The Biden administration has identified “countries of concern” exploiting Americans’ sensitive personal data as a national emergency. To address the crisis, the White House issued an executive order on Feb. 28, 2024, aimed toward stopping these countries from accessing Americans’ bulk sensitive personal data.
The order doesn’t specify the countries, but news reports cited unnamed senior administration officials identifying them as China, Russia, North Korea, Iran, Cuba and Venezuela.
The executive order adopts an easy, broad definition of sensitive data that needs to be protected, however the order is restricted in the protections it affords.
The order’s larger significance lies in its stated rationale for why the U.S. needs such an order to guard people’s sensitive data in the primary place. The national emergency is the direct results of the staggering quantities of sensitive personal data up on the market – to anyone – within the vast international business data market, which is comprised of firms that collect, analyze and sell personal data.
Data brokers are using ever-advancing predictive and generative artificial intelligence systems to realize insight into people’s lives and exploit that power. This is increasingly posing risks to individuals and to domestic and national security.
I’m an attorney and law professor, and I work, write and teach about data, information privacy and AI. I appreciate the highlight the order puts on the risks of the information market by acknowledging that firms collect more data about Americans than ever before – and that the information is legally sold and resold through data brokers. These dangers underscore Congress’ failure to guard people’s most sensitive data.
Sensitive personal data could be fodder for blackmail, raises national security concerns, and could be used as evidence for prosecutions. This is very true on this era of misinformation and deepfakes – AI-generated video or audio impersonations – and with recent U.S. federal and state court rulings that allow states to limit and criminalize private personal selections, including those related to reproductive rights. The executive order seeks to guard Americans from these risks – at the least from those countries of concern.
What the manager order does
The order issues directives to federal agencies to counter certain countries’ continuing efforts to access Americans’ bulk sensitive personal data in addition to U.S. government-related data. Among other concerns, the order emphasizes that non-public data could possibly be used to blackmail people, including military and government personnel.
Under the order, the Department of Justice will develop and issue regulations that prevent the large-scale transfer of Americans’ sensitive personal data to countries of concern.
More broadly, the order encourages the Consumer Financial Protection Bureau to take steps to spice up compliance with federal consumer protection law. In part, this might help restrict overly invasive collection and sale of sensitive data and reduce the quantity of economic information – like credit reports – that data brokers collect and resell.
The order also directs pertinent federal agencies to ban data brokers from selling bulk health and genomics data to the countries of concern. It recognizes that data brokers and their customers are increasingly capable of use AI to research health and genomics data and other kinds of data that don’t contain individuals’ identities to link data to particular individuals.
Defining sensitive personal data
From an information privacy standpoint, the order is important for its broad definition of what constitutes sensitive personal data. Included in this umbrella term are “covered personal identifiers, geolocation and related sensor data, biometric identifiers, human omic data, personal health data, personal financial data, or any combination thereof.” Not included within the definition is any data that may be a matter of public record.
The broad definition is important since it affirms a departure from the U.S. legal system’s standard approach to data, which is sector by sector. Generally, federal and state laws protect various kinds of data, like health data, biometric data and financial data, in other ways. Only the people and entities inside those sectors, like your doctor or bank, are regulated in how they use the information.
That piecemeal approach isn’t well suited to the era of satellites and smart devices, and has left much data, even very sensitive data, unprotected. For instance, smartphones and wearable devices and the apps on them sense, collect, use and disseminate vast quantities of highly revealing health-related data and geolocation data, yet such data isn’t covered by the Health Insurance Portability and Accountability Act or other data protection laws.
By bringing these historically different categories of knowledge under the broader and more easily understood phrase “sensitive personal data,” policymakers in the manager branch have taken a cue from the Federal Trade Commission’s work to protect sensitive consumer data. The FTC has ordered some data brokers to stop selling sensitive location details about individuals. The order also reflects policymakers’ increasing understanding of what’s required for meaningful data protection within the era of predictive and generative AI.
What the manager order doesn’t do
The executive order specifies that it doesn’t seek to upend the worldwide data market or adversely impact “the substantial consumer, economic, scientific and trade relationships that the United States has with other countries.” It also doesn’t seek to broadly prohibit people within the U.S. from conducting business transactions with entities and individuals in or “subject to the control, direction or jurisdiction of” the countries of concern.
Nor does it impose measures that will restrict U.S. commitments to extend public access to scientific research, the sharing and interoperability of electronic health information, and patient access to their data.
Notably, it doesn’t seek to impose a general requirement that firms should store Americans’ sensitive data or U.S. government-related data throughout the territorial boundaries of the U.S., which in theory would offer higher protection for the information. It also doesn’t seek to rewrite the 2023 voluntary Data Privacy Framework for transfers of knowledge between the European Union and the U.S.
In sum, it does little to vary U.S. business data brokers’ activities and practices – except when such activities involve those countries of concern.
What’s next?
The various agencies directed to act must accomplish that inside clearly specified time periods within the order, starting from 4 months to a 12 months, so for now it’s a waiting game. In the meantime, President Joe Biden has joined an extended list of people that proceed to induce Congress to pass comprehensive bipartisan privacy laws.
This article was originally published at theconversation.com
