June 23, 2022

Wyden, Lummis, Whitehouse, Rubio and Hagerty Introduce Bipartisan Legislation to Protect Americans’ Private Data from Hostile Foreign Governments

The Protecting Americans’ Data from Foreign Surveillance Act Creates New Rules for Bulk Exports of Personal Data To Unfriendly Nations

Washington, D.C. – U.S. Senator Ron Wyden, D-Ore., Senator Cynthia Lummis, R-Wyo., Senator Sheldon Whitehouse, D-R.I., Senator Marco Rubio, R-Fla., and Senator Bill Hagerty, R-Tenn., introduced bipartisan legislation today to create new protections against Americans’ sensitive personal information being sold or transferred to high-risk foreign countries.

“Right now it’s perfectly legal for a company in China to buy huge databases of sensitive information from data brokers about the movements or health records of millions of Americans, and then share that information with the Chinese government. That’s a huge problem for our country’s security,” Wyden said. “Our bipartisan legislation sets common-sense guardrails to block bulk exports of private, sensitive information from going to high-risk foreign nations and protect the safety of Americans against foreign criminals and spies. It will empower the United States to build a coalition of trusted allies where information can be shared without fear of misuse by authoritarian actors.”

“Allowing foreign adversaries unrestricted access to Americans’ private, sensitive data places US companies at a competitive disadvantage and threatens our national security. I’m proud to cosponsor the Protecting Americans’ Data from Foreign Surveillance Act to keep your data out of the hands of bad actors like the Chinese Communist Party,” Senator Lummis said.

“Data brokers dolling out Americans’ personal information to companies in foreign nations can be more than a violation of privacy – it can be a serious national security threat. We need sensible rules of the road to prevent our personal data from falling into the wrong hands,” Senator Whitehouse said.

“It is common sense to prevent our adversaries from obtaining the highly sensitive personal information of millions of Americans,” Senator Rubio said. “We cannot trust private companies to protect Americans’ private data, especially given how many of them do business in China. Our bill would address this massive national security threat and protect Americans’ privacy.”

“The ability for foreign companies to legally get their hands on Americans’ sensitive and private information is a dangerous power that puts the American people’s safety and privacy in jeopardy,” Senator Hagerty said. “I’m pleased to work with my colleagues to safeguard Americans’ data from malign foreign actors.”

The legislation is largely similar to a discussion draft released last year, with a number of technical improvements.

The Protecting Americans’ Data from Foreign Surveillance Act:

  • Directs the Secretary of Commerce, in consultation with other key agencies, to identify categories of personal data that, if exported, could harm U.S. national security.
  • Directs the Secretary of Commerce to compile a list of low-risk countries for which exports will be unrestricted and to require licenses for bulk exports of the identified categories of personal data to other countries. Exports to high-risk countries will be presumptively denied. The risk status of countries will be determined based on:
    • the adequacy and enforcement of the country’s privacy and export control laws.
    • the circumstances under which the foreign government can compel, coerce, or pay a person in that country to disclose personal data.
    • whether that foreign government has conducted hostile foreign intelligence operations against the United States.
  • Exempts from the new export rules data encrypted with NIST-approved technology.
  • Ensures the export rules do not apply to journalism & other First Amendment protected speech. 
  • Applies export control penalties to senior executives who knew or should have known that employees below them were directed to illegally export Americans’ personal data.

Wyden is the leading Congressional advocate for securing Americans’ private information against threats from hackers and foreign governments, as well as protecting Americans’ rights against unnecessary government surveillance. He introduced the Mind Your Own Business Act, to provide strong new protections against unauthorized sharing of Americans data for commercial reasons. In 2021, Wyden led a bipartisan investigation into the online advertising industry’s data practices, which revealed that major U.S. online advertising companies are sharing Americans’ web browsing data with foreign companies, including firms in China and Russia.

The bill text is here.

A one page summary of the bill is available here.

A section-by-section summary of the bill is available here.

The bill is endorsed by prominent privacy advocates and experts in national security and in the market for personal information.  

Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC): “U.S. consumers, businesses, and the U.S. government face a dire threat from the unrestricted collection of personal data without adequate legal and technical protections. This data is now the target of foreign adversaries. It is past time that Congress enact a strong, comprehensive privacy law. But in the meantime we must urgently protect Americans' personal data from being sold to foreign companies and governments. The Protecting Americans’ Data From Foreign Surveillance Act will strengthen consumer privacy, democratic institutions, and national security in the United States.”

Tatyana Bolton, Policy Director, Cybersecurity & Emerging Threats, R Street Institute: “Gathering data and using it for nefarious purposes has become the new front of our competition with our adversaries. To protect Americans’ privacy and maintain national security, we must make clear, through policy and law, that American data cannot and should not be used against us. I applaud Senator Wyden for not only for taking the threat seriously, but by standing up and doing something about it through the Protecting American Data from Foreign Surveillance Act.”

Justin Sherman, Fellow and Research Lead, Data Brokerage Project, Duke University Sanford School of Public Policy*: “We should not allow foreign adversaries to purchase highly sensitive data from the open market, from U.S. companies, on hundreds of millions of Americans. Right now, it is far too easy for foreign governments to purchase sensitive data on the demographic information, political preferences, internet search histories, mental health conditions, and GPS movements of American citizens, politicians, judges, government officials, and even intelligence officers and members of the military — all without running into any substantive controls. Senator Wyden’s bill deserves serious attention, as it proposes practical mechanisms to reduce these risks to national security.”

David Hoffman, Steed Family Professor of the Practice of Cybersecurity Policy, Duke University Sanford School of Public Policy*

*affiliations for identification purposes; does not represent the views of Duke University.

###

Press Contact

Keith Chu (202) 224-5244