Executive Order 14117: Protecting Americans' Bulk Sensitive Personal Data

Executive Order 14117, signed on February 28, 2024, expands the national emergency declared in Executive Order 13873 to address the “unusual and extraordinary threat” posed by countries of concern accessing Americans’ sensitive personal data. The Order specifically notes that “access to Americans’ bulk sensitive personal data or United States Government-related data increases the ability of countries of concern to engage in a wide range of malicious activities” including using artificial intelligence to “analyze and manipulate bulk sensitive personal data to engage in espionage, influence, kinetic, or cyber operations.” This Order reflects growing recognition that sensitive data has become a strategic resource for adversarial nations, who can exploit it to identify vulnerabilities, conduct espionage, and refine AI systems that may further compromise U.S. national security.

The Department of Justice’s implementing regulations at 28 CFR Part 202 create a framework that prohibits or restricts certain data transactions with countries of concern while supporting “open, global, interoperable, reliable, and secure flows of data across borders.” Rather than imposing blanket data localization requirements, the regulations take a targeted approach to balance security with economic interests. As noted in § 202.101, the rule “prohibits or restricts United States persons from engaging in certain transactions involving government-related data or bulk U.S. sensitive personal data with certain countries of concern or covered persons.” This approach aims to address national security risks while minimizing disruption to legitimate commercial, scientific, and trade activities.

Protected Data Categories and Thresholds

The regulations identify six categories of sensitive personal data requiring protection under § 202.249: covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal health data, and personal financial data. Each category has defined “bulk” thresholds in § 202.205 that determine when data collections trigger regulatory oversight. For example, the threshold for human genomic data is set at 100 U.S. persons, while personal financial data has a higher threshold of 10,000 U.S. persons. These thresholds are designed to capture data collections large enough to present significant national security risks if accessed by countries of concern. Importantly, § 202.206 specifies that bulk U.S. sensitive personal data includes collections “in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted,” recognizing that advanced technologies can often defeat de-identification measures.

Countries of Concern and Covered Persons

Section 202.601 identifies six “countries of concern” that have engaged in conduct adverse to U.S. national security and pose significant risk of exploiting sensitive data: the People’s Republic of China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. The regulations define “covered persons” in § 202.211 as entities or individuals subject to these countries’ ownership, jurisdiction, or control. This includes foreign entities that are 50% or more owned by a country of concern, organized under a country of concern’s laws, or having their principal place of business in a country of concern. It also includes individuals primarily residing in these countries or working for their governments or covered person entities. The rule expressly notes that the covered person definition is not based on nationality, race, or ethnicity, but on the risk of being leveraged by a country of concern.

Prohibited and Restricted Transactions

The regulatory framework in Subparts C and D establishes two categories of regulated transactions. Section 202.301 prohibits “data-brokerage” transactions with countries of concern or covered persons, defined in § 202.214 as “the sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data.” Section 202.303 prohibits transactions involving human ‘omic data or biospecimens with countries of concern. Section 202.302 requires U.S. persons engaging in data brokerage with non-covered foreign persons to contractually restrict onward transfers to countries of concern. These prohibitions target the highest-risk transactions that could enable direct access to sensitive U.S. personal data.

Section 202.401 authorizes certain otherwise-prohibited “restricted transactions” if the U.S. person complies with security requirements developed by CISA and incorporated by reference in § 202.248. These restricted transactions include vendor agreements (§ 202.258), employment agreements (§ 202.217), and investment agreements (§ 202.228) with countries of concern or covered persons that would provide access to government-related data or bulk sensitive personal data. The security requirements include organizational controls (risk assessment processes), system-level controls (access management), and data-level controls (encryption, minimization, and masking). This approach allows economically valuable transactions to continue with appropriate safeguards against unauthorized data access.

Exemptions to Ensure Legitimate Activities

Subpart E establishes several important exemptions to ensure legitimate activities can continue. Section 202.502 exempts transactions involving “information or informational materials” to protect expressive content. Section 202.504 exempts official U.S. Government business, including federally funded research. Section 202.505 exempts financial services transactions, including e-commerce. Section 202.506 exempts internal corporate administrative operations. Section 202.510 exempts data transactions necessary for drug and medical device regulatory approvals, while § 202.511 exempts clinical investigations. These carefully calibrated exemptions reflect the rule’s focus on targeting national security risks while minimizing disruption to legitimate activities.

