Bill Would Prohibit Sale of Americans’ Personal Data to Adversarial Countries

Sen. Ron Wyden (J. Scott Applewhite/AP)

The proposal would establish an interagency group to categorize data, then develop a list of countries banned from importing individuals’ data that could threaten national security.

Legislation introduced this week would make it illegal for companies to export data generated by people living in the U.S. to certain countries where that data could pose a national security risk.

Federal agencies already regulate the kinds of technologies and industrial data that can be sold abroad, but a new bill introduced by Sen. Ron Wyden, D-Ore., would be the first to prohibit the sale of individuals’ data by a third party.

“Shady data brokers shouldn’t get rich selling Americans’ private data to foreign countries that could use it to threaten our national security,” Wyden said in a statement after introducing the legislation. “My bill would set up common sense rules for how and where sensitive data can be shared overseas, to make sure that foreign criminals and spies don’t get their hands on it.”

But in order to protect the data, regulators first must know exactly what they’re regulating.

The Protecting Americans’ Data from Foreign Surveillance Act would first categorize the types of personal data people generate each day, and identify which data types could be used by foreign adversaries to the detriment of the U.S. In establishing the categories, regulators would be instructed to look at data collected by commercial entities; data that has already been shared with foreign adversaries; and both identifiable and anonymized data, if the latter can be reverse engineered using other data sources.

The categorization work—spread across multiple agencies, working together—would be completed one year after the bill was enacted.

“In compiling the list of categories, the interagency process shall consider publicly available information, classified information from the intelligence community, the Committee on Foreign Investment in the United States, the categories of personal data specified under 31 CFR 800.241, input from an advisory committee established by the Commerce Department, the recommendations of independent privacy experts and First Amendment experts, and a public notice and comment period,” according to a one-sheet released by Wyden’s office.

Once those categories are established, the Commerce Department would be charged with creating “export control regulations on the export, reexport, or in-country transfer” of data under those restricted categories and develop a list of countries “for which exports will be presumptively banned, unless the potential exporter can demonstrate that the export, reexport or in-country transfer will not harm the national security of the United States.”

Conversely, the department will also be tasked with creating a list of countries where companies won’t require a license to import U.S. data, such as allies that don’t pose a risk to national security. But that list won’t be easy to get on.

“Countries can only be added or removed from this list after notifying Congress and giving Congress 180 days to object via a joint resolution of disapproval,” according to a summary breakdown of the bill.

The legislation, as written, also outlines the criteria Commerce should use in developing both lists:

  • The adequacy and enforcement of data protection, surveillance, and export control laws in foreign countries in order to determine whether such laws are sufficient to: protect personal data from accidental loss, theft, and unauthorized or unlawful processing; ensure that personal data is not exploited for intelligence purposes by foreign governments to the detriment of the national security of the United States; and prevent the reexport of personal data to third countries for which a license would be required for such data to be exported directly from the United States.
  • The circumstances under which the government of a foreign country can compel, coerce, or pay a person in or national of that country to disclose personal data.
  • Whether a foreign government has conducted hostile foreign intelligence operations, including information operations, against the United States.

None of this would apply to how people manage their own data, which individuals would still be free to export—or withhold—of their own accord.

The law would also not apply to journalism and other speech protected by the First Amendment or encrypted data, so long as the decryption keys are not exported.

The senator is currently taking feedback on the language in the legislation at ExportControl_Feedback@wyden.senate.gov.