U.S. Finally Restricts Sale Of Location Data To Foreign Adversaries, But We’re Still Too Corrupt To Pass A Basic Internet-Era Privacy Law

Techdirt. 2024-10-24

Back in February, the Biden administration issued an executive order preventing the “large-scale transfer” of Americans’ personal data to “countries of concern.” The restrictions cover genomic data, biometric data, personal health data, geolocation data, and financial data, with the goal of preventing this data from being exploited by foreign intelligence agencies.

This week the administration fleshed out their planned restrictions in more detail. In a new fact sheet outlining plans for a new national-security program restricting the bulk transfer of consumer data, the government says it will focus primarily on the sale to “countries of concern” including China, Cuba, Iran, North Korea, Russia, and Venezuela.

The executive order and proposed rule define “bulk” as follows:

“The proposed rule would establish the following bulk thresholds: human genomic data on over 100 U.S. persons, biometric identifiers on over 1,000 U.S. persons, precise geolocation data on over 1,000 U.S. devices, personal health data on over 10,000 U.S. persons, personal financial data on over 10,000 U.S. persons, certain covered personal identifiers on over 100,000 U.S. persons, or any combination of these data types that meets the lowest threshold for any category in the dataset.”

While it’s certainly smart to finally start tracking the sale of sensitive U.S. consumer data to foreign countries in more detail (and blocking direct sales to some of the more problematic adversaries), it’s kind of like building barn doors four years after all the animals have already escaped.

We’ve noted for most of the last two decades how a huge variety of apps, telecoms, hardware vendors, and other services and companies track pretty much your every click, physical movement, and behavior, then sell access to that data to a broad array of super dodgy and barely regulated data brokers.

These data brokers then turn around and sell access to this data to a wide assortment of random nitwits, quite often without any sort of privacy and security standards. That’s resulted in a flood of scandals from stalkers tracking women to anti-abortion zealots buying clinic visitor data in order to target vulnerable women with health care misinformation.

This continues to happen for two reasons: at every last step, U.S. leaders put making money above public safety and consumer protection. And the U.S. government has discovered that buying this data is a fantastic way to avoid having to get pesky warrants. This all occurs against the backdrop of a relentless effort to turn all U.S. consumer protection regulators into decorative cardboard cutouts.

So nothing has changed foundationally. We’re literally too corrupt to pass even a baseline privacy law for the internet era, and outside some scattered efforts we really don’t consistently regulate data brokers. Those data brokers in turn have been so fast and loose with broad consumer datasets, it’s been utterly trivial for foreign intelligence agencies around the world to gain access to that data.

It’s nice that it’s 2024 and the U.S. government only just realized this is all a problem, and some basic guard rails are better than nothing, but it’s still not good enough. The U.S. needs comprehensive internet-era privacy laws that hold companies and executives accountable for lax security and privacy standards, and anything short of that (like freaking out exclusively about TikTok) is performance.