Welcome to QuickHits! A concise newsletter that covers current cases, recent hot topics, and/or pressing questions pertaining to the rapidly evolving U.S.-China relationship and related legal and commercial environments. QuickHits is brought to you by attorneys at the U.S.-based law firm Dickinson Wright PLLC and Chinese law firm JunHe Law Offices.
This version of "QuickHits" examines the U.S. Department of Justice's January 8, 2025, Final Rule implementing Executive Order 14117 regulating cross-border data transfers and, midway through its first year, highlights key considerations for covered Chinese enterprises conducting data audits.
Executive Order 14117 Comes into Force: Key Considerations for Cross-Border Data Transfers
What Happened? On January 8, 2025, the United States Department of Justice ("DOJ") issued a final rule ("Final Rule") to implement Executive Order 14117, "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern" ("EO 14117"). The Final Rule aims to restrict or prohibit certain categories of data transactions by U.S. persons with "Countries of Concern," including the People's Republic of China ("China" or the "PRC") and "Covered Persons."
The Final Rule regulating data transactions went into effect on April 8, 2025, with additional compliance provisions—audits, recordkeeping, and reporting—scheduled to come into force by October 6, 2025. The DOJ implemented a 90-day grace period from the effective date of the Final Rule for individuals and entities to prepare for and comply with enforcement of EO 14117, which ended recently on July 8, 2025.
Why Is It Important? The change in presidential administrations has not kept the DOJ from moving forward with implementing the Final Rule and robust enforcement of EO 14117. Indeed, transactions involving bulk U.S. sensitive personal data (e.g., precise geolocation data, biometric identifiers, and personal health data) and U.S. government-related data are now subject to heightened regulatory scrutiny by the agency. This new enforcement environment presents significant compliance challenges for Chinese enterprises conducting business in the United States, particularly where data processing and cross-border data flows are involved which could not only implicate EO 14117, but also any number of Chinese laws and regulations governing the inbound and outbound flow of data in China. Accordingly, cross-border collaborations between Chinese and U.S. entities will be directly affected and require heightened attention.
What Can or Should I Do Now? Given that the audits, recordkeeping, and reporting compliance provisions of EO 14117 do not take effect until October 6, 2025, there is no reason for companies to panic. There are proactive steps you can take to prepare for the new enforcement landscape created by the Order. "U.S. Persons" or "Covered Persons, as defined under the Final Rules (and potentially including Chinese companies engaging in a restricted transaction), are required to conduct annual data audits. These companies can begin (or continue) designing audit plans to meet the regulatory requirements of EO 14117 and, if necessary, relevant Chinese data laws and regulations.
Based on our experience, below are recommendations for how to design an effective annual audit plan and enhance (or design) the appropriate compliance framework:
- National Security Focus: The Final Rule focuses heavily on national security. The United States, like China, prioritizes the regulation of data and data privacy as a "national security" measure—in addition to viewing active regulation as important to civil, personal, and privacy considerations. As such, covered individuals and entities must consider U.S. national security interests when designing specific audit and/or conducting cross-border data transfers.
- Dual-Regime Compliance: If a "Covered Transaction" includes Chinese-origin data and, particularly if it involves the cross-border transmission of Chinese-origin data out of China and to the United States, then any audit and broader internal compliance scheme should include elements that navigate both the new EO 14117 and the PRC's current data compliance rules and regulatory framework (e.g., Personal Information Protection Law ("PIPL") and Data Security Law ("DSL"), etc.). For example, Chinese enterprises responding to U.S. data reporting requirements under the Final Rule should consider Article 36 of the DSL, which prohibits providing data to foreign judicial or law enforcement bodies without prior approval. Cross-border data strategies and compliance programs must, therefore, bridge and accommodate both U.S. and Chinese laws and regulations. While this is challenging, maintaining a compliance framework that accounts for risks in both is essential to mitigating civil and criminal risks in either nation.
- Technical Data Mapping and Audit: While
compliance reviews and enhancements are essential, cross-border
data transmission is inherently a technical challenge. It is
usually best to have technical experts identify the scenarios to
map out and illustrate the data flow pathways between China and the
United States to identify, document, and visualize, for example:
- What sensitive U.S. personal data or government-related data will be handled?
- Where the above data originates from, is stored, and processed?
- How these data flows internally and externally?
- Who has access to these data?
Through technical data mapping techniques, companies can (i) rigorously map restricted transactions involving "U.S. Persons/Covered Persons;" (ii) monitor whether any bulk collections of personal data trigger reporting requirements; and (iii) determine whether any cross-border flow of data involves prohibited or restricted data under EO 14117, the Final Rule, or one of China's data protection laws, including the involvement of internal transactions of affiliated companies.
- Consider an Advisory Opinion: Given how recently EO 14117 was implemented, it may be challenging to determine if a certain transaction is covered under its requirements. Consider requesting an advisory opinion under Final Rule Section 202.901. The request and resulting information, will help you explain the transaction and who/what is involved, and allow the DOJ to inform you whether you have any auditing, reporting, enforcement, or other requirements. The response could be helpful to enhancing your program and fending off future DOJ inquiries. It will also provide insight into whether modifications should be made before moving forward with your compliance planning for the Final Rule.
- Develop a Consistent Compliance Program: Companies engaged in restricted transactions should design, develop, implement, and routinely enhance a robust data Compliance Program—or assess and update the existing one. Covered companies are encouraged to embrace their data compliance obligations, including compliance program updates, internal and external reporting, and annual data audits to ensure compliance with evolving regulatory requirements. While the initial costs involved with program assessments and updates may cost time, money, and resources on the front end, they can save a company from future financial and legal entanglements with both U.S. and Chinese authorities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
