“Our country’s intelligence leaders have made it clear that putting Americans’ sensitive information in the hands of unfriendly foreign governments is a major risk to national security,” Wyden stated. “Shady data brokers shouldn’t get rich selling Americans’ private data to foreign countries that could use it to threaten our national security."
The Protecting Americans’ Data From Foreign Surveillance Act bill “would set up common-sense rules for how and where sensitive data can be shared overseas, to make sure that foreign criminals and spies don’t get their hands on it,” he said.
The bill is one of several data-protection bills Wyden is introducing during this Congressional session. Other bills seek to restrict the sale of personal information to U.S. companies, intelligence agencies and the police.
The bills "could disrupt the multibillion-dollar data-broker economy that seeks to monetize the digital footprints Americans leave behind every day — cellphone locations, browsing histories and credit card purchases that are gathered, bundled and sold for marketing and intelligence purposes without government regulation or oversight and without most people being aware of what information is being shared," sums up The Washington Post.
“Vast troves of personal information about Americans, including records of cell phone locations, credit card purchases, and web browsing, are available for purchase on the open market to both foreign and domestic buyers,” states a summary of the latest bill. “The top U.S counter-intelligence official has said that China is ‘one of the leading collectors of bulk personal data around the globe, using both illegal and legal means.’”
“Right now there are few if any controls over what data specific to a person — buying habits, movements, political party — can be sold abroad,” notes TechCrunch’s Devin Coldewey. “Some of this trade is perfectly innocuous, even desirable in order to promote global commerce, but at what point does it become dangerous or exploitative?”
The draft bill builds on the 2018 Foreign Investment Risk Review Modernization Act, in which Congress directed the Committee on Foreign Investment in the United States (CFIUS) to review and, if necessary, stop the purchase of U.S. firms holding large amounts of Americans’ personal data. It also builds on an executive order from earlier this year requiring recommendations to restrict the transfer of data to foreign adversaries.
The draft includes exceptions for journalism and First Amendment-protected speech, and for encrypted data — storing encrypted messages on servers in one of the targeted countries, for instance.
It provides penalties for executives “who knew or should have known” that their companies were illegally exporting data, and creates a private right of action for individuals physically harmed, arrested or detained in a foreign country as a result of the illegal export of personal data.
The legislation would direct the Secretary of Commerce to lead an interagency process to identify categories of personal data that could harm national security if exported by third parties. That agency would also be directed to compile a list of countries to which exports of Americans’ personal data would not harm national security, and to require licenses for exports of the identified categories of personal data to other countries in bulk.
Licenses would be based on the adequacy and enforcement of data protection, surveillance, and export control laws in the foreign country; the circumstances under which the government of the foreign country can compel, coerce, or pay a person in that country to disclose personal data; and whether that government has conducted hostile foreign intelligence operations against the U.S.
The Commerce Department would be required to publish quarterly reports on personal data exports.