top of page

New Executive Order Seeks to Protect Americans’ Sensitive Data from Countries of Concern

4/29/24

President Biden has recently issued Executive Order 14117 titled “Preventing Access to

Americans’ Bulk Sensitive Data and United States Government-Related Data by Countries of

Concern” (the “Order”), which directs the Department of Justice (DOJ) and multiple other

federal departments and agencies to promulgate new rules and regulations to restrict the large-

scale transfer of sensitive personal data and United States Government-related data to “countries

of concern.”


The Order states that data brokerages, third-party vendor agreements, employment agreements,

investment agreements, and other such arrangements can provide direct and unfettered access to

Americans’ bulk sensitive data and thus pose unacceptable risks to US national security. Covered

“sensitive” data types would include a substantial array of digital identifiers, geolocation data,

biometric and health data, and personal financial data. 


Pursuant to the Order, DOJ concurrently issued an Advance Notice of Proposed Rulemaking

(ANPRM). ANPRM would require compliance with government cybersecurity standards before

engaging in vendor or data brokering transactions involving bulk sensitive personal data and

certain U.S. government-related data to entities and individuals based in (or controlled by

persons based in) countries of concern, initially proposed to be China (including Hong Kong and

Macau), Russia, Iran, North Korea, Cuba, and Venezuela. Perhaps more significantly, the

ANPRM would also condition or prohibit U.S. companies holding bulk sensitive data from

accepting any investment (including noncontrolling investments, other than passive investment

in publicly traded securities) from entities of concern. These restrictions apply even to

transactions where the Committee on Foreign Investment in the United States would not have

jurisdiction.


The 45-day public comment period on the ANPRM will conclude on April 15, 2024. The Order

directs the DOJ to publish a proposed rule by August 26, 2024; once that happens, there will be a

second comment period on the proposed rule. 


Given its sweeping scope, the Order, once implemented, will have a material impact on a broad

spectrum of companies across industries. Companies that are potentially affected should follow

the rulemaking process closely and proactively take steps in preparation for the ultimate

implementation of the Order.

bottom of page