, and
    🔸 Investors

    Restricted transactions have extensive security, diligence, audit, and recordkeeping obligations.

    Many business practices may trigger these regs, including:
    ▪️ Having websites or mobile apps
    ▪️ Parents or affiliates in countries of concern
    ▪️ Licensing or developing generative #AI solutions
    ▪️ Offering personal data as a product/service
    ▪️ Employing people or using vendors in countries of concern

    Terms used in the regs differ from other #privacy laws in the U.S.:
    🔹 Bulk U.S. sensitive personal data = sensitive personal data on U.S. people meeting certain volume thresholds (as low as 100)
    🔹 Countries of concern = #China, #Cuba, #Iran, #NorthKorea, #Russia, & #Venezuela
    🔹 Covered person = any individual/entity with certain ties to countries of concern (e.g., based in those countries, and entities with 50% direct/indirect ownership by people/entities in those countries)
    🔹 Data brokerage = sale/licensing of data that the recipient didn’t collect directly from the data subjects (first party data sold/licensed can be data brokerage)
    🔹 Sensitive personal data = personal identifiers, geolocation, biometric identifiers, health or financial data, and more. Personal identifiers include IP addresses, advertising IDs, device IDs, names, ZIP codes, and much more (it's the broadest U.S. definition of sensitive personal data).

    To help assess if your company is in scope:

    ✅ Identify Prohibited Transactions
    1️⃣ Check if personal data is disclosed to people/entities other than employees, investors, or vendors; this may be data brokerage.
    2️⃣ See if the data qualifies as sensitive under the regs
    3️⃣ Determine if any recipient is a covered person
    4️⃣ Review exemptions—if none apply, transactions are likely prohibited.

    ✅ Identify Restricted Transactions
    1️⃣ Consider where sensitive personal data is stored/transferred; focus on datasets meeting bulk volume thresholds
    2️⃣ Assess access by employees and investors in countries of concern
    3️⃣ Determine if vendors incorporated outside the U.S. receive/access the data; if so, examine ownership to see if they are covered people.
    4️⃣ Review exemptions—if none apply, the #security, diligence, #audit, and record requirements for restricted transactions may apply (some not until October 5, 2025).

    Check out Hansenard Piou and my analysis at https://lnkd.in/gX9Ebukf for a deeper dive.

  • Omer Tene

    Partner, Goodwin

    ✅ Less than 2 months before DOJ prohibits/restricts sharing US bulk sensitive data with China / countries of concern. What should you be doing right now? ✅

    ✅ For decades we’ve learned that unlike the EU, the US doesn’t restrict cross-border data transfers. No more. Starting April 8, the DOJ’s rules come into force under Biden’s EO on “Preventing Access to Americans' Bulk Sensitive Personal Data”. See our piece here: https://lnkd.in/g9u6akzN

    ✅ The Rules set forth three kinds of *prohibited* transactions:
    1️⃣ data brokerage (licensing/selling SPI, including via pixels/SDKs) with covered persons (entities owned 50% or more by, organized within, or having a principal place of business in a country of concern, or persons primarily resident there);
    2️⃣ data brokerage with *any* non-US person absent specific contractual protections and DOJ reporting;
    3️⃣ transactions providing covered persons access to human ‘omic data or biospecimens.

    ✅ There is *no* exception for pseudonymized or even anonymized data.

    ✅ Data brokerage includes sale/licensing of first party data.

    ✅ Heads up: biotech companies, pharmas, CROs, and anyone using pixels/SDKs (who are you sharing data with?)

    ✅ There are also *restricted* transactions: vendor, employment, or investment agreements making SPI accessible to covered persons. These are allowed only subject to prescriptive diligence, security, audit and reporting requirements.

    ✅ There are exemptions: particularly in the context of regulatory approvals for drug development and pharmacovigilance.

    ✅ Immediate steps:
    1️⃣ Are you using third party trackers? Who are you sharing data with?
    2️⃣ Sharing PII? Know your customers, vendors, employees and investors;
    3️⃣ Update contracts, policies and procedures;
    4️⃣ Implement CISA security requirements and initiate recordkeeping and audits. https://lnkd.in/gHJsswdq

    ✅ The Rules carry criminal sanctions. They are dense. Consult a lawyer.

    With Richard Matheny, Jacob Osborn, Justin Pierce, Peter Marta, Carrie M., Jason Wilcox, Gozde Guckaya, Justin Shields, Gabe Maldoff

  • Prashant Mahajan

    Founder and CTO, Privado | Shifting Privacy Left

    DOJ Crackdown: Privacy Teams must restrict data flows before April 8, 2025!

    The U.S. Department of Justice (DOJ) has finalized a sweeping ban on data transactions that expose Americans' sensitive personal data and government-related data to foreign adversaries. This is one of the most aggressive data security moves in recent years.

    What’s covered?
    a) Prohibited data transactions: Selling, licensing, or sharing sensitive U.S. data with countries of concern or covered persons is now restricted.
    b) Data brokers in the crosshairs: The rule bans U.S. persons from selling or licensing access to bulk personal data to specific countries. This also applies to cloud, fintechs, health tech, and adtech vendors.
    c) Vendor & employment agreements are impacted: The rule imposes security requirements on vendors, employment agreements, and investments to prevent indirect data access.

    Which data elements are protected? The DOJ has identified specific high-risk data types that are now restricted:
    - Precise Geolocation Data (Within 1,000 meters, tracking patterns of life)
    - Personal Financial Data (Bank accounts, card details, investment records)
    - Human ‘Omic Data (Genomic, epigenomic, proteomic - critical for biometric surveillance & biosecurity threats)
    - Biometric Identifiers (Facial images, voiceprints, retina scans, fingerprints)
    - Listed Identifiers (Social Security numbers, driver’s licenses, MAC addresses, IMEIs, SIM card numbers, advertising IDs, IP addresses)
    - Government-Related Data (Employee records, security clearances, government contractors’ data)

    What should privacy professionals do? With April 8, 2025 as the enforcement deadline, privacy teams need to track and restrict cross-border data flows while ensuring compliance:
    1) Scan websites & mobile apps - Identify third-party integrations, tracking pixels, SDKs, and APIs that collect protected data types and transmit them internationally.
    2) Monitor network traffic for cross-border data flows - Analyze where sensitive data is sent, including cloud providers, analytics tools, and ad networks.
    3) Review vendor & employee agreements - Ensure third-party vendors, foreign employees, and offshore teams cannot access restricted data or transfer it to high-risk jurisdictions.
    4) Block unauthorised data transfers - Implement geo-blocking, access controls, and encryption to restrict data sharing with countries of concern.

    How prepared is your organization for these changes? What challenges do you foresee in tracking data flows?

    #privacy #datasecurity #DOJ #databrokers #AI
