Executive Order to Target Data Sold to US Foes

President Joe Biden on Wednesday announced an executive order aiming to curtail foreign adversaries’ ability to buy Americans’ sensitive personal data.

The administration will seek the Justice Department’s input to write rules to restrict Americans’ information -- including data regarding health, location, genetics, and more -- being sold to China, Russia, Iran, North Korea, Cuba, and Venezuela, along with any entities linked to those countries. The rules would also apply to biometric data and financial information along with sensitive information relating to the government.

“Companies are collecting more of Americans’ data than ever before, and it is often legally sold and resold through data brokers,” the White House said in a release. “Commercial data brokers and other companies can sell this data to countries of concern, or entities controlled by those countries, and it can land in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments.”

The Biden Administration is concerned about the data’s use in counterintelligence, blackmail, and other security risks, according to the release. “Countries of concern can also access Americans’ sensitive personal data to collect information on activists, academics, journalists, dissidents, political figures, and members of non-governmental organizations and marginalized communities to intimidate opponents …”

Related:US Data Privacy Relationship Status: It’s Complicated

Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals (IAPP), tells InformationWeek in an interview that any business that buys and sells data needs to pay attention to the proposed rules.

“Really, the best practice in data privacy is to already know who is buying your personal data from you and create restrictions on the outward transfer of that information,” he says. “Companies not doing that are certainly well advised to make sure that they understand the risks … and to have proper procedures and policies in place to make sure that they are checking up on the uses.”

The executive order didn’t come as a surprise -- concerns about risks surrounding foreign adversaries’ efforts to use personal data have been ongoing. Zweifel-Keegan pointed to Duke University Sanford School of Public Policy’s November study that warned of data brokers selling the personal data of military personnel and the risks to national security.

The study found that sensitive data of active-duty members and their families was easily found. “The team bought this and other data from US data brokers via a .org and .asia domain for as low as $0.12 per record,” according to the report. “Currently, these inconsistent practices are highly unregulated by the US government.

Related:California’s Delete Act: What CIOs, CDOs, Businesses Need to Know

Directives from the Executive Order

Biden’s order directs the Department of Justice (DOJ) to issue regulations surrounding sensitive personal data access by foreign countries “of concern.” The administration also calls for the DOJ to work with Homeland Security to set “high security standards” that prevent foreign countries access to sensitive data through indirect means, such as through investment, vendors, and employment relationships.

The telecommunications industry is also involved in the effort. The order calls on the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (or, “Team Telecom”) to examine threats to American’s sensitive data via submarine cable licenses.

The order also makes clear that the White House does not want to interfere with established relationships with other countries, so “these activities do not stop the flow of information necessary for financial services activities or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries.”

Related:US Lawmakers Mull AI, Data Privacy Regulation

Caitlin Fennessy, IAPP’s chief knowledge officer and vice president, said the White House sees the data privacy threat as an “imminent risk,” and without a federal level privacy law in place, leaves American interests open to harm.

“The big question is whether we should consider this executive order a stark deviation from decades of US support for data flows or a targeted set of privacy protections for sensitive personal data in response to national security threats,” Fennessy said in a release. “Privacy professionals will now turn their attention to the practical implications -- which organizations, data and transfers are implicated, which might be down the line and what will be needed to comply.”

The White House statement also called for Congress to act on proposed federal level data privacy legislation.