Biden order will limit how much data can be sold to Russia and China

Data brokers and other companies peddling Americans’ personal information to hostile countries such as Russia and China are now in the crosshairs of the Biden administration, which on Wednesday will issue an unprecedented executive order limiting such transfers of Americans’ most sensitive personal data.

The order seeks to protect Americans’ data from being exploited by adversarial countries and entities tied to them — China, Russia, Iran, North Korea, Venezuela and Cuba — for use in blackmail, fraud, surveillance and other violations.

Under the order, the Justice Department will be able to bar what the administration referred to as the “large-scale” transfer of Americans’ private data.

The focus is on genomic, biometric, personal health, geolocation and financial data, which a senior administration official told reporters is already being used for “malicious cyber-enabled activities,” espionage and blackmail, with military members, national security officials, journalists and dissidents among the most vulnerable.

The White House said the order also recognizes that bulk data seized by adversarial countries could easily be used to train artificial intelligence models.

In announcing the executive order, which will go through several layers of review, a Department of Justice official emphasized that the administration is focused on setting terms that do not block the free flow of data needed to conduct trade.

“This rule, again, is very focused on specific thresholds of bulk data going to a specific and limited number of countries … and making sure that companies do prudent, responsible things when selling that data, when giving it to their employees or when giving it to those who invest in them,” the official said.

The administration’s plan represents just the latest front in a digital battle between the U.S. and China, whose TikTok social media platform has come under fire for sucking up American data and allowing the spread of disinformation. For its part, China makes American tech platforms that sweep up vast quantities of data — such as Meta, Google and Snapchat — unavailable to its populace.

“Hostile foreign powers are weaponizing bulk data and the power of artificial intelligence to target Americans,” Assistant Attorney General Matthew Olsen said in a statement.

He added that the executive order will fill a “key gap in our national security authorities, affording the Justice Department a new and powerful enforcement tool to protect Americans and their most sensitive information from being exploited by our adversaries.”

Biden’s order attacks a problem already well under way as a surging number of data brokers have indefinitely stored and proven willing to sell ever more granular information on Americans to anyone who wants to buy it.

In November, Duke University researchers announced they had used .asia domain names tied to a server in Singapore to obtain vast amounts of data on American service members for 12 to 32 cents a record. The researchers said they also were able to buy data for people located in “geofenced” military compounds such as Quantico, Virginia.

The new rules take on an exploding industry — data broker companies are used by small companies to market products and the raw trade in bulk private data is a vital tool for tech giants fueling highly profitable behavioral advertising.

Recent Federal Trade Commission enforcement actions have exposed the inner workings of companies collecting, storing and selling Americans’ most personal information, including geolocation data, web browsing data and health data. One firm, BetterHelp, Inc, allegedly sold personal information on individuals’ mental health challenges to tech platforms including Facebook, Snapchat and Pinterest for behavioral advertising.

Among the executive order’s additional provisions are requirements that:

• The Department of Justice establishes rules better protecting sensitive government-related data, including location data for government facilities and members of the military.
• The departments of Justice and Homeland Security collaborate in setting tough security standards to block adversarial countries from obtaining Americans’ data from sources other than data brokers, including data available via what the administration called “investment, vendor, and employment relationships.”
• The departments of Health and Human Services, Defense, and Veterans Affairs guarantee that federal contracts and grants are not used by hostile countries to gain access to sensitive health data, including through companies based in the U.S.
• The interagency Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector weighs how U.S. citizens’ sensitive personal data is potentially threatened as it considers whether to grant submarine cable licenses.