Biden seeks to curb sharing of consumer data with hostile countries

Ting Shen/Bloomberg

President Biden issued an executive order on Wednesday that aims to increase safeguards on Americans' personal data, extending the reach of a data privacy push that is already underway at financial regulators.

The White House's action, which focuses on protecting information like genomic data, biometric data and financial data, is meant to guard against the transfer or sale of customer data to hostile countries.

The executive order urges the Consumer Financial Protection Bureau to take further steps to protect Americans from data aggregators. Following the White House's announcement, CFPB Director Rohit Chopra said in a written statement that the agency will be proposing new rules later this year to "rein in these abuses."

"Today's executive order is a reminder of the urgent need to protect the personal data of Americans," Chopra said in the statement. "Corporate data brokers are assembling and selling extremely sensitive data on all of us, including U.S. military personnel, to foreign purchasers."

Biden's executive order directs several federal agencies, including the Department of Justice, the Department of Homeland Security and the Department of Veterans Affairs, to establish regulations and security standards to limit access to data by "countries of concern." Specific countries weren't listed in the White House's fact sheet, but other news reports named China and Russia. Protections should also cover information obtained through "commercial means," such as via investment, vendor and employment relationships, according to the order.

"The sale of Americans' data raises significant privacy, counterintelligence, blackmail risks and other national security risks," a White House fact sheet about the order states.

The order includes the caveat that the regulation and enforcement of data privacy protections should not "stop the flow of information necessary for financial services activities," or negatively impact economic relationships between the U.S. and other countries.

Chi Chi Wu, senior attorney at the National Consumer Law Center, urged the CFPB on Wednesday to issue a proposed rule as soon as possible. She said in a written statement that strong regulation is required to ensure that data brokers act responsibly.

Over the last year, the CFPB has taken some steps toward increasing consumer data protection.

In August, the agency participated in a White House roundtable regarding "harmful data broker practices," where Chopra said that the CFPB would propose rules to increase the accountability of data aggregation companies. He said that the harms caused by data brokers include the facilitation of fraud and harassment.

"After conducting an inquiry into the practices of data brokers in the surveillance industry, we have decided to launch a rulemaking to ensure that modern-day digital data brokers are not misusing or abusing our sensitive data," Chopra said at the roundtable.

In September, the CFPB proposed major changes to Fair Credit Reporting Act regulations, which would designate data brokers as "credit reporting companies," putting them under the regulatory umbrella. By folding those companies into the 1970 law, the CFPB aims to prevent data brokers from selling data for uses outside of what Congress has deemed permissible. For example, data couldn't be sold to companies looking to use the information for training AI algorithms or for targeted advertising. Under the proposal, consumers would also have the right to access and dispute their data.

Regulation and compliance

CFPB outlines sweeping data proposal, drawing swift bank condemnation

September 21, 2023 5:04 PM

Chopra has also emphasized privacy and data protection across other CFPB initiatives.

The agency's proposed open-banking plan, released in October, would give consumers more control over their financial data by limiting which companies can collect, retain and sell that information.

Under the proposed open-banking rule, companies that gather data could only use it for specific, approved reasons, and could not sell the information.