
CBDF Authors Examine National Security, Data Flows, China De-Risking, and the New Executive Order on Bulk Data Sales

This week, CBDF authors Samm Sacks and Peter Swire published three articles at the intersection of national security and data flows. All three articles address, at least in part, President Biden’s February 28 Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, as well as the Advance Notice of Proposed Rulemaking (ANPRM) from the Department of Justice, with comments due in 45 days, to implement the executive order.

(1) “Limiting Data Broker Sales in the Name of U.S. National Security: Questions on Substance and Messaging,” Peter Swire & Samm Sacks, Lawfare (Feb. 28, 2024):

The authors begin this article:

“A new executive order issued today contains multiple provisions, most notably limiting bulk sales of personal data to “countries of concern.” The order has admirable national security goals but quite possibly would be ineffective and may be counterproductive. There are serious questions about both the substance and the messaging of the order.

The new order combines two attractive targets for policy action. First, in this era of bipartisan concern about China, the new order would regulate transactions specifically with “countries of concern,” notably China, but also others such as Iran and North Korea. A key rationale for the order is to prevent China from amassing sensitive information about Americans, for use in tracking and potentially manipulating military personnel, government officials, or anyone else of interest to the Chinese regime.

Second, the order targets bulk sales, to countries of concern, of sensitive personal information by data brokers, such as genomic, biometric, and precise geolocation data. The large and growing data broker industry has come under well-deserved bipartisan scrutiny for privacy risks. Congress has held hearings and considered bills to regulate such brokers. California has created a data broker registry and last fall passed the Delete Act to enable individuals to require deletion of their personal data. In January, the Federal Trade Commission issued an order prohibiting data broker Outlogic from sharing or selling sensitive geolocation data, finding that the company had acted without customer consent, in an unfair and deceptive manner. In light of these bipartisan concerns, a new order targeting both China and data brokers has a nearly irresistible political logic.

Accurate assessment of the new order, however, requires an understanding of this order as part of a much bigger departure from the traditional U.S. support for free and open flows of data across borders. Recently, in part for national security reasons, the U.S. has withdrawn its traditional support in the World Trade Organization (WTO) for free and open data flows, and the Department of Commerce has announced a proposed rule, in the name of national security, that would regulate U.S.-based cloud providers when selling to foreign countries, including for purposes of training artificial intelligence (AI) models. We are concerned that these initiatives may not sufficiently account for the national security advantages of the long-standing U.S. position and may have negative effects on the U.S. economy.

Despite the attractiveness of the regulatory targets—data brokers and countries of concern—U.S. policymakers should be cautious as they implement this order and the other current policy changes. As discussed below, there are some possible privacy advances as data brokers have to become more careful in their sales of data, but a better path would be to ensure broader privacy and cybersecurity safeguards to better protect data and critical infrastructure systems from sophisticated cyberattacks from China and elsewhere.”

The authors conclude:

“The U.S. government has opened a new chapter in how it regulates data flows with recent actions at the WTO, scrutiny of foreign purchasers of cloud services, and the executive order regulating bulk commercial data transfers. To reassure allies and fend off excessive limits in other countries on cross-border activity, the Biden administration should clearly and convincingly explain the vast gulf between the U.S. system, with a presumption of openness to the global internet, and the Chinese system, with its presumption of blocking exports of data and imports of foreign ideas.

The new limits on data sales restrict global commerce but likely with little to no national security upside. The new set of administration actions may hurt U.S. strategic interests, from ceding ground to Chinese cloud service providers and cable to freezing out lawful U.S. and allied access, under FISA Section 702 and other authorities, to global data flows. Identifying these strategic ripple effects of the recent policy shift illustrates how there is a false binary between economic gain versus national security risk—U.S. economic success abroad often benefits national security.

