Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern
Executive Order 14117, signed February 27, 2024, expands the government’s use of emergency powers to curb how and where “bulk sensitive personal data” and “United States Government-related data” can be accessed by countries the Administration designates as “countries of concern.” Building on prior actions (EOs 13873 and 14034), it treats certain foreign access to large data sets as a national-security risk, including risks amplified by AI, cyber operations, or targeted surveillance. The order creates a framework in which the Attorney General (AG), in coordination with Homeland Security and other agencies, can prohibit or restrict U.S. persons from engaging in transactions involving data tied to a country of concern, subject to licensing and safety requirements. It also emphasizes protecting data flows and privacy while avoiding broad data localization or blanket commerce restrictions. The measure covers not just direct data transfers but also indirect access through entities tied to countries of concern, with particular attention to health data, genomic data, data brokers, and critical data pathways like submarine cables.
Key Points
1. Prohibited and restricted transactions: The AG can prohibit or restrict U.S. persons from engaging in transactions (acquiring, holding, using, transferring, or exporting) that involve bulk sensitive personal data or U.S. Government-related data, where a country of concern has an interest and where such transactions pose unacceptable national security risks. Licensing and exemptions are part of the framework.
2. Rulemaking timeline and process: Within 180 days, the AG (with DHS and other heads of relevant agencies) must publish proposed regulations identifying prohibited and restricted classes of transactions, determining security requirements, and designating countries of concern and covered persons. The process includes licensing pathways and ongoing updates to security measures.
3. Security requirements and enforcement: DHS, through the Cybersecurity and Infrastructure Security Agency, will propose and publish security requirements (based on NIST frameworks), with interpretive and enforcement guidance from the AG and DHS. The order authorizes the use of IEEPA powers for implementation and enforcement.
4. Scope of data and sectors addressed: The order targets bulk sensitive personal data and U.S. Government-related data, including data related to health, genomics, and populations linked to federal employees or sensitive locations. It also addresses risks in data brokerage and the transit of data via submarine cables.
5. Oversight, reporting, and reviews: The order requires periodic risk assessments, reports to the President and Congress, and coordination with multiple federal departments (State, Treasury, Commerce, Defense, Homeland Security, etc.). It also contemplates regular updates to mitigation measures and potential revisions to countries of concern and covered persons.