DOJ - Series

What is Government-Related Data Under the DOJ Rule?

in , , , ,

By Hansenard Piou and Sam Castic

This is the third in a series of blog posts about the DOJ Rule regarding Access To U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”). It provides an overview of the second type of data that the DOJ Rule focuses on: government-related data.

Data transactions that are prohibited or restricted by the DOJ Rule are those that involve bulk U.S. sensitive personal data or government-related data. This post explores the types of data that consist of “government-related data”, and the types of companies that are likely to deal with it—including most companies that offer or track precise geolocation data on individuals in the U.S.

There are two types of data that count as government-related data: (1) Any precise geolocation data, regardless of volume, for any location within any area enumerated on the Government-Related Location Data List in § 202.1401, and (2) Any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and Intelligence Community.  Each of these data types are examined in the sections below.

Precise geolocation data for any location within an area on the Government-Related Location Data List

The first type of government-related data is “precise geolocation data” for any location within any area enumerated on the Government-Related Location Data List, regardless of volume.  Precise geolocation data is data that identifies the physical location of an individual or a device with a precision of within 1,000 meters, whether real-time or historical.  This would include GPS-based location data of a cell phone or computer, such as of a company’s employee or customer using location-based services, when it is in one of the government-related locations.

The Government-Related Location Data List is included in the DOJ Rule.  At present, there are 736 locations on the Government-Related Location Data List, and each correspond to an area that is defined by four latitude and longitude coordinates.  For example, here’s the first location on the list:

Looking at the list, it’s difficult to understand where the locations are, or how large they are.  We had these coordinates mapped on Google Maps to show where the 736 government-related locations are.  We’re lawyers, not cartographers, so it’s possible there are errors on this map.  Still, looking at the map shows that some of these areas are very large.  For example, consider location # 236, which covers a large area outside of Charleston South Carolina:

Or location # 128, which covers much of the panhandle and large portion of the gulf coast of Florida:

Or location # 239, which covers a significant portion of the State of Washington:

These locations include interstate highways, large portions of entire counties, and entire cities like Clearwater Florida, Orangeburg South Carolina, and Yakima Washington.  They include places where people live, work, travel through, and visit.  As a practical matter, this means that any company that deals with precise geolocation data of its employees, customers, or other stakeholders on a national basis will almost certainly be dealing with government-related data.  Employers may deal with precise location data of their employees when remotely accessing their network, or in connection with mobile device management solutions.  Companies may be dealing with precise location data of customers in connection with mobile app that include location-based services.

The DOJ Rule indicates that the government-related location data list represents areas that the Attorney General has determined to pose “a heightened risk of being exploited by a country of concern to reveal insights about locations controlled by the Federal Government, including insights about facilities, activities, or populations in those locations, to the detriment of national security, because of the nature of those locations or the personnel who work there.” The locations may include:

  • Worksites or duty stations of federal government employees or contractors in national security positions

  • Military installations, or

  • Facilities or locations that otherwise support the federal government’s national security, defense, intelligence, law enforcement, or foreign policy missions.

As shown in the examples above, the areas on the government-related location data list are much larger than the specific buildings or parcels of land that correspond to those criteria.  That could be due to an intentional effort to avoid disclosing the specific locations where national security-related activities occur, or to obfuscate the specific devices that go to and from the exact locations where national security-related activities occur.

The DOJ may add additional locations to the list, so if your company processes location data, it’s important to stay on top of the locations included on the list.

Sensitive personal data marketed as linked or linkable to U.S. government personnel

The second subcategory is any sensitive personal data that a transacting party markets as “linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and Intelligence Community,” regardless of volume.

The DOJ Compliance Guide notes that “recent former employees” and “recent former contractors” include “employees or contractors who worked for or provided services to the United States Government, in a paid or unpaid status, within the past two years of a potential covered data transaction with a country of concern or covered person.”

The key part of the DOJ Rule definition is that an entity “markets [the data] as linked or linkable” to such individuals. The DOJ Rule gives examples of what this can consist of:

Example 1.  A U.S. company advertises the sale of a set of sensitive personal data as belonging to “active duty” personnel, “military personnel who like to read,” “DoD” personnel, “government employees,” or “communities that are heavily connected to a nearby military base.” The data is government-related data.

Example 2.  In discussing the sale of a set of sensitive personal data with a covered person, a U.S. company describes the dataset as belonging to members of a specific named organization. The identified organization restricts membership to current and former members of the military and their families. The data is government-related data.

These examples show that government-related data will almost certainly include audience segments, and datasets from data brokers and data enrichment providers, that identify individuals as current or former federal government employees, officials, or military personnel.  Adtech, data broker, and data enrichment companies should understand the data types they deal with, and should know when they fall within this part of the definition of government-related data.  Companies that obtain data from these sources should also understand when the data they obtain constitutes government-related data for this reason.  Other companies may also be dealing with government-related data when they have data stored or processed in a way that identifies it is about current or former government employees or military personnel.

When assessing the application of the DOJ Rule, both government-related data and bulk U.S. sensitive personal data need to be considered.  Companies that are not dealing with data in the volumes that meet the bulk sensitive personal data volumes may still find that they are dealing with in-scope data if they process precise geolocation data throughout the U.S., or if they have data-related products or services that relate to identified current or former government employees. 

As noted above, in the coming weeks we will discuss other aspects of the DOJ Rule and the issues it raises. In the next post, we will discuss transactions that the rule prohibits.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Hansenard Piou is an Associate at Hintze Law PLLC with experience in global data protection issues, including kids’ global privacy laws, AADC, privacy impact assessments, GDPR, and privacy statements.  

Sam Castic is a Partner with Hintze Law, chair of the firm’s Retail Group, and co-chair of the Cybersecurity and Breach Response Group and FinTech + Financial Services Group. As a former chief privacy officer, he helps companies build, scale, and right-size privacy programs and strategies.

What is “Bulk U.S. Sensitive Personal Data”?

in , ,
What is “Bulk U.S. Sensitive Personal Data”?

By Emily Litka

This is the second in a series of blog posts about the DOJ Rule regarding Access To U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”). It provides an overview of one of the categories of data that is in scope under the DOJ Rule: bulk U.S. sensitive personal data.

Read More

Does the DOJ Rule Apply?

in , ,
Does the DOJ Rule Apply?

By Hansenard Piou and Sam Castic

This is the first in a series of blog posts about the DOJ Rule regarding Access To U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”).  It provides a high-level overview of the kinds of cross-border data transfers that are regulated by the DOJ Rule. Future blog posts will more closely examine the DOJ Rule, its requirements, potential impacts, and strategies to address compliance.

Read More