Proposed data broker regulations draw industry pushback on anonymized data exceptions, bulk thresholds
The Biden administration should adopt less-strict standards about what triggers a proposed prohibition on data brokers selling bulk sensitive information to adversarial foreign entities, industry groups argued in public comments due last week.
Among their biggest suggestions is that any potential rules should make exceptions for anonymized data. Another is that they should raise the volume threshold for what counts as bulk information.
The groups’ comments, which were submitted by Friday under a Department of Justice deadline, broadly reflect their desire to scale back those potential rules directed by a February executive order.
“We recommend that the regulations do not treat data that is protected via anonymization, pseudonymization, de-identification, or encryption as sensitive personal data,” wrote the Interactive Advertising Bureau, which represents digital ad marketers. “Such data does not present the same level of threats to U.S. national security and foreign policy given that countries of concern would not be able to use this data to track and build profiles on specific U.S. individuals for the nefarious purposes described in the” DOJ rulemaking notice.
But a prominent expert on data brokerage said that treating anonymized or de-identified data differently could leave Americans dangerously exposed. “There is an ever-evolving body of computer science and statistics literature demonstrating the ways in which companies, governments, and other organizations can combine large datasets together or analyze datasets to link data points back to specific individuals,” wrote Justin Sherman, a senior fellow at Duke’s Sanford School of Public Policy, where he runs its data brokerage research project, and a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative.
The executive order is part of a recent U.S. government trend toward taking action to prevent abuses by data brokers, which collect and sell massive amounts of sensitive information like geolocation data or health data. The efforts include two House–passed bills, a bipartisan House-Senate privacy measure that includes data broker provisions and proposed regulations from the Consumer Financial Protection Bureau.
At least eight of the industry organizations that supplied public comments during an advanced notice of proposed rulemaking — ranging from organizations representing CEOs to major tech companies to clinical researchers — said the Justice Department should make exceptions to the definition of sensitive personal data under the proposed rules.
“Likening such data with other sensitive personal data that is unprotected or unmasked fails to distinguish the significant harm reduction afforded to U.S. persons when their data is encrypted or rendered unintelligible through anonymization,” representatives of the Bank Policy Institute wrote.
While Sherman said that there are some ways to protect sensitive datasets, in some cases it simply isn’t feasible. “It is incredibly difficult if not sometimes virtually impossible to effectively ‘anonymize’ device-level geolocation data while still leaving the data in a form that companies find usable for their desired business purpose,” he wrote.
According to its public notice, the Justice Department is looking at establishing ranges of bulk dataset thresholds to which regulations apply based on the kind of data. For example, the low total for personal financial data would be 1,000 U.S. persons, with a high of 1 million.
Most industry groups favored the higher ranges, or a wholesale rethinking of those thresholds.
“Biopharmaceutical firms, from small- and medium-sized biotech companies to multinational biopharmaceutical companies, are likely to exceed the minimum bulk volume thresholds that are proposed in the rules in the normal course of their research and business operations and, thus, potentially risk engaging in prohibited bulk volume transfers of sensitive personal data of U.S. individuals,” the Biotechnology Innovation Organization wrote.
Said the U.S.-China Business Council: “At a minimum, we suggest that the DOJ substantially raise its thresholds until it has provided further guidance to industry.”
The Center for Democracy and Technology, however, argued for adopting the lower thresholds.
“The goal of this proceeding is to prevent as much information about US individuals from being sold to countries of concern,” it said. “To best achieve that goal, and to best protect people’s privacy generally, the bulk definition should be as low as reasonably possible.”
The issues of sensitive personal information anonymization and bulk threshold definitions attracted the most attention from commenters, but they weren’t the only kinds of feedback directed to the DOJ.
The Future of Privacy Forum, for instance, said that the definition of the kind of “persons” covered under the rules should exclude organizations like businesses or nonprofits, while adding in data related to “households,” like residential utility usage.
Sherman further contended that DOJ should use a wider definition of “personal health data” since, as proposed, it would exclude “numerous wearable device vendors, mobile apps, telehealth companies, social media platforms, advertising technology firms, and data brokers.”
Others suggested that the department develop a different method of identifying “countries of concern” to whom the prohibition applies, which as of now foresees that list as China, Russia, North Korea, Iran, Cuba and Venezuela. A group of industry organizations representing communications providers suggested tying the list to the Commerce Department’s list of foreign adversaries.
The Information Technology Industry Council, meanwhile, questioned the overall approach of the DOJ’s proposed rulemaking. It “sets out a multilayered regulatory regime that establishes and regulates multiple classes of prohibited transactions, restricted transactions, exemptions, categories of sensitive data with different bulk data thresholds, and licensing requirements,” the organization wrote. “There are important upfront questions about whether this proposed regulatory approach will be successful in addressing the articulated national security threat.”
