OPINION

Thought for the week: Spark for the US DOJ Rule enforcement and/or new legislation?

Reports of foreign adversaries using commercially available cellphone location data to target U.S. troops could trigger early DOJ enforcement under its sensitive data rule and potentially spur new legislation.


Contributors:

Brian Hengesbaugh

CIPP/US

Global Chair, Data and Cyber

Baker McKenzie

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

This article is part of an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance.

Last week, U.S. Sen. Ron Wyden, D-Ore., and other U.S. lawmakers sent a letter to Department of Defense Chief Information Officer Kirsten Davies on how foreign adversaries are leveraging cell phone location data to target U.S. troops in active war zones. This letter has already been picked up by several media outlets, including Reuters, TechCrunch and CyberWire Daily.

The letter asserts that the DOD has not taken basic steps to protect U.S. military personnel from the serious threats posed by the collection and sale of cell phone location data by data brokers. It includes an attachment with an important exchange of questions and responses from Sen. Wyden to U.S. Central Command, including the following:

"Q.3. Has USCENTCOM received any reports about adversaries using commercial location data to target US personnel in theatre?

RESPONSE: (U) Yes, USCENTCOM has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater."

Other USCENTCOM responses clarify that U.S. military personnel are not prohibited from possessing or using personal smartphones, and describe a guidance document/policy that directs U.S. military personnel to disable geolocation functionality when it is not needed, combined with escalating geolocation restrictions tied to DOD Force Protection Condition levels.

From my reading, it does not appear that the DOD information technology teams are directly implementing this guidance for U.S. military personnel, and instead at least certain aspects of the policy must be implemented by the individuals themselves. Although the letter is short on details, it specifies that this geolocation data has been leveraged by foreign adversaries — presumably Iran but perhaps others — in connection with Operation Epic Fury to target U.S. military personnel in the theater of war.

Why is this significant from a commercial perspective? 

Apart from our concern about the safety of U.S. military personnel and the broader national security implications, this development matters from a commercial standpoint in at least two respects.

First, this could be a spark for the first enforcement actions under the U.S. Department of Justice's final rule on protecting Americans' sensitive data from foreign adversaries. To date, there have not been any publicly announced enforcement actions under the DOJ rule, but high-profile news stories like this one, which concern the data brokerage sale of cell phone location data about U.S. military personnel, could drive some priority test cases.

It is not at all clear how, specifically, Iran or other foreign adversaries accessed precise geolocation information from data brokers in this case — perhaps by purchasing it directly from U.S. data brokers or more indirectly downstream from data brokers in non-U.S. locations. 

However, the broad requirements under the DOJ rule may provide a means for the DOJ to trace back to activities by U.S. data brokers or others that may infringe the rule. Among other points, the precise geolocation data about U.S. military personnel is within the scope of U.S. sensitive personal data that is subject to regulation under the DOJ rule, regardless of where the individuals are located. 

As such, the prohibitions and restrictions applicable to companies within the scope of the DOJ rule could apply, including: general prohibitions on allowing access to entities in countries of concern — that is, China, including Hong Kong and Macau; Cuba; Iran; North Korea; Russia; and Venezuela — as well as other covered persons — non-U.S. entities that are 50% or more owned by a country of concern or other covered persons. The rule also imposes general obligations to include contractual limits on onward transfers with any non-U.S. recipient that has licensing or other rights in the data — called "data brokerage" under the rule; obligations to impose appropriate contractual requirements on vendors and others; and other requirements. 

Second, this development could spur more legislation on this topic. Right now, the DOJ rule is implemented pursuant to a Biden-era executive order under the International Emergency Economic Powers Act. We have seen in Learning Resources v. Trump that IEEPA has certain limits in the scope of its statutory authority, such that Congress might decide to pursue legislation to place these requirements on firmer statutory footing.

This could take the form of expanding the existing Protecting Americans' Data from Foreign Adversaries Act, which imposes restrictions on data brokers regarding the selling of U.S. sensitive data to a foreign adversary country or entity controlled by a foreign adversary. Unlike the DOJ rule, the PADFAA is relatively narrow in that it applies only to true data brokers, not the wide range of industries that collect and process U.S. sensitive personal information, and it is civilly enforced by the U.S. Federal Trade Commission, not the potential criminal enforcement under the DOJ rule. 

What companies should do now 

The DOJ rule is truly a first-of-its-kind set of U.S. requirements on outbound — cross-border — access to U.S. sensitive personal information. Unlike commercial data privacy rules, the DOJ rule has been drafted by national security professionals for national security purposes, which means many of its definitions and provisions are complex, and it can be difficult to understand how they apply to day-to-day business operations.

This is particularly the case with respect to implementation of the DOJ rule in the context of the ad tech ecosystem, where the technologies and business models are developing rapidly. In the wake of these developments involving U.S. military personnel data, companies should consider taking steps to evaluate and enhance their DOJ rule programs in this area, for example by analyzing key issues such as:

  • Do we have an inventory of all third parties with which we interact in relation to our mobile apps — for example, ad networks, data brokers, measurement/analytics providers, software development kit-based data collectors, and the like?
  • Are we able to confirm that none of them are located in a country of concern?
  • Are we able to confirm that none of them are a covered person by virtue of 50% or more ownership by a country of concern or other covered persons?
  • Do we have appropriate contractual provisions in place with any such non-U.S. third parties, such as data brokerage onward transfer restrictions, even where such non-U.S. persons are not located in a country of concern or otherwise constitute a covered person?
  • With respect to third parties in the U.S., do we know or should we know that there may be circumvention of the DOJ rule with respect to such parties?

At a big picture level, this type of proactive global data governance and compliance will become increasingly important as the legal requirements become more complex and the geopolitical rivalries continue to expand.
