Biden to crack down on US data flows to China, Russia
By Alexandra Alper and Kanishka Singh
WASHINGTON (Reuters) – President Joe Biden’s administration on Wednesday unveiled an executive order aimed at protecting American personal data by restricting its transfer to China, Russia and other countries, senior U.S. officials said, citing national security concerns.
The order, first reported by Reuters, will curb bulk transfers of Americans’ geolocation, biometric, health and financial information by data brokers and others to specific “countries of concern,” the officials said.
It will also bar the transfer of any volume of data on U.S. government personnel, they added, to such countries, which also include Iran, North Korea, Cuba and Venezuela.
“China and Russia are buying American sensitive personal data from data brokers” and leveraging it “to engage in a variety of nefarious activities including malicious cyber-enabled activities, espionage and blackmail,” the officials said.
“Buying data through data brokers is currently legal in the United States. That reflects a gap in our national security toolkit,” they added, saying Wednesday’s order aimed to fill that gap.
The order is the latest bid by Washington to stem the flow of American data to China, which is locked in a years-long trade and technology war with the United States.
The U.S. Congress is considering legislation to ban federal agencies from contracting with China’s BGI Group and Wuxi APPTEC, part of an effort to keep China from accessing American genetic data and personal health information.
In 2018, a U.S. panel that reviews foreign investments for potential national security threats rejected a plan by China’s Ant Financial to acquire U.S. money transfer company MoneyGram International because the companies could not assuage concerns over the safety of data that can be used to identify U.S. citizens.
The officials said on Wednesday that transactions with data brokers who know that the information will end up in “countries of concern” will be banned, as will all genomic data transfers.
Transfers of other classes of data – from biometric to financial – would only be banned if they met certain volume thresholds and were being sent to those countries, one official said.
To allay concerns that the new rules would unnecessarily hamper economic activity, certain types of data including corporate payroll and compliance are exempted, they added.
Certain transactions such as cloud service, employment and investment agreements would also be permitted, subject to some security requirements such as encryption and anonymization.
The order also directs the Department of Justice to give industry ample opportunity to comment on proposals before they go into effect.
The White House says companies are collecting more of Americans’ data than ever before. That data is often legally sold and resold through data brokers who can then transfer it to foreign intelligence services, militaries, or companies controlled by foreign governments.