Preventing Access to Americans Bulk Sensitive Personal Data and United States GovernmentRelated Data by Countries of Concern
p
This site displays a prototype of a Web 20 version of the daily
Federal Register It is not an official legal edition of the Federal
Register and does not replace the official print version or the official
electronic version on GPOs govinfogov
pp
The documents posted on this site are XML renditions of published Federal
Register documents Each document posted on the site includes a link to the
corresponding official PDF file on govinfogov This prototype edition of the
daily Federal Register on FederalRegistergov will remain an unofficial
informational resource until the Administrative Committee of the Federal
Register ACFR issues a regulation granting it official legal status
For complete information about and access to our official publications
and services go to
About the Federal Register
on NARAs archivesgov
pp
The OFRGPO partnership is committed to presenting accurate and reliable
regulatory information on FederalRegistergov with the objective of
establishing the XMLbased Federal Register as an ACFRsanctioned
publication in the future While every effort has been made to ensure that
the material on FederalRegistergov is accurately displayed consistent with
the official SGMLbased PDF version on govinfogov those relying on it for
legal research should verify their results against an official edition of
the Federal Register Until the ACFR grants it official status the XML
rendition of the daily Federal Register on FederalRegistergov does not
provide legal notice to the public or judicial notice to the courts
pp
Enter a search term or FR citation eg
88 FR 382
30 FR 7878
202413208
USDA
090524
RULE
0503AA39
SORN
pp
Choosing an item from
full text search results
will bring you to those results Pressing enter in the search box
will also bring you to search results
Choosing an item from
suggestions
will bring you directly to the content
pp
Background and more details are available in the
Search Navigation
guide
pp
A Presidential Document by the Executive Office of the President on 03012024
ppThis document has been published in the Federal Register Use the PDF linked in the document sidebar for the official electronic formatppExecutive order notes are compiled and maintained by the Office of the Federal Register editorsppAmends EO 13873 May 15 2019 EO 14034 June 9 2021
See EO 13694 April 1 2015 EO 13913 April 4 2020ppExecutive order notes are compiled and maintained by the Office of the Federal Register editorsppAmends EO 13873 May 15 2019 EO 14034 June 9 2021
See EO 13694 April 1 2015 EO 13913 April 4 2020pp
This table of contents is a navigational tool processed from the
headings within the legal text of Federal Register documents
This repetition of headings to form internal navigation links
has no substantive legal effect
ppThis feature is not available for this documentppAdditional information is not currently available for this documentpp
Document page views are updated periodically throughout the day and are
cumulative counts for this document Counts are subject to sampling
reprocessing and revision up or down throughout the day
pp
This document is also available in the following formats
pp
More information and documentation can be found in our
developer tools pages
pp
This PDF is the current
document as it appeared on Public Inspection on
02292024 at 1115 am
pp
It was viewed
128
times while on Public Inspection
pp
If you are using public inspection listings for legal research you
should verify the contents of the documents against a final official
edition of the Federal Register Only official editions of the
Federal Register provide legal notice of publication to the public and judicial notice
to the courts under 44 USC 1503 1507
Learn more here
ppThis document has been published in the Federal Register Use the PDF linked in the document sidebar for the official electronic formatpp
By the authority vested in me as President by the Constitution and the laws of the United States of America including the International Emergency Economic Powers Act 50 USC 1701
et seq IEEPA the National Emergencies Act 50 USC 1601
et seq NEA and section 301 of title 3 United States Code
ppI JOSEPH R BIDEN JR President of the United States of America hereby expand the scope of the national emergency declared in Executive Order 13873 of May 15 2019 Securing the Information and Communications Technology and Services Supply Chain and further addressed with additional measures in Executive Order 14034 of June 9 2021 Protecting Americans Sensitive Data from Foreign Adversaries The continuing effort of certain countries of concern to access Americans sensitive personal data and United States Governmentrelated data constitutes an unusual and extraordinary threat which has its source in whole or substantial part outside the United States to the national security and foreign policy of the United States Access to Americans bulk sensitive personal data or United States Governmentrelated data increases the ability of countries of concern to engage in a wide range of malicious activities Countries of concern can rely on advanced technologies including artificial intelligence AI to analyze and manipulate bulk sensitive personal data to engage in espionage influence kinetic or cyber operations or to identify other potential strategic advantages over the United States Countries of concern can also use access to bulk data sets to fuel the creation and refinement of AI and other advanced technologies thereby improving their ability to exploit the underlying data and exacerbating the national security and foreign policy threats In addition access to some categories of sensitive personal data linked to populations and locations associated with the Federal Governmentincluding the militaryregardless of volume can be used to reveal insights about those populations and locations that threaten national security The growing exploitation of Americans sensitive personal data threatens the development of an international technology ecosystem that protects our security privacy and human rightsppAccordingly to address this threat and to take further steps with respect to the national emergency declared in Executive Order 13873 it is hereby ordered thatpp
Section 1
Policy
It is the policy of the United States to restrict access by countries of concern to Americans bulk sensitive personal data and United States Governmentrelated data when such access would pose an unacceptable risk to the national security of the United States At the same time the United States continues to support open global interoperable reliable and secure flows of data across borders as well as maintaining vital consumer economic scientific and trade relationships that the United States has with other countries
pp
The continuing effort by countries of concern to access Americans bulk sensitive personal data and United States Governmentrelated data threatens the national security and foreign policy of the United States Such countries governments may seek to access and use sensitive personal data in a manner
printed page 15422
that is not in accordance with democratic values safeguards for privacy and other human rights and freedoms Such countries approach stands in sharp contrast to the practices of democracies with respect to sensitive personal data and principles reflected in the Organisation for Economic Cooperation and Development Declaration on Government Access to Personal Data Held by Private Sector Entities Unrestricted transfers of Americans bulk sensitive personal data and United States Governmentrelated data to such countries of concern may therefore enable them to exploit such data for a variety of nefarious purposes including to engage in malicious cyberenabled activities Countries of concern can use their access to Americans bulk sensitive personal data and United States Governmentrelated data to track and build profiles on United States individuals including Federal employees and contractors for illicit purposes including blackmail and espionage Access to Americans bulk sensitive personal data and United States Governmentrelated data by countries of concern through data brokerages thirdparty vendor agreements employment agreements investment agreements or other such arrangements poses particular and unacceptable risks to our national security given that these arrangements often can provide countries of concern with direct and unfettered access to Americans bulk sensitive personal data Countries of concern can use access to United States persons bulk sensitive personal data and United States Governmentrelated data to collect information on activists academics journalists dissidents political figures or members of nongovernmental organizations or marginalized communities in order to intimidate such persons curb dissent or political opposition otherwise limit freedoms of expression peaceful assembly or association or enable other forms of suppression of civil liberties
ppThis risk of access to Americans bulk sensitive personal data and United States Governmentrelated data is not limited to direct access by countries of concern Entities owned by and entities or individuals controlled by or subject to the jurisdiction or direction of a country of concern may enable the government of a country of concern to indirectly access such data For example a country of concern may have cyber national security or intelligence laws that without sufficient legal safeguards obligate such entities and individuals to provide that countrys intelligence services access to Americans bulk sensitive personal data and United States Governmentrelated datappThese risks may be exacerbated when countries of concern use bulk sensitive personal data to develop AI capabilities and algorithms that in turn enable the use of large datasets in increasingly sophisticated and effective ways to the detriment of United States national security Countries of concern can use AI to target United States persons for espionage or blackmail by for example recognizing patterns across multiple unrelated datasets to identify potential individuals whose links to the Federal Government would be otherwise obscured in a single datasetppWhile aspects of this threat have been addressed in previous executive actions such as Executive Order 13694 of April 1 2015 Blocking the Property of Certain Persons Engaging in Significant Malicious CyberEnabled Activities as amended additional steps need to be taken to address this threatpp
