DOJ Publishes New Data Export Control Rules

The Department of Justice (DOJ) published new final rules in January that introduced compliance obligations for transferring sensitive data to foreign persons. Broadly, the rules prohibit any data brokerage of sensitive data with persons associated with certain countries of concern, including China. A recent memo from Wilson Sonsini provides easy steps for determining if your transaction is subject to the new rules:

• “Step 1: Is there a U.S.-related party subject to the rules?
• Step 2: Is there a dataset subject to the rules?
• Step 3: Is there a transaction subject to the rules?
• Step 4: Is there a counterparty to the transaction that is covered?
• Step 5: Is there an applicable exemption?”

Additionally, the memo gives these pointers should your transaction fall within the scope of the new rules:

• “Assess whether the transaction is prohibited, restricted, or merely subject to new requirements.
• If considering restricted transactions with covered persons, understand the new security requirements associated with the Final Rules.
• Watch for further developments.”

These new rules are complex, so a fact-intensive analysis will need to be conducted on a case-by-case basis. Additionally, the rules cover downstream transactions, so even if you’re brokering a deal with a party who isn’t associated with a country of concern, you’ll need to contractually bind that party from any further brokerage that may land sensitive data in prohibited hands. These rules apply both to data brokerages going forward and existing agreements, so it may be necessary to review current agreements and bring them into compliance with the new rules.