March 6, 2024
On February 28, 2024, President Joe Biden signed an executive order to protect America's bulk sensitive personal data. This executive order provides an overview of upcoming regulations to limit foreign countries' access to the bulk sensitive personal data of United States persons and the United States Government when such access poses an unacceptable security risk. These regulations aim to balance the unacceptable risks associated with bulk data flow and the need to support secure data flow across borders for legitimate economic, scientific, and trade purposes.
The order defines sensitive personal data as covered personal identifiers, geolocation and related sensor data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof, as further defined in regulations issued by the Attorney General pursuant to Section 2 of the order, and that could be exploited by a country of concern to harm United States national security if that data is linked or linkable to any identifiable United States individual or to a discrete and identifiable group of United States individuals. It requires the Attorney General, in coordination with the Secretary of Homeland Security and consultation with the heads of relevant agencies, to create regulations that outline the class of prohibited bulk personal data transactions, exceptions to these prohibitions, identities of new or existing countries of concern, and, if appropriate, classes of covered persons. The regulations shall govern any transaction that:
The regulations must also establish a process to issue, modify, or rescind licenses for transactions that would otherwise be impermissible, establish mechanisms to provide clarity to impacted parties, coordinate with the Committee on Foreign Investment in the United States and other stakeholders, and develop a process for record keeping, as appropriate.
The order also requires the Attorney General to, within 120 days of the effective date of the regulations, recommend appropriate actions to mitigate national security risks with respect to prior transactions of a United States person's bulk sensitive personal information data to the countries of concern. The Secretary of Homeland Security, acting through the Director of Cybersecurity and Infrastructure Security, will draft regulations and seek public comments on security requirements designed to address the unacceptable risks posed by the transactions that the Attorney General identifies. Additionally, Section 5 of the order requires a report to the president within one year of the effective date of the regulation. This report will include an update on the effectiveness and economic impact of the regulations. This report to the president will provide another opportunity for the public to comment on the impact of the regulation. Additionally, the Departments of Health and Human Services, Defense, and Veterans Affairs must ensure that Federal grants, contracts, and awards are not used to facilitate access to Americans’ sensitive health data by countries of concern, including via companies located in the United States and the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (often called “Team Telecom”) must consider the threats to Americans’ sensitive personal data in its reviews of submarine cable licenses.
While the threshold amount of data that constitutes, “bulk” data will be set by the regulations, companies involved in collecting, selling, and transmitting large amounts of sensitive personal data should begin to understand where and how their data is controlled and shared. Specifically, companies involved in the transmission of bulk sensitive personal data to countries, or businesses closely aligned with countries of concern with a track record of misusing data to infringe upon privacy and human rights will need to ensure that the data is used in a way that is not detrimental to United States national security.
Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.
Hybrid Conference
Intellectual Property Law Institute 2026 – New York
September 28-29, 2026
New York
Articles
When the Classroom Goes Dark: Lessons from the Canvas Breach for Corporate Cyber Preparedness
July 8, 2026
Webinar
Inventive Step in Europe and the US: Comparing the UPC, EPO and National Approaches
July 8, 2026
Webinar
Federal Circuit IP Blog
July 8, 2026
At the PTAB Blog
June 30, 2026
Articles
How Low Can You Go? Courts Lower Marking Defense Burden, Raising Patent Damages Risks
June 29, 2026
Due to international data regulations, we’ve updated our privacy policy. Click here to read our privacy policy in full.