At the same time the United States is committed to promoting an open global interoperable reliable and secure Internet protecting human rights online and offline supporting a vibrant global economy by promoting crossborder data flows required to enable international commerce and trade and facilitating open investment To ensure that the United States continues to meet these important policy objectives this order does not authorize the imposition of generalized data localization requirements to store Americans bulk sensitive personal data or United States Governmentrelated data within the United States or to locate computing facilities used to process Americans bulk sensitive personal data or United States Governmentrelated
printed page 15423
data within the United States This order also does not broadly prohibit United States persons from conducting commercial transactions including exchanging financial and other data as part of the sale of commercial goods and services with entities and individuals located in or subject to the control direction or jurisdiction of countries of concern or impose measures aimed at a broader decoupling of the substantial consumer economic scientific and trade relationships that the United States has with other countries In addition my Administration has made commitments to increase public access to the results of taxpayerfunded scientific research the sharing and interoperability of electronic health information and patient access to their data The national security restrictions established in this order are specific carefully calibrated actions to minimize the risks associated with access to bulk sensitive personal data and United States Governmentrelated data by countries of concern while minimizing disruption to commercial activity This order shall be implemented consistent with these policy objectives including by tailoring any regulations issued and actions taken pursuant to this order to address the national security threat posed by access to Americans bulk sensitive personal data and United States Governmentrelated data by countries of concern
pp
Sec 2
Prohibited and Restricted Transactions
a To assist in addressing the national emergency described in this order the Attorney General in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies shall issue subject to public notice and comment regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition holding use transfer transportation or exportation of or dealing in any property in which a foreign country or national thereof has any interest transaction where the transaction
ppi involves bulk sensitive personal data or United States Governmentrelated data as further defined by regulations issued by the Attorney General pursuant to this sectionppii is a member of a class of transactions that has been determined by the Attorney General in regulations issued by the Attorney General pursuant to this section to pose an unacceptable risk to the national security of the United States because the transactions may enable countries of concern or covered persons to access bulk sensitive personal data or United States Governmentrelated data in a manner that contributes to the national emergency described in this orderppiii was initiated is pending or will be completed after the effective date of the regulations issued by the Attorney General pursuant to this sectionppiv does not qualify for an exemption provided in or is not authorized by a license issued pursuant to the regulations issued by the Attorney General pursuant to this section andppv is not as defined by regulations issued by the Attorney General pursuant to this section ordinarily incident to and part of the provision of financial services including banking capital markets and financial insurance services or required for compliance with any Federal statutory or regulatory requirements including any regulations guidance or orders implementing those requirementsppb The Attorney General in consultation with the heads of relevant agencies is authorized to take such actions including the promulgation of rules and regulations and to employ all other powers granted to the President by IEEPA as may be necessary or appropriate to carry out the purposes of this order Executive departments and agencies agencies are directed to take all appropriate measures within their authority to implement the provisions of this orderpp
c Within 180 days of the date of this order the Attorney General in coordination with the Secretary of Homeland Security and in consultation
printed page 15424
with the heads of relevant agencies shall publish the proposed rule described in subsection a of this section for notice and comment This proposed rule shall
ppi identify classes of transactions that meet the criteria specified in subsection aii of this section that are to be prohibited prohibited transactionsppii identify classes of transactions that meet the criteria specified in subsection aii of this section and for which the Attorney General determines that security requirements established by the Secretary of Homeland Security through the Director of the Cybersecurity and Infrastructure Security Agency in accordance with the process described in subsection d of this section adequately mitigate the risk of access by countries of concern or covered persons to bulk sensitive personal data or United States Governmentrelated data restricted transactionsppiii identify with the concurrence of the Secretary of State and the Secretary of Commerce countries of concern and as appropriate classes of covered persons for the purposes of this orderppiv establish as appropriate mechanisms to provide additional clarity to persons affected by this order and any regulations implementing this order including by designations of covered persons and licensing decisionsppv establish a process to issue including to modify or rescind in concurrence with the Secretary of State the Secretary of Commerce and the Secretary of Homeland Security and in consultation with the heads of other relevant agencies as appropriate licenses authorizing transactions that would otherwise be prohibited transactions or restricted transactionsppvi further define the terms identified in section 7 of this order and any other terms used in this order or any regulations implementing this orderppvii address as appropriate coordination with other United States Government entities such as the Committee on Foreign Investment in the United States the Office of Foreign Assets Control within the Department of the Treasury the Bureau of Industry and Security within the Department of Commerce and other entities implementing relevant programs including those implementing Executive Order 13873 Executive Order 14034 and Executive Order 13913 of April 4 2020 Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector andppviii address the need for as appropriate recordkeeping and reporting of transactions to inform investigative enforcement and regulatory effortsppd The Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency shall in coordination with the Attorney General and in consultation with the heads of relevant agencies propose seek public comment on and publish security requirements that address the unacceptable risk posed by restricted transactions as identified by the Attorney General pursuant to this section These requirements shall be based on the Cybersecurity and Privacy Frameworks developed by the National Institute of Standards and Technologyppi The Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency shall in coordination with the Attorney General issue any interpretive guidance regarding the security requirementsppii The Attorney General shall in coordination with the Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency issue enforcement guidance regarding the security requirementspp
e The Secretary of Homeland Security in coordination with the Attorney General is hereby authorized to take such actions including promulgating
printed page 15425
rules regulations standards and requirements issuing interpretive guidance and employing all other powers granted to the President by IEEPA as may be necessary to carry out the purposes described in subsection d of this section
