Cornell Journal of Law and Public Policy

(Source)

Introduction:

In a brief period, two branches of the U.S. government have unveiled ambitious initiatives aimed at safeguarding Americans’ personal data from hostile exploitation. While their approaches differ, both share a foundational commitment to national security. This alignment is noteworthy, particularly as Congress grapples with stalled comprehensive privacy legislation and the reauthorization of key surveillance authorities with enhanced privacy measures.

These initiatives transcend mere privacy protections—often likened to sector-specific federal laws or state privacy regulations like the EU’s GDPR. They are fundamentally rooted in national security concerns. As targeted efforts against specific threats, they have the potential to bolster the nation’s cyber defenses and complicate adversarial maneuvers while offering some privacy safeguards. However, their efficacy hinges on their integration into a cohesive, government-wide data protection strategy that effectively shields personal information from malicious use. Existing frameworks such as the National Security Strategy, National Intelligence Strategy, and National Cybersecurity Strategy underscore the pressing need for a comprehensive National Data Protection Strategy to address these emerging threats.

Recent Developments – An Overview:

On February 28, 2024, President Joe Biden signed Executive Order 14117, designed to protect Americans’ sensitive personal data and government-related information from exploitation by designated “countries of concern.” This order mandates the Department of Justice (DOJ) to develop corresponding regulations. Following this, the DOJ issued an advance notice of proposed rulemaking (ANPRM), a 23-page document, outlining key proposals and inviting public commentary and participation. The DOJ is contemplating measures to restrict or prohibit transactions involving defining this term to encompass various personal identifiers, precise geolocation data, biometric identifiers, genomic information, health records, and financial data. These regulations would apply when the volume of such data exceeds certain thresholds, except for data related to U.S. government personnel or locations.

The proposed regulations would target “ ,” defined as entities or individuals under the control of “ ,” a classification aligned with a . as per 31 CFR Section 560.210. Simultaneously, the Department of Commerce issued its own ANPRM concerning information and communications technology (ICT) in connected vehicles, seeking public input on strategies to mitigate the risk of foreign adversaries misusing these systems to collect sensitive personal data. On March 20, 2024, the House of Representatives unanimously passed a bill prohibiting “data brokers” from disclosing sensitive information about U.S. individuals to designated foreign adversaries.

Assessing the National Security Framework:

A decade ago, the breach of sensitive background investigation records at the Office of Personnel Management (OPM) sent shockwaves through government circles, revealing vulnerabilities that extended to cyber intrusions at Equifax, Marriott, and Anthem, all attributed to the People’s Republic of China (PRC). This year, a cybersecurity advisory disclosed that PRC-affiliated operatives, known as Volt Typhoon, are actively attempting to infiltrate IT networks, positioning themselves for potential disruptive cyberattacks on critical U.S. infrastructure during times of crisis. These incidents contribute to an increasingly perilous threat landscape, as highlighted by the U.S. Intelligence Community (IC). The ANPRM draws upon the , emphasizing that adversaries view data as a vital asset, seeking to acquire personally identifiable information and other data types to bolster their capabilities in espionage, influence operations, kinetic actions and cyberattacks, ultimately undermining the U.S. economy and strategic position.

The 2024 Annual Threat Assessment issued by the Director of National Intelligence (DNI) warns that “China continues to pose the foremost and enduring cyber threat” to U.S. networks. China’s cyber espionage activities, combined with its export of surveillance technologies, heighten the risk of aggressive cyber operations targeting critical infrastructure, particularly if a major conflict with the U.S. seems imminent.

Regarding other nations, Russia remains a persistent global cyber threat, employing cyber disruptions as a tool of foreign policy while attempting to undermine Western alliances. Iran is noted for its growing capacity for aggressive cyber operations, while North Korea continues its cyber activities, particularly in cryptocurrency theft. The assessment does not identify similar threats from Cuba or Venezuela, though President Biden extended a national emergency declaration concerning Venezuela on March 5, 2024. Previous assessments noted attempts by both Cuba and Venezuela to influence the 2020 U.S. elections.

