Explaining Executive Order 14117: “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern”

On February 28, 2024, the Biden Administration released Executive Order 14117, the latest in a series of Executive Orders (“EO”) issued over the past decade that seek to use emergency national security powers to limit adversarial nations’ access to data concerning American citizens.  This EO is broader in sweep than other bans, for example President Trump’s now-overturned EO attempting to ban the Chinese Communist Party from collecting data on American citizens through the TikTok app, and therefore is implicitly designed to survive Constitutional challenge.  This article is the first of three articles on EO 14117.  This article simply explains what provisions are included in the EO.  The second article attempts to analyze how the EO may affect American businesses and business practices.  The third article addresses corporate compliance.

   The subject matter of the EO is data, specifically “sensitive personal data.”  The EO defines the term as, “covered personal identifiers, geolocation and related sensor data, biometric identifiers, human 'omic data, personal health data, personal financial data, or any combination thereof, …, and that could be exploited by a country of concern (emphasis added) to harm United States national security if that data is linked or linkable to any identifiable United States individual or to a discrete and identifiable group of United States individuals.”  The essence of this definition is that it seeks to prevent foreign countries’ intelligence operations from building dossiers on individual American citizens.  A complete dossier would include information about a person’s finances, which can be used to compromise a person; geolocation data, which can build patterns of behavior based on where a person routinely goes as tracked by smartphones and smartwatches; and intrinsic health information, which includes not only medical records, but information from genetic testing that can disclose vulnerabilities to sicknesses or compromised personal relationships inside of families.  Any of these categories, in whole or in isolation, can be used to approach and compromise a citizen, to threaten their security and freedom of movement, or to blackmail or extort someone.

   There are exceptions to the application of the EO, but those exceptions are limited to three categories: 1) information already in the public record; 2) the personal communications of a person; and 3) informational materials.  The latter two are known as the Berman Amendments, which were included in the International Emergency Economic Powers Act (IEEPA) as a civil liberties protection, but more significantly were the stumbling block of the Trump TikTok ban because the content of videos would necessarily have been suppressed in the process of blocking the app.

   The term “country of concern” is used within the definition of sensitive personal data.  This term creates the national security tie-in at the heart of the EO.  The EO defines the term as, in essence, “means any foreign government that, as determined by the Attorney General…, has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of United States persons, and poses a significant risk of exploiting bulk sensitive personal data…”  Who are these nations?  Per the DOJ fact sheet on the EO, the nations likely to be identified as countries of concern under this program are China, Russia, Iran, North Korea, Cuba, and Venezuela.

   Why the concern over sensitive personal data and adversarial foreign nations?  The rise in computing power and artificial intelligence has made constructing these espionage dossiers, or unlocking a genetic “deficiency” that leaves a subset of people vulnerable to a specific attack, both realistic and potentially achievable.  The “countries of concern” have already begun collecting this data.  In June 2018, Facebook (Meta) acknowledged sharing personal data of users with four Chinese electronics companies deemed national security threats.  A Chinese genetics company called the BGI Group has developed a prenatal test for Non-Invasive Fetal Trisomy that captures genetic information about the mother.  A BGI study used a military supercomputer to look for genes and characteristics that could be singled out in minority Tibetan and Uyghur populations.  And to further the concern for abusing ethnic subsets, the genetic testing database of 23andMe was hacked and the hackers searched specifically for the genetic data of Ashkenazi Jews and ethnically Chinese customers.

   But to return to the text of the Executive Order, what conduct is the EO prohibiting?  Section 2(c) suggests a framework for what conduct will eventually be prohibited, but the National Security Division of the Department of Justice will issue a notice of proposed rulemaking and the commentary will shape the prohibitions.  The framework includes the identification of the classes of transactions to be prohibited, such as selling genetic data to researchers in countries of concern; the identification of classes of transactions where the risk of improper access can be mitigated by Homeland Security’s CISA agency; the identification of countries of concern and covered persons who shall not be allowed to receive such sensitive personal data; and the creation of a licensing process to undertake allowable transactions involving sensitive personal data.  Homeland Security will also develop interpretive guidance and enforcement guidance.  Other provisions exist in the EO, but an interesting nugget that will increase the cost of compliance is that the National Institute of Standards and Technology (NIST) will develop a framework, based on its Cybersecurity and Privacy Frameworks, to help companies engaging in business that collects sensitive personal data comply with the regulations.

   Multiple government agencies will be involved in the development and execution of the EO.  Many separate departments will contribute to the EO and have responsibilities after the final rule has been made.  The Department of Justice will work with the Secretary of State and Secretary of Commerce to identify the countries of concern.  The AG will also work with Homeland Security to identify the prohibited transactions and the related substance of the EO.  Homeland Security will assist with promulgating rules and regulations using the IEEPA authorities, as well as use CISA to help entities understand compliance responsibilities.  Finally, an interagency committee known as “Team Telecom” will work to review transactions involving foreign investment in American companies that possess this data.

   The EO is a useful framework for the public and the federal agencies, but the substance of it will be determined through the rulemaking process, which begins with an advance notice of proposed rulemaking (ANPRM).  Per the Department of Justice, “The purpose of the ANPRM is to provide transparency and clarity about the intended scope of the program and to solicit input from the public before it goes into effect. The Department welcomes comments on the ANPRM from industry, civil society, and advocacy groups with expertise on data security and cybersecurity, organizations and entities affected by the proposed regulations, and anyone else with an interest in the proper administration of the Executive Order’s directions to prohibit or restrict certain transactions involving Americans’ bulk sensitive personal data or U.S. Government-related data with countries of concern or persons subject to their jurisdiction. Written comments on the ANPRM may be submitted within 45 days on regulations.gov. The ANPRM will be followed by proposed regulations at a later date.”

   Until the rules are out, companies will not know how to comply with the Executive Order.  However, they will be able to make educated guesses as to how such an EO might change their business practices, from external customers to internal process management, and companies would be wise to assess how they might be affected by the EO, and to use their time to shape the EO in a way that comports with their business practices.  The next article in this series will provide my projections on how businesses that collect sensitive personal data might have to change their business practices.