2026 Institute Addresses U.S. Data Security Risks Under EO 14117
Summary
The 2026 Privacy and Emerging Technology National Institute highlighted the first U.S. federal outbound national data security rule, enacted under Executive Order 14117, which restricts how certain U.S. data can be transferred by foreign entities. The rule targets 'covered persons' (entities more than 50% owned or controlled by China, Russia, Iran, North Korea, Cuba, and Venezuela) and defines 'bulk sensitive data' categories including personal identifiers, biometric data, human omic data, personal health data, personal financial data, and precise geolocation data. Thresholds range from 100 U.S. persons for human genomic data to 100,000 for personal identifiers, calculated over a 12-month period, with government-related data having no volume threshold. The regulation uses an aggregation approach to prevent circumvention through incremental transactions.
“The Data Transfer Rule enacted under Executive Order 14117 reflects increasing concern among policymakers that adversarial nations can easily obtain large amounts of sensitive data about U.S. individuals through commercial data markets.”
Companies transferring bulk sensitive data to foreign entities should map their transactions over the past 12-month period against the rule's thresholds, particularly for human genomic data (100 U.S. persons) and personal health data categories, where the lowest thresholds apply. Any entity-to-entity data transfers structured to avoid these thresholds may still trigger liability under the aggregation approach — firms should not assume that dividing datasets across subsidiaries avoids coverage.
What changed
The article reports on the Data Transfer Rule enacted under Executive Order 14117, the first U.S. outbound national data security rule focused on restricting foreign adversaries' access to U.S. data at scale. Key provisions include: definitions of 'bulk sensitive data' categories (personal identifiers, biometric identifiers, human omic data, personal health data, personal financial data, precise geolocation data); volume thresholds from 100 U.S. persons (human genomic data) to 100,000 (personal identifiers) over a 12-month period; government-related data with no volume threshold; and an aggregation approach blocking circumvention through incremental transactions.
Affected companies that transfer sensitive data to foreign entities owned or controlled by governments of China, Russia, Iran, North Korea, Cuba, or Venezuela should review their data transfer volumes over the past 12 months against these thresholds, particularly for genomic and health data categories where the thresholds are lowest. Organizations handling government-related data face the strictest restrictions, with no volume threshold for triggering compliance.
Archived snapshot
Apr 23, 2026. GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Science & Technology Law Section
The 2026 Privacy and Emerging Technology National Institute highlighted a notable shift in how policymakers and practitioners are approaching data governance. Speakers emphasized the growing convergence of national security and commercial data practices, particularly in the transfer of sensitive information. The discussions reflected a regulatory approach that focuses less on individual privacy harms and more on systemic risks, specifically the potential for foreign adversaries to access and exploit U.S. data at scale.
For the first time, the United States federal government has established an outbound national data security rule aimed at restricting how certain types of U.S. data can be transferred by foreign entities. This new regulatory framework marks a shift from traditional data transfer rules toward a broader data security program that emphasizes national security risks. The Data Transfer Rule enacted under Executive Order 14117 reflects increasing concern among policymakers that adversarial nations can easily obtain large amounts of sensitive data about U.S. individuals through commercial data markets.
This rule is not a privacy regulation because it is based on national security concerns rather than individual privacy rights. The issue is not whether someone's privacy has been violated, but whether foreign adversaries can gather large datasets about U.S. people and use that information for intelligence gathering. The rule aims to limit transactions that could enable foreign adversaries to access large amounts of sensitive personal or government-related data. It applies to transactions involving covered persons, which include entities that are more than 50% owned or controlled by the governments of specific countries of concern, currently China, Russia, Iran, North Korea, Cuba, and Venezuela.
A key concept in the rule is the definition of “bulk” data, especially “bulk sensitive data.” This includes personal and biometric identifiers, human omic data, personal health data, personal financial data, and precise geolocation data. Regulatory restrictions are triggered when a dataset includes sensitive personal data concerning a specified number of U.S. persons. The thresholds depend on how sensitive the data category is. For example, the rule may apply to datasets involving as few as 100 U.S. persons for human genomic data and up to 100,000 U.S. persons for personal identifiers. Put simply, the more sensitive the data, the lower the threshold needed to trigger the rule. These thresholds are not based on a single data transaction but are calculated from the total transactions over a 12-month period.
Government-related data is treated even more strictly. This category includes location-based data connected to intelligence or law enforcement facilities and personnel-based data about individuals working in the government. Unlike bulk sensitive data, government-related data has no volume threshold since even a single data point can trigger the rule.
The rule also includes safeguards to prevent companies from bypassing this threshold through incremental transactions. The regulations adopt an entity-to-entity or aggregation approach, essentially blocking companies from avoiding the rule simply by dividing data into smaller parts. For example, if the threshold is triggered at 10,000 individual data points, a company cannot spread out the dataset by selling portions to different companies if those companies are ultimately under the same corporate structure.
This new rule prompts broader questions about the operational and economic sustainability of compliance for certain data-driven business models. Companies face difficult decisions ahead as they adapt to the new rules; the challenge will be balancing national security concerns with the realities of commercial data practice.
Author
Jessica Ogu
Jessica Ogu is a law student at The George Washington University Law School with an interest in intellectual property, privacy, and international law, particularly in the governance of emerging technologies and regulatory...
About this page
Source document text, dates, docket IDs, and authority are extracted directly from ABA.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.