Governments around the world now use our personal information to threaten one another. The actual or potential control that a foreign country has over domestic personal data strongly affects geopolitical relations, as well as cross-border business flows and compliance requirements. The events surrounding Huawei, the TikTok ban and WeChat are the best-known examples of the weaponization of personal data, which is unlikely to stop anytime soon.
I started to work on that phenomenon during my PhD, and I’m now researching it further. In September, I had the opportunity to talk a little about how personal data is being weaponized and used for geopolitical purposes with Digital Privacy News.
The Weaponization of Personal Data: A Definition
The weaponization of personal data is a phenomenon in which a country has the power to influence the use of personal data from another country’s citizens, which could result in national security issues for the country subjected to that power. The mere threat raises concerns, which prompt changes to legal frameworks in various jurisdictions. It also creates significant hurdles for cross-border business operations. Where traditional data privacy protects the rights of individuals, weaponizing their data creates the need to protect national security.
The US is the jurisdiction that has done the most to update its legal framework to tackle this new issue. China represents the main source of worries, while it is also upgrading its laws. The EU, which otherwise features strong requirements for foreign data access, is so far unable to match the US’ response, mainly because national security falls within the competence of its Member States – but some of them did enact new measures.
The best illustrations of the weaponization of personal data are the recent cases opposing China and the U.S., such as Huawei, TikTok and WeChat. In all of them, three groups of actors are concerned: the States, the companies heavily involved in personal data processing, and the individuals behind that personal information. A targeted State (the US) is concerned that a foreign State (China) could use domestic companies (Huawei, TikTok, WeChat…) to access and/or influence the use of personal data belonging to the targeted State (US citizens) to threaten its national security.
Weaponizing personal data is all about the power of information, knowledge and influence. In this sense, I won’t talk here about the military use of AI and other data processing technologies in the context of warfare.
The Strategic Value of Personal Data for National Security
Personal data now have a strategic value for national security that they did not have in the past.
Traditional National Security Reviews
Taking the US jurisdiction as an example, the strategic sectors where foreign investment is subject to special scrutiny are related to the military and warfare, such as weapon producers or army suppliers. The concept of a strategic sector has gradually expanded over time to encompass the telecommunications, energy, finance and food industries.
A foreign power able to control or influence the operations of strategic assets in those sectors could threaten national security. Therefore, a foreign investor proposing to acquire an enterprise in those sectors may find itself subject to a national security review, such as the one performed by CFIUS in the US. Determining the existence of that threat to national security is not a straightforward analysis, especially considering the high level of discretionary power that is attached to those reviews. They typically involve the acquisition of assets that foreign intelligence could use against the US, or assets that could gravely hurt the US if tampered with (such as food or energy supplies).
Extension of National Security Reviews to Controllers of “Sensitive Data”
With the development of big data capabilities, espionage revelations such as Edward Snowden’s, and scandals involving personal data processing to influence the outcome of elections, such as Cambridge Analytica, personal data and the controllers of such data are increasingly part of a strategic sector, likely to involve national security issues. New rules increasingly protect such strategic sectors, enabling states to block foreign actors from buying domestic companies seen as strategic.
This area is increasingly becoming a battlefield for international relations and influence. China, for example, is developing its “Digital Silk Road” program, and has made artificial intelligence, an important consumer of personal data, one of its top priorities. In the West, U.S. tech companies have acquired unprecedented capital strength and are purchasing many European companies. This is an opportunity for European entrepreneurs and early-stage investors, but it also hinders EU technological development and independence.
To tackle the weaponization of personal data, the US recently enacted the Foreign Investment Risk Review Modernization Act (FIRRMA), which allows CFIUS to perform a national security review when a foreign investment is made in a US company holding “sensitive data”. This type of data receives a broad definition and should not be confused with GDPR’s sensitive data.
A Sufficient Way to Control Foreign Data Access?
Unlike the EU, the US doesn’t restrict data transfers outside its borders. Europe allows personal data to be sent outside its borders only under strict requirements that amount to guaranteeing appropriate safeguards. Other countries, like China or Russia, directly mandate that certain types of data cannot leave the country.
The current US approach is radically different. It supports the view that data should move freely across borders, and US data privacy laws don’t restrict these flows like those other jurisdictions do. Free data flows have benefited US tech behemoths, but the risks associated with this position have now increased.
Using national security laws against the weaponization of personal data, i.e. to forbid a foreign actor from holding US citizens’ data, is certainly an effective and innovative way to compel foreign investors to maintain data in the US. But it’s a lengthy and costly process that needs to be repeated for each case. High-profile cases heavily impact political relations too. Certainly, including some EU-style data transfer restrictions in the future US Data Protection Act will help. However, some of the EU safeguards remain paper rights; and once data has effectively crossed borders, the risk that intelligence activities unlawfully tap into them is high. As I like to put it, the US government is less worried about what the Chinese law says than what the Chinese government can do. The US knows this risk well, having indulged in these practices itself, as we know too well.