Biden executive order aims to stop adversaries from obtaining, exploiting Americans’ personal data


Under the order, data brokers are barred from selling bulk caches of Americans’ sensitive data to multiple foreign countries, including China and Russia.

President Joe Biden will sign an executive order Wednesday designed to curb adversarial nations from acquiring and exploiting the sensitive personal data of Americans, including U.S. government officials and servicemembers.

The move does not authorize immediate data transfer restrictions but would empower agencies including the Departments of Justice, Homeland Security and Health and Human Services to craft regulations that could prevent a variety of sensitive data types from falling into the hands of foreign rivals, including China and Russia.

The Biden administration is seeking to prohibit transactions that data brokers make to “countries of concern” on grounds that such data can be surreptitiously processed by foreign hackers or intelligence operatives, enabling myriad national security risks and exposing American citizens to surveillance, blackmail and other privacy violations, said a senior administration official who spoke on the condition of anonymity to preview the contents of the order with reporters.

“These same countries are applying advanced technology like big data analytics, artificial intelligence and high performance computing to manipulate large quantities of personal information that will allow them to more effectively target and influence or coerce individuals and groups in the United States and allied countries,” the senior administration official said.

The order specifically targets data transactions with China, Russia, North Korea, Iran, Cuba, and Venezuela, focusing on seven classifications including genomic data, biometric identifiers, geolocation information, health data, financial documentation, personal data and government-linked data.

The order directs DOJ and others to initiate an early-stage rulemaking process in which the directed agencies will seek comments from the public and organizations about how to best build and enforce the regulatory framework.

The effort will have to be highly surgical, as domestic-based data brokers already legally obtain, process and sell Americans’ data for commercial purposes, though privacy advocates and some members of Congress frequently highlight cases in which, they say, data broker transactions go too far. The U.S. this past year enshrined a pair of intricate data transfer pacts with the United Kingdom and European Union that could also muddle the development of the White House’s order.

The directive contemplates a near-total restriction on transactions involving data broker arrangements that would sell data to the listed adversarial countries or companies based in those countries, as well as prohibitions against American citizens who sell bulk personal data or U.S. government data to those nations. The order also designates cloud service contracts, employment agreements and investment deals as less restricted categories where data transactions can still occur but will be secured with certain mitigation measures, which officials on the call did not elaborate on.

Additionally, HHS, the Pentagon and the Veterans Affairs Department are asked to craft rules that prevent federal grants, contracts or awards from facilitating the transfer of sensitive health data to the listed foreign nations. The DOJ’s Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector must also assess data security threats in undersea cable licensing.

One mystery remaining is how U.S. intelligence agencies that have relied frequently on data broker transactions and commercial data agreements could feel the effects of the order. The directive comes shortly before IC-friendly lawmakers are expected to shove a contested spying power’s reauthorization into a springtime government funding measure. The spying authority, derived from Section 702 of the Foreign Intelligence Surveillance Act, has frequently leveraged harvested communications data from overseas targets.

The intelligence community’s involvement in those purchases was outside the scope of the executive order, another senior administration official said on the call, stressing that foreign adversaries’ use of Americans’ data is more of a concern than how the U.S. uses such data.

“I think we need to make sure that we are protecting American sensitive data … to ensure that we can continue to enjoy data flows across borders with the trust of American citizens,” the senior official said.

The executive order comes amid a slew of high-level security concerns facing the U.S. this year. As officials and researchers continue to warn of nation-state hacking threats from China, Russia, and other adversaries on the executive order’s target list, other intelligence community partners have urged businesses to be wary of Chinese efforts to siphon genomic data from their systems.

Additionally, a breach at ancestral data firm 23andMe surfaced concerns about the threat of genetic data exposures. Hospitals and other medical facilities have also been deemed target-rich environments for attackers to steal private medical and financial data.