Décret exécutif : Sécurisation des données personnelles sensibles Transferts de données aux États-Unis

In recent years, data protection has become a national emergency in the US, especially without a Federal Data Privacy and Protection Bill. The widespread sharing of US données personnelles et sensibles has been seen as exploitative, particularly from “countries of concern.” To address this glaring problem, the Biden Administration has issued an Executive Order (EO) to prevent those countries from accessing Americans’ sensitive personal data.

What is the Sensitive Personal Data Protection Order: A Glimpse

On February 28, 2024, President Biden signed Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern” (the EO). The executive order marks the president’s most significant executive order to protect America’s data security. The EO authorizes the Attorney General to prevent massive transfers of Americans’ data to countries of concern and safeguards to prevent access to American’s sensitive data. The EO focuses on Americans’ most personal and sensitive information, including genomic data, données biométriques, personal health data, geolocation data, données financières, and certain types of les informations personnellement identifiables.

Here are some essential aspects of the sensitive and personal data protection executive order:

Countries of Concern

The EO doesn’t call out specific countries, but senior administrators are identifying those countries as China, Russia, North Korea, Iran, Cuba, and Venezuela. TikTok, a subsidiary of Chinese technology firm ByteDance Ltd, is a significant point of contention, as it boasts over 150 million American users — which U.S. leaders have been most vocal about over the last few years. The Biden administration is worried about TikTok trafficking sensitive data. White House press secretary Karine Jean-Pierre stated, “We do have concerns — that’s why we put out” the executive order.

Security Risks, Privacy Rights, and Civil Liberties

A major motivating factor behind the EO is the ability of l'intelligence artificielle (IA) to leverage large datasets for problematic reasons (or to build new AI models) that could harm the American public. Any organization processing personal and sensitive data must understand how AI impacts risks and may potentially expose the business to regulatory investigation.

The EO represents a growing effort by the administration to police data transactions that could empower hostile foreign powers to weaponize data and utilize AI to target Americans. The tracking of Americans potentially enables intrusive surveillance, scams, blackmail, privacy violations, and security risks – especially for those in the military or involved in the national security community.

Another area of concern is the ability of these countries to access sensitive personal data to collect information on journalists, activists, political personalities, and marginalized groups to intimidate, create dissent, alter the political landscape, or limit America’s freedoms and civil liberties.

Government Agencies Directed to Protect Data

The Executive Order enables federal agencies to issue regulations that prevent large-scale transfers of certain types of sensitive data from “countries of concern.” To protect Americans’ sensitive personal data, the Biden administration is directing:

• The Department of Justice will issue regulations that protect Americans’ sensitive data from access and exploitation. The data protection will consist of données biométriques, personal health data, genomic data, geolocation data, financial data, and specific personal identifiers. The DOJ will prevent the large-scale transfer of that data —which is known to be collected and misused. Additionally, the DOJ must extensively protect sensitive government-related data, specifically geolocation information on sensitive government sites and information about military members.
• The Departments of Justice and Homeland Security will work together to set high-security standards to prevent data access to Americans’ data through commercial means, such as data availability through investments, vendors, and employment relationships.
• The Departments of Health and Human Services, Defenseet Veterans Affairs will help ensure that contracts, grants, and awards do not facilitate access to sensitive health data by countries of concern, including through companies in the United States.
• The Consumer Financial Protection Bureau will act with existing legal authorities to protect Americans from data brokers selling extremely sensitive data illegally.

Restrictions on Certain Transfers of Personal Information

The Executive Order should continue the flow of information necessary for financial services, consumer, economic, scientific, and trade relationships with other countries. The EO insists there will be consistency with the US’s support for the trusted free flow of data.

In addition to the EO, the DOJ released an Advance Notice of Proposed Rulemaking (ANPRM), which defines its plan to implement these regulations. The DOJ is directed to regulate and restrict transactions involving data brokerages, bulk sensitive data transfers, or US Government-related data. The ANPRM may also impose notable security requirements and restrictions on three bulk data transaction types: vendor, employment, and investment agreements.

Data Brokers & Bulk Data Sales

In the US, data brokers can legally collect personal information to build profiles on the American public that can then be rented or sold. It is relatively common practice for data brokers to sell and resell information, but they can legally sell data to countries of concern or controlled by those countries. Data brokers create a gap in the nation’s national security protection when data can quickly end up in the hands of foreign intelligence agencies, militaries, or companies owned by foreign governments.

Compliance and Enforcement

The ANPRM currently doesn’t provide strict liability for violations of the new regulation. However, the DOJ is considering imposing civil penalties with mechanisms for pre-penalty notices, responses, and final decisions. Additionally, there is an expectation to establish risk-based compliance programs; when a violation occurs, the DOJ, in any enforcement action, would consider the compliance program.

How BigID Helps Organizations Protect Personal & Sensitive Data

The Executive Order aligns with several global initiatives to safeguard the flow and transfer of information across countries. The EO highlights the importance of companies understanding what data they collect, how it is used, and potential use by third parties.

BigID enables organizations to meet the EO requirements by identifying, managing, monitoring, and protecting all personal and sensitive data – including cross-border transfers and data access requirements. With BigID, organizations can:

• Découvrez les données : Découvrez et cataloguez vos données sensibles, y compris structurées, semi-structurées et non structurées, dans des environnements sur site et dans le cloud.
• Bénéficier d'une visibilité totale : Automatically classify, categorize, tag, and label sensitive data with unmatched accuracy, granularity, and scale to build a cohesive data inventory to prepare for regulatory audits from the DOJ.
• Atténuer les risques liés à l'accès aux données : Surveiller, détecter et répondre de manière proactive à l'exposition interne non autorisée, à l'utilisation et à l'activité suspecte autour des données sensibles.
• Validated Data Transfers: Créez des politiques et attribuez la résidence aux sources de données et aux données des individus pour appliquer les exigences de résidence des données et surveiller et alerter sur les transferts de données.
• Streamline Remediation: BigID helps to define the remediation actions to provide audit records with integration to ticketing systems like Jira for seamless remediation workflows.
• Assurer la conformité : Respecter automatiquement les règles de sécurité, de confidentialité et de conformité à l'IA et les cadres à l'échelle mondiale, quel que soit l'endroit où résident les données.

Planifiez une démo avec nos experts to see how BigID can help your organization secure access and protect personal sensitive data to align with the new executive order requirements.

Auteur

Verrion Wright

Stratégie et développement du contenu

Verrion Wright est un spécialiste du marketing très expérimenté et ambitieux, avec plus de 20 ans d'expérience dans le marketing produit, le développement de contenu et la stratégie numérique. Il a occupé des postes de direction dans divers secteurs, notamment les services informatiques, la confidentialité des données, le marketing et la publicité (planification des médias), en mettant l'accent sur les connaissances fondées sur les données et le marketing intégré. Chez BigID, Verrion est le directeur de la stratégie et du développement de contenu, qui aide à élever le contenu à travers tous les piliers, les régions et les acheteurs, en créant systématiquement un contenu convaincant sur plusieurs supports - y compris la vidéo, les articles, les listes de contrôle, les livres blancs et les guides.