U.S. President Joe Biden announced plans for an executive order that would bar data brokers from selling U.S. citizens' sensitive personal data to entities located in or affiliated with adversarial countries.

According to a fact sheet published by the White House 28 Feb., the executive order will direct the Department of Justice to develop regulations prohibiting data brokers from carrying out transfers to so-called "countries of concern" that involve troves of sensitive personal information. The designated countries of concern are China, Cuba, Iran, North Korea, Russia and Venezuela, according to multiple press reports.  

The types of sensitive data to be protected under the order are "genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personal identifiers," per the fact sheet. The White House claimed adversarial nations were accessing vast amounts of Americans' personal data for blackmail and surveillance purposes, and could utilize advanced artificial intelligence systems to advance those malicious goals.

As part of the order, the DOJ will work in conjunction with the Department of Homeland Security to "set high security standards to prevent access by countries of concern to Americans' data through other commercial means, such as data available via investment, vendor, and employment relationships."

Another key point of emphasis is a directive to the DOJ to "issue regulations that establish greater protection of sensitive government-related data, including geolocation information on sensitive government sites and information about military members."

Free data flow intact

According to press reports, White House officials said the executive order is not a departure from the G-7 principle of "Data Free Flow with Trust," which Information Technology Industry Council Senior Vice President of Policy and General Counsel John Miller said "is essential for U.S. competitiveness."

"We appreciate that the Biden Administration aims to craft targeted rules to address a specific national security threat and has structured the rulemaking process in a way that ensures opportunities for necessary and robust stakeholder engagement," Miller said in a statement. "The administration has also been clear that today's action is no substitute for a federal privacy law, which is the strongest and most comprehensive way to protect Americans' personal data."

Additionally, the Network Advertising Initiative came out in support of Biden's order. 

"The NAI supports the President’s plan to ban sales of sensitive U.S. consumer data to foreign adversaries," President and CEO Leigh Freund said in a statement. "The nonconsensual sale of U.S. consumer data to foreign governments is unethical and poses a serious privacy threat to consumers." 

While the executive order may not outright end the commercial sale of personal data, Center for Democracy and Technology Vice President of Policy Samir Jain told the IAPP the order could have a positive chilling effect, of sorts, on data brokers' business practices insomuch that they take a more risk-adverse approach to selling Americans' sensitive personal data.

Jain echoed Miller's sentiment that the executive order was not an adequate replacement for U.S. Congress falling short in efforts to pass a comprehensive privacy law that would curb consumer harms as the executive order aims to do.

"It'll be interesting what spillover effect it has on the commercial market more generally," Jain said. "They'll need to set up compliance programs and get greater awareness of the data they have so they don't engage in these illicit kinds of transfers."

Presidential authority

Biden issued the executive order under the authority of the International Emergency Economic Powers Act, which gives the president broad powers to "investigate, regulate, and prohibit certain financial transactions following a declaration of an 'unusual and extraordinary threat' originating outside the United States."

CDT's Jain said DOJ rulemaking could potentially generate some criminal penalties for flagrant violations of the executive order because it invokes the security of U.S. citizens' sensitive data as a national security consideration, not just a commercial one. He cited Know Your Customer banking regulations as an example data brokers may soon have to follow, which are intended to prevent banks from engaging in business that may facilitate crime.

"I suspect data brokers will have to move in that direction, and if transferring genomic data is banned, for instance, they could decide altogether that they just won't sell it because it's too risky," Jain said. "But there's a whole range of penalties that could be imposed under the IEEPA. The penalties will have to depend on the intentionality."

Ultimately, the responsibility will fall on data brokers to ensure data they exchange does not end up in the wrong hands once the DOJ finalizes regulations to meet the objectives of Biden's order.

"There are innumerable details between the announced goal and companies knowing how to implement these global due-diligence programs," Georgia Tech School of Cybersecurity and Privacy Chair of Law and Ethics Peter Swire, CIPP/US, told the IAPP. "But data brokers will be responsible for conducting that due-diligence against transferring their data in bulk to countries of concern."

Potential loopholes

Some skepticism exists among privacy professionals and technology industry stakeholders if the executive order is the right tool for executing the policy of preventing the exploitation of data by malicious actors working on behalf of, or within an adversarial country, which could additionally carry unintended commercial impacts.

Jain said the executive order, as proposed, may not account for subsequent sales of sensitive data that has been re-sold several times over by various data brokers around the world, which could pose enforcement challenges.

"One of the interesting issues to look at when we see actual proposed rules is how the DOJ will try to reach beyond the initial transaction," Jain said. "It'll be interesting how far they go to block that subsequent chain of transactions."

Georgia Tech's Swire questioned if the order would actually meet its stated goal of preventing malicious foreign entities from accessing citizens' sensitive data. He said there's "still a serious question" regarding the effectiveness of the proposed rules and how they'll prevent access to data "by an advanced, persistent threat."

Swire added Biden's executive order represents a different data protection strategy from regulations engineered to protect individuals' privacy, such as the previously introduced American Data Privacy and Protection Act.

"Most privacy rules focus on potential harm to an individual," Swire said. "The rationale for the rule is to stop the most sophisticated hackers from getting access to data even though data sales would continue in vast majority of commercial settings."