ppf In exercising the authority delegated in subsection b of this section the Attorney General in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies may in addition to the rulemaking directed in subsection c of this section propose one or more regulations to further implement this section including to identify additional classes of prohibited transactions to identify additional classes of restricted transactions with the concurrence of the Secretary of State and the Secretary of Commerce to identify new or remove existing countries of concern and as appropriate classes of covered persons for the purposes of this order and to establish a mechanism for the Attorney General to monitor whether restricted transactions comply with the security requirements established under subsection d of this sectionppg Any proposed regulations implementing this sectionppi shall reflect consideration of the nature of the class of transaction involving bulk sensitive personal data or United States Governmentrelated data the volume of bulk sensitive personal data involved in the transaction and other factors as appropriateppii shall establish thresholds and due diligence requirements for entities to use in assessing whether a transaction is a prohibited transaction or a restricted transactionppiii shall not establish generalized data localization requirements to store bulk sensitive personal data or United States Governmentrelated data within the United States or to locate computing facilities used to process bulk sensitive personal data or United States Governmentrelated data within the United Statesppiv shall account for any legal obligations applicable to the United States Government relating to public access to the results of taxpayerfunded scientific research the sharing and interoperability of electronic health information and patient access to their data andppv shall not address transactions to the extent that they involve types of human omic data other than human genomic data before the submission of the report described in section 6 of this orderpph The prohibitions promulgated pursuant to this section apply except to the extent provided by law including by statute or in regulations orders directives or licenses that may be issued pursuant to this order and notwithstanding any contract entered into or any license or permit granted prior to the effective date of the applicable regulations directed by this orderppi Any transaction or other activity that has the purpose of evading or avoiding causes a violation of or attempts to violate any of the prohibitions promulgated pursuant to this section is prohibitedppj Any conspiracy formed to violate any of the prohibitions promulgated pursuant to this section is prohibitedppk In regulations issued by the Attorney General under this section the Attorney General may prohibit United States persons from knowingly directing transactions if such transactions would be prohibited transactions under regulations issued pursuant to this order if engaged in by a United States personpp
l The Attorney General may consistent with applicable law redelegate any of the authorities conferred on the Attorney General pursuant to this section within the Department of Justice The Secretary of Homeland Security may consistent with applicable law redelegate any of the authorities conferred on the Secretary of Homeland Security pursuant to this section within the Department of Homeland Security
printed page 15426
ppm The Attorney General in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies is hereby authorized to submit recurring and final reports to the Congress related to this order consistent with section 401c of the NEA 50 USC 1641c and section 204c of IEEPA 50 USC 1703cpp
Sec 3
Protecting Sensitive Personal Data
a Access to bulk sensitive personal data and United States Governmentrelated data by countries of concern can be enabled through the transmission of data via network infrastructure that is subject to the jurisdiction or control of countries of concern The risk of access to this data by countries of concern can be and sometime is exacerbated where the data transits a submarine cable that is owned or operated by persons owned by controlled by or subject to the jurisdiction or direction of a country of concern or that connects to the United States and terminates in the jurisdiction of a country of concern Additionally the same risk of access by a country of concern is further exacerbated in instances where a submarine cable is designed built and operated for the express purpose of transferring data including bulk sensitive personal data or United States Governmentrelated data to a specific data center located in a foreign jurisdiction To address this threat the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector Committee shall to the extent consistent with its existing authority and applicable law
ppi prioritize for purposes of and in reliance on the process set forth in section 6 of Executive Order 13913 the initiation of reviews of existing licenses for submarine cable systems that are owned or operated by persons owned by controlled by or subject to the jurisdiction or direction of a country of concern or that terminate in the jurisdiction of a country of concernppii issue policy guidance in consultation with the Committees Advisors as defined in section 3d of Executive Order 13913 regarding the Committees reviews of license applications and existing licenses including the assessment of thirdparty risks regarding access to data by countries of concern andppiii address on an ongoing basis the national security and law enforcement risks related to access by countries of concern to bulk sensitive personal data described in this order that may be presented by any new application or existing license reviewed by the Committee to land or operate a submarine cable system including by updating the Memorandum of Understanding required under section 11 of Executive Order 13913 and by revising the Committees standard mitigation measures with the approval of the Committees Advisors which may include as appropriate any of the security requirements contemplated by section 2d of this orderppb Entities in the United States healthcare market can access bulk sensitive personal data including personal health data and human genomic data through partnerships and agreements with United States healthcare providers and research institutions Even if such data is anonymized pseudonymized or deidentified advances in technology combined with access by countries of concern to large data sets increasingly enable countries of concern that access this data to reidentify or deanonymize data which may reveal the exploitable health information of United States persons While the United States supports open scientific data and sample sharing to accelerate research and development through international cooperation and collaboration the following additional steps must be taken to protect United States persons sensitive personal health data and human genomic data from the threat identified in this orderpp
i The Secretary of Defense the Secretary of Health and Human Services the Secretary of Veterans Affairs and the Director of the National Science Foundation shall consider taking steps including issuing regulations guidance or orders as appropriate and consistent with the legal authorities authorizing relevant Federal assistance programs to prohibit the provision of assistance that enables access by countries of concern or covered persons
printed page 15427
to United States persons bulk sensitive personal data including personal health data and human genomic data or to impose mitigation measures with respect to such assistance which may be consistent with the security requirements adopted under section 2d of this order on the recipients of Federal assistance to address this threat The Secretary of Defense the Secretary of Health and Human Services the Secretary of Veterans Affairs and the Director of the National Science Foundation shall in consultation with each other develop and publish guidance to assist United States research entities in ensuring protection of their bulk sensitive personal data
ppii Within 1 year of the date of this order the Secretary of Defense the Secretary of Health and Human Services the Secretary of Veterans Affairs and the Director of the National Science Foundation shall jointly submit a report to the President through the Assistant to the President for National Security Affairs APNSA detailing their progress in implementing this subsectionppc Entities in the data brokerage industry enable access to bulk sensitive personal data and United States Governmentrelated data by countries of concern and covered persons These entities pose a particular risk of contributing to the national emergency described in this order because they routinely engage in the collection assembly evaluation and dissemination of bulk sensitive personal data and of the subset of United States Governmentrelated data regarding United States consumers The Director of the Consumer Financial Protection Bureau CFPB is encouraged to consider taking steps consistent with CFPBs existing legal authorities to address this aspect of the threat and to enhance compliance with Federal consumer protection law including by continuing to pursue the rulemaking proposals that CFPB identified at the September 2023 Small Business Advisory Panel for Consumer Reporting Rulemakingpp
Sec 4
Assessing the National Security Risks Arising from Prior Transfers of United States Persons Bulk Sensitive Personal Data
Within 120 days of the effective date of the regulations issued pursuant to section 2c of this order the Attorney General the Secretary of Homeland Security and the Director of National Intelligence in consultation with the heads of relevant agencies shall recommend to the APNSA appropriate actions to detect assess and mitigate national security risks arising from prior transfers of United States persons bulk sensitive personal data to countries of concern Within 150 days of the effective date of the regulations issued pursuant to section 2c of this order the APNSA shall review these recommendations and as appropriate consult with the Attorney General the Secretary of Homeland Security and the heads of relevant agencies on implementing the recommendations consistent with applicable law
pp
Sec 5
Report to the President
a Within 1 year of the effective date of the regulations issued pursuant to section 2c of this order the Attorney General in consultation with the Secretary of State the Secretary of the Treasury the Secretary of Commerce and the Secretary of Homeland Security shall submit a report to the President through the APNSA assessing to the extent practicable
