New Order Tasks Department of Justice with Developing Data Transfer Protections
U.S. President Joe Biden is set to sign Wednesday an executive order aimed at preventing the large-scale transfer of Americans’ sensitive personal data to countries including China.
The order, aimed in large measure at data brokers, will direct the Department of Justice to initiate a rulemaking process to stymie the bulk transfer of data to “countries of concern” that also include Russia and Iran. The order will cover genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information, according to a White House fact sheet.
“The executive order is carefully scoped to really focus on aspects of personal sensitive data and types of bulk personal sensitive data that pose a national security risk,” a senior administration official said Tuesday, speaking on condition of only being identified as such.
“We are both trying to be very deliberate in how we work with industry and stakeholders in designing a set of rules that are implementable, and get at the very real national security concerns that we have with respect to the transfer of bulk sensitive data.”
The order effectively kicks off a rulemaking process lasting at least months, if not years, which officials said will aim to be a highly collaborative process to ensure “the trusted free flow of data.”
Officials also said the executive order will specifically prohibit data broker and genomic data transactions, while establishing categories of restricted data transactions, such as vendor agreements that can expose critical security components commonly used by government agencies and major private organizations.
The White House will also direct the Departments of Health and Human Services, Defense and Veterans Affairs to review federal grants, contracts and awards to ensure sensitive health data is not being transferred to prohibited countries.
The order does not place new restrictions or standards on how U.S. companies are expected to maintain personal sensitive information. Rather, it focuses on the transfer of data abroad. Officials said the countries of concern included in the executive order are China, Russia, North Korea, Iran, Cuba and Venezuela.
Multiple presidential administrations have flagged China’s large appetite for data on Americans, whether obtained through hacking such as a 2018 cyberattack against hotel chain Marriott or through commercial transactions. Director of National Intelligence Avril Haines told a Senate panel in April 2021 that “There’s a concern about foreign adversaries getting commercially-acquired information as well, and [I] am absolutely committed to trying to do everything we can to reduce that possibility.”
What China does with the data is less certain, although academics have suggested its motives include identifying intelligence agents or training artificial intelligence models. “The most intriguing is the possibility that Beijing doesn’t even know why or how it might be able to use this data set, yet nonetheless figures that it’s worth acquiring it now, with an anticipation of putting it to use later,” said one blog post published on Just Security in 2019.
Administration officials told reporters Tuesday that data from companies holding vast troves of Americans’ information “can land in the hands of foreign intelligence services, militaries or companies controlled by foreign governments.”