Compliance Requirements and Recordkeeping

For regulated entities, Subparts J and K establish comprehensive compliance requirements. Section 202.1001 requires U.S. persons engaging in restricted transactions to conduct risk-based due diligence on transaction parties. Section 202.1002 mandates annual independent audits to verify compliance with security requirements. Section 202.1101 requires maintaining detailed records for at least 10 years, including documentation of compliance programs, security measures, and due diligence efforts. Section 202.1104 requires U.S. persons to report rejected prohibited transactions within 14 days. These requirements create accountability while generating information to support enforcement efforts.

Enforcement, Licensing, and Implementation Timeline

The Department of Justice has broad enforcement authority under the rule, with potential civil and criminal penalties under the International Emergency Economic Powers Act. Section 202.701 authorizes the Department to designate additional covered persons based on their relationship with countries of concern. Subpart H creates processes for issuing general and specific licenses to authorize otherwise prohibited transactions. The regulations take effect on April 8, 2025, with some compliance requirements delayed until October 6, 2025, to give organizations adequate time to develop compliance programs while the most urgent national security risks are addressed first.

Risk-Based Compliance Approach

The rule emphasizes a risk-based approach to compliance tailored to each organization’s circumstances. As noted in the preamble to the rule, “the Department expects that U.S. persons will develop compliance programs that fit their own individualized risk profile,” varying based on “size and sophistication, products and services, customers and counterparties, and geographic locations.” This approach includes conducting data inventories, implementing screening procedures, evaluating transactions, developing policies, and maintaining documentation. The rule allows organizations to leverage existing privacy, cybersecurity, and export control frameworks rather than creating entirely new systems.

Recent Incidents Highlighting the Urgency

The rule responds to increasingly urgent threats documented in recent investigations. The preamble cites a November 2024 WIRED investigation that used commercially available advertising and location data to track U.S. military personnel at sensitive installations, including sites storing nuclear weapons. This investigation revealed how such data could be used to “identify individuals with access to sensitive areas; decipher when U.S. nuclear weapons are least guarded; or leverage embarrassing information for blackmail.” Another cited example showed how commercially available data could track the movements of U.S. officials and their protective details through fitness apps. These real-world examples demonstrate the concrete national security risks addressed by the rule.

Comparison with Other Data Protection Regimes

Unlike some other countries’ approaches, the U.S. rule does not broadly prohibit cross-border data transfers or impose data localization requirements. As § 202.101(b) states, the rule “does not establish generalized data localization requirements.” This targeted approach differs from China’s regime, which broadly restricts data exports and requires government review of many cross-border transfers. It also differs from the EU’s GDPR, which focuses primarily on individual privacy rather than national security. The rule’s focus on specific high-risk transactions reflects the U.S. commitment to maintaining global data flows while addressing targeted security concerns.

Knowledge Standard and Business Impact

The rule applies a “knowingly” standard for prohibited transactions, defined in § 202.230 as situations where a U.S. person “had actual knowledge of, or reasonably should have known about, the conduct, circumstance, or result.” This standard, more flexible than strict liability regimes used in some sanctions programs, recognizes the complexity of data transactions while still creating accountability for willfully blind or reckless actions. For businesses engaged in international operations, compliance will require careful examination of data practices, transaction patterns, and relationships with entities in countries of concern or covered persons.

Scientific Research Considerations

The rule’s exemptions for scientific research reflect careful consideration of both security concerns and international cooperation needs. The exemption in § 202.511 for clinical investigations allows sharing of de-identified or pseudonymized data for FDA-regulated research. Section 202.510 exempts regulatory approval data necessary to market drugs, biological products, and devices in countries of concern. These provisions recognize the humanitarian importance of global access to medical treatments while still protecting particularly sensitive categories of data, such as human genomic information, from potential exploitation by countries of concern.

