
US moves ahead with crackdown on data brokers selling to six 'countries of concern'

(2024/10/22)


The US federal government is poised to implement an Executive Order that would ban data brokers selling significant amounts of information to buyers in six countries.

On February 28, President Biden [1]issued an [2]Executive Order [PDF] - "Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern". The order empowered the Department of Justice to block data sales to unfriendly countries, namely China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

In March, the House of Representatives [3]voted unanimously to implement such a plan, but excluded Cuba and Venezuela.

And then, nothing happened.

But now the White House has decided to use the powers granted under the Executive Order and has opened a [7]30-day public consultation period before finalizing how the order will be applied.

Under the proposed rules, US citizens would be prohibited from selling data to, or processing data within, firms that are at least 50 percent owned by "a country of concern," or individuals primarily residing there. The restrictions, to be enforced by the DoJ's National Security Division, kick in after an entity meets the following thresholds:

Personal financial data on over 10,000 US persons

Personal health data on over 10,000 US persons

Precise geolocation data on over 1,000 US devices

Human genomic data on over 100 US persons

Biometric identifiers on over 1,000 US persons

Certain covered personal identifiers on over 100,000 US persons

Or any combination of these data types that meets the lowest threshold for any category in the dataset

"A US company would be prohibited from hiring a laboratory in China to analyze more than 100 US persons' data or DNA samples, and a US company that holds more than 10,000 US persons' financial or health data would have to comply with Justice Department security requirements if, say, it gave the equity staking its firm to a Russian investor, hires a Chinese headquarter company to store or process, or hires employees who primarily reside in China as part of its global IT team," a senior Justice Department official said on Monday.

"The prohibitions would also be triggered if any government-related data, such as precise geolocation data within certain geographic areas relating to US government facilities and activities or sensitive personal data on US government personnel."

There are, of course, exceptions. Official government activities are exempt, as are transactions related to the provision of basic telecommunications services such as international calls. Harmless personal communications that "do not transfer anything of value" are also not covered. Regulatory disclosures for clinical drug or medical device trials are likewise exempt, according to the Justice Department. As with many US restrictions, exemptions can be requested from the DoJ through a licensing process.

"Transfers from, say, a US based app to a Chinese parent or within a corporate group would be regulated by the prohibitions," a senior Homeland Security official said. "There is an exception for the sharing of data that is part of routine administrative or ancillary and business processes like payroll or resources or tax payments or the like."

Despite all these get-out clauses, the rules are at least a step forward on the long and tortuous path to improving data protection for US residents. That path is yet to include a strong national data privacy law, an idea that does not feature prominently in this year’s US election campaigns. ®



[1] https://www.theregister.com/2024/02/28/white_house_sensitive_data/

[2] https://www.govinfo.gov/content/pkg/FR-2024-03-01/pdf/2024-04573.pdf

[3] https://www.theregister.com/2024/03/21/congress_votes_unanimously_to_ban/

[7] https://www.justice.gov/opa/pr/justice-department-issues-comprehensive-proposed-rule-addressing-national-security-risks



More holes than a fishing net...

NapTime ForTruth

...should be fine. At least we can say we did something. Or approximately nothing, which is close enough, right?

What you *can* do...

DrkShadow

They could start a wholly-owned American company, perhaps employing Chinese people (perhaps a couple with American citizenship), and the Chinese (businesses?) who want to interact with this company can "invest" in the company -- heavily.

The company that is wholly American-owned, then, can "license" the data out to any Chinese-origin companies (or entities) that wish to use the data. No sales required! Or, if licenses are not permissible, then certain things can be made freely available, perhaps as part of technical demos, marketing data or example data, about their "products". Of course, for any other American companies, to whom they *are* allowed to sell things, they can happily make this all for sale. Good thing they had that initial investment, to get started! Now they've got a "product".

Not that I've *ever* seen anything like this such as with regards to CFIUS and Chinese companies buying restricted American technology. Nope. Never. That would *never* happen. This stuff is _regulated_.
