Bipartisan Bill Could Impose New Export Controls Over Data Exports
A bipartisan group of senators last week introduced a bill that could place new controls on certain exports of U.S. personal data to foreign companies and governments. The Protecting Americans’ Data From Foreign Surveillance Act would require the Commerce Department, along with other agencies, to identify “categories of personal data” that could harm U.S. national security if they were exported, and to place export restrictions on those items.
Under the bill, Commerce would need to impose export license requirements for certain “bulk exports of the identified categories of personal data” to certain countries, which would be subject to a review policy of presumption of denial. Other countries, which would be identified by Commerce on a list of “low-risk” nations, would not be subject to the controls.
If the bill becomes law, Commerce would determine which countries are high risk or low risk by examining the “adequacy and enforcement” of that country’s privacy and export control laws. The agency also would need to consider whether a foreign government can “compel, coerce, or pay a person in that country to disclose personal data,” or whether the foreign government has conducted “hostile foreign intelligence operations” against the U.S.
Commerce also would be directed to penalize senior executives who “knew or should have known that employees below them were directed to illegally export Americans’ personal data.” The bill also would call on Commerce to publish a public, quarterly report on licensing data for the controlled exports, including the names of parties in license applications, the items requested for export and whether the license was approved or denied.
Certain items would be exempt from the controls, including data encrypted with technology approved by the National Institute of Standards and Technology. The controls also wouldn’t apply to journalism activities and other speech protected by the U.S. Constitution.
The bill -- introduced by Sens. Ron Wyden, D-Ore., Cynthia Lummis, R-Wyo., Sheldon Whitehouse, D-R.I., Marco Rubio, R-Fla., and Bill Hagerty, R-Tenn. -- is partly aimed at closing what lawmakers say is a loophole in sales of personal data. Although the Committee on Foreign Investment in the U.S. can block sales to foreign firms of U.S. companies that hold “large amounts of sensitive data,” CFIUS can “only stop the sale of the company, not the sale of data,” the lawmakers said.
“Right now it’s perfectly legal for a company in China to buy huge databases of sensitive information from data brokers about the movements or health records of millions of Americans, and then share that information with the Chinese government,” Wyden said. The legislation will set “common-sense guardrails” to block exports of the data and “empower” the U.S. to “build a coalition of trusted allies where information can be shared without fear of misuse by authoritarian actors.”
The bill has support from some data privacy advocates. Justin Sherman, a researcher at Duke University’s Data Brokerage Project, said it’s “far too easy for foreign governments to purchase sensitive data on the demographic information, political preferences, internet search histories, mental health conditions, and GPS movements” of Americans. Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, said the “unrestricted collection of personal data” from foreign governments poses a “dire threat” to the U.S. “It is past time that Congress enact a strong, comprehensive privacy law.”