Moreover, the IC warns of a broader trend in digital repression. The indicated that foreign governments are increasingly utilizing digital technologies to monitor and suppress political discourse domestically and among expatriate communities. According to the 2024 Annual Threat Assessment, digital technologies, particularly artificial intelligence (AI), have become central to the repressive strategies of various regimes. China is advancing AI for applications in surveillance, smart cities, and military technologies, while Russia is employing AI to generate deepfake content, and potentially deceiving experts.

Exploring the Significance of Personal Data:

The ANPRM articulates that the unrestricted transfer of vast amounts of sensitive personal and government-related data to designated countries poses significant risks to U.S. national security and foreign policy. The following broad categories are noteworthy:

Malicious cyber activities facilitated by personal data enable hostile actors to breach systems for a spectrum of harmful objectives, including disrupting critical infrastructure, financial theft, and intellectual property misuse. While the Order and ANPRM do not cite specific instances, cybersecurity experts consistently caution about the tactics used by malicious actors, such as social engineering (like posing as a trusted individual) to acquire login credentials or prompt the installation of malware.

Identifying and focusing on individuals with access to sensitive systems or data is closely linked to the previous point. Information about government personnel, whether obtained directly or indirectly, could facilitate additional access to sensitive data. Furthermore, it could potentially disclose the locations of previously undisclosed sensitive facilities. Smear , enhancing the creation of believable synthetic content and improving the precision in crafting and targeting messaging for malicious purposes and similar activities. Access to personal data could assist governments in identifying dissidents and their supporters globally, facilitating digital repression tactics. Advanced technology, particularly Artificial Intelligence, increases the demand for extensive data to enhance capabilities. This enables regimes to efficiently sift through large volumes of data, accelerating their ability to exploit information for malicious ends as described earlier.

Current Strategies in Safeguarding Personal Data from National Security Risks:

To combat emerging threats, the executive branch has employed legal mechanisms across three primary areas. One significant initiative is the Committee on Foreign Investment in the United States (CFIUS), which evaluates foreign investments for potential national security risks. The 2018 Foreign Investment Risk Review Modernization Act (FIRRMA) enhanced CFIUS’s authority to include assessments of risks related to personally identifiable information and other sensitive data.

FIRRMA mandates that CFIUS examine the implications of foreign access to such data, a focus further emphasized by President Biden’s Executive Order 14083, issued on September 15, 2022. This order directs CFIUS to consider whether transactions might transfer sensitive U.S. data to foreign entities that could threaten national security. However, CFIUS primarily scrutinizes investment transactions, leaving other avenues for foreign data access, such as data broker acquisitions, largely unaddressed.

Former President Trump’s Executive Order 13873 identified foreign adversaries exploiting vulnerabilities in information and communications technology (ICT). This order restricts specific ICT transactions with foreign adversaries due to perceived risks. The Department of Commerce has acted on this by issuing an ANPRM concerning connected vehicles and by defining “foreign adversaries,” which includes nations like China, Russia, and Iran.

Additionally, Executive Order 13913 formalized the interagency Committee for the Assessment of Foreign Participation in the Telecommunications Sector, known as Team Telecom, which aids the Federal Communications Commission (FCC) in evaluating foreign involvement in U.S. telecommunications. These initiatives suggest that their architects are acutely aware of both the capacities and limitations of existing frameworks, aiming to address gaps in national security regarding foreign access to sensitive data through commercial transactions. As stated in the DOJ’s fact sheet, current mechanisms, while useful for case-by-case evaluations, do not comprehensively mitigate risks posed by foreign entities.

A specialized team is overseeing the implementation of the new order within the DOJ’s Foreign Investment Review Section (FIRS), which encompasses CFIUS and Team Telecom. This structure facilitates coordinated enforcement in collaboration with other agencies like the Department of Commerce. The recent proliferation of regulations and executive actions indicates a heightened urgency to address these threats proactively, relying on existing authorities rather than waiting for new legislation. However, this reliance on executive power introduces its own complexities.

