By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.) (NEA), and section 301 of title 3, United States Code,
I, JOSEPH R. BIDEN JR., President of the United States of America, hereby expand the scope of the national emergency declared in Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and further addressed with additional measures in Executive Order 14034 of June 9, 2021 (Protecting Americans' Sensitive Data from Foreign Adversaries). The continuing effort of certain countries of concern to access Americans' sensitive personal data and United States Government-related data constitutes an unusual and extraordinary threat, which has its source in whole or substantial part outside the United States, to the national security and foreign policy of the United States. Access to Americans' bulk sensitive personal data or United States Government-related data increases the ability of countries of concern to engage in a wide range of malicious activities. Countries of concern can rely on advanced technologies, including artificial intelligence (AI), to analyze and manipulate bulk sensitive personal data to engage in espionage, influence, kinetic, or cyber operations or to identify other potential strategic advantages over the United States. Countries of concern can also use access to bulk data sets to fuel the creation and refinement of AI and other advanced technologies, thereby improving their ability to exploit the underlying data and exacerbating the national security and foreign policy threats. In addition, access to some categories of sensitive personal data linked to populations and locations associated with the Federal Government — including the military — regardless of volume, can be used to reveal insights about those populations and locations that threaten national security. The growing exploitation of Americans' sensitive personal data threatens the development of an international technology ecosystem that protects our security, privacy, and human rights.
Accordingly, to address this threat and to take further steps with respect to the national emergency declared in Executive Order 13873, it is hereby ordered that:
Section 1. Policy. It is the policy of the United States to restrict access by countries of concern to Americans' bulk sensitive personal data and United States Government-related data when such access would pose an unacceptable risk to the national security of the United States. At the same time, the United States continues to support open, global, interoperable, reliable, and secure flows of data across borders, as well as maintaining vital consumer, economic, scientific, and trade relationships that the United States has with other countries.
The continuing effort by countries of concern to access Americans' bulk sensitive personal data and United States Government-related data threatens the national security and foreign policy of the United States. Such countries' governments may seek to access and use sensitive personal data in a manner that is not in accordance with democratic values, safeguards for privacy, and other human rights and freedoms. Such countries' approach stands in sharp contrast to the practices of democracies with respect to sensitive personal data and principles reflected in the Organisation for Economic Co-operation and Development Declaration on Government Access to Personal Data Held by Private Sector Entities. Unrestricted transfers of Americans' bulk sensitive personal data and United States Government-related data to such countries of concern may therefore enable them to exploit such data for a variety of nefarious purposes, including to engage in malicious cyber-enabled activities. Countries of concern can use their access to Americans' bulk sensitive personal data and United States Government-related data to track and build profiles on United States individuals, including Federal employees and contractors, for illicit purposes, including blackmail and espionage. Access to Americans' bulk sensitive personal data and United States Government-related data by countries of concern through data brokerages, third-party vendor agreements, employment agreements, investment agreements, or other such arrangements poses particular and unacceptable risks to our national security given that these arrangements often can provide countries of concern with direct and unfettered access to Americans' bulk sensitive personal data. Countries of concern can use access to United States persons' bulk sensitive personal data and United States Government-related data to collect information on activists, academics, journalists, dissidents, political figures, or members of non-governmental organizations or marginalized communities in order to intimidate such persons; curb dissent or political opposition; otherwise limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties.
This risk of access to Americans' bulk sensitive personal data and United States Government-related data is not limited to direct access by countries of concern. Entities owned by, and entities or individuals controlled by or subject to the jurisdiction or direction of, a country of concern may enable the government of a country of concern to indirectly access such data. For example, a country of concern may have cyber, national security, or intelligence laws that, without sufficient legal safeguards, obligate such entities and individuals to provide that country's intelligence services access to Americans' bulk sensitive personal data and United States Government-related data.
These risks may be exacerbated when countries of concern use bulk sensitive personal data to develop AI capabilities and algorithms that, in turn, enable the use of large datasets in increasingly sophisticated and effective ways to the detriment of United States national security. Countries of concern can use AI to target United States persons for espionage or blackmail by, for example, recognizing patterns across multiple unrelated datasets to identify potential individuals whose links to the Federal Government would be otherwise obscured in a single dataset.
