Biden Executive Order Targets Bulk Data Transfers to China
New Order Tasks Department of Justice With Developing Data Transfer Protections
Update Feb. 29, 2024 4:51 UTC: The White House published the executive order, a copy of which is available here.
U.S. President Joe Biden is set to sign Wednesday an executive order aimed at preventing the large-scale transfer of Americans' sensitive personal data to countries including China.
The order, aimed in large measure at data brokers, will direct the Department of Justice to initiate a rule-making process to stymie the bulk transfer of data to "countries of concern" that include Russia and Iran. The order will cover genomic data, biometric data, personal health data, geolocation data, financial data and certain kinds of personally identifiable information, according to a White House fact sheet.
"The executive order is carefully scoped to really focus on aspects of personal sensitive data and types of bulk personal sensitive data that pose a national security risk," a senior administration official said Tuesday, speaking on condition of only being identified as such.
"We are both trying to be very deliberate in how we work with industry and stakeholders in designing a set of rules that are implementable, and get at the very real national security concerns that we have with respect to the transfer of bulk sensitive data."
The order effectively kicks off a rule-making process lasting at least months, if not years, which officials said will aim to be a highly collaborative process to ensure "the trusted free flow of data."
Officials also said the executive order will specifically prohibit data broker and genomic data transactions, while establishing categories of restricted data transactions, such as vendor agreements that can expose critical security components commonly used by government agencies and major private organizations.
The White House will also direct the departments of Health and Human Services, Defense and Veterans Affairs to review federal grants, contracts and awards to ensure sensitive health data is not being transferred to prohibited countries.
The order does not place new restrictions or standards on how U.S. companies are expected to maintain personal sensitive information. Rather, it focuses on the transfer of data abroad. Officials said the countries of concern included in the executive order are China, Russia, North Korea, Iran, Cuba and Venezuela.
Multiple presidential administrations have flagged China's large appetite for data on Americans, whether obtained through hacking - such as a 2018 cyberattack against hotel chain Marriott - or through commercial transactions. Director of National Intelligence Avril Haines told a Senate panel in April 2021, "There’s a concern about foreign adversaries getting commercially acquired information as well, and [I] am absolutely committed to trying to do everything we can to reduce that possibility."
What China does with the data is less certain, although academics have suggested its motives include identifying intelligence agents or training artificial intelligence models. "The most intriguing is the possibility that Beijing doesn't even know why or how it might be able to use this data set, yet nonetheless figures that it's worth acquiring it now, with an anticipation of putting it to use later," said a blog post published on Just Security in 2019.
Administration officials told reporters Tuesday that data from companies holding vast troves of Americans' information "can land in the hands of foreign intelligence services, militaries or companies controlled by foreign governments."