Skip to content

Illustration by iStock; Security Management

Sensitive Data for Sale: White House Looks to Curb Foreign Governments’ Ability to Buy Americans’ Information

There is a vast amount of personal data available for sale online, and it has been heavily used for intelligence gathering by spy agencies worldwide, said a 2022 U.S. intelligence report, which was declassified in June 2023. Commercially available data opens up avenues for governments to spy on foreign adversaries, but it also exposes individuals—whether government or military personnel or civilians—to hacking and blackmail threats.

Today, U.S. President Joe Biden will issue an executive order intended to curb foreign governments’ ability to buy Americans’ sensitive personal information, including genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information.

“Bad actors can use this data to track Americans (including military service members), pry into their personal lives, and pass that data on to other data brokers and foreign intelligence services,” a White House fact sheet said. “This data can enable intrusive surveillance, scams, blackmail, and other violations of privacy.”

The order marks a rare policy effort to address national security concerns about data acquisition and exploitation, CNN reported. “A surge in recent years in the amount of personal information on U.S. citizens that can be bought and sold online has alarmed lawmakers and senior U.S. officials focused on national security,” CNN said. “The concern is that U.S. adversaries are augmenting traditional sources of intelligence like codebreaking and human sources by simply going online to shop for it.”

The order will give the U.S. Department of Justice (DOJ) the authority to regulate commercial transactions of Americans’ data that “pose an unacceptable risk” to national security, including those that give a foreign government or a company owned or controlled by a foreign power large-scale access to Americans’ personal data.

“Companies are collecting more of Americans’ data than ever before, and it is often legally sold and resold through data brokers,” the fact sheet said. Data brokers buy personal information, including people’s Social Security numbers, names, addresses, income, employment history, and criminal background. “Commercial data brokers and other companies can sell this data to countries of concern, or entities controlled by those countries, and it can land in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments.”

The fact sheet warned that countries of concern (without specifying which countries are under the microscope here) can also access Americans’ private data through these transactions to collect information on academics, activists, dissidents, journalists, political figures, and more to “intimidate opponents of countries of concern, curb dissent, and limit Americans’ freedom of expression and other civil liberties.”

So, what does the executive order require government agencies to do? Among the directives:

  • The DOJ must issue regulations to establish clear protections for Americans’ sensitive personal data from access and exploitation by countries of concern.
  • The DOJ must issue regulations that establish greater protection of sensitive government-related data, such as geolocation information on sensitive government sites and military members’ information.
  • The DOJ must work with the Department of Homeland Security (DHS) to set high security standards to prevent countries of concern from accessing Americans’ data through commercial means.
  • The Departments of Health and Human Services, Defense, and Veterans Affairs must help ensure that federal grants, contracts, and awards are not used to facilitate access to sensitive health data.

The executive order is intended to apply narrowly so it does not hurt business transactions that do not pose a national security risk, administration officials told reporters. That could be a particularly challenging needle to thread.

“The big question is whether we should consider this executive order a stark deviation from decades of U.S. support for data flows or a targeted set of privacy protections for sensitive personal data in response to national security threats,” said Caitlin Fennessy, chief knowledge officer and vice president of the International Association of Privacy Professionals, in an emailed statement. “Given longstanding difficulties advancing broad-based federal privacy legislation, the Administration may have seen executive action as the only viable option to advance privacy protections to address what it perceives as an imminent risk. Privacy professionals will now turn their attention to the practical implications—which organizations, data, and transfers are implicated, which might be down the line, and what will be needed to comply.”