President Joe Biden took a step forward in protecting Americans’ data this week and issued an executive order (EO) to protect Americans’ personal information from hostile governments. It comes a year after a government report outlining how China is buying the data from legitimate data brokers and the mysterious “third-parties” and “certain partners” identified in online terms and conditions.
Almost as soon as it was published, the cybersecurity world was disparaging it.
“He’s not protecting our data from being bought and sold,” said a comment on the Cybersecurity subreddit. “Google, Facebook, Microsoft and so on will still treat you like a commodity.”
Another said, “It’s a great way to pretend to do something without actually doing anything.”
What an EO can and can’t do
The comments were accurate but also indicate a lack of understanding of what presidential EOs can and cannot do. While executive orders can be powerful tools for presidential action, they are not without constraints and can be subject to various forms of oversight and limitations.
First, EOs are not laws and they cannot appropriate funds. Instead, they implement and enforce existing laws or policies. In this case it is a policy announcement, as the US currently has no laws protecting citizens’ personal data.
A new president can revoke or modify previous executive orders. Neither can EOs infringe on the Constitutional powers of other government branches or override laws passed by Congress. If they do, they can be struck down in court.
Sometimes, public opinion drives a president to issue an EO to get Congress to move on a particular issue. In that case, Congress may create a law or they can override it with a veto-proof majority. Public opinion can also turn against a president for taking a side.
Corporate endorsement
In that sense, President Biden’s actions, while they may be inadequate overall, are a step in the right direction according to industry experts.
Luciano Allegro, Founder and Brand Protection Advisor at BforeAI, said “I think the President is taking a very forward-thinking stance on protecting the personal data of American citizens with this executive order. Company data has been a commodity of choice for ‘free’ services for over a decade, dating back to the Cambridge Analytica scandal, so taking steps to prevent the sale or transfer of our most sensitive information is a wise step in the right direction. The executive order is a good first step toward a GDPR-styled policy for Americans to ensure they can enjoy the same level of privacy as EU citizens. Though to fully execute on this, Congress will need to consider legislation to codify this protection long-term.”
Roger Neal, Head of Product at Apona Security, said the order forces IT security teams to ramp up efforts to identify, monitor and encrypt all forms of sensitive data in their organizations. “This serves as a call for organizations to prioritize the security of their data and to align their practices with the evolving cybersecurity landscape to avoid being the next on the news.”
Coordinated efforts
The EO directs the Department of Justice (DOJ) to issue regulations establishing “clear protections” for sensitive personal data including genomic, biometric, personal health, geolocation, financial, and personal identifiers. The order vaguely identifies countries with “a track record of collecting and misusing data on Americans.” News reports about China and Russia hacking US infrastructure and elections make it fairly easy to identify those as targets. However, Pakistan, Saudi Arabia, India, Iran, North Korea and several smaller countries have also been actively probing US data centers.
The EO outlines an interdepartmental effort involving the Justice, Homeland Security, Health and Human Services, Defense, and Veterans Affairs departments. It also directs the DOJ’s Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector to consider the threats to Americans’ sensitive personal data in its reviews of submarine cable licenses.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.