ppi the effectiveness of the measures imposed under this order in addressing threats to the national security of the United States described in this order andppii the economic impact of the implementation of this order including on the international competitiveness of United States industryppb In preparing the report described in subsection a of this section the Attorney General shall solicit and consider public comments concerning the economic impact of this orderpp
Sec 6
Assessing Risks Associated with Human omic Data
Within 120 days of the date of this order the APNSA the Assistant to the President and Director of the Domestic Policy Council the Director of the Office of Science and Technology Policy and the Director of the Office of Pandemic
printed page 15428
Preparedness and Response Policy in consultation with the Secretary of State the Secretary of Defense the Secretary of Health and Human Services the Secretary of Veterans Affairs the Director of the National Science Foundation the Director of National Intelligence and the Director of the Federal Bureau of Investigation shall submit a report to the President through the APNSA assessing the risks and benefits of regulating transactions involving types of human omic data other than human genomic data such as human proteomic data human epigenomic data and human metabolomic data and recommending the extent to which such transactions should be regulated pursuant to section 2 of this order This report and recommendation shall consider the risks to United States persons and national security as well as the economic and scientific costs of regulating transactions that provide countries of concern or covered persons access to these data types
pp
Sec 7
Definitions
For purposes of this order
ppa The term access means logical or physical access including the ability to obtain read copy decrypt edit divert release affect alter the state of or otherwise view or receive in any form including through information technology systems cloud computing platforms networks security systems equipment or softwareppb The term bulk means an amount of sensitive personal data that meets or exceeds a threshold over a set period of time as specified in regulations issued by the Attorney General pursuant to section 2 of this orderppc The term country of concern means any foreign government that as determined by the Attorney General pursuant to section 2ciii or 2f of this order has engaged in a longterm pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of United States persons and poses a significant risk of exploiting bulk sensitive personal data or United States Governmentrelated data to the detriment of the national security of the United States or the security and safety of United States persons as specified in regulations issued by the Attorney General pursuant to section 2 of this orderppd The term covered person means an entity owned by controlled by or subject to the jurisdiction or direction of a country of concern a foreign person who is an employee or contractor of such an entity a foreign person who is an employee or contractor of a country of concern a foreign person who is primarily resident in the territorial jurisdiction of a country of concern or any person designated by the Attorney General as being owned or controlled by or subject to the jurisdiction or direction of a country of concern as acting on behalf of or purporting to act on behalf of a country of concern or other covered person or as knowingly causing or directing directly or indirectly a violation of this order or any regulations implementing this orderppe The term covered personal identifiers means as determined by the Attorney General in regulations issued pursuant to section 2 of this order specifically listed classes of personally identifiable data that are reasonably linked to an individual and thatwhether in combination with each other with other sensitive personal data or with other data that is disclosed by a transacting party pursuant to the transaction and that makes the personally identifiable data exploitable by a country of concerncould be used to identify an individual from a data set or link data across multiple data sets to an individual The term covered personal identifiers does not includeppi demographic or contact data that is linked only to another piece of demographic or contact data such as first and last name birth date birthplace zip code residential street or postal address phone number and email address and similar public account identifiers orpp
ii a networkbased identifier accountauthentication data or calldetail data that is linked only to another networkbased identifier account
printed page 15429
authentication data or calldetail data for the provision of telecommunications networking or similar services
ppf The term entity means a partnership association trust joint venture corporation group subgroup or other organizationppg The term foreign person means any person that is not a United States personpph The term human genomic data refers to data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a cellppi The term human omic data means data generated from humans that characterizes or quantifies human biological molecules such as human genomic data epigenomic data proteomic data transcriptomic data microbiomic data or metabolomic data as further defined by regulations issued by the Attorney General pursuant to section 2 of this order which may be informed by the report described in section 6 of this orderppj The term person means an individual or entityppk The term relevant agencies means the Department of State the Department of the Treasury the Department of Defense the Department of Commerce the Department of Health and Human Services the Office of the United States Trade Representative the Office of the Director of National Intelligence the Office of the National Cyber Director the Office of Management and Budget the Federal Trade Commission the Federal Communications Commission and any other agency or office that the Attorney General determines appropriateppl The term sensitive personal data means to the extent consistent with applicable law including sections 203b1 and b3 of IEEPA covered personal identifiers geolocation and related sensor data biometric identifiers human omic data personal health data personal financial data or any combination thereof as further defined in regulations issued by the Attorney General pursuant to section 2 of this order and that could be exploited by a country of concern to harm United States national security if that data is linked or linkable to any identifiable United States individual or to a discrete and identifiable group of United States individuals The term sensitive personal data does not includeppi data that is a matter of public record such as court records or other government records that is lawfully and generally available to the publicppii personal communications that are within the scope of section 203b1 of IEEPA orppiii information or informational materials within the scope of section 203b3 of IEEPAppm The term United States Governmentrelated data means sensitive personal data that regardless of volume the Attorney General determines poses a heightened risk of being exploited by a country of concern to harm United States national security and thatppi a transacting party identifies as being linked or linkable to categories of current or recent former employees or contractors or former senior officials of the Federal Government including the military as specified in regulations issued by the Attorney General pursuant to section 2 of this orderppii is linked to categories of data that could be used to identify current or recent former employees or contractors or former senior officials of the Federal Government including the military as specified in regulations issued by the Attorney General pursuant to section 2 of this order orppiii is linked or linkable to certain sensitive locations the geographical areas of which will be specified publicly that are controlled by the Federal Government including the militarypp
n The term United States person means any United States citizen national or lawful permanent resident any individual admitted to the United
printed page 15430
States as a refugee under 8 USC 1157 or granted asylum under 8 USC 1158 any entity organized solely under the laws of the United States or any jurisdiction within the United States including foreign branches or any person in the United States
pp
Sec 8
General Provisions
a Nothing in this order shall be construed to impair or otherwise affect
ppi the authority granted by law to an executive department or agency or the head thereof orppii the functions of the Director of the Office of Management and Budget relating to budgetary administrative or legislative proposalsppb Nothing in this order shall prohibit transactions for the conduct of the official business of the United States Government by employees grantees or contractors thereof or transactions conducted pursuant to a grant contract or other agreement entered into with the United States Governmentppc Any disputes that may arise among agencies during the consultation processes described in this order may be resolved pursuant to the interagency process described in National Security Memorandum 2 of February 4 2021 Renewing the National Security Council System or any successor documentppd This order shall be implemented consistent with applicable law and subject to the availability of appropriationsppe This order is not intended to and does not create any right or benefit substantive or procedural enforceable at law or in equity by any party against the United States its departments agencies or entities its officers employees or agents or any other personppppFR Doc 202404573 ppBilling code 3395F4Pp
