Executive Order to Protect Sensitive Bulk Data in the U.S.

President Biden issued Executive Order 14117 on February 28, 2024, to address the threat of certain countries of concern accessing or misusing bulk American sensitive data. As a result, the order directly impacts data handling practices within organizations.

The order expands on the 2019 Executive Order 13873, Securing the Information and Communications Technology and Service Supply Chain. The original Executive Order addresses the "unrestricted acquisition or use of information and communications technology by foreign adversaries."

What is Executive Order 14117?

The primary goal of Executive Order 14117 is to limit access to Americans' sensitive personal data and US Government-related data to "countries of concern". The order authorizes the Attorney General to prevent the large-scale transfer of Americans' personal data. It notes that the development of artificial intelligence (AI) capabilities and algorithms exacerbates the risks of bulk sensitive data, such as recognizing patterns across multiple unrelated datasets and potentially de-anonymizing data. 

Executive Order 14117 restricts access when bulk sensitive data is considered an "unacceptable risk to the national security of the United States". The order defines sensitive data to include:

• Personal identifiers
• Geolocation and related sensor data
• Biometric identifiers
• Human 'omic data (data generated from humans that characterizes or quantifies human biological molecules or metabolic data)
• Personal health data
• Personal financial data
• Any combination of the above

The order authorizes the Department of Justice (DOJ) to identify foreign governments that are countries of concern based on certain parameters. As of February 28, 2024, the DOJ specified the following countries as countries of concern:

• China
• Russia
• Cuba
• Iran
• Venezuela
• North Korea

The order also directs other federal departments and agencies to act, including promoting new rules and regulations, to curb the flow of "sensitive personal data" to countries of concern. The full text for Executive Order 14117 can be found here.

How does this affect employers?

Companies engaged in transactions that include bulk sensitive data or U.S. Government-related data, such as the sale or licensing of such data, can expect new regulations in the future.

Executive Order 14117 specifically highlights transactions that can provide unguarded access to Americans' bulk sensitive data such as data brokerages, third-party vendor agreements, employment agreements, and investment agreements. 

The DOJ in consultation with other government agencies will be identifying classes of prohibited data transactions, including:  

• Data-brokerage transactions
• Transactions involving the transfer of bulk human genomic data or human biospecimens from which human genomic data can be derived

The DOJ will also be considering three classes of restricted data transactions that may affect employers:

• Vendor agreements (including technology services and cloud-service agreements)
• Employment agreements
• Investment agreements

What's next for employers?

This Executive Order is one of several recent regulations implemented as the Federal Government navigates proper precautions for using bulk data and AI safely. The October 2023 Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence is another example of this ongoing effort. Other details and new state-level regulations to safely guard sensitive data and specify guidelines for the safe use of AI are likely to follow.

Employers should review potentially affected agreements and transactions with their legal counsel, especially those related to technology services, cloud solutions, and the use or transfer of bulk sensitive data. Verified Credentials will continue to monitor the development of regulations designed to protect security and data and provide updates as they become available.