03/14/2024

Executive Order On Exporting U.S. Sensitive Personal Data: What To Know

On February 28, 2024, President Biden issued Executive Order 14117, titled “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Executive Order”). This Executive Order sets in motion a rule-making process that has the potential to significantly impact the data processing practices of certain entities and organizations that hold U.S. citizens’ personal data. Read on to find out more about the Executive Order and its implications:

What Does the Executive Order Do?

Executive Order 14117 accomplishes four primary goals:

• It directs the Department of Justice to issue new regulations that establish clear protections for Americans’ sensitive personal data from access and exploitation by “countries of concern.”
• It directs the Departments of Justice and Homeland Security to work together to set high security standards to prevent access by “countries of concern” to Americans’ data through other commercial means, such as data available via investment, vendor, and employment relationships.
• It directs the Department of Justice to issue regulations that establish greater protection of sensitive government-related data, which includes geolocation information on sensitive government sites and information about military members.
• It directs the Departments of Health and Human Services, Defense, and Veterans Affairs to help ensure that Federal grants, contracts, and awards are not used to facilitate access to Americans’ sensitive health data by “countries of concern”, including via companies located in the United States.

What Are Countries of Concern?

The Executive Order does not call out any specific country by name as being a country of concern, though the Biden Administration has specifically identified China, Russia, North Korea, Iran, Cuba, and Venezuela as being countries that will likely be targeted under the Executive Order. Additionally, the Attorney General will have the ability to designate countries as “countries of concern.”

What is Sensitive Personal Data?

Sensitive personal data includes certain personal identifiers, geolocation and related sensor data, biometric identifiers, human 'omic data, personal health data, personal financial data, or any combination thereof, that could be exploited by a country of concern to harm United States national security. The Attorney General is empowered to further define categories of sensitive personal data under the Executive Order.

What’s Next?

It should be noted that although the Executive Order begins the rule-making process for the transfer of U.S. citizens’ personal data, no new rules are directly prescribed as of this time. The rule-making process will take months, at minimum, before any rule goes into effect. In the meantime, entities that either (1) hold U.S. government information or have significant contracts with the U.S. government or (2) transfer U.S. citizens’ personal data to any countries of concern should be prepared to adopt new practices and procedures as required by any new rules.

For all questions relating to the international transfer of personal data, reach out to a cybersecurity expert at McGrath North today.