Executive Order 14117 – Addressing the Need, Assessing the Scope:

Drawing on Abraham Maslow’s analogy, “if the only tool you have is a hammer, it’s tempting to treat everything as a nail,” the Executive Branch must adeptly utilize its legal authorities and leverage the expertise of seasoned professionals to counter escalating threats effectively. Executive Order 14117 and its accompanying ANPRM demonstrate the depth of experience among officials, representing a natural extension of ongoing interagency efforts to address existing gaps. The comprehensive inquiries within the ANPRM reflect the government’s commitment to gathering public feedback before proceeding.

While the Executive Order 14117 may appear significant, it can be seen as a strategic yet incremental advancement. Coupled with Commerce’s ANPRM on connected vehicles, it reveals a targeted approach focusing on specific high-risk transactions and technologies. The DOJ’s fact sheet emphasizes this targeted nature, which aligns with the government’s aim to mitigate economic impacts while preserving essential cross-border data flows. This focus prompts critical inquiries regarding future regulations:

Countries of Concern: The current static list fails to account for the varied risk profiles of these nations. A dynamic process for adjusting the designation of “countries of concern” would better reflect evolving threats.

Transaction Classification: Determining which transactions to prohibit, restrict, or exempt requires nuanced judgments across numerous factors. Identifying “data brokers” and assessing their respective national security risks remains complex. While the ANPRM employs a thoughtful approach, the long-term viability of these classifications is uncertain. Defining “sensitive” data and establishing thresholds for bulk treatment presents ongoing challenges, especially as AI technologies enable new insights from seemingly innocuous data.

Connected Vehicles: The ANPRM highlights the risks posed by foreign adversaries utilizing technology to collect personal data from various consumer goods. As Intelligence Community leaders caution, the proliferation of Internet-connected devices creates new opportunities for adversaries, amplifying the potential impact of their access to our digital systems. The question arises: what new consumer devices might emerge next?

A Framework for National Data Protection Strategy:

Addressing the inquiries poses a formidable task for current interagency mechanisms, even with enhanced staffing. Confronting such a significant challenge requires a strategic approach. What is the fundamental character of the threat? Which existing legal frameworks can be leveraged in response? What new legislative mandates are necessary? How can the full spectrum of national capabilities be effectively employed? Which governmental bodies are essential participants in this endeavor?

Crucially, formulating a national strategy necessitates meticulous evaluation of the comprehensive efficacy of proposed measures, considering the perpetual evolution of technologies and the dynamic nature of threat landscapes. Indeed, sustainable responses require a holistic approach that acknowledges the intrinsic value of personal data and comprehends the diverse ways it can be exploited, manipulated, and abused by various entities.

The risk to personal data extends beyond “covered persons” under the influence of “countries of concern”; criminals and other malicious entities also actively pursue personal data for nefarious ends. Components of such a strategy would encompass comprehensive engagement with the public and Congress, extending beyond singular proposed regulations to address broader inquiries into optimal methodologies for safeguarding personal data from national security threats. Additionally, collaboration with international partners and allies would be integral, ensuring coordinated actions among democratic nations to enable secure data flows to trusted entities, while implementing equivalent measures to shield data from exploitation by untrusted parties.

This strategy underscores the necessity for comprehensive federal privacy legislation that establishes uniform and fundamental privacy protections nationwide, thereby guiding companies in their practices. By ensuring transparent and legally defined access to commercially accessible personal data by the U.S. government, the United States could assert leadership and differentiate itself from adversaries in safeguarding privacy and civil liberties. In essence, a national strategy would enhance the United States’ ability to fulfill the commitment of the Executive Order 14117 safeguarding personal data as a critical national security imperative.

Suggested Citation: Muhammad Siddique Ali Pirzada, The Imperative for a Comprehensive National Data Protection Strategy in the United States, Cornell J.L. & Pub. Pol’y, The Issue Spotter, (Nov. 1, 2024), https://jlpp.org/the-imperative-for-a-comprehensive-national-data-protection-strategy-in-the-united-states.