President Biden has recently issued Executive Order 14117 titled “Preventing Access to
Americans’ Bulk Sensitive Data and United States Government-Related Data by Countries of
Concern” (the “Order”), which directs the Department of Justice (DOJ) and multiple other
federal departments and agencies to promulgate new rules and regulations to restrict the large-
scale transfer of sensitive personal data and United States Government-related data to “countries
of concern.”
The Order states that data brokerages, third-party vendor agreements, employment agreements,
investment agreements, and other such arrangements can provide direct and unfettered access to
Americans’ bulk sensitive data and thus pose unacceptable risks to US national security. Covered
“sensitive” data types would include a substantial array of digital identifiers, geolocation data,
biometric and health data, and personal financial data.
Pursuant to the Order, DOJ concurrently issued an Advance Notice of Proposed Rulemaking
(ANPRM). ANPRM would require compliance with government cybersecurity standards before
engaging in vendor or data brokering transactions involving bulk sensitive personal data and
certain U.S. government-related data to entities and individuals based in (or controlled by
persons based in) countries of concern, initially proposed to be China (including Hong Kong and
Macau), Russia, Iran, North Korea, Cuba, and Venezuela. Perhaps more significantly, the
ANPRM would also condition or prohibit U.S. companies holding bulk sensitive data from
accepting any investment (including noncontrolling investments, other than passive investment
in publicly traded securities) from entities of concern. These restrictions apply even to
transactions where the Committee on Foreign Investment in the United States would not have
jurisdiction.
The 45-day public comment period on the ANPRM will conclude on April 15, 2024. The Order
directs the DOJ to publish a proposed rule by August 26, 2024; once that happens, there will be a
second comment period on the proposed rule.
Given its sweeping scope, the Order, once implemented, will have a material impact on a broad
spectrum of companies across industries. Companies that are potentially affected should follow
the rulemaking process closely and proactively take steps in preparation for the ultimate
implementation of the Order.