The Biden administration has identified the misuse of Americans' sensitive personal data by “countries of concern” as a national emergency. To address this crisis, the White House issued an executive order on February 28, 2024, aimed at preventing these countries from accessing large amounts of sensitive personal data of Americans.
The order does not specify the countries, but reports, citing anonymous government officials, identified them as China, Russia, North Korea, Iran, Cuba and Venezuela.
Although this Executive Order adopts a simple and broad definition of sensitive data to be protected, the Executive Order provides limited protections.
The greater significance of this order lies in the stated rationale for why the United States needs such an order to protect people's sensitive data in the first place. This national emergency is a direct result of vast amounts of sensitive personal data being made available for sale to anyone in a vast international commercial data marketplace made up of companies that collect, analyze, and sell personal data.
Data brokers use constantly advancing predictive and generative artificial intelligence systems to gain insight into and harness the power of people's lives. This poses increasing risks to personal, domestic and national security.
I'm a lawyer and law professor who works, writes, and teaches about data, information privacy, and AI. By recognizing that companies are collecting data on more Americans than ever before, and that this data is being legally sold and resold through data brokers, the order puts a spotlight on the dangers of data markets. These risks highlight Congress' failure to protect people's most sensitive data.
Sensitive personal data can be used as extortion material, raise national security concerns, and be used as evidence in prosecutions. This is especially true in this era of misinformation and deepfakes (AI-generated video and audio spoofs). It also applies to recent U.S. federal and state court decisions that allow states to restrict and criminalize individual choices, including those related to reproductive rights. The executive order is intended to protect Americans from these risks, at least from countries of concern.
Contents of the presidential order
The order directs federal agencies to counter continued efforts by certain countries to gain access to large amounts of Americans' sensitive personal data and U.S. government data. Among other concerns, the order highlights that personal data could be used to blackmail people, including military personnel and government officials.
Under the order, the Department of Justice will develop and promulgate regulations to prevent large-scale transfers of sensitive personal data of Americans to countries of concern.
More broadly, the order encourages the Consumer Financial Protection Bureau to take steps to enhance compliance with federal consumer protection laws. In part, this could help limit overly invasive collection and sales of sensitive data and reduce the amount of financial information, such as credit reports, that data brokers collect and resell.
The order also directs relevant federal agencies to prohibit data brokers from selling large amounts of health and genomics data to countries of concern. It is becoming increasingly possible for data brokers and their customers to use AI to analyze health and genomics data, as well as other types of data that do not include individual identities, and to link that data to specific individuals.
Definition of sensitive personal data
From an information privacy perspective, the order is significant in that it broadly defines what constitutes sensitive personal data. This umbrella term includes “targeted personal identifiers, geolocation and related sensor data, biometric identifiers, human omics data, personal health data, personal financial data, or any combination thereof.” This definition does not include data that is public record.
This broad definition is important because it represents a departure from the standard approach of the U.S. legal system, which treats data on a sector-by-sector basis. Federal and state laws generally protect different types of data, such as health data, biometric data, and financial data, in different ways. Only people and entities in these sectors, such as doctors and banks, are regulated in how their data is used.
This piecemeal approach is poorly suited to the era of satellites and smart devices, leaving much data, including highly sensitive data, unprotected. For example, smartphones and wearable devices and their apps sense, collect, use, and distribute vast amounts of highly visible health-related and geolocation data that is not subject to gender and responsibility laws or other data protection laws.
By collapsing these historically disparate categories of data into the broader and more understandable term “sensitive personal data,” policymakers in the executive branch, inspired by the work of the Federal Trade Commission, will be able to better understand how to protect sensitive consumer data. The FTC has ordered some data brokers to stop selling sensitive location information about individuals. The order also reflects policymakers' growing understanding of what is needed for meaningful data protection in the era of predictive and generative AI.
What cannot be done by presidential order
The executive order specifies that it will not transform global data markets or adversely affect “substantive consumer, economic, scientific, or trade relationships between the United States and other countries.” It also does not broadly prohibit people in the United States from doing business with entities or individuals in a country of concern or “subject to its control, direction, or jurisdiction.”
Nor would it impose measures that would limit U.S. efforts to increase public access to scientific research, the sharing and interoperability of electronic health information, or patient access to data.
Notably, the order does not impose a general requirement that companies store sensitive data of Americans or U.S. government-related data within U.S. territory. Nor does it seek to rewrite the 2023 voluntary data privacy framework for data transfers between the European Union and the United States.
In short, it is unlikely to change the activities and practices of U.S. commercial data brokers unless such activities involve countries of concern.
What's next?
The various agencies directed to act must do so within time periods clearly specified in the order (ranging from four months to a year), so for now it's a wait-and-see situation. Meanwhile, President Joe Biden has joined a long list of people who continue to urge Congress to pass comprehensive bipartisan privacy legislation.
This article is republished from The Conversation, a nonprofit, independent news organization that provides facts and analysis to help you understand our complex world.
Author: Anne Twomey McKenna, University of Richmond.
Anne Twomey McKenna is co-chair of the Institute of Electrical and Electronics Engineers (IEEE) and the U.S. Artificial Intelligence Policy Committee (AIPC), which includes education-related interactions with Congressional staff in the U.S. Senate and House of Representatives and the Congressional AI Caucus. McKenna has received funding from the National Security Agency to develop legal education materials on cyber law and collaborated with the U.S. Department of Justice's COPS Division on a legal analysis of the use of drones in domestic law enforcement, funded by the National Police Foundation.