The U.S. is cracking down on data sharing and export with foreign countries. A clear example of the United States’ position is seen in Executive Order 14117 (EO 14117) issued by President Biden on February 28, 2024.
Titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” EO 14117’s main objective is simple – protect the sensitive personal data of individuals located in the United States. But, the reason for this Executive Order is more nuanced.
As technological developments continue to advance powerful AI tools that process mass quantities of data in mere seconds, the Executive Branch has made it a policy of the U.S. to restrict access of “countries of concern” to Americans’ bulk sensitive personal data and United States Government-related data when such access would pose an unacceptable risk to the national security of the United States. Under EO 14117, the Attorney General, along with various other federal agency heads — such as Secretary of Commerce, Secretary of Homeland Security, etc. — will implement a framework (the Program) to better protect sensitive data from the countries of concern by issuing regulations that will outline parameters that restrict the import and export of sensitive personal data.
Together with EO 14117, the Department of Justice (DOJ) issued an Advance Notice of Proposed Rulemaking (ANPRM) on March 5, 2024, to provide additional details on the proposed program and related regulations, provide formal notice of the Program, and solicit public comment.
For U.S. companies doing business with entities in “countries of concern,” common data sharing permitted under vendor agreements, employment agreements, or regular business practices could be at risk. Although much remains open about how the Program will impact data flows, below is what you need to know about EO 14117, the ANPRM, and the Program.
What is EO 14117’s objective?
EO 14117 has two primary objectives:
(1) Limit bulk and highly sensitive personal data transactions between the U.S. and “countries of concern” by either (i) prohibiting the transaction outright (Prohibited Transactions); or (ii) limiting the transaction to only countries that comply with security requirements as defined by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to mitigate the risk of access to the data by countries of concern (Restricted Transactions); and
(2) Better protect sensitive personal data through policy creation and enforcement.
Who is protected by EO 14117?
Unlike state laws, which aim to protect a certain state residents’ personal information, the breadth of EO 14117 is much broader and includes not only U.S. citizens’ sensitive personal data but also the sensitive personal data of (i) lawful permanent residents, (ii) anyone admitted to the United States as a refugee or granted asylum, (iii) any entity organized solely under U.S. laws or jurisdiction; and (iv) any person located in the United States who would not fall into these categories of covered persons.
What is “Sensitive Personal Data” under EO 14117?
“Sensitive personal data” means personal identifiers that include:
- covered personal identifiers;
- geolocation and related sensor data;
- biometric identifiers;
- human genomic data (which is data generated from humans that characterizes or quantifies human biological molecule(s), such as human genomic data (i.e., nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a cell), epigenomic data, proteomic data, transcriptomic data, microbiomic data, or metabolomic data);
- personal health data;
- personal financial data;
- data that could be exploited by a country of concern to harm United States national security if that data is linked or linkable to any identifiable United States individual or to a discrete and identifiable group of United States individuals; and
- any combination thereof.
This term will be further defined in regulations issued by the Attorney General.
Notably, sensitive personal data does not include the following:
- data that is a matter of public record, such as court records or other government records, that is lawfully and generally available to the public;
- personal communications that are within the scope of section 203(b)(1) of International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.)(IEEPA); and
- information or informational materials within the scope of section 203(b)(3) of IEEPA.
What is considered “bulk” sensitive personal data?
The EO defines “bulk” as “an amount of sensitive personal data that meets or exceeds a threshold over a set period of time as specified by the regulations to be issued by the Attorney General.” Therefore, EO 14117 does not give a specific number or threshold for what is considered bulk sensitive data, but instead leaves it up to the Attorney General to provide a definition.
What is a “Prohibited Transaction”?:
A Prohibited Transaction will restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation or exportation of, or dealing in any property in which a foreign country or national thereof has any interest, where the transaction:
- involves bulk sensitive personal data or United States Government-related data, as further defined by regulations issued by the Attorney General;
- is a member of a class of transactions that has been determined by the Attorney General, in regulations issued by the Attorney General, to pose an unacceptable risk to the national security of the United States because the transactions may enable countries of concern or covered persons to access bulk sensitive personal data or United States Government-related data in a manner that contributes to the national emergency;
- was initiated, is pending, or will be completed after the effective date of the regulations issued by the Attorney General;
- does not qualify for an exemption provided in, or is not authorized by a license issued pursuant to, the regulations issued by the Attorney General; and
- is not, as defined by regulations issued by the Attorney General, ordinarily incident to and part of the provision of financial services, including banking, capital markets, and financial insurance services, or required for compliance with any federal statutory or regulatory requirements, including any regulations, guidance, or orders implementing those requirements.
