Is your business complying with the new international data transfer rules issued by the US Attorney General? (see the “Rule Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (the “Bulk Data Transfer Rule”)).
As a business, you may be thinking: I don’t transfer my data to other countries. However, when is the last time you performed due diligence on your third-party Service Providers (i.e., your data processors)? When is the last time you looked at where they stored the data your business provides them? It’s easy for data to cross international borders—there’s no virtual border that data must clear in order to leave or enter the United States. Additionally, absent specific contractual terms, it’s easy for one of your Service Providers (i.e., one of your data processors) to change their own service providers (i.e., their subprocessor) to a subprocessor that is located in another country and who will thus process your company’s data in their country.
The Bulk Data Transfer Rule is significant in that it regulates the transfer of certain types of data (e.g., government-related data or bulk U.S. sensitive personal data) to certain covered countries or persons. To avoid civil or criminal consequences, your business should be aware of the Bulk Data Transfer Rule and comply with it, which entails ensuring your business has certain due diligence processes in place.
This blog provides a quick summary of the Bulk Data Transfer Rule.
- First and foremost, does the Bulk Data Transfer Rule apply to my Business?
The Bulk Data Transfer Rule applies where both of the following are true:
- You are a “U.S. Person” (e.g., a U.S. resident, a U.S.-based company, etc.); and
- Your U.S. business is entering into a Covered Data Transaction. A Covered Data Transaction is “any transaction:
  - that involves any access by a country of concern or covered person to
    - any government-related data, or
    - bulk [and] U.S. sensitive personal data; and
  - that involves:
    - data brokerage;
    - a vendor agreement;
    - an employment agreement; or
    - an investment agreement.”
Several of the key terms above are defined in the Bulk Data Transfer Rule as follows.
“Access” is defined very broadly and includes any ability to “obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form, including through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment, or software.” For those from the European Union, this definition of “access” is similar to the broad definition of “process” under the European Union GDPR.
“Countries of concern” include China, Cuba, Iran, North Korea, Russia, and Venezuela (as well as any other country that the Attorney General determines poses a significant risk). Likewise, “covered person” includes residents of countries of concern.
“U.S. sensitive personal data” includes “covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data,” or any combination of these categories.
Lastly, the term “bulk” refers to any amount of “sensitive personal data that meets or exceeds [certain thresholds] at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions . . .” The Rule then lists numerical thresholds ranging from 100 U.S. persons to 100,000 U.S. persons, depending on the type of data concerned.
- What are some Examples?
Unfortunately, legalese can get complicated. Here are some examples of Covered Data Transactions:
- Example #1 – IT Support from a Resident in a Country of Concern. Your business is located in Norfolk, Virginia, and your business designs and operates an app that helps Americans track their purchases from their bank accounts, and you hire a Chinese resident to provide internal, production-data IT support (i.e., such resident would have access to each American customer’s bank account purchase history). Assuming you have personal financial data records of more than 10,000 Americans, your engagement of this Chinese resident would likely be a Covered Data Transaction.
- Example #2 – Healthcare AI using Foreign Servers. Your business is a Virginia Beach startup that uses Chinese-based DeepSeek artificial intelligence to create a healthcare-related chatbot that is trained on the personal health data of more than 10,000 Americans. Assuming that the DeepSeek model is being run on Chinese servers, and such U.S. personal health data is being sent to these Chinese servers, then this example would also likely be a Covered Data Transaction.
- Example #3 – Ad Tracking Pixel Data Transfers. Your business is a popular Chesapeake, Virginia website operator that sells luxury custom-made candles nationwide. Your website contains tracking pixels that send covered personal identifiers of more than 100,000 website visitors (who are U.S. residents) to a Chinese data brokerage company for ad purposes. This example would also likely be a Covered Data Transaction.
- Example #4 – Employee Monitoring with Biometric Data. Your business provides Virginia employers certain employee monitoring software that functions by (a) monitoring each employee’s keyboard usage patterns to create a biometric profile of each such employee and (b) then using such biometric profile to detect whether or not that employee is working at their computer at the relevant time. Arguably, this biometric profile would constitute “biometric identifiers” under the Bulk Data Transfer Rule.
Further imagine that (a) your company assists more than 100 employers in the DC, MD, and VA area; (b) your company stores approximately 10,000 employees’ biometric identifiers at any given time; (c) your Virginia company contracts with a local Maryland IT company that hosts the biometric identifiers on a secure server located in Maryland; and (d) for backup purposes, the Maryland company syncs its server data to a server located in China. This is likely also a Covered Data Transaction.
Note that certain transactions are exempt from being Covered Data Transactions.
- What happens if my business enters into a Covered Data Transaction?
There are two types of Covered Data Transactions: (a) Prohibited, and (b) Restricted Covered Data Transactions.
Prohibited Covered Data Transactions include those Covered Data Transactions that involve (a) data brokerage transactions (defined generally as the sale of data, licensing of access to data, or similar commercial transactions), or (b) bulk human ‘omic data (or human biospecimens from which bulk human ‘omic data could be derived). These Covered Data Transactions are outright prohibited.
Restricted Covered Data Transactions include those Covered Data Transactions that involve a vendor agreement, employment agreement, or investment agreement without compliance with certain security requirements. What this means is that your company must comply with the security rules contained in the Bulk Data Transfer Rule before engaging in the Transaction. This involves developing, implementing, and routinely updating an individualized, risk-based, written Data Compliance Program (DCP).
Having a DCP involves, at a minimum, (a) implementing a due diligence program that verifies and logs data flows involving any restricted transaction; (b) verifying the identity of vendors; (c) maintaining a written document that describes the DCP; (d) training employees; (e) meeting certain auditing requirements; and (f) implementing certain recordkeeping and reporting requirements.
Note that an advisory opinion can be requested on whether a Covered Data Transaction is prohibited or restricted, and your company may be able to apply for a license to engage in certain Covered Data Transactions.
- What if my Company receives an Offer to engage in a Prohibited Transaction?
If your Company receives an offer to engage in a prohibited transaction involving data brokerage, and it has affirmatively rejected such offer, then there is a requirement to file a report within 14 days of such rejection.
- What are the Consequences for non-compliance?
If your business violates the Bulk Data Transfer Rule, there are civil and even criminal penalties.
The maximum civil penalty is the greater of $368,136 or twice the value of the transaction, and willful violations can result in criminal fines up to $1,000,000 and/or imprisonment of up to 20 years.
- Tips for Business Owners
The first step in any privacy program is to create an internal data compliance program. When did you last update yours?
As a business owner, you should be mapping your data’s lifecycle and tracking which third parties have access to your data. For example, is your service provider / subprocessor list up to date? You should also be coordinating your compliance efforts with your cybersecurity and IT teams.
Davis, Burch & Abrams is a business law firm that helps companies develop practical, compliant data-governance and export-controls programs tailored to evolving privacy and data-transfer laws. If you have any questions about this article—or if your business needs guidance to stay current with privacy and data exportation laws in the United States or Canada—please reach out to the author, Savvas Daginis, at [email protected].
This article is for informational purposes only and should not be seen as legal advice. You should consult with a lawyer before you rely on this information.