On Feb. 28, President Joe Biden issued an executive order with the intent of protecting Americans’ personal data from foreign threats.

The data referred to is primarily sensitive and personal information such as biometric data, personal health, geolocation, financial information, and personally identifiable information (PII). This kind of information, in the hands of malicious actors, could be used in scams and blackmail, for surveillance, and in other disturbances of privacy, potentially causing unwanted national security issues.

The Time Is Now for Data Privacy Regulation, but Why?

Increasingly, companies are collecting personal data, then legally — or sometimes even illegally — selling, or reselling that data. 

Just this past month, the Federal Trade Commission (FTC) claimed that Avast collected consumer browsing data and was storing it indefinitely without notice or consent, then selling and licensing the Web browsing data to third parties — all after claiming to protect its consumers from this very act. 

While this instance may have been illegal, legally tracking and selling private data collected from consumers and citizens isn’t all that different, and it’s more common than the average person may realize.

“There has been a demand for advertisers and markets to obtain customer lists and that has created this market for data brokers,” says Aloke Chakravarty, partner at the Snell & Wilmer law firm. He is the co-chair for the law firm’s investigations, government enforcement, and white-collar protection practice group, and the firm’s cybersecurity, data protection, and privacy practice group.

“The idea in America of buying and selling customer lists is actually a very old and often legitimate business model,” he adds.

Either way, once data is collected by companies or data brokers, they can then go on to sell that data to so-called countries of concern, as noted in the EO fact sheet — nations including China, North Korea, Iran, Cuba, and Venezuela, which already have a history of collecting data on Americans.

Once in the hands of foreign operators, this data can be used by other intelligence services, militaries, or entities that function under foreign governments, which raises concerns of national security and counterintelligence. These countries could gather information on “activists, academics, journalists, dissidents, political figures, and members of non-governmental organizations and marginalized communities” to intimidate their opposition or blackmail them, the fact sheet warned.

Privacy & Election Integrity

There are also specific forces at play, however. 

As noted by FBI Director Christopher Wray at the International Conference on Cyber Security (ICCS) earlier this year, there is an expectation of chaos for this upcoming 2024 presidential election and potential cyber warfare interference from foreign countries such as Russia, Iran, and China — the latter of which harbors hackers that have stolen more personal and corporate data belonging to Americans than every other country put together. 

“There is an election this year, and to allow US persons’ information to be mined or used for purposes of influencing that election is of paramount concern to the administration,” Chakravarty says. “I’m not saying it’s all politics, but election integrity is a factor here.”

Regulation for data privacy has never taken such national prevalence in the past, at least in the United States. While other countries have privacy and security laws like the General Data Protection Regulation (GDPR) to regulate data privacy and the rights of individuals, the US falls behind in this aspect. There is an imperative to implement safeguards to protect citizens as soon as possible, Chakravarty notes, especially at a time when the risk to private data is reaching a boiling point.

The Biden Administration’s Data Privacy Plan

The administration detailed several directions for government agencies and departments to issue regulations and determine rules and licensing decisions, some of which are clearer than others. The Department of Justice (DoJ), for instance, will be expected to establish “clear protections for Americans’ sensitive personal data” and “will prevent the large-scale transfer of that data to countries of concern.” The definition of the scope and volume of a “large-scale transfer” remains unclear.

In addition, the DoJ will be expected to establish greater protections to sensitive data and, alongside Homeland Security, prevent access to Americans’ data through commercial means by countries of concern, such as through investment or employment relationships.

The Departments of Health and Human Services, Defense, and Veterans Affairs will also collectively be involved to ensure the safety of sensitive health data. And, the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector has been ordered to consider potential threats when reviewing submarine cable licenses. In one year, the secretaries of these departments, as well as the director of the National Science Foundation, will report to the president to detail their progress in implementing data privacy measures around the information. 

An Unknown Future

How these presidential orders will influence foreign relations going forward is uncertain, though Chakravarty says this only furthers the “cyber cold war” at play geopolitically.

“Any time you discriminate against a country, it is going to have an offending impact on your bilateral relationship, as well as the multilateral dynamics and signals that you’re sending to the world,” Chakravarty says, “both from a foreign policy perspective as well as a commercial perspective.”

He notes, however, that the US government hasn’t necessarily shied away from publicly admonishing adversarial countries and their cyber tactics in the past.

“The fact that this is an executive order does add some formality to that. … I don’t think it’s going to [prompt] a vigorous response,” Chakravarty says, “but it might actually formalize some of the anti-American policies that might appear in some of these other jurisdictions.”

Source: www.darkreading.com