Navigating Executive Order 14117: What Privacy Leaders Need to Know About Cross-Border Data Transfers
When companies move or exchange data across international borders, they can trigger additional compliance requirements. Issued February 2024, Executive Order 14117 introduced new complexities for companies sharing the personal data of U.S. citizens or Government-related data with certain “countries of concern.”
Led by special guest Iliá Dubovtsev, CIPP/E/US, CIPM, the Privacy Roundtable community recently gathered for a practical discussion on what Executive Order 14117 means for privacy teams, where organizations face real risk, and how to prepare for a new era of national security-driven data regulation. Read on for the biggest takeaways from this privacy huddle.
What Is Executive Order 14117?
Executive Order 14117 directs the U.S. Department of Justice to regulate certain transfers of sensitive U.S. personal data to designated countries of concern.
Dubovtsev explained: “The core goal of the executive order is preventing sensitive U.S. personal and government-related data from reaching foreign adversaries, particularly those who can weaponize data via AI-driven surveillance or manipulation.”
Unlike GDPR or state privacy laws, this Executive Order is not focused on consumer rights. It is grounded in national security. The core concern is preventing large-scale access to sensitive U.S. data by foreign adversaries.
The DOJ’s implementing rule targets:
- Bulk transfers of sensitive personal data
- Transactions involving countries of concern
- Certain categories of data that could present national security risks
Under the DOJ regulations implementing Executive Order 14117, certain covered data transactions are prohibited outright, while others may proceed as “restricted transactions” provided that specific security and compliance requirements are satisfied.
What counts as sensitive and bulk?
A central theme of the discussion was scale.
The DOJ rule identifies several categories of sensitive personal data, which may include:
- Geolocation data
- Biometric identifiers
- Health data
- Financial data
- Genomic data
- Government-related data
- Certain personal identifiers
The rule applies when this data is transferred in bulk, meaning it exceeds defined volume thresholds. The focus is not on incidental transfers. It is on data sets large enough to enable profiling, surveillance, or intelligence gathering.
For privacy leaders, this changes the framing. It is no longer just about whether a transfer mechanism is valid. It is about whether the volume and sensitivity of a transfer create material national security exposure.
Countries of concern and vendor risk
The rule specifically addresses transfers involving designated countries of concern: China, Russia, Iran, North Korea, Cuba, and Venezuela.
Indirect access matters. If a vendor’s personnel in a restricted jurisdiction can access production systems, that may implicate the rule, depending on the nature of the access and the volume and category of data involved.
Privacy and security teams must now work together to map not only where data is stored, but who can access it and from which locations.
Where organizations are most exposed
The biggest risks are not edge cases. They are visibility gaps.
Organizations face exposure when they:
- Lack a clear inventory of sensitive data
- Do not understand transfer volumes
- Overlook downstream vendor access
- Rely on outdated transfer risk assessments
- Assume that Standard Contractual Clauses (SCCs) or other contractual mechanisms are sufficient
Executive Order 14117 introduces a separate compliance layer. It does not replace GDPR or other frameworks. It operates alongside them with a different objective.
As a result, privacy huddle attendees recommended reviewing existing cross-border transfer documentation to ensure it also addresses the specific concerns raised by the DOJ rule.
Practical next steps for privacy teams
The discussion surfaced several concrete actions organizations should prioritize.
1. Classify and quantify sensitive data
Understand what qualifies as sensitive under the rule. Identify where that data resides and how much of it is transferred. Bulk thresholds cannot be assessed without accurate data mapping and volume visibility.
2. Reevaluate vendor and subprocessor access
Update due diligence processes to ask:
- Where are support and engineering teams located?
- Who has remote access to production systems?
- Are there subcontractors in countries of concern?
3. Align privacy, security, and legal
This regulation sits at the intersection of governance and infrastructure. Security teams should be involved in reviewing access controls, architectural decisions, and remote access policies.
4. Monitor regulatory developments
The DOJ framework continues to evolve. Additional guidance may refine thresholds, licensing requirements, and enforcement priorities. Staying informed will be critical as implementation matures.
How to navigate Executive Order 14117
Navigating Executive Order 14117 requires clarity into your data footprint, vendor access, and transfer volumes.
With DataGrail, privacy teams can:
- Maintain accurate, dynamic data inventories
- Strengthen vendor oversight
- Document transfer risk assessments
- Improve cross-functional collaboration
- Stay agile as regulations evolve
In today’s environment, visibility is not optional. It is foundational.
Are you passionate about privacy, legal, or security issues? Want to connect with like-minded professionals and stay ahead in a rapidly evolving landscape? Join the Privacy Roundtable community and sign up for updates on the next Privacy Huddle.