
White House issues data protection executive order
As any company that’s involved in global operations knows, regulatory compliance can be a complex, ongoing task. With multiple national and regional regulatory regimes such as GDPR in Europe, PIPEDA in Canada, and CPRA/CCPA in California, there are a lot of controls on how certain types of data are gathered, stored, moved, transferred, etc.
A massive exception is the United States of America at the national level, where there is no federal privacy or data protection law, which some see as a threat to the national interest and national security. It is certainly a threat to the privacy of individuals whose private data is collected and stored in the United States.
On February 28, 2024, President Biden issued an executive order to address some aspects of this threat.
Disturbing data-breach trends
In 2023, the number of data breaches globally fell significantly. According to a Surfshark report released in January 2024, nearly 300 million accounts were compromised in breaches — an 18% reduction from 2022’s numbers.
But in the same study, the number of compromised accounts in the U.S. was found to have more than tripled. The increase from 30.9 million to 96.7 million means the U.S. accounts for almost a third of all breached accounts globally. And it pushes the U.S. into first place, replacing Russia as the most-breached nation.
National security angle
The White House views this from a national security angle and is responding accordingly. The chief threat they see is that of U.S. nationals’ PII — including health, location, financial data, and even genomic data — falling into the hands of “countries of concern.”
In the current regulatory desert, U.S. data brokers are able to gather data from a wide variety of sources and sell it on the open market — including to organizations in, or representing, hostile or potentially hostile countries.
The White House is especially concerned about the possibility of such data being used to compromise government employees and agents, including members of the military.
Targeting data brokers
The President’s executive order specifically addresses this concern by authorizing the Attorney General to prevent large-scale transfers of Americans’ personal data to countries of concern. This puts established data brokers and their business model squarely in the crosshairs.
The order includes a number of specific instructions to the Department of Justice, including:
- To specifically regulate increased protection of government sites’ geolocation and military members’ personal data
- To find ways to prevent countries of concern from getting access to U.S. data via other commercial means
- To help ensure government grants and contracts can’t be used to access Americans’ data by countries of concern
And more — including the instruction to carry out these activities without stopping the flow of information necessary for financial services or otherwise decoupling any U.S. trade relationships.
What it means for you
If you operate transnationally, you would do well to identify all the data you store belonging to U.S. nationals.
Then review any relationships you may have with data brokers. It might be a good time to suspend those relationships until there’s greater clarity about the effects of the executive order on their ability to conduct business — and on the potential liability of selling data that ends up in a country of concern.
In the long term, the optimistic view is that the executive order may mark the beginning of a process leading to U.S. legislation comparable to GDPR. Establishing a shared level of privacy and data protection will bring U.S. data-breach numbers in line with the rest of the world. And in the long run, a more secure, consistent regulatory environment is good for business.
