
Biden Administration Limits Data Brokers in Overseas Selling of Sensitive Personal Data

A new executive order from President Joe Biden has put new restrictions on US data brokers, greatly limiting their ability to ship sensitive personal data overseas to “countries of concern.”

The order lists adversarial countries that data brokers can expect to be obligated to avoid, and issues a flurry of instructions to assorted federal agencies to develop new regulations and security practices that will further protect sensitive personal data.

Data brokers restricted in moving personal, financial and health information to adversary nations

Describing it as “the most significant executive action any President has ever taken to protect Americans’ data,” the executive order specifies that a broad range of sensitive personal data can no longer be sold off to or shared with adversary nations: biometric and genomic information, personal health data, financial information, geolocation data, and certain types of personally identifiable information. The administration noted that data brokers, knowingly or otherwise, often feed foreign intelligence services and scammers by passing this information onward in certain parts of the world.

Under present law, most of these sales by data brokers were legal. The order heavily restricts such transfers to “countries of concern,” but the executive order does not provide a specific list of these. That was left to the Department of Justice (DOJ), which followed the order up with an “Advance Notice of Proposed Rulemaking” that names six countries: China, Cuba, Iran, North Korea, Russia and Venezuela.

The DOJ was tasked with developing the specific regulations to guide handling of sensitive personal data with respect to these countries. It was also ordered to improve regulations regarding internal handling of government data that is classified or secret, and to work with the Department of Homeland Security to develop security standards aimed at heading off foreign threat actors from obtaining this sort of information via routes other than the typical data brokers.

The Departments of Health and Human Services, Defense, and Veterans Affairs have also been ordered to ensure that health data is not leaking out of the country by way of grants, awards or federal contracts. And the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector was directed to review submarine cable licenses for potential threats to the sensitive personal data of Americans. The Consumer Financial Protection Bureau additionally announced that it would consider leveraging existing authority granted by the Fair Credit Reporting Act to put extra regulations on data brokers that sell information overseas.

Ian Cohen, CEO of LOKKER, expands on why this measure is necessary: “Most companies are not in the business of buying and selling data to China. But when data brokers, whom Biden is seeking to stop, sell this information, it gets thrown into the data lakes and shared with countries like China and other adversaries via ad tech. That is where much of the outrage is coming from – why is a social media tracker in another country collecting my data, particularly if I’m on a healthcare website, for example? The only way to stop this is by blocking data going into different geographies at a universal level.”

Sensitive personal data can leak to foreign militaries and intelligence agencies via data brokers

Much of the executive order will be subject to rulemaking processes that each agency is required to go through, but support for protecting sensitive personal data is very much a bipartisan issue in an otherwise divided government.

A statement from Biden press secretary Karine Jean-Pierre indicated that the order was not directed at any specific data brokers or companies, but TikTok has been front of mind for the federal government for some time. The Biden administration continues to have concerns about the Beijing-based app despite years of efforts by the company to geographically separate its operations and improve transparency.

Biden issued the executive order under the authority of the International Emergency Economic Powers Act, which allows for greater scrutiny of and restrictions on certain financial transactions if they are deemed to be part of an “unusual and extraordinary threat” that originates from outside the United States. It is still unclear exactly how each agency will develop its new regulations in response to the act, but the DOJ has the authority to levy criminal penalties against data brokers if misuse of sensitive personal data is uncovered.

The DOJ’s initial rulemaking notice thus far establishes that it first plans to formally define the parties the order’s terms are subject to, determine any necessary expansions to the sensitive personal data categories that have already been named, and to establish bulk volume amounts that will make data brokers subject to the new rules. The DOJ has also established some exceptions, such as financial transactions that are already subject to existing banking regulations and an exemption for “ordinary business transactions” such as payroll. And the agency will be opening up the floor for a public comment period on its broader data security program connected to the order.

While many see the executive order as a positive step, it also serves as a reminder that the government continues to make little progress on a federal data privacy bill. Jack Berkowitz, Chief Data Officer at Securiti AI, also notes that the seemingly limited selection of countries the measures apply to could create complications for compliance teams:

“1. Understanding data flows is a significant challenge. Companies face a considerable challenge in comprehending the flow of both structured and unstructured data, necessitating a thorough understanding of data origin and destination.

2. Prioritizing data protection measures is crucial. Given the extensive usage of personal data, such as selling to credit agencies and advertisers, there are significant security implications, emphasizing the urgent need for companies to prioritize data protection measures.

3. Corporate compliance is imperative. The Executive Order mandates heightened corporate responsibility and compliance, particularly for industries linked to federal agencies. Non-compliance could result in legal repercussions, urging Chief Data Officers to promptly initiate planning and mapping of data flows.”