
What You Need to Know about Executive Order 14117 (The Data Broker EO)
Mar 21

Executive Order 14117, sometimes called the Data Broker Executive Order, is a new rule that affects how companies can and can't share Americans' data with other countries. If you're a business owner, especially if you deal with the data of thousands of Americans, here's what you need to know.
Who needs to comply with EO 14117?
This rule applies to U.S. companies that share data with anyone affiliated with certain countries called "Countries of Concern", including:
China
Cuba
Iran
North Korea
Russia
Venezuela
Key term: "U.S. persons" - This means both individuals and companies based in the U.S.
Who is a Covered Person according to EO 14117?
"Covered persons" include individuals and entities affiliated with countries of concern.
Under Executive Order 14117, the following individuals and entities are considered affiliated with countries of concern:
Entities with Significant Ownership: 50% or more owned by a country of concern or other covered persons.
Entities Based in Countries of Concern: Chartered or with principal place of business there.
Employees and Contractors: Working for countries of concern or their entities.
Residents: Primarily residing in a country of concern.
Designated by the Attorney General: Individuals or entities acting on behalf of countries of concern or causing violations.
When does EO 14117 go into effect?
The EO has a two-phase rollout of its rules:
April 8, 2025: Businesses must stop prohibited transactions (e.g., selling bulk human 'omic data) and implement basic compliance measures
October 6, 2025: Due diligence, audit, and reporting requirements become mandatory
What is Covered Data under EO 14117?
The rule specifies six types of U.S. sensitive personal data and two types of U.S. Government-Related Data, each with its own "bulk" threshold. These thresholds refer to the amount of data that triggers compliance requirements when transferred over the preceding 12 months:
U.S. Consumer Sensitive Data:
Human 'Omic Data
Human genomic data: More than 100 U.S. persons
Other 'omic data (epigenomic, proteomic, transcriptomic): More than 1,000 U.S. persons
Biometric Identifiers
More than 1,000 U.S. persons
Includes facial images, voice prints, retina scans, and fingerprints
Precise Geolocation Data:
More than 1,000 U.S. devices
Identifies location within 1,000 meters
Personal Health Data:
More than 10,000 U.S. persons
Covers physical measurements, medical history, test results, and health-related behaviors
Personal Financial Data:
More than 10,000 U.S. persons
Includes credit card information, bank accounts, and credit reports
Covered Personal Identifiers:
More than 100,000 U.S. persons
Combinations of identifiers that can be linked to other sensitive data
U.S. Government-Related Data:
This category doesn't have a bulk threshold and includes:
Precise geolocation data for designated sensitive areas (e.g., military installations)
Any sensitive personal data marketed as linkable to current or former U.S. government employees or officials
What is a Covered Data Transaction under EO 14117?
A Covered Data Transaction is a deal that may give "bulk" access to large amounts of sensitive personal data about Americans or data related to the U.S. government. Access could be through a direct sale of that data or through other types of deals, such as employment.
The rule covers four main types of deals:
Selling data
Hiring employees
Working with vendors
Making investments
What is a Country of Concern according to EO 14117?
The regulations specifically designate six countries as "countries of concern":
China (including Hong Kong and Macau)
Cuba
Iran
North Korea
Russia
Venezuela
What is Prohibited under EO 14117?
Certain transactions are completely banned under the rule starting April 8th, 2025 including:
Data brokerage transactions to countries of concern or covered persons
Transactions involving human 'omic data
What is Restricted under EO 14117?
Three types of transactions are permitted but subject to substantial compliance requirements when dealing with affiliates of Countries of Concern:
Vendor agreements
Employment agreements
Investment agreements (except certain passive investments)
These restrictions apply specifically to bulk sensitive personal data, which is defined by thresholds based on the number of U.S. persons whose information is included in a transaction.
What are the requirements of EO 14117?
First and foremost, you should stop any and all prohibited transactions by the April 8th, 2025 deadline.
Organizations engaging in restricted transactions have four primary categories of obligations:
Due Diligence Obligations:
Written compliance policies governing data flows and access
Risk-based procedures for evaluating potential transactions
Processes to identify and verify entities involved in transactions
Mechanisms to assess data security risks before entering into agreements
Audit Requirements:
Annual audits of all restricted transactions
Verification of adherence to due diligence procedures
Assessment of ongoing compliance with recordkeeping requirements
Evaluation of the implementation of security measures
While the initially proposed rule required external audits, the final rule permits internal audits if they are conducted with sufficient independence and objectivity.
Recordkeeping Obligations:
Complete and accurate documentation of every restricted transaction for at least 10 years
Records demonstrating compliance with due diligence requirements
Evidence of completed audits and remediation efforts
Documentation of security measures implemented
Security Requirements:
Starting April 8th, 2025, businesses participating in restricted transactions must implement the comprehensive security requirements published by the Cybersecurity and Infrastructure Security Agency (CISA). These requirements are divided into two main categories:
Organizational and System-Level Requirements
Data-Level Requirements
What are the penalties for non-compliance with EO 14117?
The consequences for violating Executive Order 14117 and its implementing regulations are substantial and include both civil and criminal penalties.
Civil Penalties
For violations of the rule, civil penalties can amount to the greater of:
$368,136 (adjusted for inflation), or
Twice the value of the transaction forming the basis of the violation
Criminal Penalties
For willful violations, criminal penalties may include:
Fines up to $1,000,000
Imprisonment for up to 20 years
Or both
Conclusion
Companies potentially affected by these regulations should begin evaluating their data flows, business relationships, and security measures well in advance of the April 8, 2025 effective date.
This evaluation should include identifying potential restricted transactions, assessing current security controls against CISA requirements, and developing comprehensive compliance programs that address due diligence, auditing, and recordkeeping obligations.
This blog is only intended to be informational and is in no way legal advice. If you are looking for specific legal advice, consult a legal expert.