WASHINGTON—President Joe Biden is signing an executive order today to prevent hostile nations from purchasing the sensitive data of U.S. residents through legal sources.
The executive order will direct the Department of Justice (DOJ) to create regulations to prevent countries of concern from collecting and exploiting U.S. residents’ sensitive personal data including genomic, biometric, personal health, geolocation, and financial information.
“We feel very strongly that this rule responds to a real national security concern that is growing,” a senior DOJ official told reporters during a call with media outlets.
The official said that the order will give the department the authority to regulate certain types of cross-border data transactions that pose an unacceptable risk of giving “countries of concern, adversary countries, and certain entities and individuals in their jurisdiction” access to U.S. residents’ personal data.
The executive order will not immediately grant these authorities, but instead initiates an advance notice of proposed rulemaking, which will solicit the feedback of the national security community to determine the scope of the regulations.
Countries Purchasing Bulk Data to Target Americans
The executive order is an attempt to address one of the most pressing national security issues facing the globe, which is the legal sale of personal information by so-called data brokers. Such brokers purchase vast troves of data and aggregate it to sell to the highest bidder. Oftentimes, the buyer will be a private enterprise seeking leverage for marketing. Other times, it might be a foreign power attempting to gain leverage over an individual or organization.
This means that adversarial powers such as communist China are just as likely to simply purchase U.S. residents’ private data on the open market as they are to collect it illicitly.
“Countries of concern such as China and Russia are buying Americans’ sensitive personal data from data brokers,” one official said. “This can include very revealing data, such as financial and geolocation information, tracking what Americans buy and where they go.
“These countries are leveraging their access to Americans’ bulk sensitive personal data and government-related data to engage in a variety of nefarious activities including malicious cyber-enabled activities, espionage, and blackmail.”
Among the initial tranche of proposed regulations, the officials said, would be new security requirements relating to the encryption and anonymization of data purchased from data brokers.
Similarly, the restrictions are written to prohibit both the direct and the indirect sale of data to countries of concern.
The Biden administration pursued a similar framework with the Chips and Science Act, in which it sought to limit partner nations’ ability to sell semiconductors purchased from the United States to China.
The officials clarified, however, that the administration was taking steps to ensure that the international flow of commercial data was still relatively unimpeded.
“Buying data through data brokers is currently legal in the United States, and that reflects a gap in our national security toolkit that we’re working to fill with this program,” one official said.
“It is very explicit that this is not a generalized data localization policy for the United States. It is also very clear that it does not broadly prohibit U.S. persons from conducting commercial transactions, including exchanging financial and other data as part of sale of commercial goods and services.”
The executive order will also direct the DOJ to work jointly with the Department of Homeland Security to set security standards, and will direct the Departments of Health and Human Services, Defense, and Veterans Affairs to help ensure that federal grants, contracts, and awards are not used to facilitate access to U.S. residents’ sensitive health data.
Hostile nations are not the only ones that exploit the services of data brokers, however.
It is currently unclear how President Biden’s proposed regulations will incorporate the FTC’s finding.