This site displays a prototype of a Web 20 version of the daily
Federal Register It is not an official legal edition of the Federal
Register and does not replace the official print version or the official
electronic version on GPOs govinfogov
pp
The documents posted on this site are XML renditions of published Federal
Register documents Each document posted on the site includes a link to the
corresponding official PDF file on govinfogov This prototype edition of the
daily Federal Register on FederalRegistergov will remain an unofficial
informational resource until the Administrative Committee of the Federal
Register ACFR issues a regulation granting it official legal status
For complete information about and access to our official publications
and services go to
About the Federal Register
on NARAs archivesgov
pp
The OFRGPO partnership is committed to presenting accurate and reliable
regulatory information on FederalRegistergov with the objective of
establishing the XMLbased Federal Register as an ACFRsanctioned
publication in the future While every effort has been made to ensure that
the material on FederalRegistergov is accurately displayed consistent with
the official SGMLbased PDF version on govinfogov those relying on it for
legal research should verify their results against an official edition of
the Federal Register Until the ACFR grants it official status the XML
rendition of the daily Federal Register on FederalRegistergov does not
provide legal notice to the public or judicial notice to the courts
pp
Enter a search term or FR citation eg
88 FR 382
30 FR 7878
202413208
USDA
090524
RULE
0503AA39
SORN
pp
Choosing an item from
full text search results
will bring you to those results Pressing enter in the search box
will also bring you to search results
Choosing an item from
suggestions
will bring you directly to the content
pp
Background and more details are available in the
Search Navigation
guide
pp
A Presidential Document by the Executive Office of the President on 03012024
ppThis document has been published in the Federal Register Use the PDF linked in the document sidebar for the official electronic formatppExecutive order notes are compiled and maintained by the Office of the Federal Register editorsppAmends EO 13873 May 15 2019 EO 14034 June 9 2021
See EO 13694 April 1 2015 EO 13913 April 4 2020ppExecutive order notes are compiled and maintained by the Office of the Federal Register editorsppAmends EO 13873 May 15 2019 EO 14034 June 9 2021
See EO 13694 April 1 2015 EO 13913 April 4 2020pp
This table of contents is a navigational tool processed from the
headings within the legal text of Federal Register documents
This repetition of headings to form internal navigation links
has no substantive legal effect
ppThis feature is not available for this documentppAdditional information is not currently available for this documentpp
Document page views are updated periodically throughout the day and are
cumulative counts for this document Counts are subject to sampling
reprocessing and revision up or down throughout the day
pp
This document is also available in the following formats
pp
More information and documentation can be found in our
developer tools pages
pp
This PDF is the current
document as it appeared on Public Inspection on
02292024 at 1115 am
pp
It was viewed
128
times while on Public Inspection
pp
If you are using public inspection listings for legal research you
should verify the contents of the documents against a final official
edition of the Federal Register Only official editions of the
Federal Register provide legal notice of publication to the public and judicial notice
to the courts under 44 USC 1503 1507
Learn more here
ppThis document has been published in the Federal Register Use the PDF linked in the document sidebar for the official electronic formatpp
By the authority vested in me as President by the Constitution and the laws of the United States of America including the International Emergency Economic Powers Act 50 USC 1701
et seq IEEPA the National Emergencies Act 50 USC 1601
et seq NEA and section 301 of title 3 United States Code
ppI JOSEPH R BIDEN JR President of the United States of America hereby expand the scope of the national emergency declared in Executive Order 13873 of May 15 2019 Securing the Information and Communications Technology and Services Supply Chain and further addressed with additional measures in Executive Order 14034 of June 9 2021 Protecting Americans Sensitive Data from Foreign Adversaries The continuing effort of certain countries of concern to access Americans sensitive personal data and United States Governmentrelated data constitutes an unusual and extraordinary threat which has its source in whole or substantial part outside the United States to the national security and foreign policy of the United States Access to Americans bulk sensitive personal data or United States Governmentrelated data increases the ability of countries of concern to engage in a wide range of malicious activities Countries of concern can rely on advanced technologies including artificial intelligence AI to analyze and manipulate bulk sensitive personal data to engage in espionage influence kinetic or cyber operations or to identify other potential strategic advantages over the United States Countries of concern can also use access to bulk data sets to fuel the creation and refinement of AI and other advanced technologies thereby improving their ability to exploit the underlying data and exacerbating the national security and foreign policy threats In addition access to some categories of sensitive personal data linked to populations and locations associated with the Federal Governmentincluding the militaryregardless of volume can be used to reveal insights about those populations and locations that threaten national security The growing exploitation of Americans sensitive personal data threatens the development of an international technology ecosystem that protects our security privacy and human rightsppAccordingly to address this threat and to take further steps with respect to the national emergency declared in Executive Order 13873 it is hereby ordered thatpp
Section 1
Policy
It is the policy of the United States to restrict access by countries of concern to Americans bulk sensitive personal data and United States Governmentrelated data when such access would pose an unacceptable risk to the national security of the United States At the same time the United States continues to support open global interoperable reliable and secure flows of data across borders as well as maintaining vital consumer economic scientific and trade relationships that the United States has with other countries
pp
The continuing effort by countries of concern to access Americans bulk sensitive personal data and United States Governmentrelated data threatens the national security and foreign policy of the United States Such countries governments may seek to access and use sensitive personal data in a manner
printed page 15422
that is not in accordance with democratic values safeguards for privacy and other human rights and freedoms Such countries approach stands in sharp contrast to the practices of democracies with respect to sensitive personal data and principles reflected in the Organisation for Economic Cooperation and Development Declaration on Government Access to Personal Data Held by Private Sector Entities Unrestricted transfers of Americans bulk sensitive personal data and United States Governmentrelated data to such countries of concern may therefore enable them to exploit such data for a variety of nefarious purposes including to engage in malicious cyberenabled activities Countries of concern can use their access to Americans bulk sensitive personal data and United States Governmentrelated data to track and build profiles on United States individuals including Federal employees and contractors for illicit purposes including blackmail and espionage Access to Americans bulk sensitive personal data and United States Governmentrelated data by countries of concern through data brokerages thirdparty vendor agreements employment agreements investment agreements or other such arrangements poses particular and unacceptable risks to our national security given that these arrangements often can provide countries of concern with direct and unfettered access to Americans bulk sensitive personal data Countries of concern can use access to United States persons bulk sensitive personal data and United States Governmentrelated data to collect information on activists academics journalists dissidents political figures or members of nongovernmental organizations or marginalized communities in order to intimidate such persons curb dissent or political opposition otherwise limit freedoms of expression peaceful assembly or association or enable other forms of suppression of civil liberties
ppThis risk of access to Americans bulk sensitive personal data and United States Governmentrelated data is not limited to direct access by countries of concern Entities owned by and entities or individuals controlled by or subject to the jurisdiction or direction of a country of concern may enable the government of a country of concern to indirectly access such data For example a country of concern may have cyber national security or intelligence laws that without sufficient legal safeguards obligate such entities and individuals to provide that countrys intelligence services access to Americans bulk sensitive personal data and United States Governmentrelated datappThese risks may be exacerbated when countries of concern use bulk sensitive personal data to develop AI capabilities and algorithms that in turn enable the use of large datasets in increasingly sophisticated and effective ways to the detriment of United States national security Countries of concern can use AI to target United States persons for espionage or blackmail by for example recognizing patterns across multiple unrelated datasets to identify potential individuals whose links to the Federal Government would be otherwise obscured in a single datasetppWhile aspects of this threat have been addressed in previous executive actions such as Executive Order 13694 of April 1 2015 Blocking the Property of Certain Persons Engaging in Significant Malicious CyberEnabled Activities as amended additional steps need to be taken to address this threatpp
