Breaking Down The US Executive Order To Protect Americans’ Sensitive Personal Data
President Biden issued an executive order to “protect Americans’ sensitive personal data from exploitation by countries of concern.” In short, the order seeks to mitigate national security risk by preventing companies from selling, sharing, or transferring sensitive data on Americans to unnamed “countries of concern,” which the New York Times reports are China, Russia, Iran, North Korea, Cuba, and Venezuela.
The limitation to six countries of concern confirms that this is more about national security and counterintelligence than it is about protecting consumers’ data. But the national security angle is a new one and could inspire federal privacy legislation that is more expansive than this executive order.
The Order Addresses Two Areas Of Risk
This order defines sensitive data as the usual suspects — genomic and biometric data, financial data, personal health data — but it also covers geolocation data and “certain kinds of personally identifiable information.” The executive order frames the lack of robust data privacy protections as a risk from two angles:
- A national security risk. The order makes multiple references to how commercial data brokers and other companies can sell these categories of consumer data, which can eventually find their way to foreign governments, militaries, and intelligence services. In turn, the order argues, the sale of this data raises “significant privacy, counterintelligence, blackmail risks, and other national security risks.”
- A civil liberties risk. With targeted data-buying or data-collection efforts, countries of concern can access sensitive data belonging to “activists, academics, journalists, dissidents, political figures, and members of nongovernmental organizations and marginalized communities.” Combined with the blackmail and other risks outlined above, this could give bad actors leverage to intimidate or otherwise silence dissidents and influential voices, curbing their freedom of expression.
Biden Responds To A Tidal Wave Of Data Privacy And Security Concerns
This executive order is an unsurprising response to a damning string of investigations and congressional hearings on consumer data. Last year saw multiple US states with pending biometrics data legislation, two landmark cases related to Illinois’ Biometric Information Privacy Act, a data breach at 23andMe, and significant breaches at major telecommunications companies (T-Mobile, Comcast, AT&T, Verizon).
Double Down On Privacy, Security, And Risk As A Strategic Priority
The executive order sends an important signal about the Biden administration’s prioritization of data privacy, security, and risk. It isn’t comprehensive, but it is a step in the right direction. Executive orders create a trickle-down effect: they directly affect companies that work with the government and, in turn, drive change among vendors and enterprises — as happened in 2021 with Biden’s executive order on Zero Trust. With this executive order, keep an eye on:
- New regulation of sensitive personal data. The order calls on the Department of Justice (DOJ) to issue regulations that protect consumers’ sensitive data. It also calls on the DOJ to better protect sensitive government-related data, including data on members of the military and geolocation data on sensitive sites. That will create ripple effects as data brokers consider the sensitivity of the data that they are selling and possibly restrict access or sale in the future.
- Your parameters of data sharing with your third-party ecosystem. Your company is directly responsible for data on customers, employees, and partners that makes its way into the hands of “countries of concern.” Catalog all third-party entities that have access to this data, including marketing technologies, agencies, and open-source apps, and ensure that your organization is following third-party risk management best practices in order to protect your customers and your brand. In cases where you are sharing data with third parties, use our trusted data sharing framework to narrow the trust gap.
- Your handling of children’s data. The last sentence of the executive order gives a nod to protecting the safety of children. In 2023, of the top 35 global privacy abuses, fines, and violations that we analyzed, four fines — totaling nearly $424 million — related to the misuse and retention of children’s data, in addition to a lack of transparency, notice, and consent for data collection and processing.
- Your requirements as regulations enforce cybersecurity measures. This order is yet another example of cybersecurity requirements established in the private sector under the guise of national security concerns. As the administration works to “set high security standards to prevent access by countries of concern,” organizations must be prepared for these standards to trickle down to the private sector. Cataloging the governments that companies are associated with, and how data is controlled and accessed in and by each of those regions, is critical as more orders like these are established.
- Your use of geolocation and IP addresses for decisioning. GPS and IP address geolocation, device reputation/fingerprinting, and behavioral biometrics data are considered personal information in many European countries and Canada. This bars their use for marketing and sales targeting purposes but allows their use for security and fraud management purposes. We expect that this executive order will pave the way for US legislation that stipulates the allowed uses and sharing of personal information on a per-use-case basis. How retailers, banks, and other firms’ lobbies respond to such legislation remains to be seen.
There is more than meets the eye with this executive order. We’ll continue to monitor (and blog about!) the impact of this order. In the meantime, set up a guidance session if you’d like a deeper dive.