Prepared Remarks of CFPB Director Rohit Chopra at the White House on Data Protection and National Security
Thank you to the White House Office of Science and Technology Policy for bringing together data protection enforcement authorities from all over the United States and from across the globe, and thank you all for joining us today.
The Consumer Financial Protection Bureau is the primary regulator charged with enforcing and updating rules under the Fair Credit Reporting Act, one of the only cross-sectoral data protection laws in the United States. This law protects the public when it comes to third party aggregations of personal data.
While our work has long focused on protecting consumers from the serious harms stemming from inaccurate background reports related to employment, credit, and housing, there is an emerging consensus that intrusive surveillance and aggregation of personal data can create the conditions for harming national security and undermining freedom.
There was a time when the dominant thinking was something like this: in order to protect national security, invasive and unlimited data collection should be the norm. In untangling the concerning reports and credible threats we find today, it may be just the opposite.
Today, I want to discuss some of the issues outlined in the Executive Order to Protect Americans’ Sensitive Personal Data signed by President Biden five weeks ago. I then want to describe how the Consumer Financial Protection Bureau plans to develop rules to ensure greater accountability for so-called “data brokers.”
Evolving Consensus
A few years ago, during my time as a Federal Trade Commissioner, I served as the enforcement cooperation co-chair for the International Conference on Data Protection and Privacy Commissioners (now known as the Global Privacy Assembly). While much of our work together focused on the issues we were collectively confronting on the business practices of large tech conglomerates, I also noticed the beginnings of a shift in how data protection enforcers were collaborating with national security agencies.
Intensive surveillance by commercial firms raised a whole new set of questions. In the United States, three data breaches are especially worth noting: the 2015 intrusion into Anthem (a major health insurer), the 2017 breach at Equifax (the credit reporting conglomerate), and the 2018 breach at Marriott (the global hotel giant).
Data breaches lead to losses in the form of identity theft and misuse of account information. But in these three breaches, as well as others, many have linked the breaches to activity by entities and actors based in China. For example, in 2020, the Justice Department charged four members of the Chinese People’s Liberation Army with orchestrating the operation at Equifax to obtain personal data on 145 million Americans. When Americans’ health information, financial information, and even their travel whereabouts can be assembled into detailed dossiers, it’s no surprise that this raises risks when it comes to safety and security.
Several weeks ago, President Biden signed an Executive Order to Protect Americans’ Sensitive Personal Data. The announcement spelled out many of the reasons for action:
"The President’s Executive Order focuses on Americans’ most personal and sensitive information, including genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information. Bad actors can use this data to track Americans (including military service members), pry into their personal lives, and pass that data on to other data brokers and foreign intelligence services. This data can enable intrusive surveillance, scams, blackmail, and other violations of privacy."
Importantly, the focus of the order is not limited to unauthorized intrusions, such as breaches. Over the years, a significant number of “data brokers” ingest and sell data to a wide range of entities, usually without the knowledge of the subject. The Executive Order notes:
"Companies are collecting more of Americans’ data than ever before, and it is often legally sold and resold through data brokers. Commercial data brokers and other companies can sell this data to countries of concern, or entities controlled by those countries, and it can land in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments. The sale of Americans’ data raises significant privacy, counterintelligence, blackmail risks and other national security risks—especially for those in the military or national security community."
Data brokers make this easy by assigning users to categories. Reporting and reviews of online markets suggest that data brokers can help entities target “decision makers at government organizations primarily engaged in national security and international affairs” and “military service-members and government employees.” Data brokers also support targeting of specific geographic locations like government or military installations.
For example, data brokers can facilitate the targeting of individuals by allowing entities to purchase lists that match multiple categories, like “Intelligence and Counterterrorism” with “substance abuse,” “heavy drinker,” or even “behind on bills.” In other contexts, entities can purchase records for pennies per person, allowing relatively small investments to be leveraged into mass collection.
The Executive Order asks the Consumer Financial Protection Bureau to protect Americans from data brokers that are assembling and selling extremely sensitive data, including that of United States military personnel.
Consideration of New Rules
The United States has a long history of laws designed to protect our people from unchecked surveillance. The Fourth Amendment to the Constitution, state Peeping Tom laws, and many more provisions of law seek to protect privacy. Pursuant to authorities under the Fair Credit Reporting Act, the CFPB is taking steps to ensure that the public is protected from harmful data broker practices.
We are aiming to propose rules this year to ensure that data brokers comply with the Fair Credit Reporting Act. The Act would restrict certain business practices and ensure higher levels of accountability for companies engaged in this business model.
The proposals under consideration would define a data broker that sells certain types of consumer data as a “consumer reporting agency” to better reflect today’s market realities. Under such a proposal, a company’s sale of data regarding, for example, a consumer’s payment history, income, or criminal records would generally be a consumer report, triggering requirements for ensuring accuracy and handling disputes of inaccurate information, as well as prohibiting other misuse.
Conclusion
To conclude, this is one of many examples where the United States is taking action to protect the public from abuse and misuse of personal data. Given the broad reach of commercial firms to harvest and monetize data, protecting personal data can also advance our safety, security, and freedom.
The Consumer Financial Protection Bureau is a 21st century agency that implements and enforces Federal consumer financial law and ensures that markets for consumer financial products are fair, transparent, and competitive. For more information, visit www.consumerfinance.gov.