Bipartisan bill would protect Americans’ data from export abroad

U.S. Sens. Ron Wyden (D-OR) and Cynthia Lummis (R-WY) introduced legislation on Wednesday to stop “high-risk” foreign countries from exploiting Americans’ data, applying criminal and civil penalties on companies who illegally export digital information.

A bipartisan group of six legislators from both the Senate and the House of Representatives are co-sponsoring the so-called Protecting Americans’ Data from Foreign Surveillance Act of 2023.

“Massive pools of Americans’ sensitive information — everything from where we go, to what we buy and what kind of health care services we receive — are for sale to buyers in China, Russia and nearly anyone with a credit card,” Wyden said in a statement. “Our bipartisan bill would turn off the tap of data to unfriendly nations, stop TikTok from sending Americans’ personal information to China, and allow nations with strong privacy protections to strengthen their relationships.”

A press release announcing the bill condemned data brokers who distribute Americans’ personal information to foreign companies, calling the practice a national security threat.

The bill intends to guard Americans’ health-care records, geolocations, web-browsing activity and other information from adversaries, the release said.

“Increasingly, data is the new gold — and we need to treat it accordingly,” Sen. Martin Heinrich (D-N.M.), a co-sponsor of the bill, said in a statement.

Director of National Intelligence Avril Haines has long cautioned about the threat posed by unrestricted commercial data sales, saying in 2021 that she was “absolutely committed to trying to do everything we can to reduce that possibility.”

The new bill expands on an earlier version of the same legislation by directing the secretary of Commerce to identify categories of personal data that could threaten national security if sent abroad, preventing countries deemed high-risk from receiving sensitive data. The bill also would design a program for licensing data exports to countries not included on either low- or high-risk lists, according to the press release.

Determinations of risk will be based on the substance and enforcement of a given country’s privacy and export control laws as well as whether the foreign government in question “has conducted hostile foreign intelligence operations against the United States,” the release said.

The bill specifically applies export control penalties to senior executives of corporations “who knew or should have known that employees below them were directed to illegally export Americans’ personal data.”

The bill would regulate all exports of personal data by data brokers and firms like TikTok. Data encrypted with technology approved by the National Institute of Standards and Technology would be exempted from the rule. It also specifies that the export rules would not apply to journalism and other First Amendment-protected speech.