While aspects of this threat have been addressed in previous executive actions, such as Executive Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities), as amended, additional steps need to be taken to address this threat.
At the same time, the United States is committed to promoting an open, global, interoperable, reliable, and secure Internet; protecting human rights online and offline; supporting a vibrant, global economy by promoting cross-border data flows required to enable international commerce and trade; and facilitating open investment. To ensure that the United States continues to meet these important policy objectives, this order does not authorize the imposition of generalized data localization requirements to store Americans' bulk sensitive personal data or United States Government-related data within the United States or to locate computing facilities used to process Americans' bulk sensitive personal data or United States Government-related data within the United States. This order also does not broadly prohibit United States persons from conducting commercial transactions, including exchanging financial and other data as part of the sale of commercial goods and services, with entities and individuals located in or subject to the control, direction, or jurisdiction of countries of concern, or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries. In addition, my Administration has made commitments to increase public access to the results of taxpayer-funded scientific research, the sharing and interoperability of electronic health information, and patient access to their data. The national security restrictions established in this order are specific, carefully calibrated actions to minimize the risks associated with access to bulk sensitive personal data and United States Government-related data by countries of concern while minimizing disruption to commercial activity. This order shall be implemented consistent with these policy objectives, including by tailoring any regulations issued and actions taken pursuant to this order to address the national security threat posed by access to Americans' bulk sensitive personal data and United States Government-related data by countries of concern.
Sec. 2. Prohibited and Restricted Transactions. (a) To assist in addressing the national emergency described in this order, the Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies, shall issue, subject to public notice and comment, regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (transaction), where the transaction:
(i) involves bulk sensitive personal data or United States Government-related data, as further defined by regulations issued by the Attorney General pursuant to this section;
(ii) is a member of a class of transactions that has been determined by the Attorney General, in regulations issued by the Attorney General pursuant to this section, to pose an unacceptable risk to the national security of the United States because the transactions may enable countries of concern or covered persons to access bulk sensitive personal data or United States Government-related data in a manner that contributes to the national emergency described in this order;
(iii) was initiated, is pending, or will be completed after the effective date of the regulations issued by the Attorney General pursuant to this section;
(iv) does not qualify for an exemption provided in, or is not authorized by a license issued pursuant to, the regulations issued by the Attorney General pursuant to this section; and
(v) is not, as defined by regulations issued by the Attorney General pursuant to this section, ordinarily incident to and part of the provision of financial services, including banking, capital markets, and financial insurance services, or required for compliance with any Federal statutory or regulatory requirements, including any regulations, guidance, or orders implementing those requirements.
(b) The Attorney General, in consultation with the heads of relevant agencies, is authorized to take such actions, including the promulgation of rules and regulations, and to employ all other powers granted to the President by IEEPA, as may be necessary or appropriate to carry out the purposes of this order. Executive departments and agencies (agencies) are directed to take all appropriate measures within their authority to implement the provisions of this order.
(c) Within 180 days of the date of this order, the Attorney General, in coordination with the Secretary of Homeland Security, and in consultation with the heads of relevant agencies, shall publish the proposed rule described in subsection (a) of this section for notice and comment. This proposed rule shall:
(i) identify classes of transactions that meet the criteria specified in subsection (a)(ii) of this section that are to be prohibited (prohibited transactions);
(ii) identify classes of transactions that meet the criteria specified in subsection (a)(ii) of this section and for which the Attorney General determines that security requirements established by the Secretary of Homeland Security, through the Director of the Cybersecurity and Infrastructure Security Agency, in accordance with the process described in subsection (d) of this section, adequately mitigate the risk of access by countries of concern or covered persons to bulk sensitive personal data or United States Government-related data (restricted transactions);
(iii) identify, with the concurrence of the Secretary of State and the Secretary of Commerce, countries of concern and, as appropriate, classes of covered persons for the purposes of this order;
(iv) establish, as appropriate, mechanisms to provide additional clarity to persons affected by this order and any regulations implementing this order (including by designations of covered persons and licensing decisions);
(v) establish a process to issue (including to modify or rescind), in concurrence with the Secretary of State, the Secretary of Commerce, and the Secretary of Homeland Security, and in consultation with the heads of other relevant agencies, as appropriate, licenses authorizing transactions that would otherwise be prohibited transactions or restricted transactions;
(vi) further define the terms identified in section 7 of this order and any other terms used in this order or any regulations implementing this order;
(vii) address, as appropriate, coordination with other United States Government entities, such as the Committee on Foreign Investment in the United States, the Office of Foreign Assets Control within the Department of the Treasury, the Bureau of Industry and Security within the Department of Commerce, and other entities implementing relevant programs, including those implementing Executive Order 13873; Executive Order 14034; and Executive Order 13913 of April 4, 2020 (Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector); and
(viii) address the need for, as appropriate, recordkeeping and reporting of transactions to inform investigative, enforcement, and regulatory efforts.
