[00:00:00] Speaker A: Hi everyone. In this special Ethicast Reacts episode, we'll cover the DOJ's recently issued final rule regulating bulk data transfers. I'm your host, Bill Coffin, and this is the Ethicast.
On April 8, right as the Global Ethics Summit was coming to a close, I might add, the U.S. Department of Justice implemented its final rule preventing access to US sensitive personal data. The rule was published on January 8, putting into effect an executive order issued by President Biden last February. The final rule prohibits or significantly restricts the transfer of US Government related data and bulk US personal data to countries that the US deems as high risk. That means China, including Hong Kong and Macau, Cuba, Iran, North Korea, Russia and Venezuela. What's driving the rule are concerns over unfriendly actors using US personal bulk data to train AI and thereby gain insight on Americans' everyday behaviors. Specifically, using advanced technologies including AI to, quote, "analyze and manipulate bulk sensitive personal data to engage in espionage, influence, kinetic or cyber operations or to identify other potential strategic advantages over the United States," end quote. The broad scope of this rule will force businesses across the board to reassess their data handling practices and reevaluate third party due diligence, risk management and data security. Healthcare, global operations and any entity handling sensitive personal data and has connections to the listed countries or covered persons will be affected. Most of the rule's audit, recordkeeping and reporting requirements will take effect on October 6, 2025. With us today to lend her insight on this important topic is Ethisphere Chief Strategy Officer Erica Salmon Byrne. Erica, as always, welcome to the show. It's great to see you.
[00:01:55] Speaker B: It is good to see you as well, Bill, and especially to talk about something as interesting as this and as timely as this, coming right after the great conversation that you had with David Newman from MOFO at the Global Ethics Summit.
[00:02:06] Speaker A: Oh my gosh. It was a, it was a fantastic interview. It was actually one of my highlights of the show. And David Newman, who is with MOFO and until recently was at the DOJ, he offered some really insightful remarks on what we can expect from the DOJ going forward. And he mentioned this issue particularly with bulk data transfers. So Erica, I'd love to know, you know, for you, why is the DOJ making this such a priority?
[00:02:27] Speaker B: Yeah, so it's, it's interesting if you look at, if you read some of the commentary from the Justice Department around the release of this particular rule, a lot of the comments go to something along and I'm paraphrasing here, but something along the lines of, you know, why would, you know, one of our, the enemy state actors go to the trouble of hacking us to get this information if they can just buy it on the open market? So this really goes to the ease with which organizations, you know, state actors were able to get their hands on data about American citizens so that they could engage in cyber bully cyber hacking or, you know, spear phishing or other activities that, that benefited them to the, to the detriment of, of the United States. So it's a, they're treating this data privacy issue because that's really what it is. It's about the extent to which my data goes into somebody else's hands. Then they do something nefarious with it. They're treating a data privacy issue as a national security issue, which is a very interesting kind of cross of these two critical questions.
[00:03:32] Speaker A: How much extra lift will this rule put on orgs that are already paying close attention to the data security and third parties who for other regulatory reasons?
[00:03:40] Speaker B: Yeah, I think, you know, if you are somebody, if you are an organization that was already carefully considering the way in which you moved data of US citizens across borders, you don't have a ton of, of new work that you're going to have to do because you were already thinking carefully about where that data goes and where that data lives. Unfortunately, that, that description does not apply to a lot of companies that might be listening in here who are, who could potentially get caught flat footed. And the reason I say that is, you know, some of the data that is discussed here are things like precise location data, right? So you open up an app on your iPhone. If you are an iPhone user, you open up your app on your iPhone and you allow the app to track you. Well, that is precise location data. And if that is something that is potentially being transferred to, you know, another part of the business that is outside the US or is being sold to a third party for third party marketing purposes, that is where you're going to need to do a lot of work because it is going to be your obligation as an organization to make sure that, that, that geolocation data, that biometric marker data, that personal health data, that, you know, personal information data isn't being somehow sold to one of the countries listed in the, in the regulation or to, you know, an ever changing list of sanctioned persons. So there's going to be two pieces to this. There's the country list and so making sure that it's not going to anybody in those countries and then there's also going to be a list of individuals who are also not allowed to get their hands on this information. So it's really interesting, you know, Bill, from my perspective, because the US for a long time has been one of the developed countries that doesn't have a national privacy law. Right. We don't have a GDPR type piece of legislation.
But this is going to be a data privacy regulation at its base because it limits where you can sell the personal information of U.S. citizens.
And we're going to, you know, it's going to be something that companies are going to have to get their arms around.
[00:05:51] Speaker A: It's worth noting that despite the turmoil in Washington these days, this is a Biden era EO and a DOJ ruling that really crosses over administrative lines. So what does this tell you about the consistency of DOJ enforcement in the months and years to come?
[00:06:06] Speaker B: Yeah, it's, it tells me, Bill, that there are certain, there are certain issues that transcend partisan lines and, and national security as it pertains to some of these state actors is one of those issues particular, particularly as it pertains to the sale of the, the of information about private citizens here in the US that is then used for nefarious purposes. So whether that be, you know, because if you think about it, a lot of this information is being sold to some of those state actors who then engage in some of the spear phishing issues that we've seen in some of the, the cyber attacks, in the hacks, in those sorts of things. That's how this data gets used. And so this is, this is a way for the government to try to shut the door on some of that, that information that these individuals who wish the country harm are using inappropriately.
[00:07:01] Speaker A: Well, this is a super important topic and a super interesting one as well. There's undoubtedly going to be further developments over the course of the year. But in the meantime, Erica, thank you so much for stopping by and being our ear to the ground on this.
[00:07:12] Speaker B: Oh, absolutely, Bill, my pleasure. And for anybody out there who wants to learn more about this, Bill's conversation with David is on the YouTube channel. Definitely worth a listen. So is the session that he was part of to close the Global Ethics Summit this year, there was a panel of people kind of talking about some of the different regulatory trends and things we can expect for the next couple of years. David was a great part of that. So definitely check those resources out and keep an eye on this one. Particularly if you are a company that engages in, you know, the sale or transfer outside of the US of any of these kinds of pieces of sensitive information.
Even if you think that the data you're selling is going that you know where it's going, the obligation on you to make sure that you know where it's going is going to be higher than ever. And the consequences of a misstep in this area will be larger than ever because this is being positioned as a national security issue. So definitely something that you want to be working very closely with your cyber teams, your compliance teams, and your sales teams to make sure that you really understand where the data that you are potentially sending out of the country is actually going.
[00:08:19] Speaker A: For plenty of helpful resources around third parties, data security and more, be sure to visit the Ethisphere resource
[email protected] resources. I'm Bill Coffin and this has been the Ethicast. For more episodes, please visit the Ethisphere YouTube
[email protected] ethisphere and if this is your first time enjoying the show, please please make sure to like and subscribe on YouTube, Apple Podcasts and Spotify. Thanks so much for joining us. And until next time, remember, strong ethics is good business.