At the same time the United States is committed to promoting an open global interoperable reliable and secure Internet protecting human rights online and offline supporting a vibrant global economy by promoting crossborder data flows required to enable international commerce and trade and facilitating open investment To ensure that the United States continues to meet these important policy objectives this order does not authorize the imposition of generalized data localization requirements to store Americans bulk sensitive personal data or United States Governmentrelated data within the United States or to locate computing facilities used to process Americans bulk sensitive personal data or United States Governmentrelated
printed page 15423
data within the United States This order also does not broadly prohibit United States persons from conducting commercial transactions including exchanging financial and other data as part of the sale of commercial goods and services with entities and individuals located in or subject to the control direction or jurisdiction of countries of concern or impose measures aimed at a broader decoupling of the substantial consumer economic scientific and trade relationships that the United States has with other countries In addition my Administration has made commitments to increase public access to the results of taxpayerfunded scientific research the sharing and interoperability of electronic health information and patient access to their data The national security restrictions established in this order are specific carefully calibrated actions to minimize the risks associated with access to bulk sensitive personal data and United States Governmentrelated data by countries of concern while minimizing disruption to commercial activity This order shall be implemented consistent with these policy objectives including by tailoring any regulations issued and actions taken pursuant to this order to address the national security threat posed by access to Americans bulk sensitive personal data and United States Governmentrelated data by countries of concern
pp
Sec 2
Prohibited and Restricted Transactions
a To assist in addressing the national emergency described in this order the Attorney General in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies shall issue subject to public notice and comment regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition holding use transfer transportation or exportation of or dealing in any property in which a foreign country or national thereof has any interest transaction where the transaction
ppi involves bulk sensitive personal data or United States Governmentrelated data as further defined by regulations issued by the Attorney General pursuant to this sectionppii is a member of a class of transactions that has been determined by the Attorney General in regulations issued by the Attorney General pursuant to this section to pose an unacceptable risk to the national security of the United States because the transactions may enable countries of concern or covered persons to access bulk sensitive personal data or United States Governmentrelated data in a manner that contributes to the national emergency described in this orderppiii was initiated is pending or will be completed after the effective date of the regulations issued by the Attorney General pursuant to this sectionppiv does not qualify for an exemption provided in or is not authorized by a license issued pursuant to the regulations issued by the Attorney General pursuant to this section andppv is not as defined by regulations issued by the Attorney General pursuant to this section ordinarily incident to and part of the provision of financial services including banking capital markets and financial insurance services or required for compliance with any Federal statutory or regulatory requirements including any regulations guidance or orders implementing those requirementsppb The Attorney General in consultation with the heads of relevant agencies is authorized to take such actions including the promulgation of rules and regulations and to employ all other powers granted to the President by IEEPA as may be necessary or appropriate to carry out the purposes of this order Executive departments and agencies agencies are directed to take all appropriate measures within their authority to implement the provisions of this orderpp
c Within 180 days of the date of this order the Attorney General in coordination with the Secretary of Homeland Security and in consultation
printed page 15424
with the heads of relevant agencies shall publish the proposed rule described in subsection a of this section for notice and comment This proposed rule shall
ppi identify classes of transactions that meet the criteria specified in subsection aii of this section that are to be prohibited prohibited transactionsppii identify classes of transactions that meet the criteria specified in subsection aii of this section and for which the Attorney General determines that security requirements established by the Secretary of Homeland Security through the Director of the Cybersecurity and Infrastructure Security Agency in accordance with the process described in subsection d of this section adequately mitigate the risk of access by countries of concern or covered persons to bulk sensitive personal data or United States Governmentrelated data restricted transactionsppiii identify with the concurrence of the Secretary of State and the Secretary of Commerce countries of concern and as appropriate classes of covered persons for the purposes of this orderppiv establish as appropriate mechanisms to provide additional clarity to persons affected by this order and any regulations implementing this order including by designations of covered persons and licensing decisionsppv establish a process to issue including to modify or rescind in concurrence with the Secretary of State the Secretary of Commerce and the Secretary of Homeland Security and in consultation with the heads of other relevant agencies as appropriate licenses authorizing transactions that would otherwise be prohibited transactions or restricted transactionsppvi further define the terms identified in section 7 of this order and any other terms used in this order or any regulations implementing this orderppvii address as appropriate coordination with other United States Government entities such as the Committee on Foreign Investment in the United States the Office of Foreign Assets Control within the Department of the Treasury the Bureau of Industry and Security within the Department of Commerce and other entities implementing relevant programs including those implementing Executive Order 13873 Executive Order 14034 and Executive Order 13913 of April 4 2020 Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector andppviii address the need for as appropriate recordkeeping and reporting of transactions to inform investigative enforcement and regulatory effortsppd The Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency shall in coordination with the Attorney General and in consultation with the heads of relevant agencies propose seek public comment on and publish security requirements that address the unacceptable risk posed by restricted transactions as identified by the Attorney General pursuant to this section These requirements shall be based on the Cybersecurity and Privacy Frameworks developed by the National Institute of Standards and Technologyppi The Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency shall in coordination with the Attorney General issue any interpretive guidance regarding the security requirementsppii The Attorney General shall in coordination with the Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency issue enforcement guidance regarding the security requirementspp
e The Secretary of Homeland Security in coordination with the Attorney General is hereby authorized to take such actions including promulgating
printed page 15425
rules regulations standards and requirements issuing interpretive guidance and employing all other powers granted to the President by IEEPA as may be necessary to carry out the purposes described in subsection d of this section