(d) The Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency, shall, in coordination with the Attorney General and in consultation with the heads of relevant agencies, propose, seek public comment on, and publish security requirements that address the unacceptable risk posed by restricted transactions, as identified by the Attorney General pursuant to this section. These requirements shall be based on the Cybersecurity and Privacy Frameworks developed by the National Institute of Standards and Technology.
(i) The Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency, shall, in coordination with the Attorney General, issue any interpretive guidance regarding the security requirements.
(ii) The Attorney General shall, in coordination with the Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency, issue enforcement guidance regarding the security requirements.
(e) The Secretary of Homeland Security, in coordination with the Attorney General, is hereby authorized to take such actions, including promulgating rules, regulations, standards, and requirements; issuing interpretive guidance; and employing all other powers granted to the President by IEEPA as may be necessary to carry out the purposes described in subsection (d) of this section.
(f) In exercising the authority delegated in subsection (b) of this section, the Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies, may, in addition to the rulemaking directed in subsection (c) of this section, propose one or more regulations to further implement this section, including to identify additional classes of prohibited transactions; to identify additional classes of restricted transactions; with the concurrence of the Secretary of State and the Secretary of Commerce, to identify new or remove existing countries of concern and, as appropriate, classes of covered persons for the purposes of this order; and to establish a mechanism for the Attorney General to monitor whether restricted transactions comply with the security requirements established under subsection (d) of this section.
(g) Any proposed regulations implementing this section:
(i) shall reflect consideration of the nature of the class of transaction involving bulk sensitive personal data or United States Government-related data, the volume of bulk sensitive personal data involved in the transaction, and other factors, as appropriate;
(ii) shall establish thresholds and due diligence requirements for entities to use in assessing whether a transaction is a prohibited transaction or a restricted transaction;
(iii) shall not establish generalized data localization requirements to store bulk sensitive personal data or United States Government-related data within the United States or to locate computing facilities used to process bulk sensitive personal data or United States Government-related data within the United States;
(iv) shall account for any legal obligations applicable to the United States Government relating to public access to the results of taxpayer-funded scientific research, the sharing and interoperability of electronic health information, and patient access to their data; and
(v) shall not address transactions to the extent that they involve types of human 'omic data other than human genomic data before the submission of the report described in section 6 of this order.
(h) The prohibitions promulgated pursuant to this section apply except to the extent provided by law, including by statute or in regulations, orders, directives, or licenses that may be issued pursuant to this order, and notwithstanding any contract entered into or any license or permit granted prior to the effective date of the applicable regulations directed by this order.
(i) Any transaction or other activity that has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions promulgated pursuant to this section is prohibited.
(j) Any conspiracy formed to violate any of the prohibitions promulgated pursuant to this section is prohibited.
(k) In regulations issued by the Attorney General under this section, the Attorney General may prohibit United States persons from knowingly directing transactions if such transactions would be prohibited transactions under regulations issued pursuant to this order if engaged in by a United States person.
(l) The Attorney General may, consistent with applicable law, redelegate any of the authorities conferred on the Attorney General pursuant to this section within the Department of Justice. The Secretary of Homeland Security may, consistent with applicable law, redelegate any of the authorities conferred on the Secretary of Homeland Security pursuant to this section within the Department of Homeland Security.