Ongoing Engagement

The Department of Justice has established robust mechanisms for continued engagement with stakeholders throughout the implementation process of Executive Order 14117. Section 202.901 creates a formal advisory opinion process allowing U.S. persons to request written guidance on how the regulations apply to specific, non-hypothetical transactions. This process provides a channel for organizations to seek clarity on ambiguous situations and creates a public record of interpretations that can guide the broader regulated community. The Department has committed to publishing these advisory opinions, subject to confidentiality protections, creating a growing body of guidance that will help refine understanding of the rule’s application.

Beyond the formal advisory opinion process, the rule contemplates ongoing dialogue through the licensing procedures established in Subpart H. Section 202.801 authorizes the issuance of general licenses that categorically permit classes of transactions that would otherwise be prohibited, while § 202.802 creates a specific license application process for individual transactions. The Department has indicated it will consider both humanitarian concerns and economic impacts when evaluating license applications. Through these processes, the Department can refine its approach based on real-world implementation challenges and emerging patterns of legitimate business needs.

The rule also includes a formal assessment mechanism. Section 5 of the Executive Order requires the Attorney General to submit a report to the President within one year of the regulations’ effective date. This report must assess both the effectiveness of the measures in addressing national security threats and their economic impact, including effects on international competitiveness. Importantly, the Order requires the Attorney General to solicit and consider public comments when preparing this report, creating another avenue for stakeholder input. This formal assessment will provide valuable data for potential refinements to the regulatory approach.

As implementation proceeds, the Department has committed to publishing additional guidance documents addressing common compliance questions and scenarios. This guidance will likely include sample policies, procedures, and contractual clauses that organizations can adapt to their specific circumstances. The Department has also indicated it will work collaboratively with industry groups that have experience with similar regulatory regimes, such as sanctions and export controls, to develop best practices and compliance frameworks that leverage existing expertise.

The phased implementation timeline reflects the Department’s recognition that organizations need time to develop appropriate compliance systems. While the core prohibitions take effect on April 8, 2025, the more complex due diligence, auditing, and reporting requirements are delayed until October 6, 2025. This phased approach allows organizations to focus first on identifying and halting prohibited transactions before implementing the more detailed compliance infrastructure required for restricted transactions. The Department has also indicated it may consider further guidance or general licenses if implementation challenges emerge during this period.

Conclusion

Executive Order 14117 and its implementing regulations at 28 CFR Part 202 establish a framework that addresses an increasingly urgent national security threat while preserving America’s commitment to open data flows. The regulations take a targeted, risk-based approach that focuses specifically on transactions involving the most sensitive data categories and the countries that pose the greatest risks of exploiting that data. Rather than imposing blanket prohibitions on international data transfers, the rule creates a calibrated system of prohibitions, restrictions, and exemptions that balance security imperatives with economic and humanitarian considerations.

The regulations represent a significant evolution in the U.S. approach to data protection, recognizing data as a strategic resource with national security implications beyond individual privacy concerns. By establishing categorical rules for data transactions with countries of concern, the regulations provide greater certainty than case-by-case assessments while offering flexibility through the security requirements framework for restricted transactions. This approach allows essential business, scientific, and humanitarian activities to continue with appropriate safeguards.

The success of the regulations will ultimately depend on effective implementation by both the government and regulated entities. For organizations, developing robust compliance programs that accurately identify sensitive data, screen transaction parties, and implement appropriate controls will be essential. For the Department of Justice, providing clear guidance, timely responses to advisory opinion and license requests, and consistent enforcement will be critical to establishing a workable regulatory environment.

As the global data landscape continues to evolve, the framework established by Executive Order 14117 provides a foundation that can adapt to emerging threats and technologies. The ongoing engagement mechanisms built into the regulations ensure that implementation can be refined based on real-world experience and stakeholder feedback. This collaborative approach increases the likelihood that the regulations will effectively protect national security without unduly burdening legitimate activities or undermining U.S. leadership in technology and innovation.

In the broader context of international data governance, Executive Order 14117 represents a distinctly American approach that focuses on targeted security measures rather than comprehensive data localization or privacy regimes. By addressing specific national security risks while maintaining a general commitment to cross-border data flows, the regulations position the United States to continue advocating for an open, interoperable global internet while protecting its citizens from exploitation by foreign adversaries. This balanced approach may ultimately prove more sustainable and effective than either unrestricted data flows or comprehensive localization requirements.
