President Biden is expected to issue an order as soon as this week to prevent the bulk flow of Americans’ sensitive data — including genetic information — to hostile foreign countries, prime among them China.
The plan takes aim at a controversial practice that privacy advocates have long criticized as an enabler of mass surveillance, whether in the United States or other countries.
The order is designed to block data brokers and other companies from selling access to large stores of geolocation, genomic and other sensitive, personal information to buyers in “countries of concern” such as China, Russia and Iran, administration officials have told industry and civil society experts. The forthcoming order was first reported by Bloomberg News.
Federal officials have for years expressed alarm over the risk that the information bought legally from data brokers or stolen by hackers working for foreign governments could be used to spy on or blackmail high-value targets in the United States, such as lawmakers and military personnel. China, for instance, has been mining Western social media, including Facebook and X, to furnish its security services with information on foreign targets, The Washington Post reported in 2021.
Recent advances in artificial intelligence have also prompted fears that the data could be analyzed in more powerful ways to enable profiling and espionage, including of activists, journalists and political figures. At the same time, new laws in China have restricted foreign access to data once available to academics, researchers and Western companies.
China’s siphoning of tens of millions of Americans’ data, whether through hacking or the purchasing of companies, has long been of concern to U.S. officials. A massive Chinese cyber breach of federal personnel records discovered in 2014 and of Marriott Hotels’ database a few years later, merged with existing intelligence and commercially available information, prompted worry that Beijing — and, to a certain extent, Moscow — was building an ability to track individuals, including undercover CIA officers.
There have been “serious adverse consequences” as a result of these breaches, said one former senior U.S. official, speaking on the condition of anonymity because of the matter’s sensitivity.
Now that vast stores of personal genomic, geolocation, health and financial data are available commercially, officials are concerned that foreign adversaries can simply buy the information in bulk from brokers without users’ knowledge or consent. There are no laws that would stop a genomics company from contracting with a Chinese firm to sequence its genetic specimens, for instance.
“In China they’re using mass data collection for surveillance and repression,” said James A. Lewis, a technology policy expert at the Center for Strategic and International Studies. “And the concern is they might use Americans’ data for malicious purposes.”
At the same time, some analysts said, the order probably will be difficult to implement and enforce, requiring the government to figure out a way to track flows of commercial data on a global scale.
“In the face of a persistent, sophisticated foreign adversary, will this be effective in denying them access to this data?” asked Nigel Cory, associate director of trade policy at the Information Technology and Innovation Foundation. “At this stage it’s hard to see how what the administration is doing will be targeted enough and effective enough to do that.”
Other analysts feared that what the Biden administration intends as a narrow and targeted regime could embolden future presidents or other governments to more aggressively exert their influence over the world’s most powerful communications medium.
“My impression is that the administration does not want to fragment the internet,” Samm Sacks, senior fellow at Yale Law School’s Paul Tsai China Center, said, adding that for now the data categories in the executive order appear to be limited. “But those could expand as we play whack-a-mole” with new types of data collection, she said.
Administration officials declined to comment, as the order has not been issued. But they have said in briefings that such a move is necessary in the absence of a national data privacy law, which would regulate the collection and sale of Americans’ sensitive information. And they have noted that the order merely starts a months-long rulemaking process through which industry and civil society groups can offer suggestions and criticism.
Also prompting the order was a concern that the government has limited ability to deal with the threats of foreign data misuse. The most prominent pathway today — a cross-agency group known as the Committee on Foreign Investment in the United States, or CFIUS — has the authority to review and block individual foreign business deals on national security grounds. The committee has said it needs a comprehensive policy to guide decisions in areas involving businesses that collect sensitive personal data. The Justice Department, which reviews certain telecom-related licenses for national security risk, has similar concerns.
The order will not extend to any “expressive” activity such as Americans’ social media posts, messages or videos on platforms such as TikTok, the popular video app whose ownership by the Chinese tech giant ByteDance has led to fierce debates in Washington over national security and freedom of expression.
The order will not target any one company, such as TikTok. However, if an app is collecting information in bulk considered sensitive because it can help identify a person and their habits, such as geolocation data, that information cannot be sent to any country of concern, experts said.
For each category of restricted data, the administration will specify an amount beyond which the transfer is prohibited — for instance, a certain number of U.S. individuals for genomic data — and a certain number of devices on which geolocation data is collected.
The most sensitive categories include people’s DNA and biometric data, as well as computer keyboard use patterns. The intent is not, for instance, to prevent an American from sending DNA to the genomics company 23andMe to see if she has distant relatives in China, though the firm would be barred from selling data in bulk to China or from working with a Chinese processing firm, they said.
U.S. officials have noted that BGI Group, a Chinese company with a U.S. subsidiary, operates the China National GeneBank, a vast government-owned repository that now includes genetic data drawn from millions of people around the world. Intelligence officials say they believe Chinese companies are trying to acquire DNA from Americans.
China’s quest for genetic data spurs fears of a DNA arms race
“Genomic data will provide the blueprint for future biotech products and capabilities to grow the economy, but in the wrong hands, it could also be weaponized to create engineered pathogens or misused to identify and target individuals,” said Michelle Rozo, vice chair of the congressionally mandated National Security Commission on Emerging Biotechnology. “Genomic data is a strategic resource, and the United States needs to treat it as such.”
The order would cover bulk data exchanged as part of a corporate investment, acquisition or contract, though there may be exceptions if the data exchange meets certain cybersecurity and privacy requirements. The order will exempt ordinary financial activities of multinationals or federal contractors, such as a company or government agency that is processing payroll data for employees in countries of concern.
Some Commerce Department officials have expressed unease that the plan might undermine trade or economic activity, including by imposing complicated new demands on businesses with international operations, some experts said. Administration officials have said the order is drawn narrowly so as to minimize its negative impact.
Experts say enforcement will be challenged by determined adversaries who seek to buy data through third parties in countries outside the United States. “What about the use of proxies?” Cory said. “How do you expect firms to do due diligence to try to figure out who is the ultimate owner of an entity? How do they do that with so many different transactions involving the types of data they’re worried about?”
Whatever rule is eventually adopted, he said, it’s important that it be flexible enough to adapt in the future. “This is uncharted territory,” Cory said.
Cate Brown contributed to this report.