The U.S. has taken a decisive step to protect the personal data of its citizens from falling into the hands of foreign adversaries. On Wednesday, an executive order was unveiled with the explicit aim of curtailing the transfer of sensitive American personal data to nations identified as posing a threat to national security, notably China and Russia. This move is not just a policy adjustment but a strategic maneuver in the digital domain of international rivalry, highlighting the intricate interplay between privacy, commerce, and national security.
Data brokers, operating within the legal framework of the United States, have long trafficked in the personal details of millions of Americans. These entities, often operating in the shadows of the digital marketplace, compile and categorize vast troves of data—including health records, financial information, geolocation data, and biometrics. This data is then sold, creating profiles that are rented or sold to the highest bidder. Alarmingly, among these bidders are foreign governments and companies that may use this information for “nefarious activities including malicious cyber-enabled activities, espionage, and blackmail,” as senior U.S. officials highlighted. This realization underscores a glaring vulnerability in national security—a vulnerability the Biden administration seeks to address through its recent executive order.
The executive order is a significant pivot in the U.S. strategy to safeguard personal data from exploitation by “countries of concern,” a list that includes, but is not limited to, China, Russia, Iran, North Korea, Cuba, and Venezuela. It introduces a prohibition on bulk transfers of a wide array of Americans’ personal data to these nations, focusing on particularly sensitive categories such as geolocation, biometric, health, and financial information. Moreover, it extends to banning any volume of data transfer concerning U.S. government personnel to these nations. This comprehensive approach aims to mitigate the risk posed by the legal acquisition of sensitive data by adversarial entities through data brokers.
The rationale behind this crackdown is articulated by the officials, who argue that “China and Russia are buying American sensitive personal data from data brokers” and exploiting this data for activities that undermine U.S. national security. The legal nature of these transactions through data brokers highlights a “gap in our national security toolkit,” a gap the executive order aims to bridge. By targeting the channels through which sensitive data flows to foreign adversaries, the U.S. government seeks to thwart the potential for espionage, surveillance, and other forms of exploitation that could jeopardize the safety and privacy of American citizens and the integrity of national security.
However, implementing such an order comes with its set of challenges. The digital economy’s global and interconnected nature means that monitoring and controlling data flows across borders is a complex task. The U.S. government must navigate this complexity while ensuring that the restrictions do not hamper legitimate economic activities and innovation. To this end, the executive order carves out exemptions for certain types of data transactions, including those related to corporate payroll and compliance, and allows for certain transactions under security requirements like encryption and anonymization.
This is a measure that is long overdue – equivalent to closing the barn door after the horse has escaped. So much personal data has been accumulated and compiled that the privacy of American citizens is practically non-existent.
While China and Russia pose massive risks to Americans with this data, the risks inside America are tragically high. Is it too late?
Perhaps this measure becomes the starting point for stuffing the genie back into the bottle.
