What Biden’s Data Broker EO Means For Your Business
Many data brokers are happy to sell all kinds of personal information about US citizens. Piece this data together and you can get some frighteningly detailed intelligence about a wide range of people, from the physically vulnerable to the politically prominent.
Lawmakers are increasingly nervous about the consequences of a foreign adversary buying that data, which could range from blackmail to physical harm. On February 28, 2024, the White House took another step to mitigate the threat.
A History of Concern Over Foreign Data Flows
The Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern is the latest in a series of steps that the White House has taken to secure Americans’ personal data.
On May 15, 2019, the Trump administration issued Securing the Information and Communications Technology and Services Supply Chain. That EO declared a national emergency concerning the use of foreign IT and communications technology.
The Biden White House acknowledged that emergency on June 9, 2021 in another EO, Protecting Americans’ Sensitive Data from Foreign Adversaries. This called for a risk analysis of the dangers from the sharing of US citizens’ data overseas, along with recommendations for executive action.
The latest EO is a response to that analysis. It states the administration’s fears that malicious actors overseas could use AI and other technologies to mine new insights from data on US citizens. It has concerns about data on any citizens, but singles out individuals in the military and others working for the government, along with vulnerable groups including dissidents.
The document calls for government departments to protect these groups through several measures, including prioritising the review of licenses for undersea data transmission cables (an issue first raised in yet another Trump-era EO, from April 4, 2020). The White House hopes that this prioritization will help stop countries of concern from manipulating licensees into lifting data from the cables.
Healthcare data is another target of the EO. It directs various executive branch departments to issue rules on the management of bulk healthcare information, including biological data such as human genomic data.
Putting Data Brokers on Notice
The EO also zeroes in on data brokers.
“Entities in the data brokerage industry enable access to bulk sensitive personal data and United States government-related data by countries of concern and covered persons,” it says. “These entities pose a particular risk of contributing to the national emergency described in this order because they routinely engage in the collection, assembly, evaluation, and dissemination of bulk sensitive personal data and of the subset of United States Government-related data regarding United States consumers.”
It addresses this sector by forbidding those in the US from entering into transactions involving bulk sensitive personal data with foreign nationals representing countries of concern. That data includes some personal and biometric identifiers, along with geolocation and related sensor data, biological and personal health data, and personal financial data. There are exemptions to the rule, including the provision of information for financial services or for regulatory compliance.
However, regular companies whose primary business is not selling data shouldn’t be alarmed. The EO states that the order isn’t designed to prohibit commercial transactions “including exchanging financial and other data as part of the sale of commercial goods and services” with these countries. Neither does it attempt to disrupt broader trade relationships. It’s all about access to sensitive bulk data, the document explains.
The White House will rely partly on the Consumer Financial Protection Bureau (CFPB) to help bring data brokers within scope of the law. There is no specific federal regulation for data brokers, but consumer reporting agencies (CRAs) are regulated under the 1970 Fair Credit Reporting Act (FCRA).
In its proposed rulemaking, the CFPB warned that, more than half a century after the act's introduction, its definition of a CRA is now too narrow, and that some data brokers deal in sensitive personal information without having to comply with its privacy mandate. Proposed measures include widening the scope to define those brokers as consumer reporting agencies, bringing them into the fold.
The question, according to Claude Mandy, is whether data brokers will be able to restrict sales to foreign nationals. Mandy is chief data security evangelist at Symmetry Systems, which helps companies understand where their sensitive data is, how it has been used, and by whom. Answering those questions is more difficult than it seems, he warns.
“Every time we go into an organization we see the challenges they have in controlling the flow of data and understanding what data they have,” he tells ISMS.online.
Mandy also warns that data is regularly sold to third parties who then sell it on themselves, creating a supply chain that is murky at best.
“They don’t know who it’s being sent to. They don’t know who has access to it. And that flow of data from first principles isn’t being tackled,” he says. “With shell companies and foreign ownership, how many layers deep can you go before it becomes untenable to find that final position? And that’s what we are asking them to do with this Executive Order.”
Time to Rethink Data Practices
Cobun Zweifel-Keegan, Washington DC managing director at the International Association of Privacy Professionals (IAPP), says that when the government agencies eventually create specific rules, data brokers might need to rethink their data management. That might not be a bad thing, he adds.
“Understanding the context and potential harms of certain data sets is a known challenge that a company should be already taking into account,” he tells ISMS.online.
One Law to Bind Them All?
In the meantime, the federal government continues to press for a broader federal privacy law. The latest proposal is the draft American Privacy Rights Act, which would allow Americans to control what data companies can collect and keep about them, and to prevent their data being transferred to others.
While we wait for that draft discussion to become an actual bill, there are other efforts on the Hill to rein in data brokers. Lawmakers introduced H.R. 7521, the Protecting Americans from Foreign Adversary Controlled Applications Act (publicised as the TikTok ban), and H.R. 7520, the Protecting Americans' Data from Foreign Adversaries Act of 2024. Like February's EO, the latter focuses on choking off data brokers' sale of information to foreign entities.
With both the White House and the House of Representatives eager to tighten pressure on data brokers, companies that focus on selling individuals' data would be wise to examine their practices.
“Data brokers are certainly on notice that policymakers are concerned about practices involving foreign adversaries and even the sale of data in unfettered ways and in other contexts,” says Zweifel-Keegan. “It’s definitely not a time to rest on your laurels, because this is just one of many moving policy targets that are closing in on data broker practices.”