Proposed 'Bulk Sensitive Personal Data' Rule and the DOJ’s Comprehensive National Security Regulations

In the Legal Intelligencer article “Proposed 'Bulk Sensitive Personal Data' Rule and the DOJ’s Comprehensive National Security Regulations,” business litigation partner Craig Heeren and associate Angela Lam and international trade partners Mollie Sitkowski and Christopher Monahan and counsel Diego Ortega provided insights into the Department of Justice’s (DOJ) new proposed rule regulating bulk sensitive personal data transactions.

The authors note that the rule would implement a complex regulatory framework, with civil and criminal enforcement, that is similar to sanctions and export licensing regimes. They advised businesses that work with large amounts of sensitive personal data, as well as those that handle any amount of certain U.S. government data, to ensure they are prepared for these new potential regulations. The rule would prohibit or restrict the transfer of “bulk sensitive personal data” or “government-related data” to certain “countries of concern” and “covered persons,” unless the transaction meets certain cybersecurity requirements or a license allowing the transaction is provided by the DOJ.

“The proposed rule contains numerous defined terms and consists of more than 100 sections in fourteen subparts,” the authors write. “Despite the exemptions, it has the potential to cover a broad array of transactions. In contrast to [Committee on Foreign Investment in the United States] authority to review certain foreign investments in U.S. businesses that maintain or collect sensitive personal data, this proposed rule would categorically cover any transfer of bulk sensitive data or government-related data that meets the rule’s definitions. Accordingly, careful review of the final rule is warranted for those that may be affected.”