Breaking Down The Executive Order On Sensitive Personal Data

President Biden issued an govt order to “shield People’ delicate private information from exploitation by nations of concern.” In brief, the order seeks to mitigate nationwide safety threat by stopping firms from promoting, sharing, or transferring delicate information on People to unnamed “nations of concern,” which the New York Instances stories are China, Russia, Iran, North Korea, Cuba, and Venezuela.

The limitation to 6 nations of concern confirms that that is extra about nationwide safety and counterintelligence than it’s about defending shoppers’ information. However the nationwide safety angle is a brand new one and will encourage federal privateness laws that’s extra expansive than this govt order.

The Order Addresses Two Areas Of Threat

This order defines delicate information as the standard suspects — genomic and biometric information, monetary information, private well being information — but it surely additionally covers geolocation information and “sure sorts of personally identifiable data.” The manager order frames the dearth of strong information privateness protections as a threat from two angles:

A nationwide safety threat. The order makes a number of references to how business information brokers and different firms can promote these classes of client information, which may ultimately discover their method to international governments, militaries, and intelligence companies. In flip, the order argues, the sale of this information raises “important privateness, counterintelligence, blackmail dangers, and different nationwide safety dangers.”
A civil liberties threat. With pointed information shopping for or information gathering efforts, nations of concern can entry delicate information belonging to “activists, lecturers, journalists, dissidents, political figures, and members of nongovernmental organizations and marginalized communities.” Mixed with blackmail and different dangers outlined above, this might doubtlessly give dangerous actors leverage to intimidate or in any other case silence dissidents and influential voices, curbing their freedom of expression.

Biden Responds To A Tidal Wave Of Knowledge Privateness And Safety Considerations

This govt order is an unsurprising response to a damning string of investigations and Congressional hearings on client information. Final yr noticed a number of US states with pending biometrics information laws, two landmark circumstances associated to Illinois’ Biometric Data Privateness Act, a knowledge breach at 23andMe, and important breaches of main telco firms (T-Cellular, Comcast, AT&T, Verizon).

Double Down On Privateness, Safety, And Threat As A Strategic Precedence

The manager order sends an necessary sign in regards to the Biden administration’s prioritization of information privateness and safety & threat. It isn’t complete, however it’s a step in the best route. Govt orders create a trickle-down impact, as they influence firms that work with the federal government and affect change amongst distributors and enterprises — resembling in 2021, with Biden’s govt order on Zero Belief. With this govt order, regulate:

New regulation of delicate private information. The order calls on the Division of Justice (DOJ) to situation rules that shield shoppers’ delicate information. It additionally calls on the DOJ to higher shield delicate government-related information, together with information on members of the army and geolocation information on delicate websites. That may create ripple results as information brokers think about the sensitivity of the information that they’re promoting and probably limit entry or sale sooner or later.
Your parameters of information sharing along with your third-party ecosystem. Your organization is instantly liable for information on clients, staff, and companions that makes its means into the arms of “nations of concern.” Catalog all third-party entities which have entry to this information, together with advertising applied sciences, businesses, and open-source apps, and make sure that your group is following third-party threat administration greatest practices so as to shield your clients and your model. In circumstances the place you’re sharing information with third events, use our trusted information sharing framework to slim the belief hole.
Your dealing with of youngsters’s information. The final sentence of the manager order offers a nod to defending the protection of youngsters. In 2023, of the highest 35 world privateness abuses, fines, and violations that we analyzed, 4 fines — totaling practically $424 million — associated to the misuse and retention of youngsters’s information, along with a scarcity of transparency, discover, and consent for information assortment and processing.
Your necessities as rules implement cybersecurity measures. This order is yet one more instance of cybersecurity necessities established within the non-public sector underneath the guise of nationwide safety considerations. Because the administration works to “set excessive safety requirements to stop entry by nations of concern,” organizations have to be ready for these requirements to trickle all the way down to the non-public sector. Cataloging the governments that firms are related to, and the way information is managed and accessed in and by every of these areas, is important as extra orders like these are established.
Your use of geolocation and IP addresses for decisioning. GPS and IP handle geolocation, machine fame/fingerprinting, and behavioral biometrics information are thought of private data in lots of European nations and Canada. This bars their use for advertising and gross sales focusing on functions however permits their use for safety and fraud administration functions. We count on that this govt order will pave the best way for US laws that stipulates the allowed makes use of and sharing of non-public data on a per-use-case foundation. How retailers, banks, and different corporations’ lobbies reply to such laws stays to be seen.

There’s greater than meets the attention with this govt order. We’ll proceed to watch (and weblog about!) the influence of this order. Within the meantime, arrange a steering session in case you’d like a deeper dive.