Practical Issues and the New DSP (Part II of III)

Like any new regulatory and enforcement scheme, the DSP exposes companies to a number of new risks that they need to understand.  The DSP framework is new and comprehensive, raises significant risks, and requires the careful design and implementation of an effective compliance strategy.  Companies will face different levels of risk depending on how they handle data, their specific market practices and their security measures.

In this post, I will explore some of the important initial questions that are unlikely to be resolved in the near term.  Legal requirements and nuances will develop over time, and new wrinkles are likely to arise.  Reviewing DOJ’s FAQs and Compliance Guide for the new DSP program, companies face a large, holistic regulatory and enforcement framework that borrows its administration and enforcement rules from OFAC’s sanctions regime.  The pairing of sanctions and data security, while facially appealing, is only a starting point: the DSP requirements are significant and require careful study and quick implementation of a compliance program.

As explained in Part I of this III-Part series, the DSP regulates:

(1) “covered data transactions”;

(2) bulk transactions (the thresholds of which can be triggered by one or a series of transactions over a 12-month period) involving:

    (a) “U.S. sensitive personal data;” or

    (b) “government-related data;” and

    (c) providing such data to a “covered person” or “country of concern.”

The DSP Scope

The new DSP does not apply to domestic data transactions unless one of the U.S. parties is a prohibited person or company. Similarly, a U.S. person is not prohibited from gaining access to a covered country or person’s data since the DSP’s intent is to prohibit or restrict transactions from the United States to a foreign country or person.

The Justice Department’s National Security Division is responsible for administering and enforcing the DSP.  As announced in the FAQ, the DOJ-NSD will maintain a Covered Persons List, which may include persons or entities that fall outside the definitions. FAQ 14.

Prohibited Transactions

There are five categories of prohibited transactions (FAQ 16):

1. U.S. persons knowingly engaging in a covered data transaction involving data brokerage with a country of concern or covered person (§ 202.301).

2. U.S. persons knowingly engaging in a covered data transaction involving data brokerage with a foreign person (that is not a covered person) unless the U.S. person (1) contractually requires that the foreign person refrain from onward sale with a country of concern or covered person; and (2) reports any known or suspected violations of this contractual requirement (§ 202.302).

3. U.S. persons knowingly engaging in a covered data transaction with a country of concern or covered person that involves access by that country of concern or covered person to bulk human ‘omic data, or to human biospecimens from which bulk human ‘omic data could be derived (§ 202.303).

4. Transactions that have the purpose of evading or avoiding, cause a violation of, or attempt to violate any of the prohibitions set forth in the DSP, or any conspiracy formed to violate the prohibitions in the DSP (§ 202.304).

5. U.S. persons knowingly directing any covered data transaction that would be a prohibited transaction or unauthorized restricted transaction if engaged in by a U.S. person.

Restricted Transactions: Vendor, Employment or Investment Agreements

Aside from these five specific prohibitions, under § 202.246, U.S. persons are prohibited from knowingly engaging in a covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person (a “restricted transaction”), unless the U.S. person complies with Cybersecurity and Infrastructure Security Agency (“CISA”) security requirements and other applicable requirements.

If a U.S. person engages in a restricted transaction without complying with the security requirements and other applicable requirements, such activity would be considered an unauthorized restricted transaction and a violation of the DSP, pursuant to § 202.304. FAQ 17.

Countries of Concern and Covered Persons

As an initial matter, the DSP applies to U.S. persons who provide access to covered data to a “country of concern” or “covered person.”

“Countries of concern” include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela.

“Covered Persons” include (a) non-U.S. entities headquartered in or organized under the laws of a country of concern; (b) non-U.S. entities 50 percent or more owned by a “country of concern” or “covered person”; (c) non-U.S. individuals primarily resident in a country of concern; (d) non-U.S. individuals who are employees or contractors of a “covered person” entity or “country-of-concern” government; and (e) any person designated in DOJ’s Covered Persons List, which will be released shortly and then updated regularly.

General and Specific Licenses

Interestingly, like OFAC sanctions regulations, DOJ’s DSP program authorizes general and specific licenses for data transactions.  A general license authorizes a particular type of transaction for a class of persons. General licenses are self-executing, meaning they allow persons to engage in certain transactions involving the United States or U.S. persons without needing to apply for a specific license, provided the transactions meet certain terms and conditions as described in the general license. Persons cannot apply for a general license.

DOJ-NSD may issue a specific license to particular individuals or entities, authorizing a particular transaction or transactions in response to a written license application. A specific license is not transferable, is limited to the facts and circumstances specific to the application, and is subject to the provisions of the DSP and Executive Order 14117.

Consistent with the DSP, persons may seek administrative reconsideration of their status as a designated covered person. NSD will release more information concerning the process for seeking such removal. Please refer to the removal petition procedures set forth in § 202.702.

To address retransfer risks by foreign third parties to countries of concern or covered persons, the DSP only allows a U.S. person to engage in a covered data transaction involving data brokerage with a foreign person that is not a covered person if the U.S. person satisfies certain conditions, including (1) using contractual language in which the foreign person agrees not to resell or give access to a country of concern or covered person to the bulk U.S. sensitive personal data or government-related data, and (2) disclosing to NSD any known or suspected violations of this contractual provision.

If a U.S. person has declined to engage in a suspected prohibited transaction, the U.S. person may inform the covered person or country of concern representative that they rejected the offer and will be reporting it to DOJ-NSD.  Under the DSP, a U.S. person has 14 days to report a rejected transaction.

With respect to certain restricted transactions, the DSP permits U.S. persons to hire citizens of countries of concern, wherever located, or non-Americans living in countries of concern, provided that the U.S. persons engaged in these transactions comply with certain conditions, most significantly implementing the CISA security requirements to ensure that those covered person employees or vendors cannot access government-related data or bulk U.S. sensitive personal data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology by covered persons and countries of concern. Covered data transactions that involve a vendor, employment, or investment agreement and involve access by countries of concern or covered persons to bulk human genomic data or human biospecimens from which such data can be derived are prohibited transactions, not restricted transactions, and are subject to the prohibitions in § 202.303.

For example, a U.S. business that holds bulk U.S. sensitive personal data could accept an investment from a covered person or hire a covered person as a board director (a restricted transaction) by complying with the security requirements to deny or otherwise mitigate the covered person’s access to that data. The covered person in those restricted transactions could perform their responsibilities without access to that data (or with access to that data if the entities subject to the DSP have instituted adequate data-level requirements, in addition to the organizational and system-level requirements).
