Biden Signs EO Targeting Data Broker Deals With Foreign Actors
President Joe Biden on Wednesday signed an executive order directing DOJ to establish rules blocking large-scale transfers of Americans’ personal data to entities in hostile nations.
The EO targets transactions between data brokers and entities in six countries: China, Iran, Russia, North Korea, Cuba and Venezuela. Biden signed the EO under the International Emergency Economic Powers Act (IEEPA), which grants the president authority to deal with “extraordinary threats to national security” originating outside the U.S. The White House said its intent is closing loopholes that allow commercial data brokers to engage in deals that compromise Americans’ sensitive data related to biometrics, health and finances. DOJ will issue an Advance NPRM soliciting public comment on the proposal.
The rules will be crafted to minimize the impact on legitimate commercial activity and preserve data flows with international partners, senior administration officials said Wednesday. This detail will be key, said Brandon Pugh, policy director at the R Street Institute.
The rulemaking should be “tailored enough to get at some of the concerns that the administration rightfully has but doesn’t unduly burden some of the companies already engaged in this space that have legitimate purposes,” said Pugh. The EO's licensing regime does that, he said.
DOJ said it will work with the departments of Commerce, State and Homeland Security to issue licenses that allow entities to apply for exemptions to the rules. The licensing regime would also account for “wind-down” periods for certain types of transactions, said DOJ.
Existing national security authorities allow the Committee on Foreign Investment in the United States (CFIUS) and the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector (Team Telecom) to review these types of data transactions case by case. The EO’s contemplated rules would allow for a more universal approach to the data broker marketplace, allowing agencies to fill the gaps in existing national security authorities, said DOJ.
The rules should carry the force of law because violations of IAEEPA are subject to civil and criminal sanctions, said Samir Jain, Center for Democracy & Technology vice president-policy. “A lot depends on what the final rules say and how they’re written, but they could very well have the force of law,” he said. While the EO addresses a “significant problem” in data broker transactions, it’s not a substitute for a federal privacy law, Jain said. In their announcements, DOJ and the White House called for passage of comprehensive, bipartisan legislation dealing with broader privacy issues.
The White House said foreign data sales raise “significant privacy, counterintelligence, blackmail risks and other national security risks -- especially for those in the military or national security community.” In addition, the data of “activists, academics, journalists, dissidents, political figures, and members of non-governmental organizations and marginalized communities” is at high levels of risk, the White House said.
Sen. Ron Wyden, D-Ore., welcomed the EO, noting that many of its provisions mirror his Protecting Americans’ Data from Foreign Surveillance Act. His bipartisan legislation also seeks to block data broker transactions with foreign adversaries. Wyden said it’s a mistake to limit the EO’s application to a handful of countries, arguing Saudi Arabia and the United Arab Emirates can’t be trusted with Americans’ personal data. These countries will likely use the data to undermine U.S. national security, and they lack privacy controls to prevent sales to China, he said.
“Countries like China have made it their mission to collect as much sensitive information as possible on Americans,” Senate Intelligence Committee Chairman Mark Warner, D-Va., said Wednesday, as he applauded Biden’s EO. Warner agreed executive action doesn’t preclude the need for a comprehensive federal privacy law.