(m) The Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies, is hereby authorized to submit recurring and final reports to the Congress related to this order, consistent with section 401(c) of the NEA (50 U.S.C. 1641(c)) and section 204(c) of IEEPA (50 U.S.C. 1703(c)).
Sec. 3. Protecting Sensitive Personal Data. (a) Access to bulk sensitive personal data and United States Government-related data by countries of concern can be enabled through the transmission of data via network infrastructure that is subject to the jurisdiction or control of countries of concern. The risk of access to this data by countries of concern can be, and sometime is, exacerbated where the data transits a submarine cable that is owned or operated by persons owned by, controlled by, or subject to the jurisdiction or direction of a country of concern, or that connects to the United States and terminates in the jurisdiction of a country of concern. Additionally, the same risk of access by a country of concern is further exacerbated in instances where a submarine cable is designed, built, and operated for the express purpose of transferring data, including bulk sensitive personal data or United States Government-related data, to a specific data center located in a foreign jurisdiction. To address this threat, the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (Committee) shall, to the extent consistent with its existing authority and applicable law:
(i) prioritize, for purposes of and in reliance on the process set forth in section 6 of Executive Order 13913, the initiation of reviews of existing licenses for submarine cable systems that are owned or operated by persons owned by, controlled by, or subject to the jurisdiction or direction of a country of concern, or that terminate in the jurisdiction of a country of concern;
(ii) issue policy guidance, in consultation with the Committee's Advisors as defined in section 3(d) of Executive Order 13913, regarding the Committee's reviews of license applications and existing licenses, including the assessment of third-party risks regarding access to data by countries of concern; and
(iii) address, on an ongoing basis, the national security and law enforcement risks related to access by countries of concern to bulk sensitive personal data described in this order that may be presented by any new application or existing license reviewed by the Committee to land or operate a submarine cable system, including by updating the Memorandum of Understanding required under section 11 of Executive Order 13913 and by revising the Committee's standard mitigation measures, with the approval of the Committee's Advisors, which may include, as appropriate, any of the security requirements contemplated by section 2(d) of this order.
(b) Entities in the United States healthcare market can access bulk sensitive personal data, including personal health data and human genomic data, through partnerships and agreements with United States healthcare providers and research institutions. Even if such data is anonymized, pseudonymized, or de-identified, advances in technology, combined with access by countries of concern to large data sets, increasingly enable countries of concern that access this data to re-identify or de-anonymize data, which may reveal the exploitable health information of United States persons. While the United States supports open scientific data and sample sharing to accelerate research and development through international cooperation and collaboration, the following additional steps must be taken to protect United States persons' sensitive personal health data and human genomic data from the threat identified in this order:
(i) The Secretary of Defense, the Secretary of Health and Human Services, the Secretary of Veterans Affairs, and the Director of the National Science Foundation shall consider taking steps, including issuing regulations, guidance, or orders, as appropriate and consistent with the legal authorities authorizing relevant Federal assistance programs, to prohibit the provision of assistance that enables access by countries of concern or covered persons to United States persons' bulk sensitive personal data, including personal health data and human genomic data, or to impose mitigation measures with respect to such assistance, which may be consistent with the security requirements adopted under section 2(d) of this order, on the recipients of Federal assistance to address this threat. The Secretary of Defense, the Secretary of Health and Human Services, the Secretary of Veterans Affairs, and the Director of the National Science Foundation shall, in consultation with each other, develop and publish guidance to assist United States research entities in ensuring protection of their bulk sensitive personal data.
(ii) Within 1 year of the date of this order, the Secretary of Defense, the Secretary of Health and Human Services, the Secretary of Veterans Affairs, and the Director of the National Science Foundation shall jointly submit a report to the President through the Assistant to the President for National Security Affairs (APNSA) detailing their progress in implementing this subsection.
(c) Entities in the data brokerage industry enable access to bulk sensitive personal data and United States Government-related data by countries of concern and covered persons. These entities pose a particular risk of contributing to the national emergency described in this order because they routinely engage in the collection, assembly, evaluation, and dissemination of bulk sensitive personal data and of the subset of United States Government-related data regarding United States consumers. The Director of the Consumer Financial Protection Bureau (CFPB) is encouraged to consider taking steps, consistent with CFPB's existing legal authorities, to address this aspect of the threat and to enhance compliance with Federal consumer protection law, including by continuing to pursue the rulemaking proposals that CFPB identified at the September 2023 Small Business Advisory Panel for Consumer Reporting Rulemaking.