The ANPRM contemplates two categories of Prohibited Transactions between U.S. persons and countries of concern or covered persons:
(1) data-brokerage transactions, and
(2) genomic-data transactions involving the transfer of bulk human genomic data or biospecimens from which such data can be derived.
“Restricted Transactions”, Explained:
What is considered a Restricted Transaction is not explicitly outlined in EO 14117. However, the ANPRM identifies three categories of restricted data transactions:
(1) vendor agreements involving the provision of goods and services (including cloud-service agreements);
(2) employment agreements; and
(3) investment agreements.
The security requirements applicable to these Restricted Transactions will be established by the Department of Homeland Security’s CISA. These security requirements will aim to mitigate the risk of access by countries of concern or covered persons and may include cybersecurity measures such as basic organizational cybersecurity posture requirements, physical and logical access controls, data masking and minimization, and the use of privacy-preserving technologies.
What is a “Country of Concern”?
According to EO 14117, the term “country of concern” means any foreign government that, as determined by the Attorney General, has
(1) engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of United States persons; and
(2) poses a significant risk of exploiting bulk sensitive personal data or United States Government-related data to the detriment of the national security of the United States or the security and safety of United States persons.
The Attorney General, with the agreement of the Secretaries of State and Commerce, has until August 26, 2024, to identify countries of concern, but the ANPRM currently identifies six countries of concern:
- China (including Hong Kong and Macau);
- Russia;
- Iran;
- North Korea;
- Cuba; and
- Venezuela.
Definition of “Covered Persons”
EO 14117, defines four categories of covered persons, which includes entities, that will be subject to the order:
- An entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern;
- a foreign person who is an employee or contractor of such an entity
- a foreign person who is an employee or contractor of a country of concern; and
- a foreign person who is primarily resident in the territorial jurisdiction of a country of concern.
Which entities and data transactions are exempt?
Under EO 14117 and ANPRM, the Program will contain several across-the-board exemptions for data transactions that would be excluded from regulations to the extent that they are:
- ordinarily incident to and part of financial services, payment processing, and regulatory compliance (such as banking, capital markets, or financial-insurance activities; financial activities under the purview of other regulators; the provision or processing of payments involving the transfer of personal financial data or covered personal identifiers for the purchase and sale of goods and services; and legal and regulatory compliance);
- ordinarily incident to and part of ancillary business operations (such as payroll or human resources) within multinational U.S. companies;
- activities of the U.S. Government and its contractors, employees, and grantees (such as federally funded health and research activities, which the funding agencies will regulate themselves); or
- transactions required or authorized by federal law or international agreements (such as the exchange of passenger-manifest information, INTERPOL requests, and public health surveillance).
The ANPRM also contemplates exempting certain investments that do not convey the rights or influence that ordinarily pose an unacceptable national-security risk of giving countries of concern or covered persons access to sensitive personal data.
Do the EO and ANPRM impose data localization requirements on U.S. companies?
No. EO 14117 and ANPRM do not propose generalized data-localization requirements to store individuals within the United States’ bulk sensitive personal data or government-related data within the United States, nor to locate computing facilities used to process Americans’ bulk sensitive personal data or government-related data within the United States. Further, neither the EO nor the ANPRM seek to broadly prohibit U.S. persons from conducting commercial transactions with entities and individuals located in countries of concern or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries.
What’s next for U.S. companies?
EO 14117 and the ANPRM signal major changes in the data privacy landscape. With the specifics of the Program and its implementation still in the works, many open questions remain about how companies can brace for these changes. The public comment period for the ANPRM closed last month and no updates have been released yet. It will be interesting to see how the DOJ approaches enforcement, especially hard-hitting questions posed by U.S. companies with expanding digital markets across the globe.
Taft’s Privacy & Data Security team will continue to monitor updates in rulemaking. For more data privacy & security-related updates, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application.