Artificial Intelligence, Cybersecurity & Data PrivacyPublications

National Security of Data? U.S. Government Issues Executive Order Aimed at Protecting Americans’ Personal Data: How Does New Cyber Security Executive Order Affect Your Business?

April 4, 2024Legal Alerts

In a move aimed at protecting Americans’ data security, President Joe Biden signed Executive Order 14117 on “Preventing Access to Americans’ Bulk Sensitive Data and United States Government-Related Data by Countries of Concern” (the “Order”).[1] The Order, signed on February 28, 2024, prompts the Department of Justice (the “DOJ”) to develop regulations to prevent mass transfers of sensitive personal and government-related data to certain “countries of concern.”[2] This Order will carry significant implications for businesses, agencies and organizations across various sectors within the nation. Your organization should pay close attention to key provisions of the Order and explore its potential impact on your operations to prepare for compliance.

Overview

Executive Order 14117 is built upon the premise of national security. It seeks to prevent “countries of concern” from accessing sensitive bulk personal data and U.S. Government-related data where such access would present “an unacceptable risk to the national security of the United States.” Additionally, the Order seeks to minimize risks related to the sale of Americans’ data concerning privacy, counterintelligence and blackmail.[3] The Order will promote the establishment of regulations that will have a direct impact on business arrangements involving access to Americans’ sensitive data, including data brokerage arrangements, third-party vendor agreements, employment agreements, investment agreements and other agreements concerning data processing.

Key Takeaways

  1. The Order directs multiple federal agencies and departments, including the DOJ and U.S. Attorney General, to act within 180 days to promulgate new rules and regulations to control and restrict the transfer of “sensitive personal data” to “countries of concern.”
  2. “Sensitive personal data” is broadly defined by the Order and includes personal identifiers, geolocation information, biometric identifiers, metabolic data, personal health data, personal financial data or any combination thereof. This definition will likely expand as regulations are passed and as emerging technologies, such as artificial intelligence (AI), continue to advance.
  3. The DOJ is considering identifying China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela as “countries of concern.”
  4. The DOJ is considering a two-tiered approach to implementing the Order, where certain data transactions will be strictly prohibited and others may only proceed on the condition of compliance with predefined security requirements.[4] The security requirements will be established by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.[5]
  5. The Order places an increased focus on AI, noting misuse or malicious code used in the development of AI capabilities and algorithms heightens the risks associated with the collection and processing of bulk sensitive data by “countries of concern.” 

Impact

The U.S. Government continues to stress the importance of federal comprehensive privacy legislation and Executive Order 14117 is just one step toward the establishment of a federal data privacy bill. Under the Order, the U.S. has issued a call to action for federal agencies and departments to establish, implement and enforce new regulations concerning data processing, transfer and security. Organizations that engage in transactions involving bulk transfers of Americans’ personal data or U.S. Government-related data, including the sale or licensing of access to such data, must anticipate and establish plans for compliance with new privacy regulations under the Order. Businesses must adapt to the forthcoming changes under the Order by ensuring compliance with regulatory requirements, embracing a culture of data security and proactively taking advantage of opportunities to secure sensitive personal data in an evolving age of technological development.