On February 28, President Joe Biden issued a executive order with the intent of protecting Americans’ personal data from foreign threats.
The data referred to is mainly sensitive and personal information such as biometric data, personal health, geolocation, financial information and personally identifiable information (PII). This type of information, in the hands of malicious actors, could be used for scams and blackmail, surveillance and other privacy violations, potentially causing unwanted national security issues.
It’s time to regulate data privacy, but why?
Increasingly, companies collect personal data, then legally – or sometimes even illegally – sell or resell that data.
Just last month, the Federal Trade Commission (FTC) said as much Avast collected consumer browsing data and stored it indefinitely without notice or consent, then sold and licensed the web browsing data to third parties, all after claiming to protect its consumers from this very act.
While this case may have been illegal, legally tracking and selling private data collected from consumers and citizens isn’t all that different, and is more common than the average person might imagine.
“There has been a demand from advertisers and marketplaces to get customer lists, and that has created this market for data brokers,” says Aloke Chakravarty, a partner at law firm Snell & Wilmer. She is co-chair of the law firm’s investigations, law enforcement and white collar protection practice group, as well as the firm’s cybersecurity, data protection and privacy practice group.
“In America the idea of buying and selling customer lists is actually a very old and often legitimate business model,” he adds.
In any case, once companies or data brokers collect the data, they can then sell it to so-called countries of concern, as indicated in the EO fact sheet – nations including China, North Korea, Iran, Cuba and Venezuela, which already have a history of collecting data on Americans.
Once in the hands of foreign operators, this data can be used by other intelligence services, militaries, or entities operating under foreign governments, raising national security and counterintelligence concerns. These countries could collect information on “activists, academics, journalists, dissidents, political figures and members of non-governmental organizations and marginalized communities” to intimidate their opposition or blackmail them, the briefing note warns.
Privacy and electoral integrity
However, there are also specific forces at play.
As noted by FBI Director Christopher Wray at the International Conference on Cyber Security (ICCS) earlier this year, chaos is expected for this upcoming presidential elections in 2024 and potential interference in cyber warfare from foreign countries such as Russia, IranAND China – the latter is home to hackers who have stolen more personal and business data belonging to Americans than any other country combined.
“There is an election this year, and allowing the information of U.S. citizens to be mined or used for the purpose of influencing that election is critically important to the administration,” Chakravarty says. “I’m not saying it’s all politics, but election integrity is a factor here.”
Data privacy regulation has never been so prevalent nationwide in the past, at least in the United States. While other countries have privacy and security laws like the General Data Protection Regulation (GDPR) In regulating data privacy and people’s rights, the United States lags behind in this respect. It is imperative to implement safeguards to protect citizens as soon as possible, Chakravarty notes, especially at a time when the risk to private data is reaching a boiling point.
The Biden administration’s data privacy plan
The administration has detailed several directions for government agencies and departments to issue regulations and make licensing rules and decisions, some of which are clearer than others. The Department of Justice (DoJ), for example, will have to establish “clear protections for Americans’ sensitive personal data” and “prevent the large-scale transfer of such data to countries of concern.” The definition of the scope and volume of a “large-scale transfer” remains unclear.
Additionally, the DoJ is expected to establish stronger protections for sensitive data and, together with Homeland Security, to prevent affected countries from accessing Americans’ data through commercial means, such as through investments or business relationships.
The Departments of Health and Human Services, Defense, and Veterans Affairs will also be collectively involved to ensure the security of sensitive health data. Additionally, the Committee to Evaluate Foreign Participation in the U.S. Telecommunications Services Industry was ordered to consider potential threats when reviewing undersea cable licenses. In a year, the secretaries of these departments, as well as the director of the National Science Foundation, will report to the president to detail their progress in implementing information privacy measures.
An unknown future
How these presidential orders will affect foreign relations in the future is uncertain, although Chakravarty says this only furthers the “cyber cold war” at play on a geopolitical level.
“Any time you discriminate against a country, it will have an offensive impact on your bilateral relations, as well as multilateral dynamics and the signals you send to the world,” Chakravarty says, “both from a foreign policy perspective as well as a trade perspective. “
Note, however, that in the past the US government has not necessarily shied away from publicly admonishing adversary countries and their cyber tactics.
“The fact that it’s an executive order adds some formality to it… I don’t think that [prompt] a vigorous response,” Chakravarty says, “but it may actually formalize some of the anti-American policies that may appear in some of these other jurisdictions.”