Executive Order 14117 Takes Effect: What Cross-Border Businesses Must Know About New U.S. Data Restrictions

On April 8, 2025, the U.S. Department of Justice’s final rule implementing Executive Order 14117—Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern—officially took effect. This rule introduces new legal restrictions on the transfer, processing, and access of U.S. personal and government-related data by entities linked to designated “Countries of Concern.”

The regulation is part of a broader U.S. strategy to safeguard national security and prevent foreign adversaries from exploiting sensitive data for malicious purposes.

Countries of Concern

The rule targets data activities involving the following jurisdictions, defined as “Countries of Concern”:

• China (including Hong Kong and Macau)

• Russia

• Iran

• North Korea

• Cuba

• Venezuela

  
  

Entities from or affiliated with these countries may face prohibitions or licensing requirements when accessing certain U.S. data.

What Counts as Sensitive Personal Data?

The regulation focuses on bulk datasets containing the following categories of U.S. sensitive personal data:

• Personal Identifiers: Passport numbers, Social Security numbers, bank account information, IP addresses, login credentials, and advertising tracking IDs.

• Precise Geolocation Data: Location information that identifies individuals or devices within a 1,000-meter radius.

• Biometric Identifiers: Facial recognition data, fingerprints, iris scans, voiceprints, gait, and typing behavior.

• Human ‘Omic Data: Genomic, proteomic, transcriptomic, or similar data that reflect genetic or biological characteristics.

• Financial Data: Banking details, transaction histories, credit reports, and financial profiles.

• Health Data: Medical records, prescriptions, physical health conditions, and mental health information.

Also covered is certain U.S. government-related data, such as information from critical infrastructure, defense contractors, or intelligence systems.

High-Risk Scenarios to Watch

The following business activities may fall under restricted or prohibited transactions:

• Accessing U.S. employee or user data (e.g., health, payroll, HR data) from within China or other Countries of Concern.

• Using U.S. personal data in AI development, such as for training models in image recognition, voice analysis, or emotion detection.

• Providing SaaS platforms, cloud hosting, or database storage involving U.S. user data, especially if foreign teams have access.

• Collaborating with U.S. partners in medical, biotech, or financial sectors, where data sharing is involved.

• Storing or analyzing U.S. data for business decisions at a corporate headquarters in a Country of Concern.

DOJ Guidance and Grace Period for Compliance

On April 11, 2025, the DOJ’s National Security Division (NSD) released a Compliance Guide, FAQs, and its Implementation and Enforcement Policy, clarifying how the rule will be applied and enforced. Most notably, the DOJ announced a 90-day grace period, from April 8 to July 8, 2025, during which companies that are making good faith efforts to comply will generally not be subject to enforcement actions. However, willful violations or bad-faith conduct may still be pursued during this period. This transitional period is intended to support early cooperation and to encourage companies across affected industries to build a compliance-first culture when handling covered data.

Enforcement and Penalties

Violations of this rule may result in:

• Civil fines and sanctions;

• Placement on the U.S. Entity List (export control restrictions);

• Criminal penalties for willful or egregious breaches.

If you have questions about how Executive Order 14117 affects your business operations, data infrastructure, or international partnerships, please contact our team at contact@consultils.com.

Disclaimer: The materials provided on this website are for general informational purposes only and do not, and are not intended to, constitute legal advice. You should not act or refrain from acting based on any information provided here. Please consult with your own legal counsel regarding your specific situation and legal questions.

Fiona Xu, Esq. is the Partner and Head of Transaction of ILS.

She has extensive experience supporting global and high-growth technology companies on compliance and business needs. Her practice focuses on regulatory compliance across different sectors, with a focus on sector-specific regulations for artificial intelligence (AI) and medical devices. She supports multinational corporations in establishing and maintaining U.S. operations, managing legal and compliance challenges in various areas such as Privacy, Export Control, and CFIUS issues.

Email: contact@consultils.com | Phone: 626-344-8949