(Spanish version here)

Last Wednesday, Biden signed an executive order (EO) seeking to block bulk transfers of data, including geolocation, financial data, and certain types of personally identifiable information to countries of concern.¹ The purpose is to protect sensitive personal information from being exploited by these countries of concern. The White House states, “[b]ad actors can use this data to track Americans (including military service members), pry into their personal lives, and pass that data on to other data brokers and foreign intelligence services. This data can enable intrusive surveillance, scams, blackmail, and other violations of privacy.”² This is a great step in the right direction because it limits outbound data transfers that pose “an unacceptable risk to the national security of the U.S.”³

Regulating data brokers

The EO primarily affects the business models of third-party firms known as data brokers (companies profiting from the bulk collection, aggregation and sale of personal data). According to the EU’s General Data Protection Regulation, personal data refers to any information which are related to an identified or identifiable natural person, which includes biographical information, internet browsing history, and geolocation.⁴ A data broker is any company that makes money from any personal data.⁵ Through this EO, Biden directs the Department of Justice to issue regulations restricting  U.S. companies from transferring or selling large datasets to “covered persons” who are subject to the jurisdiction of “countries of concern,” identifying China, Russia, Iran, North Korea, Cuba, and Venezuela as countries of concern under this program.⁶ It also prevents transactions to designated “covered persons” (a foreign person employee or contractor of such entity who is controlled by or subject to the jurisdiction of the country of concern) located in third-party countries (such as EU member states) depending on the nature of their relationship with covered countries.⁷ The Department of Justice (DOJ) will be responsible for implementing the EO, in collaboration with other federal agencies. The DOJ plans to issue regulations aiming to protect American’s sensitive personal data from being exploited by countries of concern through a rule making proceeding. The DOJ has released a fact sheet of how it plans to implement the EO, which states that the DOJ “will issue an Advance Notice of Proposed Rule making (ANPRM) to provide details on the proposed riles and to provide notice and solicit comment from the public.”⁸

What are the limits of the EO?

The scope of the EO is limited because it only impacts data brokers from transferring data to the countries of concern, however, it does nothing in regulating data transfer within the U.S. Technology companies and data brokers who aggregate, process, store, and share sensitive personal information with entities in the U.S. and continues to allow U.S. companies to share or sell personal data tyo most third party countries that are not considered “countries of concern.”⁹ Many industry leaders have praised the EO while also acknowledging the need for future rules and regulation:

“Today’s executive order is a reminder of the urgent need to protect the personal data of Americans. Corporate data brokers are assembling and selling extremely sensitive data on all of us, including U.S. military personnel, to foreign purchasers. The executive order calls on the CFPB to utilize its legal authorities to provide greater protections. This year, we will be proposing new rules to rein in these abuses that will safeguard families and our national security,” CFPB Director, Rohit Chopra said.¹⁰

“The NAI supports the President’s plan to ban sales of sensitive U.S. consumer data to foreign adversaries. The nonconsensual sale of U.S. consumer data to foreign governments is unethical and poses a serious privacy threat to consumers, NAI President and CEO Leigh Freund said.¹¹

“Our adversaries are exploiting Americans’ sensitive personal data to threaten our national security,” said Attorney General Merrick B. Garland. “They are purchasing this data to use to blackmail and surveil individuals, target those they view as dissidents here in the United States, and engage in other malicious activities. This Executive Order gives the Justice Department the authority to block countries that pose a threat to our national security from harvesting Americans’ most sensitive personal data—including human genomic data, biometric and personal identifiers, and personal health and financial data.”¹²

What’s next?

Numerous privacy experts have underscored the relentless expansion of government and private surveillance, a trend exacerbated by the rapid advancement of artificial intelligence and tracking technologies. This situation highlights the pressing need for robust data privacy legislation, akin to the GDPR, to protect the rights of Americans.¹³ Although the executive order (EO) targets primarily foreign adversaries, it falls short in addressing the legitimate concerns surrounding domestic surveillance practices. The EO fails to limit increasingly invasive tracking methods and the unauthorized transfer and sale of personal data within the United States, revealing a significant regulatory gap. As the nation faces evolving privacy challenges, it is imperative for policymakers to develop legislation that not only safeguards national security interests but also staunchly protects the fundamental right to privacy for all Americans.

1. Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” The White House, February 28, 2024. Available at: https://www.whitehouse.gov/briefing-room/presidential-actions/2024/02/28/executive-order-on-preventing-access-to-americans-bulk-sensitive-personal-data-and-united-states-government-related-data-by-countries-of-concern/. ↩︎
2. Fact Sheet: President Biden Issues Sweeping Executive Order to Protect Americans’ Sensitive Personal Data,” The White House, February 28, 2024. Available at: https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/. ↩︎
3. Id. ↩︎
4. The General Data Protection Regulation is a European Union regulation on information privacy in the European Union and the European Economic Area.  The GDPR protects personal data regardless of the technology used for processing that data. GDPR-Info.eu, “GDPR Personal Data,” available at: https://gdpr-info.eu/issues/personal-data/#:~:text=GDPR%20Personal%20Data&text=Only%20if%20a%20processing%20of,identified%20or%20identifiable%20natural%20person. ↩︎
5. Gartner, “Data Broker Definition,” available at: https://www.gartner.com/en/information-technology/glossary/data-broker#:~:text=A%20Data%20Broker%20is%20a,provide%20them%20with%20enhanced%20results. ↩︎
6. U.S. Department of State, Countries of Particular Concern & Special Watch List Countries & Entities of Particular Concern, U.S. Department of State, https://www.state.gov/countries-of-particular-concern-special-watch-list-countries-entities-of-particular-concern/ (last visited Feb. 29, 2024). ↩︎
7. Id. ↩︎
8. Department of Justice, Press Release, January 18, 2024. Available at https://www.justice.gov/opa/media/1340216/dl. ↩︎
9. Exploring the White House’s Executive Order to Limit Data Transfers to Foreign Adversaries,” Center for Strategic and International Studies (CSIS), February 28, 2024. Available at: https://www.csis.org/analysis/exploring-white-houses-executive-order-limit-data-transfers-foreign-adversaries#:~:text=On%20February%2028%2C%20the%20White,security%20of%20the%20United%20States.%E2%80%9D.
   ↩︎
10. CFPB Director Rohit Chopra Releases a Statement in Response to President Biden’s Executive Order to Protect Americans’ Sensitive Personal Data,” Consumer Financial Protection Bureau, February 28, 2024. Available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-director-rohit-chopra-releases-a-statement-in-response-to-president-bidens-executive-order-to-protect-americans-sensitive-personal-data/#:~:text=%22Today’s%20executive%20order%20is%20a,military%20personnel%2C%20to%20foreign%20purchasers. ↩︎
11. The NAI Supports Limits on the Sale of U.S. Consumer Data,” Network Advertising Initiative, February 28, 2024. Available at https://thenai.org/press/nai-applauds-president-bidens-order-to-protect-americans-sensitive-data-from-foreign-adversaries/ ↩︎
12. Justice Department to Implement Groundbreaking Executive Order Addressing National Security,” U.S. Department of Justice, February 28, 2024. Available at https://www.justice.gov/opa/pr/justice-department-implement-groundbreaking-executive-order-addressing-national-security. ↩︎
13. The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world.  It came into effect on May 25, 2018, and imposes obligations on any companies in the world that collects or processes data related to residents of the EU. Available at: https://gdpr-info.eu/issues/personal- ↩︎