Biden’s new data security order leaves industry officials, privacy advocates scratching their heads

A new White House directive that gives agencies the legal power to prevent Americans’ sensitive data from falling into the hands of foreign adversaries is getting mixed reviews, with industry executives saying it could risk muddling current data flow mechanisms and privacy advocates contending it doesn’t go far enough to address potential abuses at home.

The Justice Department and other agencies are set to kick off a complex process to craft regulations built into that sweeping data security executive order signed by President Joe Biden on Wednesday. The order’s aim is to block myriad data transactions with China, Russia and others, on grounds that such data can be surreptitiously processed to target Americans and enable other national security risks.

As officials and researchers continue to warn of hacking threats from nation-states and other “countries of concern” on the order’s target list, intelligence community partners have also urged businesses to be wary of Chinese efforts to siphon genomic data from their systems. Over the past year, hacking incidents involving data types listed in the order have further motivated officials to embolden agencies with the authority to help prevent misuse of Americans’ data overseas.

Acting on such an order is expected to be a complex undertaking because regulators will have to determine how the restrictions apply to different cross-border data transfer scenarios.

That would involve formally defining sensitive data types and shaping the numerical thresholds that make up bulk data transfers, an industry source close to the White House told Nextgov/FCW, speaking on the condition of anonymity in order to be candid about discussions surrounding the directive.

The order also introduces entirely new concepts like categories that combine multiple data types — such as health and genomic data being packaged in the same data set — that will also have to be worked through, the source added.

The order contemplates a near-total restriction on data broker transactions of sensitive data to adversarial countries or companies based in those countries. Americans that sell bulk personal data or U.S. government data to those nations would also be held liable for doing so. Multiple data broker firms, including Equifax, Experian, CoreLogic, Oracle and Acxiom did not return requests for comment.

The order may also usher in unintended consequences if it’s not surgical enough, particularly with employee data, according to another tech industry official.

“We have 20,000 employees in China. We have to share data like payroll or personal information,” said the official, who spoke on the condition of anonymity because they were not authorized to publicly communicate their views. “[The Biden administration] assured us that’s not the target, but I want to see how it works out,” they added.

The order stamps employment agreements and other common business contracts as less restricted categories where data transactions can still occur, but the directive says they would still be constrained with certain mitigations.

The U.S. must also consider scenarios where American data caches are ported to an allied nation and ensure prevention measures are intact to stop that data from being transmitted again to adversaries.

There are tracking techniques available that regulators may consider to address those cases, said John Ackerly, a former White House official who handled the Bush administration’s tech policy portfolio. 

For instance, specialized labeling technologies can stick to data no matter where it goes, said Ackerly, who now leads data encryption services firm Virtru. “You can create a [tagging] system where you have an audit over where that data is going,” he said, adding that the Defense Department uses similar techniques to keep watch over sensitive information.

Privacy advocates argue the order doesn’t go far enough to address ongoing concerns over data broker and related activities from tech firms.

Domestic-based data brokers already legally obtain, process and sell Americans’ data for commercial purposes, though civil liberties groups and members of Congress frequently highlight cases in which, they say, data broker transactions ostensibly go too far.

“I’m sure that foreign adversaries are using our information … just like we’re seeing our own government use our information in ways that we do not like and we’re seeing domestic, private companies use our information in ways that we may not like,” said Cody Venzke, senior policy counsel at the American Civil Liberties Union.

The Biden administration “has argued Congress should not ban the U.S. government from buying Americans’ data, because such protections would put the United States at a disadvantage to China and Russia,” said Sen. Ron Wyden, D-Ore., a privacy-focused lawmaker who sits on the Senate Intelligence Committee. “With this EO, that argument is no longer valid, and the Administration should stop opposing common sense surveillance reform.”

How the order may impact U.S. spy agencies that have relied frequently on data broker transactions and similar commercial data agreements is also unclear. A contested surveillance authority, in particular, frequently leverages harvested communications data from overseas targets.

“The intelligence community has many tools at their disposal,” Ackerly said, arguing the order wouldn’t have a material impact on U.S. national security activities.

A senior administration official said at the time of the order’s release that the intelligence community’s involvement in data purchases was outside the scope of the order and stressed that foreign adversaries’ use of Americans’ data is more of a concern than how the U.S. uses such data.