How a Biden order intended to protect Americans' privacy could actually harm it

Late last month, President Joe Biden signed an executive order that claims to protect Americans’ most sensitive information from foreign countries. However, the restrictions pushed by the Administration won't curb rampant data abuses because they do nothing to stop the companies selling and transferring our data from collecting it in the first place. Ironically, the Administration’s actions may make us more vulnerable to privacy harms, limit our ability to choose what online services we want to use, and re-open the door to bans on platforms that people around the world use to communicate every day.  

Understandably, the Administration focuses on types of data that can lead to very real harms, such as information on our location, health, or finances. The order grants the U.S. attorney general — not normally an official who deals in either data or international trade — sweeping emergency powers to restrict “any United States person” from transferring that information to a still-undefined list of “countries of concern” or any “covered person” — which includes not just those countries’ officials and agencies, but any business or person under their jurisdiction and even anyone who merely resides there. 

However good that might sound, those are not meaningful protections. The order will not stop the flow of data abroad because it does not limit the flood of constant, ubiquitous data collection. The administration has built a sea wall around only half the city in a vain effort to hold back a tsunami of data. If policymakers are serious about addressing abuses of our data (and they should be), they need to follow the problem back to its source. Without addressing the root of the problem, foreign countries, Big Tec and our own government will continue to quietly seize and abuse our data.  

Moreover, the administration’s efforts will undermine privacy and security, as they restrict the ability of individuals, cloud storage providers, social media platforms, and more to choose where to host their data. The order also grants the attorney general and the secretary of the U.S. Department of Homeland Security the broad authority to establish undefined “security requirements” for transferring data. These security requirements could very well end up including “backdoors” in encryption. Strong encryption protects our private messages, online browsing, financial transactions, and more from ad tracking and profiling by Big Tech, surveillance by our government and others, and cyberattacks by hackers. Backdoors, if mandated by the attorney general under this order, would eviscerate those protections.  

The order will also undermine an open internet — a key administration priority embodied in the net neutrality rules proposed by the Federal Communications Commission. The basic premise of those rules is simple: our internet access should not be blocked or filtered based on where the data is coming from, where it is going, or what it contains. The order flips that on its head, making data transmissions to undefined countries contingent on the attorney general’s approval. 

These harms are compounded by the fact that the order grants sweeping powers to the attorney general and lacks concrete, enforceable limitations. Although the Administration described the order as focused on “bulk” exports of sensitive data to foreign countries, the attorney general can easily expand the scope of the order, as it leaves even basic terms such as “bulk,” “country of concern,” and “covered personal identifiers” to be defined by the attorney general.  

These provisions do not just open the door to abuse—they invite it. Nothing in the order would preclude the Attorney General from deeming the data transfers needed to operate a popular social media app — like, say, TikTok — a “national security concern” and then banning the app. While such a ban would violate both current law and the First Amendment, the White House appears to be openly contemplating that possibility — describing TikTok as “why we put out” the order. 

More broadly, unilateral actions by the executive branch to prohibit data transfers are sure to raise serious legal questions. The administration is relying on a Trump-era emergency declaration and the authorities supposedly granted to it under the 1977 International Emergency Economic Powers Act — a law that was first exercised in response to the Iran hostage crisis. Not only does the international flow of information contrast starkly with the scenarios Congress had in mind when passing IEEPA, but IEEPA itself precludes presidential authority to restrict the flow of information in a provision known as the “Berman Amendment.” 

The Berman Amendment specifically prevents the President from regulating or prohibiting “the exportation to any country, whether commercial or otherwise, regardless of format or medium of transmission, of any information or informational materials.” Congress’s intent is clear: Even in an emergency, the President does not have authority over the free flow of information. Yet, the Administration does not explicitly address the Berman Amendment’s limitation on the executive’s authority, nor does it provide any framework for protecting free expression and ensuring an open and secure internet. 

 No president should be able to seize for themselves the decision to restrict access to information, ban social media platforms, or threaten the privacy of encrypted communications. The harms the administration seeks to remedy are best addressed by Congress, and those remedies should be aimed at the heart of the issue: the sheer amount of data that is surreptitiously collected on us every day.