New Bill Would Curb the Export of Americans’ Data

A newly-proposed draft bill aims to curb the export of U.S. citizens’ personal data to “potentially hostile foreign nations,” showcasing increased anxiety around the international sale of Americans’ information.

The Protecting Americans’ Data From Foreign Surveillance Act, introduced on Thursday by Sen. Ron Wyden (D-Ore.), would introduce a license requirement for foreign companies to trade U.S. citizens’ personal information. Wyden said there are currently no legal restrictions preventing the trade of Americans’ personal data to companies and governments overseas.

“Shady data brokers shouldn’t get rich selling Americans’ private data to foreign countries that could use it to threaten our national security,” said Wyden in a statement. “My bill would set up common sense rules for how and where sensitive data can be shared overseas, to make sure that foreign criminals and spies don’t get their hands on it.”

Under the draft bill’s proposed rules, the commerce secretary - responsible for representing U.S. businesses within the President’s Cabinet and promoting economic growth - would be tasked with identifying categories of personal information that could “harm U.S. national security” if exported, and detailing countries to which the export of data would “not harm national security.”

Licenses would be required in order to export personal data to other countries “in bulk.” These licenses would be based on how countries enforce data protection, their surveillance and export control laws, the circumstances under which the countries’ governments can compel or pay a person in that country to disclose data and whether the government has previously conducted hostile foreign intelligence operations against the United States.

Other requirements under the draft bill would mandate the commerce department to publish quarterly reports on personal data exports, enforce penalties for senior executives who knew about illegal personal data exports and create a private “right of action” for those who have been physically harmed, arrested or detained in a foreign country due to the illegal export of personal data. The draft bill also makes a point to ensure that export regulations would not apply to journalism or speech protected under the First Amendment.

Wyden’s overview of the bill called out China in particular as a country that obtains vast troves of personal data from the U.S. - not merely through hacking, said Wyden, but also through the open market. This data can include records of cell phone locations, credit card purchases and web browsing history, according to Wyden.

The bill would be helpful in pushing for accountability when it comes to the innumerable ways that data is shared and collected, said Alex Howard, director of the Digital Democracy Project.

“This bill calls attention to a specific concern whereby authoritarian states have been building a map based on the backbone of publicly available data, and that has progressed to the point where there are valid national security concerns,” said Howard.

At the same time, the required licenses for countries regarding exports of personal data would have widespread consequences for both countries and companies conducting international business, as highlighted in a Thursday letter by Johnny Ryan, senior fellow at the Irish Council for Civil Liberties. The letter, penned to various Irish politicians, urged more stringent enforcement measures for the General Data Protection Regulation (GDPR), warning that under the new bill a failure to enforce GDPR could mean companies based in Ireland would not be able to deliver digital services to the U.S.

“If Ireland (and any other jurisdiction) is designated as a jurisdiction with inadequate enforcement, then every significant company operating here will be unable to process the data of customers in the United States, unless the company first obtains an export license from the US Department of Commerce,” according to Ryan. “Obtaining these licenses is difficult: these are the same restrictions that are applied to nuclear material,” he said.

The draft bill builds on previous efforts by the U.S. to reel in data shared with foreign countries, such as the 2018 Foreign Investment Risk Review Modernization Act. This act directed the Committee on Foreign Investment in the United States (CFIUS) to review and potentially block the purchase of U.S. firms that hold large quantities of U.S. citizens’ personal data. An executive order from earlier this year also mandated recommendations to restrict the transfer of data to foreign adversaries.

However, Wyden's bill goes a step further, said Sean Vitka, senior policy counsel for Demand Progress. He stressed, “the data brokers have proven that it is not who owns the firm that’s the issue,” referring to the 2018 Foreign Investment Risk Review Modernization Act.

“The key difference here is that this new bill is about protecting the data,” Vitka said. “Anyone who can buy a company that holds vast troves of data can also license that information or buy it outright in bulk. There’s no question that the public would be disturbed to know that other governments are getting Americans’ data in this way.”

The bill also joins a slew of proposed regulatory efforts that have been centralized around data privacy. In February, Virginia enacted a comprehensive data privacy law, called the Virginia Data Protection Act, which gives consumers the right to access data that organizations have collected about them. Overall, Howard said that while foreign data collection is certainly significant, domestic issues around data collection - notably the advertising industry’s widespread collection and sharing of personal data - should not be ignored.

“The biggest challenge is our homegrown business models that create enormous platforms to track people, from sensors to location,” he said. “It shows how we have been far too lax in allowing a degree of self regulation.”