White House Aims to Curb Data Broker Sales to Foreign Countries

A new executive order aims to protect Americans’ sensitive data - like personal, financial, geolocation and biometric data - from being accessed by China, Russia, Iran, North Korea, Cuba and Venezuela.


A new executive order issued by the Biden administration aims to stop "countries of concern" - like China, Russia, Iran, North Korea, Cuba and Venezuela - from accessing sensitive American data.

Personal, financial, geolocation and biometric data is frequently accessed via breaches, but the executive order instead focuses on the collection of this type of data through the legal commercial market. While privacy experts have cited various concerns over the years with how data brokers broadly access, utilize and share information, the executive order looks specifically at data being sold to certain foreign countries. The concern, said the White House, is that sensitive American data would land in the hands of intelligence services, militaries or companies owned by governments, which could open the door for various privacy and counterintelligence risks - and potentially enable countries to collect information about activists or dissidents.

“The President’s Executive Order focuses on Americans’ most personal and sensitive information, including genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information,” according to the executive order, issued on Wednesday. “Bad actors can use this data to track Americans (including military service members), pry into their personal lives, and pass that data on to other data brokers and foreign intelligence services. This data can enable intrusive surveillance, scams, blackmail, and other violations of privacy.”

Currently, limited legal restrictions exist to prevent the trade of Americans’ personal data to companies and governments overseas, and lawmakers like Sen. Ron Wyden (D-Ore.) have pointed out how China in particular obtains vast amounts of personal data - like cell phone locations, credit card purchases and web browsing history - through the open market. Various governmental efforts have targeted different aspects of foreign data acquisition over the years, including a 2018 order by the Committee on Foreign Investment in the U.S. that prevented U.S.-based companies with large amounts of Americans’ sensitive data from being sold to foreign firms. The Protecting Americans’ Data From Foreign Surveillance Act, proposed three years ago by Wyden, focused less on the companies holding the data and more on the data itself by introducing the concept of a license requirement for foreign companies to trade U.S. citizens’ personal information.

The executive order, on the other hand, looks to leverage the authorities of various governmental agencies to help set up “clear protections” for sensitive data, though details on the scope and scale of these protections remain to be seen. Under the executive order, the Attorney General is ordered to block the large-scale transfer of Americans’ personal data to certain countries, and the Justice Department is required to issue regulations that prohibit the transaction of certain types of data “that pose an unacceptable risk to national security.” This includes sensitive government-related data, like geolocation data on sensitive sites or information about military members.

The Justice Department and DHS are also mandated to set “high security standards” to prevent certain countries from accessing Americans’ data through commercial means, with the executive order citing data available through investment, vendor and employment relationships as examples of such means. Finally, the Department of Health and Human Services, DoD, and Department of Veterans Affairs are ordered to "help ensure that Federal grants, contracts, and awards are not used to facilitate access to Americans’ sensitive health data by countries of concern, including via companies located in the United States."

Moving forward, as part of its role in the executive order, the Justice Department said it will issue a notice of proposed rulemaking that will publicly describe the categories of transactions that involve bulk sensitive personal data, and will seek public comment before its rule goes into effect.

Caitlin Fennessy, with the International Association of Privacy Professionals (IAPP), said the big question is whether the executive order should be considered “a stark deviation from decades of U.S. support for data flows or a targeted set of privacy protections for sensitive personal data in response to concrete national security threats.”

“Given longstanding difficulties advancing broad-based federal privacy legislation, the Administration may have viewed this executive order as the only viable alternative to address what it perceived as an imminent risk,” said Fennessy. “Privacy professionals will now turn their attention to the practical implications - which organizations, data and transfers are implicated now, which might be down the line and what is needed to comply.”