How to report an app that violates Executive Order 14117

You’ll need to provide ⇢ Product Feedback.

Good luck! 👋🏼😉

Hi @AndyWang8888 -

So, the EO you referenced technically just outlines a scope of work (basically, direction to complete an analysis, issue a report, and finally conduct a formal rulemaking process). This ultimately resulted in a final rule, 28 CFR Part 202, implementing a data security program under the purview of the Foreign Investment Review Section within DoJ’s National Security Division.

TLDR: 

Implementation guidance on federal regs falls outside the scope of this user forum. 

Alternative resources: 

• If you haven’t already reviewed info about 28 CFR Part 202 available online, I would start here official website or, for a Cliff’s Notes version, here DoJ’s breezy 10-page FACT SHEET.
• The best ‘official’ resource/contact for inquiries about implementation of this rule is the following email address: nsd.firs.datasecurity@usdoj.gov.  It routes to a mailbox set up specifically for this purpose. 
• The best ‘unofficial’ source for help, imho, is Reddit. Specifically, r/legaladviceofftopic. (Tip: You’re going to want to provide the legal professionals fielding questions there a better starting point than just a ref to the initiating EO.)

Interesting question. I’m not sure that it will end up being a violation, but it’s worth following up. Good luck!

The EO refers to bulk collection of personal information. You certainly do not need to use the app at all and no personal data is gained unless you freely submit it, which the EO does not prevent.

If you have ever added a credit card to the Wallet app, you will see that your personal information is required for the bank to confirm your identity and will not be added without it. That does not mean you have to add a card to your Wallet if you do not wish.

You can report any app you want to Apple for a number of reasons by going  to reportaproblem.apple.com.

I cannot confirm the data retention policy of the company you referenced. For Apple, you can see that most regions require a 10 year data retention and in China it is 30 years for some personal data.

Where you make a purchase such as a subscription, we retain personal data associated with your purchase for the periods specified by applicable laws relating to financial reporting, which vary by region. For most customers, that requires at least a 10-year retention period, but in regions such as China that period can be 30 years.

Legal - Apple Account & Privacy- Apple

The Executive Order you mentioned primarily sets out a framework for conducting an analysis, producing a report, and eventually moving forward with a formal rulemaking procedure. This process culminated in the creation of the final regulatory rule found under 28 CFR Part 202. This rule establishes a data security program overseen by the Foreign Investment Review Section within the Department of Justice’s National Security Division.

In short: detailed guidance on how to implement these federal regulations isn’t something this forum can provide.

If you haven’t yet, I recommend reviewing the official information concerning 28 CFR Part 202, which you can find on the DOJ’s website here insert official URL. For a concise summary, check out the DOJ’s straightforward 10-page fact sheet here insert fact sheet URL.

For direct questions about how to implement this regulation, the best point of contact is: nsd.firs.datasecurity@usdoj.gov. This email connects you with a mailbox specifically established for inquiries related to this rule.

If you want informal advice or community help, Reddit’s r/legaladviceofftopic is a valuable resource. Just a tip: when posting, provide detailed context beyond just referencing the original Executive Order to get the most useful feedback from legal experts there.

It’s an interesting issue, and while it’s unclear if this situation might constitute a violation, it certainly merits further investigation. Wishing you the best of luck as you follow up!

[Edited by Moderator]