Biden executive order seeks to cut China off from Americans’ sensitive data
President Joe Biden will issue an executive order Wednesday that will bar companies and individuals in the United States from selling certain types of large sensitive datasets to six countries: China, Russia, North Korea, Iran, Cuba and Venezuela.
Amid the failure of Congress to pass privacy legislation, Wednesday’s executive order represents the Biden administration’s most serious attempt to date to regulate the growing data broker industry. As companies collect increasing amounts of data and find ways to monetize it, the data broker industry has made ever more granular data available for sale, and national security officials are increasingly concerned that this data is being purchased by U.S. adversaries and used to carry out blackmail or surveillance.
The order directs the Justice Department to develop regulations barring U.S. companies from selling genomic, biometric, personal health, geolocation and financial data, along with some types of personally identifiable information to the countries of concern.
“Buying data through data brokers is currently legal in the United States, and that reflects a gap in our national security toolkit that we’re working to fill with this program,” a senior administration official speaking on condition of anonymity told reporters in a briefing ahead of the order’s release. “Countries of concern, such as China and Russia, are buying American’s sensitive personal data from data brokers.”
The official added that advances in artificial intelligence and synthetic biology have made large datasets easier than ever to mine, and that the rapid proliferation of AI had created urgency for the Biden administration to cut off American adversaries’ access to sensitive commercially available datasets.
In addition to the categories of transactions prohibited under the order, the measure also includes three categories of restricted transactions that will be allowed if accompanied by safeguards. These include investment agreements, transactions between a company and their employees or contractors and vendor agreements, such as cloud computing contracts.
Justin Sherman, an adjunct professor at Duke University’s Sanford School of Public Policy who has written extensively about data brokers, called the executive order a “sensible” and “overdue” move to address the highly unregulated data brokerage industry.
“Foreign actors such as the Chinese government have many ways to get sensitive data on Americans, and exploiting the U.S.’ data brokerage ecosystem is one of them,” he said. “There are many data brokers that do not implement robust customer vetting programs, and the market for certain data types, such as location data, is only growing.”
“What the order does is directly aim at the low-hanging-fruit of this problem: cases where large-scale transfers of certain kinds of sensitive data could present a direct threat to national security,” Sherman added.
While the executive order seeks to cut off American adversaries from the burgeoning U.S. data market, it does nothing to restrict the internal market itself. Broader action to regulate the collection and sale of data belonging to Americans would likely require an act of Congress, where proposals to pass a comprehensive privacy bill have repeatedly stalled.
U.S. intelligence agencies also make use of commercially available data, and the order does nothing to restrict their access to such data.
Sen. Ron Wyden, D-Ore., welcomed the executive order in a statement Wednesday but argued the Biden administration was mistaken in its decision to prohibit data sales to only a handful of countries. “Authoritarian dictatorships like Saudi Arabia and UAE cannot be trusted with Americans’ personal data, both because they will likely use it to undermine U.S. national security and target U.S. based dissidents, but also because these countries lack effective privacy laws necessary to stop the data from being sold onwards to China,” Wyden said.
Wednesday’s order will not go into effect immediately and will go through two rounds of public comment before being implemented. Business groups have raised concerns that the new restrictions might affect transactions and data transfers made in the ordinary course of business, and trade groups are closely watching how the order might impact major technology firms.
“The cross-border exchange of data and information is a cornerstone of U.S. leadership in the global economy, and policymakers worldwide should exercise caution before introducing restrictions that could have a wide-ranging impact across different industries,” Aaron Cooper, the senior vice president of global policy at BSA | The Software Alliance, a trade group representing enterprise software companies, said in a statement.
In their briefing ahead of the order’s release, Biden administration officials were at pains to emphasize that the order will not affect data transfers within multinational companies and will include carve-outs for things like payroll operations.
The officials also emphasized that the order aims to be narrowly tailored toward transactions of concern between U.S. entities and countries of concern, rather than cutting off data flows more broadly and undermining American commitments to maintain an open internet.
The order charges the Justice Department with enforcing the measure, and officials concede that enforcement will be a challenge. The order will establish thresholds for bulk data transactions that would qualify under the order, but how U.S. authorities will monitor such transactions is highly unclear.
“The main crux” of how the Justice Department plans to enforce the measure is through “guidance, advisory opinions, voluntary compliance and making clear what we expect of companies,” a senior DOJ official told reporters.
Once bundled and sold, data can easily be resold, and officials said that while they don’t expect the order to completely eliminate such transactions, they hope that the order will encourage companies to seek assurances from entities to whom they sell data about how it will be used and resold.
Violators could conceivably be prosecuted, but the order aims to inform companies about “what the government is expecting of them and are incentivized to institute compliance programs that protect U.S. national security,” the DOJ officials said.
Updated Feb. 28, 2024: This article has been updated with a statement from Sen. Ron Wyden.