For years, high-level government officials have warned that countries like China are collecting and exploiting the sensitive data of Americans, but little has been done. Today, the White House announced an executive order (EO) that seeks to address a key part of the problem. This focus is a step in the right direction, but additional action will be needed, and getting the mechanics right is critical.

The data that adversarial nations are collecting is much more than shopping habits or the identities of American citizens' friends. This data can be used to track and surveil sensitive populations such as members of the military and intelligence community, blackmail high-profile individuals, mount more effective and better-targeted cyberattacks, and spread disinformation during warfare. National policy documents, such as the National Cybersecurity Strategy and the Annual Threat Assessment, have highlighted these risks. Complicating matters further, the arrival of artificial intelligence, while tremendously valuable to cybersecurity and privacy, will make the use and analysis of this data even easier.

Bad actors seek to access this data through a variety of means, including buying companies that already hold it, hacking campaigns and data breaches, and scraping it online themselves. However, simply buying it from companies that already hold the data, commonly called data brokers, is an easy and cheap option. While not every data broker is the same and there are legitimate reasons to buy data, some will gladly sell sensitive data on Americans to adversarial nations and criminal groups. The broker may not even know where the data ends up, for instance when a buyer resells it or when the buyer is a company or individual controlled by an adversarial nation, but the outcome is the same. In most cases, this is legal and happens with little transparency. The Biden administration’s EO seeks to change this.

At a high level, the EO focuses on sensitive information like biometric data, geolocation data, and health data. The national security risks from this data, and gaps in existing authorities like the Committee on Foreign Investment in the United States (CFIUS) process, are the main reasons stated for this action. There will not be immediate new legal obligations; instead, the U.S. Department of Justice (DOJ) will issue regulations to protect this data from access by and transfer to countries of concern, including through data brokers.

The aim is not case-by-case review but generally applicable rules for engaging in specific categories of data transactions with certain countries. These would cover prohibited data transactions (e.g., data-brokerage transactions and some genomic-data transactions) as well as restricted transactions that can proceed only if certain security requirements are met to mitigate access (e.g., vendor agreements, employment agreements, and investment agreements). The DOJ and the Department of Homeland Security will also address other means of access, including investment and employment relationships.

The DOJ contemplates identifying China, Russia, Iran, North Korea, Cuba, and Venezuela as “countries of concern.” Those covered will include entities and individuals subject to the “jurisdiction, direction, ownership, or control of countries of concern,” since data they obtain will likely end up in the hands of those countries. U.S. citizens and others, including refugees and those located in the United States, are not covered. Six categories of sensitive data are contemplated, but generally they are regulated only if bulk-volume thresholds are met (e.g., a number of U.S. persons or devices). U.S. government-related data on personnel, however, has no thresholds.

Most would agree the intentions of this EO are important. However, the key to success will be getting the implementation and accompanying regulations right to ensure trade, innovation, ordinary business practices, and existing legal frameworks like data flow agreements are not unduly impacted. This includes carefully assessing security requirements established by the Cybersecurity and Infrastructure Security Agency (CISA) for restricted transactions; addressing exceptions and exemptions (four are contemplated around financial transactions, ancillary business operations, activities of the U.S. government and contractors, and transactions allowed by federal law and international agreements); exploring types of data that should be subjected to less scrutiny; streamlining the process to seek licenses and advisory opinions to allow otherwise-regulated transactions; ensuring penalties are appropriate and reasonable; and identifying how classifications of covered entities are reviewed and updated, among other considerations.

The EO certainly has the potential to be part of the data security solution, but even if it is implemented perfectly, more is needed. The White House acknowledges this by urging “Congress to do its part and pass comprehensive bipartisan privacy legislation…” A federal comprehensive data privacy and security law is a critical component that extends beyond purely consumer privacy. Provisions of such a law might cement data minimization to reduce the sensitive information collected in the first place, notify individuals should their data go to countries like China and Russia, and require data security measures, among other parts. Other legislative solutions have also been proposed, including the Protecting Americans’ Data from Foreign Surveillance Act. Nor is this EO the first step taken this year to protect privacy and security. Other legislation and agency action have acknowledged this risk, such as Section 803 of the 2024 National Defense Authorization Act, which limits the transfer of Department of Defense data to third parties.

It will be critical for industry, civil society, and other stakeholders to engage in the rulemaking process and next steps to work toward an outcome that protects the privacy and security of sensitive data on Americans, while recognizing the interconnected nature of business and data flows. After all, data itself is essential for innovation and business, but adversaries continue to leverage it for strategic and nefarious advantages.

This analysis was written before the EO and the advance notice of proposed rulemaking (ANPRM) were released, so additional analysis and commentary might be necessary.