White House executive order restricting data brokers enters effect — but to what end?

An executive order from President Biden restricting which countries data brokers can sell American data to took effect on Sunday, but some have expressed doubt about whether it will have much impact.

The executive order prohibits data brokers from selling protected data about Americans to various “countries of concern,” which the US defined in December as Burma, People’s Republic of China, Cuba, Eritrea, Iran, the Democratic People’s Republic of Korea, Nicaragua, Pakistan, Russia, Saudi Arabia, Tajikistan and Turkmenistan. The order defined protected data as “Americans’ most personal and sensitive information, including genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information.”

Although the data protection and privacy issues raised in this executive order are critically important to enterprise IT and security operations, the order's narrow provisions appear to limit its impact to data brokers and are unlikely to directly affect enterprise IT or cybersecurity operations.

But industry watchers have their own opinions about whether this executive order is likely to have any industry impact.

Data localization light

Hearst CIO Atefeh “Atti” Riazi said that her team — and the CISO reports to her, so she was also referring to security — will not be impacted at all by the order, but she raised questions about how much it would impact anyone at all, including data brokers.

“It’s such a paper tiger, so superficial. Politicians often need these wedge issues. It makes news but they are completely unenforceable,” Riazi said in an interview with CIO.com. “It’s foolish. There is no way you can enforce this.”

She added that such data is “continuously stolen” so “how are you going to track it? This is just an empty gesture. Third-party data has not been governed for a very long time. A dam has a million holes in it and we are trying to plug one or two.”

Brian Levine, a managing partner at Ernst & Young who oversees enterprise cybersecurity issues, said that he thought it was too early to analyze the likely impact of this executive order.

“At a high level, these all seem like sensible measures, but the order primarily directs agencies to issue various regulations, so the devil will be in the details,” Levine said. “Some of this sounds like ‘data localization light’ — don’t allow data to visit countries that might improperly exploit it.”

© Foundry