President Biden issued an govt order to “defend People’ delicate private information from exploitation by international locations of concern.” In brief, the order seeks to mitigate nationwide safety danger by stopping corporations from promoting, sharing, or transferring delicate information on People to unnamed “international locations of concern,” which the New York Instances stories are China, Russia, Iran, North Korea, Cuba, and Venezuela.

The limitation to 6 international locations of concern confirms that that is extra about nationwide safety and counterintelligence than it’s about defending customers’ information. However the nationwide safety angle is a brand new one and will encourage federal privateness laws that’s extra expansive than this govt order.

The Order Addresses Two Areas Of Danger

This order defines delicate information as the same old suspects — genomic and biometric information, monetary information, private well being information — but it surely additionally covers geolocation information and “sure sorts of personally identifiable data.” The chief order frames the dearth of strong information privateness protections as a danger from two angles:

1. A nationwide safety danger. The order makes a number of references to how industrial information brokers and different corporations can promote these classes of client information, which might ultimately discover their technique to international governments, militaries, and intelligence providers. In flip, the order argues, the sale of this information raises “vital privateness, counterintelligence, blackmail dangers, and different nationwide safety dangers.”
2. A civil liberties danger. With pointed information shopping for or information gathering efforts, international locations of concern can entry delicate information belonging to “activists, teachers, journalists, dissidents, political figures, and members of nongovernmental organizations and marginalized communities.” Mixed with blackmail and different dangers outlined above, this might probably give dangerous actors leverage to intimidate or in any other case silence dissidents and influential voices, curbing their freedom of expression.

Biden Responds To A Tidal Wave Of Information Privateness And Safety Issues

This govt order is an unsurprising response to a damning string of investigations and Congressional hearings on client information. Final 12 months noticed a number of US states with pending biometrics information laws, two landmark circumstances associated to Illinois’ Biometric Info Privateness Act, an information breach at 23andMe, and vital breaches of main telco corporations (T-Cellular, Comcast, AT&T, Verizon).

Double Down On Privateness, Safety, And Danger As A Strategic Precedence

The chief order sends an necessary sign in regards to the Biden administration’s prioritization of information privateness and safety & danger. It isn’t complete, however it’s a step in the appropriate route. Government orders create a trickle-down impact, as they influence corporations that work with the federal government and affect change amongst distributors and enterprises — comparable to in 2021, with Biden’s govt order on Zero Belief. With this govt order, keep watch over:

• New regulation of delicate private information. The order calls on the Division of Justice (DOJ) to challenge rules that defend customers’ delicate information. It additionally calls on the DOJ to raised defend delicate government-related information, together with information on members of the navy and geolocation information on delicate websites. That may create ripple results as information brokers contemplate the sensitivity of the information that they’re promoting and probably limit entry or sale sooner or later.
• Your parameters of information sharing along with your third-party ecosystem. Your organization is instantly accountable for information on clients, staff, and companions that makes its method into the arms of “international locations of concern.” Catalog all third-party entities which have entry to this information, together with advertising applied sciences, businesses, and open-source apps, and be sure that your group is following third-party danger administration finest practices with a view to defend your clients and your model. In circumstances the place you might be sharing information with third events, use our trusted information sharing framework to slender the belief hole.
• Your dealing with of kids’s information. The final sentence of the chief order provides a nod to defending the protection of kids. In 2023, of the highest 35 international privateness abuses, fines, and violations that we analyzed, 4 fines — totaling practically $424 million — associated to the misuse and retention of kids’s information, along with a scarcity of transparency, discover, and consent for information assortment and processing.
• Your necessities as rules implement cybersecurity measures. This order is one more instance of cybersecurity necessities established within the non-public sector beneath the guise of nationwide safety issues. Because the administration works to “set excessive safety requirements to stop entry by international locations of concern,” organizations have to be ready for these requirements to trickle all the way down to the non-public sector. Cataloging the governments that corporations are related to, and the way information is managed and accessed in and by every of these areas, is essential as extra orders like these are established.
• Your use of geolocation and IP addresses for decisioning. GPS and IP deal with geolocation, system status/fingerprinting, and behavioral biometrics information are thought of private data in lots of European international locations and Canada. This bars their use for advertising and gross sales focusing on functions however permits their use for safety and fraud administration functions. We count on that this govt order will pave the best way for US laws that stipulates the allowed makes use of and sharing of private data on a per-use-case foundation. How retailers, banks, and different corporations’ lobbies reply to such laws stays to be seen.

There’s greater than meets the attention with this govt order. We’ll proceed to watch (and weblog about!) the influence of this order. Within the meantime, arrange a steerage session when you’d like a deeper dive.