On February 28, 2024, President Biden issued Executive Order 14117 (the Order). The Order primarily directs federal agencies to issue regulations and standards that stop the transfer of Americans' bulk sensitive personal data and US government-related data to designated countries, citing national security concerns. It builds on two earlier executive orders: one signed on May 15, 2019, which declared a national emergency with respect to the information and communications technology supply chain, and one signed on June 9, 2021, which sought to protect Americans' sensitive data from "foreign adversaries."

The purpose of the Order is to prevent Americans' personal data from flowing to, or being accessed by, countries that present national security concerns. These countries are expected to be China, Russia, Iran, North Korea, Cuba and Venezuela. The Order defines sensitive personal data broadly to include human genomic and other 'omic data, biometric identifiers, personal health data, precise geolocation data, personal financial data, and certain personal identifiers. The resulting regulations and security requirements are meant to keep countries of concern from obtaining that data through commercial channels such as investment, vendor, and employment relationships. Finally, the Order directs agencies to ensure that federal grants, contracts, and awards are not used to facilitate access to sensitive health data by countries of concern or covered persons.

Key Definitions

The Order sets forth several key definitions. In particular, it defines "countries of concern," the entities covered by the Order, and the categories of personal data that the Order seeks to protect.

  • "Country of concern" means any foreign government that the Department of Justice (DOJ) determines has "engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States ... and poses a significant risk of exploiting bulk sensitive personal data."
  • "Covered person" means: (1) an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern; ... (4) a foreign person who is primarily resident in the ... country of concern; or (5) any person so designated by the DOJ.
  • "Covered personal identifiers" means specifically listed classes of personally identifiable data, ... reasonably linked to an individual, which could be used to identify an individual from a data set or to link data across multiple data sets to an individual.
  • "Human genomic data" refers to data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a cell.
  • "Human 'omic data" means human data characterizing or quantifying "human biological molecule(s), such as genomic data, epigenomic data, proteomic data, transcriptomic data, microbiomic data, and metabolomic data . . . ."
  • "Sensitive personal data" means "covered personal identifiers, geolocation and related sensor data, biometric identifiers, human 'omic data, personal health data, personal financial data, or any combination thereof . . . ."

Directives

The Order directs several federal agencies, committees, and other entities to conduct rulemaking, perform assessments and reviews, and prepare reports.

The most important rulemaking directives are as follows:

  • DOJ, in coordination with the Department of Homeland Security (DHS), shall issue regulations that prohibit or otherwise restrict United States persons from engaging in any transaction with a foreign country or national where the transaction (1) involves bulk sensitive personal data or US government-related data, and (2) is a member of a class of transactions determined by DOJ to pose an unacceptable national security risk because it may enable countries of concern or covered persons to access such data. DHS, acting through the Cybersecurity and Infrastructure Security Agency (CISA) and in coordination with DOJ, shall issue security requirements addressing the unacceptable risk posed by restricted transactions, based on the Cybersecurity Framework and Privacy Framework developed by the National Institute of Standards and Technology.
  • The Department of Defense, the Department of Health and Human Services, the Department of Veterans Affairs, and the National Science Foundation shall consider ... issuing regulations, guidance, or orders to prohibit the provision of assistance that enables access by countries of concern or covered persons to bulk sensitive personal data, including personal health data and human genomic data.
  • The Consumer Financial Protection Bureau is encouraged to consider taking steps to address the risk that entities in the data brokerage industry enable access to bulk sensitive personal data.

The most important review and report directives are as follows:

  • The Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector, more commonly known as Team Telecom, shall: (1) initiate reviews of existing licenses for submarine cable systems that are owned or operated by persons owned by, controlled by, or subject to the jurisdiction of a country of concern, or that terminate in the jurisdiction of a country of concern; (2) issue policy guidance regarding the review of license applications and existing licenses; and (3) address the national security and law enforcement risks related to access by countries of concern to bulk sensitive personal data that may be presented by any new application or existing license to land or operate a submarine cable system.
  • Within 120 days of the DOJ rulemaking directed above, DOJ, DHS, and the Director of National Intelligence shall recommend to the Assistant to the President for National Security Affairs appropriate actions ... arising from prior transfers of bulk sensitive personal data to countries of concern.

DOJ Proposed Rulemaking

On March 5, 2024, DOJ's National Security Division published an Advance Notice of Proposed Rulemaking (ANPRM) to begin implementing the rulemaking directed above.

Under the ANPRM, DOJ would implement the Order by establishing a program that identifies classes of transactions that are prohibited in their entirety and classes of transactions that are restricted, meaning they may proceed only if the parties comply with predefined security requirements. The ANPRM also proposes "bulk thresholds": volume-based thresholds for six categories of sensitive personal data that determine whether a transaction involving that data is treated as prohibited or restricted. The ANPRM seeks comments on this proposal and on several other questions about how the Order might be implemented. The comment period for the ANPRM closes on April 19, 2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.