US moves ahead with crackdown on data brokers selling to six 'countries of concern'

Biden's Executive Order finally getting its day in the sun, soonish

The Register

The US federal government is poised to implement an Executive Order that would ban data brokers selling significant amounts of information to buyers in six countries.

On February 28, President Biden issued an Executive Order [PDF] - "Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern". The order empowered the Department of Justice to block data sales to unfriendly countries, namely China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

In March, the House of Representatives voted unanimously to implement such a plan but excluded Cuba and Venezuela.

And then, nothing happened.

But now the White House has decided to use the powers granted under the Executive Order and has opened a 30-day public consultation period before finalizing how the Executive Order will be applied.

Under the proposed rules, US citizens would be prohibited from selling data to, or processing data within, firms that are at least 50 percent owned by "a country of concern," or individuals primarily residing there. The restrictions, to be enforced by the DoJ's National Security Division, kick in after an entity meets the following thresholds:

  • Personal financial data on over 10,000 US persons
  • Personal health data on over 10,000 US persons
  • Precise geolocation data on over 1,000 US devices
  • Human genomic data on over 100 US persons
  • Biometric identifiers on over 1,000 US persons
  • Certain covered personal identifiers on over 100,000 US persons
  • Or any combination of these data types that meets the lowest threshold for any category in the dataset

"A US company would be prohibited from hiring a laboratory in China to analyze more than 100 US persons' data or DNA samples, and a US company that holds more than 10,000 US persons' financial or health data would have to comply with Justice Department security requirements if, say, it gave an equity stake in its firm to a Russian investor, hires a Chinese-headquartered company to store or process, or hires employees who primarily reside in China as part of its global IT team," a senior Justice Department official said on Monday.

"The prohibitions would also be triggered if any government-related data, such as precise geolocation data within certain geographic areas relating to US government facilities and activities or sensitive personal data on US government personnel."

There are, of course, exceptions. Official government activities are exempt, as are transactions related to the provision of basic telecommunications services such as international calls. Harmless personal communications that "do not transfer anything of value" are also not covered. Nor are regulatory disclosures for clinical drug or medical device trials, according to the Justice Department. As with many US restrictions, exemptions can be requested from the DoJ through a licensing process.

"Transfers from, say, a US based app to a Chinese parent or within a corporate group would be regulated by the prohibitions," a senior Homeland Security official said. "There is an exception for the sharing of data that is part of routine administrative or ancillary and business processes like payroll or resources or tax payments or the like."

Despite all these get-out clauses, the rules are at least a step forward on the long and tortuous path to improving data protection for US residents. That path is yet to include a strong national data privacy law, an idea that does not feature prominently in this year’s US election campaigns. ®