US piecemeal approach to data security leaves Americans vulnerable to foreign tech companies
- Joe Biden’s executive order to prevent foreign firms from acquiring Americans’ data offers another limited solution to a pervasive problem
- US data protection laws are patchy, with a distinct lack of national infrastructure for long-term, bipartisan oversight
The order directs the Committee on Foreign Investment in the United States (CFIUS), a government panel that reviews the national security implications of foreign investments in US companies, to pay close attention to deals that could give foreign entities access to the sensitive data of Americans.
The Biden administration’s executive order appears as a strong response to the fragmented data security environment in the US. Currently, TikTok and other firms operating in the US can legally export a good deal of data abroad for access by other governments – a kind of “data trafficking”.
Yet while a crucial step toward limiting data trafficking, the order exemplifies three fundamental flaws in US government data practices.
First, US data security laws are fragmented and leave huge loopholes in data security. Second, rather than these laws being enforced as part of a long-term, bipartisan effort, enforcement varies by administration.
Finally, US data security laws often get to the issue far too late, not considering data acquisitions that are already occurring. Rather than reflecting the toughness of the US government’s approach, the Biden executive order reflects the limitations of the US approach to data regulation.
The United States protects consumer data in a piecemeal and often counterintuitive fashion. At present, no nationwide data security law exists, covering all types of data. Instead, certain sectors have their own individual protections which often can only be applied to specific situations.
For example, when a patient has their heart rate measured by a doctor, the data collected is protected by the Health Insurance Portability and Accountability Act. Yet that same data collected using an Apple Watch or Xiaomi Mi band is the property of the corporation that is logging it.
Data protection policies also vary by state. Platform users in California have different rights to those in Louisiana. In New York, financial data has special protection. Illinois offers biometric data protection. Such divisions both create significant loopholes and complicate enforcement of existing laws.
Biden’s order for greater scrutiny of future acquisitions that include sensitive data is a good start, but it reflects a mentality that, while supportive of business interests, also fails to account for already existing national security concerns. The order focuses on future data acquisitions, not ongoing ones.
The Biden executive order additionally does not account for firms already operating in the US that simply seek to expand their operations into connected devices.
Both Congress and the Biden administration are looking in the right direction for policy responses to weak national data security oversight in the US with new proposed Congressional legislation and more targeted executive orders, but fragmented US data security policy still has a long way to go before it can comprehensively counter data gathering by China and other countries.
Aynne Kokas is a senior faculty fellow at the University of Virginia’s Miller Center for Public Affairs and a professor of Sino-US relations at University of Virginia