ppf In exercising the authority delegated in subsection b of this section the Attorney General in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies may in addition to the rulemaking directed in subsection c of this section propose one or more regulations to further implement this section including to identify additional classes of prohibited transactions to identify additional classes of restricted transactions with the concurrence of the Secretary of State and the Secretary of Commerce to identify new or remove existing countries of concern and as appropriate classes of covered persons for the purposes of this order and to establish a mechanism for the Attorney General to monitor whether restricted transactions comply with the security requirements established under subsection d of this sectionppg Any proposed regulations implementing this sectionppi shall reflect consideration of the nature of the class of transaction involving bulk sensitive personal data or United States Governmentrelated data the volume of bulk sensitive personal data involved in the transaction and other factors as appropriateppii shall establish thresholds and due diligence requirements for entities to use in assessing whether a transaction is a prohibited transaction or a restricted transactionppiii shall not establish generalized data localization requirements to store bulk sensitive personal data or United States Governmentrelated data within the United States or to locate computing facilities used to process bulk sensitive personal data or United States Governmentrelated data within the United Statesppiv shall account for any legal obligations applicable to the United States Government relating to public access to the results of taxpayerfunded scientific research the sharing and interoperability of electronic health information and patient access to their data andppv shall not address transactions to the extent that they involve types of human omic data other than human genomic data before the submission of the report described in section 6 of this orderpph The prohibitions promulgated pursuant to this section apply except to the extent provided by law including by statute or in regulations orders directives or licenses that may be issued pursuant to this order and notwithstanding any contract entered into or any license or permit granted prior to the effective date of the applicable regulations directed by this orderppi Any transaction or other activity that has the purpose of evading or avoiding causes a violation of or attempts to violate any of the prohibitions promulgated pursuant to this section is prohibitedppj Any conspiracy formed to violate any of the prohibitions promulgated pursuant to this section is prohibitedppk In regulations issued by the Attorney General under this section the Attorney General may prohibit United States persons from knowingly directing transactions if such transactions would be prohibited transactions under regulations issued pursuant to this order if engaged in by a United States personpp
l The Attorney General may consistent with applicable law redelegate any of the authorities conferred on the Attorney General pursuant to this section within the Department of Justice The Secretary of Homeland Security may consistent with applicable law redelegate any of the authorities conferred on the Secretary of Homeland Security pursuant to this section within the Department of Homeland Security
printed page 15426
ppm The Attorney General in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies is hereby authorized to submit recurring and final reports to the Congress related to this order consistent with section 401c of the NEA 50 USC 1641c and section 204c of IEEPA 50 USC 1703cpp
Sec 3
Protecting Sensitive Personal Data
a Access to bulk sensitive personal data and United States Governmentrelated data by countries of concern can be enabled through the transmission of data via network infrastructure that is subject to the jurisdiction or control of countries of concern The risk of access to this data by countries of concern can be and sometime is exacerbated where the data transits a submarine cable that is owned or operated by persons owned by controlled by or subject to the jurisdiction or direction of a country of concern or that connects to the United States and terminates in the jurisdiction of a country of concern Additionally the same risk of access by a country of concern is further exacerbated in instances where a submarine cable is designed built and operated for the express purpose of transferring data including bulk sensitive personal data or United States Governmentrelated data to a specific data center located in a foreign jurisdiction To address this threat the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector Committee shall to the extent consistent with its existing authority and applicable law
ppi prioritize for purposes of and in reliance on the process set forth in section 6 of Executive Order 13913 the initiation of reviews of existing licenses for submarine cable systems that are owned or operated by persons owned by controlled by or subject to the jurisdiction or direction of a country of concern or that terminate in the jurisdiction of a country of concernppii issue policy guidance in consultation with the Committees Advisors as defined in section 3d of Executive Order 13913 regarding the Committees reviews of license applications and existing licenses including the assessment of thirdparty risks regarding access to data by countries of concern andppiii address on an ongoing basis the national security and law enforcement risks related to access by countries of concern to bulk sensitive personal data described in this order that may be presented by any new application or existing license reviewed by the Committee to land or operate a submarine cable system including by updating the Memorandum of Understanding required under section 11 of Executive Order 13913 and by revising the Committees standard mitigation measures with the approval of the Committees Advisors which may include as appropriate any of the security requirements contemplated by section 2d of this orderppb Entities in the United States healthcare market can access bulk sensitive personal data including personal health data and human genomic data through partnerships and agreements with United States healthcare providers and research institutions Even if such data is anonymized pseudonymized or deidentified advances in technology combined with access by countries of concern to large data sets increasingly enable countries of concern that access this data to reidentify or deanonymize data which may reveal the exploitable health information of United States persons While the United States supports open scientific data and sample sharing to accelerate research and development through international cooperation and collaboration the following additional steps must be taken to protect United States persons sensitive personal health data and human genomic data from the threat identified in this orderpp
i The Secretary of Defense the Secretary of Health and Human Services the Secretary of Veterans Affairs and the Director of the National Science Foundation shall consider taking steps including issuing regulations guidance or orders as appropriate and consistent with the legal authorities authorizing relevant Federal assistance programs to prohibit the provision of assistance that enables access by countries of concern or covered persons
printed page 15427
to United States persons bulk sensitive personal data including personal health data and human genomic data or to impose mitigation measures with respect to such assistance which may be consistent with the security requirements adopted under section 2d of this order on the recipients of Federal assistance to address this threat The Secretary of Defense the Secretary of Health and Human Services the Secretary of Veterans Affairs and the Director of the National Science Foundation shall in consultation with each other develop and publish guidance to assist United States research entities in ensuring protection of their bulk sensitive personal data
ppii Within 1 year of the date of this order the Secretary of Defense the Secretary of Health and Human Services the Secretary of Veterans Affairs and the Director of the National Science Foundation shall jointly submit a report to the President through the Assistant to the President for National Security Affairs APNSA detailing their progress in implementing this subsectionppc Entities in the data brokerage industry enable access to bulk sensitive personal data and United States Governmentrelated data by countries of concern and covered persons These entities pose a particular risk of contributing to the national emergency described in this order because they routinely engage in the collection assembly evaluation and dissemination of bulk sensitive personal data and of the subset of United States Governmentrelated data regarding United States consumers The Director of the Consumer Financial Protection Bureau CFPB is encouraged to consider taking steps consistent with CFPBs existing legal authorities to address this aspect of the threat and to enhance compliance with Federal consumer protection law including by continuing to pursue the rulemaking proposals that CFPB identified at the September 2023 Small Business Advisory Panel for Consumer Reporting Rulemakingpp
Sec 4
Assessing the National Security Risks Arising from Prior Transfers of United States Persons Bulk Sensitive Personal Data
Within 120 days of the effective date of the regulations issued pursuant to section 2c of this order the Attorney General the Secretary of Homeland Security and the Director of National Intelligence in consultation with the heads of relevant agencies shall recommend to the APNSA appropriate actions to detect assess and mitigate national security risks arising from prior transfers of United States persons bulk sensitive personal data to countries of concern Within 150 days of the effective date of the regulations issued pursuant to section 2c of this order the APNSA shall review these recommendations and as appropriate consult with the Attorney General the Secretary of Homeland Security and the heads of relevant agencies on implementing the recommendations consistent with applicable law
pp
Sec 5
Report to the President
a Within 1 year of the effective date of the regulations issued pursuant to section 2c of this order the Attorney General in consultation with the Secretary of State the Secretary of the Treasury the Secretary of Commerce and the Secretary of Homeland Security shall submit a report to the President through the APNSA assessing to the extent practicable