U.S. policymakers are correct to be concerned about Beijing’s access to American data in an era of strategic competition. Although the order may spur the creation of due diligence programs for data brokers, the best way to address data risks is by enacting nationwide privacy protections, such as the American Data Privacy and Protection Act. The U.S. government should continue to pursue a range of cybersecurity improvements, to protect data and information technology systems, and to respond directly to ongoing Chinese attacks on critical infrastructure. Far less clear is whether new data regulations in the name of national security will succeed in blocking an advanced persistent threat of China’s nature.”
 

(2) “The Executive Action on Sensitive Bulk and Government-Related Data Sales to Adversary Nations,” Emily Benson, Samm Sacks & Peter Swire, Center for Strategic and International Studies (Feb. 29, 2024).

This briefing document summarizes key aspects of the Executive Order and ANPRM, including:

  1. Content of the executive action
  2. Risks this action seeks to address
  3. How the rules will be implemented
  4. The rules’ statutory authority
  5. The impact of the rules on the physical infrastructure through which data flows
  6. Likely implementation and enforcement challenges
  7. The United States and digital sovereignty
  8. Next steps

 

(3) “Mapping U.S.-China Data De-Risking: Accumulating Barriers and Safeguards for Data Transfers,” Samm Sacks, Yan Luo & Graham Webster, DigiChina, Stanford Geopolitics, Technology & Governance: Freeman Spogli Institute (Feb. 29, 2024).

In this 20-page report, the authors summarize relevant policy changes in the U.S. and China since an earlier DigiChina and New America report in 2020.

The authors observe:

“The United States and China have long stood far apart on data controls, with China decades into developing inbound barriers in the form of the Great Firewall and years into crafting outbound controls to protect national security, and the United States traditionally a vocal advocate for Internet freedom and free flows of data across borders. These two recent developments show that, while still far apart, reckoning with data’s role in society and the economy can sometimes mean they take a step or two toward one another. Beijing regulators seemingly found that their security-motivated efforts to scrutinize all data transfers indiscriminately were having unintended negative consequences on the growth of the economy in general and on foreign investment in particular, and some in Washington apparently believe an ideological commitment to maximally free flows could be a barrier to mitigating data harms. Both sides also appear to be seeking to carve out space to allow data flows in areas deemed less sensitive to national security. At the center of this moment of slight convergence is work on both sides to figure out which forms and uses of data might have national security implications, and how to manage those risks. If nothing else, the two governments share a wariness of each other (among others around the world) and a determination not to let data be their downfall.”

The report summarizes a number of recent policy actions and proposals in the United States, including:

  1. EO on Bulk Sensitive Personal and Other Data (2/24)
  2. Proposed Rule Would Add Know-Your-Customer Requirements for Cloud Providers (1/24)
  3. Final Rule on Securing the Information and Communications Technology and Services (ICTS) Supply Chain (6/23)
  4. Introduction of Protecting Military Service Members’ Data Act (3/23)
  5. Introduction of RESTRICT Act (3/23)
  6. EO adds data to CFIUS concerns (9/22)
  7. EO on “Protecting Americans’ Sensitive Data from Foreign Adversaries” (6/21)
  8. ICTS Interim Rule (1/21)
  9. Two EOs seeking to ban TikTok and WeChat (8/20)
  10. Regulations to implement the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA)
  11. Department of the Interior action concerning DJI and other Chinese-made drones and components (1/20)
  12. Original ICTS Supply Chain EO (5/19)

 

The report also summarizes a number of recent Chinese policy actions and proposals:

  1. Cyberspace Administration of China issues draft changes to data transfer procedures (9/23)
  2. Rules outlining “Standard Contract” route for compliant data transfers (2/23)
  3. Final rules on outbound data transfer security assessments (9/22)
  4. Personal Information Protection Law takes effect (11/21)
  5. Data Security Law takes effect (9/21)
  6. Regulation on smart vehicle data security (8/21)
  7. Regulation issued on Critical Information Infrastructure (8/21)
  8. Revised Cybersecurity Review Measures (7/21)
  9. Limits on Foreign Access to Genetic Data (6/19)

 

These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.