New DOJ Rule Restricts Deidentified Data Transfer

No Safe Harbor: New DOJ Data Export Rule Restricts Deidentified Data Transfer

This article outlines new requirements from the Department of Justice regarding “bulk sensitive data”, including de-identified, anonymized, and encrypted data, aimed at drastically limiting sensitive data access by foreign governments whose interests are opposed to the United States to protect national security. The DOJ Final Rule “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” came into effect on April 8. Companies processing health information on Americans, including clinical trial data, should carefully assess both data transfer activities and financial relationships against the new rule.

Understanding the New Rule

The rule focuses on managing the risks associated with exporting sensitive data on Americans and government-related data to countries (“countries of concern”) or persons (‘covered persons”) designated by the DOJ. Sensitive data includes “sensitive personal data” such as personal health data, genomic (and other ‘omic) data, geolocation data, biometric identifiers, personal financial data, covered personal identifiers, and combined data mixing these data types, as well as certain government-related data.

In a significant departure from many data protection laws, the rule applies to de-identified and anonymized personal data, regardless of encryption (§202.206):

The term bulk U.S. sensitive personal data means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable threshold set forth in § 202.205.

The rule restricts what are called “covered data transactions”, which is any transaction involving access by a country of concern or covered person to any government-related or bulk U.S. sensitive personal data via data brokerage, vendor agreement, employment agreement, or investment agreement. The rule aims to prevent entities and persons with interests contrary to U.S. national security interests from gaining access to the personal data of Americans or certain government-related data.

Violations may result in civil and/or criminal penalties under 50 U.S.C. § 1705, including significant fines or imprisonment.

Implications for Life Sciences and Pharmaceutical Companies

The rule directly impacts life sciences companies who often rely on cross-border data sharing for clinical trials, drug development, regulatory submissions, and other operations. Such companies may also rely on foreign investments also impacted by the rule. These organizations must take steps to meet the DOJ’s requirements which are already in effect. Customers of these organizations are beginning to perform pre-contractual diligence asking life sciences companies about their compliance with the rule.

Companies should evaluate vendor, employment, and investor relationships for connections to covered persons and countries of interest and take steps to avoid prohibited data transactions.

Paul Rothermel, Senior Attorney at Gardner Law says:

“A significant aspect of the new rule is its applicability to anonymized data, which goes further than the General Data Protection Regulation in Europe. Life sciences companies should take care to assess their compliance, reviewing not only internal and external data flows, but also company ownership interests.“

Exceptions to the Rule

Some exceptions are outlined in the Rule, including:

• A very limited exemption for “regulatory approval data” which must be submitted to obtain or maintain regulatory approval for drugs, biological products, and medical devices.
• An exemption for clinical trial data that are “ordinarily incident to and part of” clinical investigations regulated by FDA or that support applications to the FDA.
• An exemption for clinical care data indicating real-world performance or safety of products or post-market surveillance data, as such are necessary to support or maintain authorization by the FDA.

The exact application of these exceptions is narrow based on the language used in the Rule. Life sciences companies should carefully evaluate any data transfers that would otherwise fall under the Rule to ensure they fully align with any applicable exception.

The DOJ is also able to issue a general license, under appropriate terms and conditions, to permit certain transactions that are restricted by the Rule. If no general license is issued for a type of transaction, there is also the option to seek a specific license for a data export, by submitting an application to the DOJ.

The Takeaway

The DOJ’s new rule on bulk sensitive data export is a major development for life sciences companies and requires impacted companies to take stock of their data transfers, including for de-identified or anonymized data, and investment arrangements. 

If you have questions about compliance with the DOJ Bulk Data Export Rule, structuring or assessing your privacy or cybersecurity programs, or if you’d like assistance navigating other privacy or cybersecurity challenges, contact us today.