ppi the effectiveness of the measures imposed under this order in addressing threats to the national security of the United States described in this order andppii the economic impact of the implementation of this order including on the international competitiveness of United States industryppb In preparing the report described in subsection a of this section the Attorney General shall solicit and consider public comments concerning the economic impact of this orderpp
Sec 6
Assessing Risks Associated with Human omic Data
Within 120 days of the date of this order the APNSA the Assistant to the President and Director of the Domestic Policy Council the Director of the Office of Science and Technology Policy and the Director of the Office of Pandemic
printed page 15428
Preparedness and Response Policy in consultation with the Secretary of State the Secretary of Defense the Secretary of Health and Human Services the Secretary of Veterans Affairs the Director of the National Science Foundation the Director of National Intelligence and the Director of the Federal Bureau of Investigation shall submit a report to the President through the APNSA assessing the risks and benefits of regulating transactions involving types of human omic data other than human genomic data such as human proteomic data human epigenomic data and human metabolomic data and recommending the extent to which such transactions should be regulated pursuant to section 2 of this order This report and recommendation shall consider the risks to United States persons and national security as well as the economic and scientific costs of regulating transactions that provide countries of concern or covered persons access to these data types
pp
Sec 7
Definitions
For purposes of this order
ppa The term access means logical or physical access including the ability to obtain read copy decrypt edit divert release affect alter the state of or otherwise view or receive in any form including through information technology systems cloud computing platforms networks security systems equipment or softwareppb The term bulk means an amount of sensitive personal data that meets or exceeds a threshold over a set period of time as specified in regulations issued by the Attorney General pursuant to section 2 of this orderppc The term country of concern means any foreign government that as determined by the Attorney General pursuant to section 2ciii or 2f of this order has engaged in a longterm pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of United States persons and poses a significant risk of exploiting bulk sensitive personal data or United States Governmentrelated data to the detriment of the national security of the United States or the security and safety of United States persons as specified in regulations issued by the Attorney General pursuant to section 2 of this orderppd The term covered person means an entity owned by controlled by or subject to the jurisdiction or direction of a country of concern a foreign person who is an employee or contractor of such an entity a foreign person who is an employee or contractor of a country of concern a foreign person who is primarily resident in the territorial jurisdiction of a country of concern or any person designated by the Attorney General as being owned or controlled by or subject to the jurisdiction or direction of a country of concern as acting on behalf of or purporting to act on behalf of a country of concern or other covered person or as knowingly causing or directing directly or indirectly a violation of this order or any regulations implementing this orderppe The term covered personal identifiers means as determined by the Attorney General in regulations issued pursuant to section 2 of this order specifically listed classes of personally identifiable data that are reasonably linked to an individual and thatwhether in combination with each other with other sensitive personal data or with other data that is disclosed by a transacting party pursuant to the transaction and that makes the personally identifiable data exploitable by a country of concerncould be used to identify an individual from a data set or link data across multiple data sets to an individual The term covered personal identifiers does not includeppi demographic or contact data that is linked only to another piece of demographic or contact data such as first and last name birth date birthplace zip code residential street or postal address phone number and email address and similar public account identifiers orpp
ii a networkbased identifier accountauthentication data or calldetail data that is linked only to another networkbased identifier account
printed page 15429
authentication data or calldetail data for the provision of telecommunications networking or similar services
ppf The term entity means a partnership association trust joint venture corporation group subgroup or other organizationppg The term foreign person means any person that is not a United States personpph The term human genomic data refers to data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a cellppi The term human omic data means data generated from humans that characterizes or quantifies human biological molecules such as human genomic data epigenomic data proteomic data transcriptomic data microbiomic data or metabolomic data as further defined by regulations issued by the Attorney General pursuant to section 2 of this order which may be informed by the report described in section 6 of this orderppj The term person means an individual or entityppk The term relevant agencies means the Department of State the Department of the Treasury the Department of Defense the Department of Commerce the Department of Health and Human Services the Office of the United States Trade Representative the Office of the Director of National Intelligence the Office of the National Cyber Director the Office of Management and Budget the Federal Trade Commission the Federal Communications Commission and any other agency or office that the Attorney General determines appropriateppl The term sensitive personal data means to the extent consistent with applicable law including sections 203b1 and b3 of IEEPA covered personal identifiers geolocation and related sensor data biometric identifiers human omic data personal health data personal financial data or any combination thereof as further defined in regulations issued by the Attorney General pursuant to section 2 of this order and that could be exploited by a country of concern to harm United States national security if that data is linked or linkable to any identifiable United States individual or to a discrete and identifiable group of United States individuals The term sensitive personal data does not includeppi data that is a matter of public record such as court records or other government records that is lawfully and generally available to the publicppii personal communications that are within the scope of section 203b1 of IEEPA orppiii information or informational materials within the scope of section 203b3 of IEEPAppm The term United States Governmentrelated data means sensitive personal data that regardless of volume the Attorney General determines poses a heightened risk of being exploited by a country of concern to harm United States national security and thatppi a transacting party identifies as being linked or linkable to categories of current or recent former employees or contractors or former senior officials of the Federal Government including the military as specified in regulations issued by the Attorney General pursuant to section 2 of this orderppii is linked to categories of data that could be used to identify current or recent former employees or contractors or former senior officials of the Federal Government including the military as specified in regulations issued by the Attorney General pursuant to section 2 of this order orppiii is linked or linkable to certain sensitive locations the geographical areas of which will be specified publicly that are controlled by the Federal Government including the militarypp
n The term United States person means any United States citizen national or lawful permanent resident any individual admitted to the United
printed page 15430
States as a refugee under 8 USC 1157 or granted asylum under 8 USC 1158 any entity organized solely under the laws of the United States or any jurisdiction within the United States including foreign branches or any person in the United States
pp
Sec 8
General Provisions
a Nothing in this order shall be construed to impair or otherwise affect
ppi the authority granted by law to an executive department or agency or the head thereof orppii the functions of the Director of the Office of Management and Budget relating to budgetary administrative or legislative proposalsppb Nothing in this order shall prohibit transactions for the conduct of the official business of the United States Government by employees grantees or contractors thereof or transactions conducted pursuant to a grant contract or other agreement entered into with the United States Governmentppc Any disputes that may arise among agencies during the consultation processes described in this order may be resolved pursuant to the interagency process described in National Security Memorandum 2 of February 4 2021 Renewing the National Security Council System or any successor documentppd This order shall be implemented consistent with applicable law and subject to the availability of appropriationsppe This order is not intended to and does not create any right or benefit substantive or procedural enforceable at law or in equity by any party against the United States its departments agencies or entities its officers employees or agents or any other personppppFR Doc 202404573 ppBilling code 3395F4Pp
