By Alexandra Alper and Kanishka Singh
WASHINGTON (Reuters) - President Joe Biden's administration on Wednesday unveiled an executive order barring genomic data transfers to China, as it seeks to protect American personal data over national security concerns.
The order, first reported by Reuters, will also curb bulk transfers of Americans' geolocation, biometric, health and financial information to specific "countries of concern," including Russia Iran, North Korea, Cuba and Venezuela.
The directive appeared to zero in on Chinese gene companies like BGI, barring transfer of any volume of genomic data to countries of concern.
"This is the White House's way of tackling a set of very specific China and Russia focused security threats, including the threat posed by genomics companies like BGI," said Peter Harrell, a former National Security Council official, describing genomic information as "extremely high risk data" and adding there was "little need for that to be processed in China."
BGI did not immediately respond to a request for comment.
Washington has been trying to stem the flow of American personal data to China, part of a years-long struggle over trade and technology.
The U.S. Congress is considering legislation to ban federal agencies from contracting with China's BGI Group and Wuxi APPTEC, part of an effort to keep China from accessing American genetic data and personal health information..
This month, BGI Group said it supports protecting personal data, but the legislation "which will effectively drive BGI from the U.S. market, will not accomplish this goal." The company said that in the U.S., it does not collect patient samples or have access to personal or genetic data.
Reuters reported in 2021 that BGI has made sales worldwide of prenatal tests developed in collaboration with China's military and has used them to collect genetic data from millions of women for sweeping research on traits of populations.
Other types of data transfers to China have also come into Washington's crosshairs. In 2018, a U.S. panel that reviews foreign investments for potential national security threats rejected a plan by China's Ant Financial to acquire U.S. money transfer company MoneyGram International, because of concerns over safety of data that can be used to identify U.S. citizens.
"China and Russia are buying American sensitive personal data from data brokers" and leveraging it "to engage in a variety of nefarious activities including malicious cyber-enabled activities, espionage and blackmail," senior administration officials told reporters on Tuesday evening.
"Buying data through data brokers is currently legal in the United States. That reflects a gap in our national security toolkit," they added, saying Wednesday's order aimed to fill that gap.
The officials said transactions will be banned with data brokers who know the information will end up in "countries of concern", as will the transfer of any data on U.S. government personnel.
Transfers of other classes of data - from biometric to financial - would only be banned if they met certain volume thresholds and were being sent to those countries.
The White House said companies are collecting more of Americans' data than ever before. It is often legally sold and resold through data brokers who can then transfer it to foreign intelligence services, militaries, or companies controlled by foreign governments.
To allay concerns that the new rules would unnecessarily hamper economic activity, certain types of data including corporate payroll and compliance are exempted, they added.
Certain transactions such as cloud service, employment and investment agreements would also be permitted, subject to some security requirements such as encryption and anonymization.
The order also directs the Department of Justice to give industry ample opportunity to comment before proposals take effect.
Responding to Biden’s order, the U.S. Consumer Financial Protection Bureau also said Wednesday it would develop rules in 2024 to limit data brokers’ international sale of Americans’ personal data.
The agency, which under credit reporting laws can regulate consumer data collection, cited research from Duke University showing the personal data of U.S. military personnel and veterans was available online for as little as 12 cents per record and was vulnerable to exploitation by hostile actors.