What happened?

On February 28, 2024, President Biden issued Executive Order (EO) 14117to protect Americans’ sensitive personal data from exploitation by countries of concern. This is because certain foreign governments are amassing sensitive data and using it to engage in activities that threaten national security, such as espionage (including hacking), extortion, transnational repression, and disinformation campaigns.

What are the details?

The EO calls for the Department of Justice (DOJ) to promulgate regulations to prevent the large-scale transfer of sensitive personal data and US Government-related data to “countries of concern.” This is because the sale of Americans’ data raises significant privacy, counterintelligence, extortion risks and other national security risks (especially for those in the military or national security community).

With this EO, also came an Advanced Notice of Proposed Rulemaking (ANPRM), which was published on March 5, 2024.

Key Bites

• Agreements and contracts
• Entities to establish regulation
• Sensitive personal data
• Country of Concern (and Covered persons)
• Prohibited and Restricted Transactions

Other Bites for consideration:

• The ANPRM has proposed the following bulk thresholds.
• New security regulations are coming.
• For persons (including employers) that have Cross-Border data flow.
• Possible privacy rulemaking updates coming soon, to meet new requirements.

Business Considerations

• Due to the extensive and expansive nature, prepare to adjust your policies and practices, especially the ones concerning Data Privacy.
• Conduct an audit of your providers and vendors to identify in what country they are located. This is to prepare you to find new providers and vendors once the countries and persons of concern are identified (by the DOJ and DHS).
• Try to seek assurances from your vendors that they will also comply with the EO and not transfer information to countries of concern. This is so that a proxy is not established between your provider and your business.

Resources

• Executive Order (“EO”) 14117
• White House Press Release
• Advance Notice of Proposed Rulemaking (ANPRM) 

Source References

• New Executive Order Seeks to Protect Americans’ Sensitive Personal Data (White & Case LLP)
• New Executive Order to Block Businesses From Transferring Data to China and Other Countries of Concern – 4 Steps to Comply (Fisher & Phillips LLP.)
• PRESIDENT BIDEN ISSUES EXECUTIVE ORDER EMPOWERING DOJ TO REGULATE THE EXPORT OF SENSITIVE PERSONAL DATA (Mayer Brown)

This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.