February 29, 2024

CNAS Responds: Executive Order to Protect Americans’ Sensitive Personal Data

Last night, the Biden administration issued an executive order (EO) that limits the sale of sensitive American data to countries of concern, such as China and Russia. This includes data like genetic information, fingerprints, health records, location data, financial information, and personal details. Today, CNAS experts provide their analysis of the new EO, commenting on what is included, what is left out, and its broader implications.

All quotes may be used with attribution. To arrange an interview, email Alexa Whaley at awhaley@cnas.org.

Vivek Chilukuri, Senior Fellow and Director, Technology and National Security Program:

The new executive order reflects three important realities. First, Washington continues to grasp for a new consensus on how to balance its historic commitment to the open, free flow of goods and data with national security imperatives from the global technology competition. Just as the United States learned the hard way about the dangers of surrendering its supply chains for advanced chips to the free market, it has also learned the dangers of allowing third-party data brokers to operate with virtually no restrictions on the collection, storage, and sale of bulk sensitive personal data—including to competitors like Russia and China. In both cases, the free market failed to consider U.S. national security interests, and Washington is now improvising to repair the breach.

Second, the age of AI has raised the stakes of data protection beyond privacy into the realm of national security. Beijing has used licit and illicit means to amass genomic and health data from across the globe, including from Americans. Paired with its massive domestic data collection, Beijing now has unrivaled access to bulk biodata it can combine with advanced AI tools to unlock powerful insights to propel health research and innovation, develop novel vaccines (or viruses), and secure a lead in critical emerging biotechnologies. If data is the new oil, this executive order is a targeted way to tighten the spigot for competitors like China.

Third, the executive order could foreshadow more decoupling of digital infrastructure across the globe if both China and the United States increasingly restrict each other’s access to sensitive data, raising difficult questions for governments and companies caught in the middle. For example, the executive order calls on the Committee on Foreign Investment in the United States (CFIUS) to consider risks to bulk sensitive personal data in existing or future licenses of submarine cable systems—the backbone of global data flows. This is a shot across the bow for any submarine cable system in CFIUS’s purview that involves Chinese-linked firms. If America’s allies and partners pursue similar policies, and China responds in turn, the splintering of global digital infrastructure does not seem so far-fetched.

Emily Kilcrease, Senior Fellow and Director, Energy, Economics and Security Program:

It's about time.

With the release of the data security executive order, the U.S. government has finally taken a concrete step toward increasing data security of the U.S. public. For far too long, there have been virtually no restrictions on the collection and sale of vast troves of data on American citizens to foreign adversaries. The EO is a well-targeted and reasonable approach to put in place restrictions on the unfettered sale of sensitive personal data, at least when it comes to foreign transactions.

This news is not, however, an unmitigated success. The EO, which is based on international emergency powers and applies only to transactions with foreign parties, cannot address broader concerns related to data privacy. In other words, U.S. citizens still have little control over how their data is collected and used domestically. A robust debate is ongoing in the United States over how much control technology companies have over the data of individuals, and the EO does not (and indeed, cannot) resolve this. If the United States is serious about data protection, it must pass data privacy legislation as a necessary complement to the data security EO.

While the EO gives a polite nod to the importance of open data flows, there remains a yawning void in the U.S. digital trade space, left by the recent U.S. retreat from its traditional digital trade positions. Digital trade agreements are intended to enable open flows of data and digital goods in an increasingly connected world, while providing governments flexibility to regulate domestically for legitimate public policy purposes. There is a real opportunity to use digital trade agreements to raise global standards on a range of issues central to the future of the digital economy (e.g., online safety, consumer protection, gig workers). Yet, the United States appears afraid of its own shadow when it comes to digital trade and has failed to leverage these opportunities. While the data security EO is urgently needed, the United States must pursue a balanced strategy for the digital economy, one that includes robust security protections and positions the United States for a leadership role in setting the rules for an open digital future.

Hannah Kelley, Research Associate, Technology and National Security Program:

The new data protection executive order targets legal (though problematic) transfers of U.S. personal and government data to countries of concern, namely through commercial data brokers. Shutting down these easy access points is important. Right now, amassing sensitive U.S. data is far too easy for competitor states willing to pay a premium. But this EO only serves as a first step to keeping adversarial data acquisition at bay—especially when these actors have historically used a variety of access vectors, both legal and illegal. For example, China has acquired the rights to U.S. genetic data and records through stock purchases and corporate partnerships, as well as by outright buying U.S. genetics companies such as San Jose-based Complete Genomics. Beijing is also notorious for using hackers-for-hire to infiltrate U.S. industry and government systems in search of sensitive data.

Closing this particular legal access vector is not a fail-safe—especially when the countries in question don’t always play by the rules. It is, however, a necessary move to cause more friction for bad actors who continue to seek out U.S. sensitive data. Taken together with efforts to strengthen CFIUS authorities and export controls—as well as a number of other high-impact EOs on issues relating to biotechnology, outbound investments, and AI safety and security—the new data protection EO signals continued government urgency to maintain U.S. leadership and crack down on the misuse of U.S.-origin tech and technical inputs abroad. While ironing out implementation of this foreign-facing EO is a priority, the United States must also pursue an enduring framework for domestic data protection and shore up government and industry cybersecurity to better guard against backdoors to foreign bulk data theft.

All CNAS experts are available for interviews. To arrange one, contact Alexa Whaley at awhaley@cnas.org.
