Biden Wants to Limit Data Transfers to Adversaries

Closing the barn door after the horse has left.

The Record (“Biden administration proposes new rules governing data transfers to adversarial nations”):

The Biden administration announced on Monday new proposed rules for regulating the transfer of certain data to adversarial countries such as China and Russia, creating specific requirements for how sensitive personal and federal information can be shared, if at all.

The proposed regulations follow the release of a February executive order designed to block foreign adversaries from exploiting easily obtained American financial, biometric, precise geolocation, health, genomic and other data to carry out cyberattacks or spy on Americans.

Under the proposed rules, data transfers to companies and individuals in six countries — China, Russia, Iran, North Korea, Venezuela and Cuba — will be prohibited when specific pre-set volume thresholds are exceeded, according to a detailed fact sheet released by the administration and comments from senior administration officials.

Specifically, U.S. companies will be restricted from transferring more than 100 Americans’ genomic data across any 12-month period to the targeted countries. Data transfers for more than 1,000 Americans’ geolocation data and biometric identifiers, more than 10,000 Americans’ health and financial data and more than 100,000 Americans’ personal identifiers also will be barred. 

Personal identifiers include names linked to device IDs, Social Security numbers and driver’s license numbers.

Data belonging to even a single active duty member of the military or federal personnel will be prohibited from being transferred, as will data broker sales where the seller has reason to believe the information they are peddling will make its way to any of the six countries.

So, on the one hand, this seems like a reasonable and prudent measure. On the other, it strikes me as futile.

Many if not most of the companies involved are multinational. If their data is available in any number of non-US countries that don’t have similar laws, US law won’t protect said data. And, of course, these governments are unlikely to purchase the data directly rather than through a stalking horse. For that matter, China, Russia, and Iran have elite-level hacking capabilities, so they can likely get it without purchasing it.

To the extent we’re serious about protecting this data, then, it would seem that the thing to do would be to preclude the firms from collecting it in the first place. But, of course, they’re major campaign donors.

FILED UNDER: Intelligence, Science & Technology
James Joyner
About James Joyner
James Joyner is Professor of Security Studies at Marine Corps University's Command and Staff College. He's a former Army officer and Desert Storm veteran. Views expressed here are his own. Follow James on Twitter @DrJJoyner.

Comments

  1. ~Chris says:

    So, to sum up, let’s start somewhere or let’s do nothing.

  2. James Joyner says:

    @~Chris: It’s perfectly reasonable to look at obvious flaws in policy proposals in assessing their probability of achieving their desired outcomes. It’s good that, near the end of his presidency, Biden is tackling a major problem. But this simply won’t do much to solve it.

  3. Stormy Dragon says:

    This seems a pretty straightforward extension of the ITAR technical data rules, so this is something we already know how to enforce relatively well.

  4. Jay L Gischer says:

    Hmmm, in the 90’s there were export controls on high-end computers. This had an impact on the company I worked for at the time – Silicon Graphics (which by the way also made supercomputers) – even though it was a multinational with a manufacturing plant in Switzerland.
