President Biden just issued an executive order leading to new restrictions on the transfer of sensitive personal data to China and other “countries of concern,” which imposes massive new compliance obligations on organizations. You may not consider your business to be a data collection or transfer business, but if tracking technology on your website or third-party vendors have access to your employees’ and other personal data, you may be affected by Wednesday’s measures. Here’s what you need to know and the four steps you need to take to ensure your business complies with this important new requirement.
How we got here
The executive order addresses concerns about how foreign adversaries can obtain “large amounts of sensitive personal data” on Americans through legal means. The United States remains the Wild West when it comes to privacy laws. Although some states have comprehensive laws, there are no comprehensive federal or state privacy laws that prohibit the transfer of data storage to foreign countries. Furthermore, there are no laws requiring foreign countries to pass laws to meet minimum standards for respecting data privacy.
This allows American data to flow abroad with few obstacles. It may then be used for malicious activities such as espionage, intrusive surveillance, fraud, extortion, intimidation of political opponents, suppression of dissent, restrictions on Americans’ freedom of expression and other civil liberties, and other invasions of privacy. These risks will be further exacerbated by the advent of more advanced artificial intelligence.
The executive order seeks to stop unimpeded data leaks by directing the Attorney General and the Department of Homeland Security to issue regulations limiting the data that can be transferred to “countries of concern.” Although the term is not defined in the executive order, it is widely understood that China is the primary target.
There are good reasons for this. China’s privacy laws significantly restrict the transfer of data outside of the country once it arrives in China. In many cases, international transfers must first be evaluated by the Cyberspace Administration of China (CAC). This requirement gives the CAC nearly unlimited power to access and review data it deems “sensitive.”
What does the Executive Order require?
This will be an evolving story, as the executive order itself leaves the details up to state governments and the Department of Homeland Security. However, some things have now become clear.
- First, the Executive Order defines sensitive personal data to include financial, genetic makeup, personal health, biometrics, geolocation information, and certain other types of personally identifiable information, and the AG may develop a broader definition.
- Second, it requires the AG (with the assistance of the Department of Homeland Security) to conduct large-scale investigations into countries of concern, including determining what types of transactions pose an unacceptable risk to national security, and requires the issuance of regulations to prevent data transfers.
- Third, the AG and the Department of Homeland Security are required to work together to set higher security standards to protect against access by countries of concern through legal means in other commercial settings, such as data available through data intermediaries, third-party vendor agreements, investment agreements, and employment agreements.
All industries are affected
The reality is that no industry can escape the effects of this executive order. Rather, the question is how, or to what extent, the industry will be affected.
On a general level, all companies that operate websites should know what cookies, pixels, web beacons, and other tracking technologies are on their websites and in what countries they are located, and should take a closer look at whether those countries belong on the “countries of concern” list.
- The obvious center of concern right now is TikTok, a popular social media platform owned by ByteDance Limited, a privately held company headquartered in Beijing, China.
- Pixels are pieces of code that websites can use for things like analytics and targeted advertising. Similar to cookies, they can track individuals as they move across different websites on the web and build a profile of the individual based on their interactions with different websites.
- And, crucial to the executive order, all information collected through the pixel will be disclosed to TikTok.
Apart from the website, you should carefully check what companies and vendors you work with and whether your information is being sent to countries of concern. This review should not be limited to any particular industry, but if you work in the medical field, you may need to make significant adjustments to your practice. Genetic information is of particular concern, given that much of the U.S. health care system outsources genetic testing and genome sequencing to Chinese companies.
Next steps
1. Check the website
Take a close look at your website and evaluate what cookies, pixels, web beacons, and other tracking tools it contains. Identify the company behind each tracking tool (including its owners) and the country in which it is located, allowing you to act quickly once a country of concern is identified. Additionally, if you have Chinese-owned tracking tools (such as TikTok), you can proactively remove them now.
2. Conduct vendor reviews
Investigate vendors that disclose sensitive personal information and assess whether any are located in countries of concern. If applicable, companies should find new vendors to fill that niche and cease doing business with vendors located in countries of concern.
3. Ask for guarantees
If a vendor disclosing sensitive data is not located in a country of concern, seek assurances that it will comply with the executive order and not transfer data to a country of concern. Consider negotiating contract terms to that effect in the future.
4. Stay alert
Please stay tuned for further updates. The executive order calls for new regulations to prohibit or restrict transactions that provide countries of concern with access to government-related data or sensitive personal data that pose an unacceptable risk to national security.