Sec. 4. Assessing the National Security Risks Arising from Prior Transfers of United States Persons' Bulk Sensitive Personal Data. Within 120 days of the effective date of the regulations issued pursuant to section 2(c) of this order, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, in consultation with the heads of relevant agencies, shall recommend to the APNSA appropriate actions to detect, assess, and mitigate national security risks arising from prior transfers of United States persons' bulk sensitive personal data to countries of concern. Within 150 days of the effective date of the regulations issued pursuant to section 2(c) of this order, the APNSA shall review these recommendations and, as appropriate, consult with the Attorney General, the Secretary of Homeland Security, and the heads of relevant agencies on implementing the recommendations consistent with applicable law.
Sec. 5. Report to the President. (a) Within 1 year of the effective date of the regulations issued pursuant to section 2(c) of this order, the Attorney General, in consultation with the Secretary of State, the Secretary of the Treasury, the Secretary of Commerce, and the Secretary of Homeland Security, shall submit a report to the President through the APNSA assessing, to the extent practicable:
(i) the effectiveness of the measures imposed under this order in addressing threats to the national security of the United States described in this order; and
(ii) the economic impact of the implementation of this order, including on the international competitiveness of United States industry.
(b) In preparing the report described in subsection (a) of this section, the Attorney General shall solicit and consider public comments concerning the economic impact of this order.
Sec. 6. Assessing Risks Associated with Human 'omic Data. Within 120 days of the date of this order, the APNSA, the Assistant to the President and Director of the Domestic Policy Council, the Director of the Office of Science and Technology Policy, and the Director of the Office of Pandemic Preparedness and Response Policy, in consultation with the Secretary of State, the Secretary of Defense, the Secretary of Health and Human Services, the Secretary of Veterans Affairs, the Director of the National Science Foundation, the Director of National Intelligence, and the Director of the Federal Bureau of Investigation, shall submit a report to the President, through the APNSA, assessing the risks and benefits of regulating transactions involving types of human 'omic data other than human genomic data, such as human proteomic data, human epigenomic data, and human metabolomic data, and recommending the extent to which such transactions should be regulated pursuant to section 2 of this order. This report and recommendation shall consider the risks to United States persons and national security, as well as the economic and scientific costs of regulating transactions that provide countries of concern or covered persons access to these data types.
Sec. 7. Definitions. For purposes of this order:
(a) The term "access" means logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form, including through information technology systems, cloud computing platforms, networks, security systems, equipment, or software.
(b) The term "bulk" means an amount of sensitive personal data that meets or exceeds a threshold over a set period of time, as specified in regulations issued by the Attorney General pursuant to section 2 of this order.
(c) The term "country of concern" means any foreign government that, as determined by the Attorney General pursuant to section 2(c)(iii) or 2(f) of this order, has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of United States persons, and poses a significant risk of exploiting bulk sensitive personal data or United States Government-related data to the detriment of the national security of the United States or the security and safety of United States persons, as specified in regulations issued by the Attorney General pursuant to section 2 of this order.
(d) The term "covered person" means an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern; a foreign person who is an employee or contractor of such an entity; a foreign person who is an employee or contractor of a country of concern; a foreign person who is primarily resident in the territorial jurisdiction of a country of concern; or any person designated by the Attorney General as being owned or controlled by or subject to the jurisdiction or direction of a country of concern, as acting on behalf of or purporting to act on behalf of a country of concern or other covered person, or as knowingly causing or directing, directly or indirectly, a violation of this order or any regulations implementing this order.
(e) The term "covered personal identifiers" means, as determined by the Attorney General in regulations issued pursuant to section 2 of this order, specifically listed classes of personally identifiable data that are reasonably linked to an individual, and that — whether in combination with each other, with other sensitive personal data, or with other data that is disclosed by a transacting party pursuant to the transaction and that makes the personally identifiable data exploitable by a country of concern — could be used to identify an individual from a data set or link data across multiple data sets to an individual. The term "covered personal identifiers" does not include: