91´ÎÔª

Executive Order 14117 of February 28, 2024 (Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern) (“the Order”), directs the Attorney General to issue regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (“transaction”), where the transaction: involves United States Government-related data (“government-related data”) or bulk U.S. sensitive personal data, as defined by final rules implementing the Order; falls within a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to the national security of the United States because the transactions may enable access by countries of concern or covered persons to government-related data or bulk U.S. sensitive personal data; and meets other criteria specified by the Order.  

The researcher should assess whether the research involves: 

• Accessing or sharing sensitive data types listed. 
• Collaborating with foreign entities or researchers from countries of concern. 
• Utilizing data platforms or services that may be subject to DSP restrictions. 

If the research involves any of these factors, it may be subject to DSP regulations. 

Researchers should:

• Ensure that any data sharing or collaboration complies with DSP restrictions.
• Review the  provided by the Department of Justice National Security Division (NSD).
• For assistance in understanding specific compliance scenarios refer to the US Department of Justice’s .

The final rule’s prohibitions and restrictions apply to covered data transactions involving a country of concern or covered person and sensitive personal data that meets or exceeds certain a certain bulk volume or government-related data. 

Definition. A covered data transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves:

1. Data brokerage; 
2. A vendor agreement; 
3. An employment agreement; or 
4. An investment agreement.

The term country of concern means any foreign government that, as determined by the Attorney General with the concurrence of the Secretary of State and the Secretary of Commerce: 

(a) Has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons; and 

(b) Poses a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or security and safety of U.S. persons.  

Currently there are six countries of concern: 

• China (including Hong Kong and Macau) 
• Cuba 
• Iran 
• North Korea 
• Russia
• Venezuela 

*The above list of countries also includes individuals and entities under their control. 

The term covered person means: 

1. A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern or persons or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern; 
2. A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate,  
3. A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in (1), (2) or (5). 
4. A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or 

(5) Any person, wherever located, determined by the Attorney General: 

• To be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person; 
• To act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or 
• To have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.

The term "bulk" means any amount of sensitive personal data that meets or exceeds the following thresholds at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person: 

(a) Human `omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons; 

(b) Biometric identifiers collected about or maintained on more than 1,000 U.S. persons; 

(c) Precise geolocation data collected about or maintained on more than 1,000 U.S. devices; 

(d) Personal health data collected about or maintained on more than 10,000 U.S. persons; 

(e) Personal financial data collected about or maintained on more than 10,000 U.S. persons;

(f) Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons;

(g) or Combined data, meaning any collection or set of data that contains more than one of the categories in through of this section, or that contains any listed identifier linked to categories in through of this section, where any individual data type meets the threshold number of persons or devices collected or maintained in the aggregate for the lowest number of U.S. persons or U.S. devices in that category of data. 

Definition. The term sensitive personal data means covered personal identifiers, precise geolocation data, biometric identifiers, human `omic data, personal health data, personal financial data, or any combination thereof. 

Exclusions. The term sensitive personal data, and each of the categories of sensitive personal data, excludes: 

1. Public or nonpublic data that does not relate to an individual, including such data that meets the definition of a “trade secret” (as defined in ) or “proprietary information” (as defined in ); 
2. Data that is, at the time of the transaction, lawfully available to the public from a Federal, State, or local government record (such as court records) or in widely distributed media (such as sources that are generally available to the public through unrestricted and open-access repositories); 
3. Personal communications; and 
4. Information or informational materials and ordinarily associated metadata or metadata reasonably necessary to enable the transmission or dissemination of such information or informational materials. 

The term bulk U.S. sensitive personal data means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable threshold.

No. The term “bulk U.S. sensitive personal data” means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable threshold. 

No. The DSP generally governs covered data transactions with, or that involve access by, covered persons or countries of concern. There are only two limited instances in which the DSP governs data transactions between U.S. persons and third countries (i.e., a transaction in which a country of concern or covered person is not a party). First, to prevent the resale or onward transfer of government-related data or bulk sensitive personal data to countries of concern or covered persons, the DSP imposes some conditions on U.S. persons engaging in covered data transactions involving data brokerage with foreign persons that are not covered persons. Second, the DSP prohibits any transaction on or after the effective date that has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions—which could include, for example, attempts to evade the DSP’s prohibitions by using foreign persons or foreign governments as proxies for covered persons or countries of concern.  

Yes. However, to address the risk of an onward transfer of data by foreign third parties to countries of concern or covered persons, the DSP only allows a U.S. person to engage in a covered data transaction involving data-brokerage with a foreign person that is not a covered person if the U.S. person satisfies certain conditions, including (1) using contractual language in which the foreign person agrees not to resell or give access to a country of concern or covered person to the bulk U.S. sensitive personal data or government-related data, and (2) disclosing to NSD any known or suspected violations of this contractual provision.

Under § 202.243, the term “prohibited transaction” means a data transaction involving access by a country of concern or covered person that is subject to one or more of the prohibitions described in DSP subpart C. There are five categories of prohibited transactions. · U.S. persons knowingly engaging in a covered data transaction involving data brokerage with a country of concern or covered person (§ 202.301) · U.S. persons knowingly engaging in a covered data transaction involving data brokerage with a foreign person (that is not a covered person) unless the U.S. person (1) contractually requires that the foreign person refrain from onward sale with a country of concern or covered person; and (2) reports any known or suspected violations of this contractual requirement (§ 202.302) · U.S. persons knowingly engaging in a covered data transaction with a country of concern or covered person that involves access by that country of concern or covered person to bulk human ‘omic data, or to human biospecimens from which bulk human ‘omic data could be derived (§ 202.303) · Transactions with the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions set forth in the DSP or any conspiracy formed to violate the prohibitions in the DSP (§ 202.304) · U.S. persons knowingly directing any covered data transaction that would be a prohibited transaction or unauthorized restricted transaction if engaged in by a U.S. person. 

Under § 202.246, the term “restricted transaction” means a transaction subject to the restrictions in subpart D. U.S. persons are prohibited from knowingly engaging in a covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person (a “restricted transaction”), unless the U.S. person complies with Cybersecurity and Infrastructure Security Agency (“CISA”) security requirements and other applicable requirements. If a U.S. person engages in a restricted transaction without complying with the security requirements and other applicable requirements, such activity would be considered an unauthorized restricted transaction and a violation of the DSP, pursuant to § 202.304. Covered data transactions that involve a vendor, employment, or investment agreement and involve access by countries of concern or covered persons to bulk human genomic data or human biospecimens from which such data can be derived are prohibited transactions—not restricted transactions—and are subject to the prohibitions in § 202.303.  

The term government-related data means the following: 

1. (1) Any precise geolocation data, regardless of volume, for any location within any area enumerated on the Government-Related Location Data List in which the Attorney General has determined poses a heightened risk of being exploited by a country of concern to reveal insights about locations controlled by the Federal Government, including insights about facilities, activities, or populations in those locations, to the detriment of national security, because of the nature of those locations or the personnel who work there. Such locations may include: 
   • The worksite or duty station of Federal Government employees or contractors who occupy a national security position as that term is defined in ; 
   • A military installation as that term is defined in ; or 
   • Facilities or locations that otherwise support the Federal Government's national security, defense, intelligence, law enforcement, or foreign policy missions. 
2. (2) Any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and Intelligence Community. 

Non-compliance can lead to: 

• Civil or criminal penalties 
• Sanctions
• Reputational damage to the researchers and institution 

The terms United States person and U.S. person mean any United States citizen, national, or lawful permanent resident; any individual admitted to the United States as a refugee under or granted asylum under ; any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person in the United States. 

