Bipartisan bill seeks to safeguard US data from foreign exploitation

A bipartisan group of lawmakers reintroduced legislation on Wednesday that would restrict exports of Americans’ personal data to hostile nations and prevent foreign-owned companies — like popular video app TikTok — from accessing U.S. users’ data from abroad. 

The bill, from Sens. Ron Wyden, D-Ore., and Cynthia Lummis, R-Wyo., would amend the Export Control Reform Act “to require export controls with respect to certain personal data of United States nationals and individuals in the United States.” The 2018 law placed additional restrictions on exports of critical technologies and other commodities that could be used for civilian and military purposes by hostile nations. 

The legislation — known as the Protecting Americans’ Data from Foreign Surveillance Act — is co-sponsored by Sens. Bill Hagerty, R-Tenn., Martin Heinrich, D-N.M., Marco Rubio, R-Fla., and Sheldon Whitehouse, D-R.I. Wyden introduced a similar version of the bill during the 117th Congress, although it did not advance beyond the Senate Banking, Housing and Urban Affairs Committee. 

In a press release, the lawmakers said that Wednesday’s legislation “updates the previously introduced bill to include new protections against foreign-owned companies like TikTok accessing U.S. data from abroad, or sending data to unfriendly foreign nations.”

“Massive pools of Americans’ sensitive information — everything from where we go, to what we buy and what kind of health care services we receive — are for sale to buyers in China, Russia and nearly anyone with a credit card,” Wyden said in a statement. “Our bipartisan bill would turn off the tap of data to unfriendly nations, stop TikTok from sending Americans’ personal information to China and allow nations with strong privacy protections to strengthen their relationships.”

The bill directs the Commerce Secretary, in consultation with other agencies, to identify “categories of personal data that, if exported, could harm U.S. national security.” The department would also be tasked with compiling lists of so-called low-risk countries — “where data can be shared without restrictions” — and high-risk countries — ”where exports of sensitive data will be blocked.” 

A country’s risk status will be determined based on several factors, according to the lawmakers, including whether or not it “has conducted hostile foreign intelligence operations” against the U.S., the “adequacy and enforcement” of its privacy and export controls and if its government “can compel, coerce or pay a person in that country to disclose personal data.” Commerce would also be required to “create a system to issue licenses for data exports to nations not on either list.”

While the legislative proposal does not mention TikTok by name, the bill’s sponsors said it would restrict “all exports of personal data by data brokers and firms like TikTok directly to restricted foreign governments, to parent companies in restricted foreign countries and to persons designated on the Bureau of Industry and Security’s entity list.”

The bill’s sponsors highlighted the importance of limiting data transfers to companies based in hostile nations, with Hagerty saying in a statement that “the ability for foreign companies to legally obtain Americans’ sensitive and private information undermines national security and infringes personal privacy.”

Lawmakers and the U.S. intelligence community have expressed national security concerns in recent years about TikTok’s relationship with the Chinese government. The app is owned by Chinese-based parent company ByteDance, and officials have warned that Beijing could gain access to U.S. users’ personal data. 

Congress previously banned TikTok from being downloaded or used on government devices as part of last year’s omnibus spending bill, and lawmakers have floated a variety of proposals in recent months that would further restrict or ban the app’s use across the country. 

Wednesday’s bill, however, noticeably avoids imposing an outright ban on TikTok by only restricting data transfers to countries that Commerce deems to be high-risk. 

TikTok has been negotiating with the Committee on Foreign Investment in the United States for at least two years to address national security concerns with its service, and has floated a proposal — known as Project Texas — that would keep U.S. users’ data on domestic servers managed by Oracle. If TikTok maintains Americans’ personal data inside the U.S., then it would not be subjected to the bill’s restrictions. 

Companion legislation to the Protecting Americans’ Data from Foreign Surveillance Act is also poised to be introduced in the House by Reps. Warren Davidson, R-Ohio, and Anna Eshoo, D-Calif.

“Today, there are no laws preventing foreign companies from purchasing and sharing large quantities of Americans’ personal data,” Eshoo said in a statement. “Our national security is at risk, and the bipartisan Protecting Americans’ Data from Foreign Surveillance Act will stop the export of large amounts of Americans’ personal information to foreign adversaries and preserve Americans’ right to privacy.”