Examples can be found in the definition on 28 CFR 202 

The term human `omic data means: 

1. Human genomic data. Data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a human cell, including the result or results of an individual's “genetic test” (as defined in ) and any related human genetic sequencing data. 
2. Human epigenomic data. Data derived from a systems-level analysis of human epigenetic modifications, which are changes in gene expression that do not involve alterations to the DNA sequence itself. These epigenetic modifications include modifications such as DNA methylation, histone modifications, and non-coding RNA regulation. Routine clinical measurements of epigenetic modifications for individualized patient care purposes would not be considered epigenomic data under this rule because such measurements would not entail a systems-level analysis of the epigenetic modifications in a sample. 
3. Human proteomic data. Data derived from a systems-level analysis of proteins expressed by a human genome, cell, tissue, or organism. Routine clinical measurements of proteins for individualized patient care purposes would not be considered proteomic data under this rule because such measurements would not entail a systems-level analysis of the proteins found in such a sample. 
4. Human transcriptomic data. Data derived from a systems-level analysis of RNA transcripts produced by the human genome under specific conditions or in a specific cell type. Routine clinical measurements of RNA transcripts for individualized patient care purposes would not be considered transcriptomic data under this rule because such measurements would not entail a systems-level analysis of the RNA transcripts in a sample. 

The term human `omic data excludes pathogen-specific data embedded in human `omic data sets. 

The term data brokerage means the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.  

Examples can be found in the definition on 28 CFR 202 

The term employment agreement means any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level. 

Examples can be found in the definition on 28 CFR 202 

The term investment agreement means an agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to: 

1. Real estate located in the United States; or 
2. A U.S. legal entity. 

Exclusion for passive investments. The term investment agreement excludes any investment that: 

1. Is made: 
   • Into a publicly traded security, with “security” defined in section 3(a)(10) of the Securities Exchange Act of 1934 (), denominated in any currency that trades on a securities exchange or through the method of trading that is commonly referred to as “over-the-counter,” in any jurisdiction; 
   • Into a security offered by: 
     1. Any “investment company” (as defined in section 3(a)(1) of the Investment Company Act of 1940 () that is registered with the United States Securities and Exchange Commission, such as index funds, mutual funds, or exchange traded funds; or 
     2. Any company that has elected to be regulated or is regulated as a business development company pursuant to section 54(a) of the Investment Company Act of 1940 (), or any derivative of either of the foregoing; or 
   • As a limited partner into a venture capital fund, private equity fund, fund of funds, or other pooled investment fund, or private entity, if the limited partner's contribution is solely capital and the limited partner cannot make managerial decisions, is not responsible for any debts beyond its investment, and does not have the formal or informal ability to influence or participate in the fund's or a U.S. person's decision making or operations; 
2. Gives the covered person less than 10% in total voting and equity interest in a U.S. person; and 
3. Does not give a covered person rights beyond those reasonably considered to be standard minority shareholder protections, including: 
   • membership or observer rights on, or the right to nominate an individual to a position on, the board of directors or an equivalent governing body of the U.S. person, or
   • any other involvement, beyond the voting of shares, in substantive business decisions, management, or strategy of the U.S. person. 

Examples can be found in the definition on 28 CFR 202 

The term vendor agreement means any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration. 

Examples can be found in the definition on 28 CFR 202 

The term biometric identifiers means measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system. 

The term precise geolocation data means data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters. 

The term personal financial data means data about an individual's credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a “consumer report” (as defined in ). 

The term personal health data means health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual. This term includes basic physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms, and allergies); social, psychological, behavioral, and medical diagnostic, intervention, and treatment history; test results; logs of exercise habits; immunization data; data on reproductive and sexual health; and data on the use or purchase of prescribed medications. 

(a) Definition. The term covered personal identifiers means any listed identifier: 

(1) In combination with any other listed identifier; or 

(2) In combination with other data that is disclosed by a transacting party pursuant to the transaction such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data. 

(b) Exclusion. The term covered personal identifiers excludes: 

(1) Demographic or contact data that is linked only to other demographic or contact data (such as first and last name, birthplace, ZIP code, residential street or postal address, phone number, and email address and similar public account identifiers); and 

(2) A network-based identifier, account-authentication data, or call-detail data that is linked only to other network-based identifier, account-authentication data, or call-detail data as necessary for the provision of telecommunications, networking, or similar service.