April 15, 2021

Wyden Releases Draft Legislation to Protect Americans’ Personal Data From Hostile Foreign Governments

Washington, D.C. – U.S. Senator Ron Wyden, D-Ore., released a discussion draft of legislation to regulate the export of Americans’ sensitive personal information to potentially hostile foreign nations.

The Protecting Americans’ Data from Foreign Surveillance Act would create new safeguards against exporting sensitive personal information to foreign countries if doing so could harm U.S. national security.

“Shady data brokers shouldn’t get rich selling Americans’ private data to foreign countries that could use it to threaten our national security,” Wyden said. “My bill would set up common sense rules for how and where sensitive data can be shared overseas, to make sure that foreign criminals and spies don’t get their hands on it. This legislation is another piece in a slate of bills I’m introducing this Congress to provide comprehensive protection for Americans’ sensitive information.”

Director of National Intelligence Avril Haines testified on Wednesday that the transfer of personal information to foreign adversaries represents a security threat:

“I agree with you that there’s a concern about foreign adversaries getting commercially-acquired information as well and am absolutely committed to trying to do everything we can to reduce that possibility,” she said, in response to a question from Wyden.

This bill builds on the 2018 Foreign Investment Risk Review Modernization Act, in which Congress directed CFIUS to review and if necessary, stop the purchase of U.S. firms holding large amounts of Americans’ personal data, and an executive order from earlier this year requiring recommendations to restrict the transfer of data to foreign adversaries.

Read the full bill here. Wyden is seeking comments on the proposal at ExportControl_Feedback@wyden.senate.gov.

The draft legislation:

  • Directs the Secretary of Commerce to lead an interagency process to identify categories of personal data that, if exported by third parties, could harm U.S. national security.
  • Directs the Secretary of Commerce to compile a list of countries to which exports of Americans’ personal data would not harm national security, and to require licenses for exports of the identified categories of personal data to other countries in bulk, based on:Exempts from the new export controls any data encrypted with NIST-approved algorithms, if the key protecting the data is not exported.
    • the adequacy and enforcement of data protection, surveillance, and export control laws in the foreign country.
    • the circumstances under which the government of the foreign country can compel, coerce, or pay a person in that country to disclose personal data.
    • whether that government has conducted hostile foreign intelligence operations against the United States.
  • Ensures that the export rules do not apply to journalism and other speech protected by the First Amendment.
  • Applies export control penalties to senior executives who knew or should have known that employees below them were directed to illegally export Americans’ personal data. 
  • Creates a private right of action for individuals who have been physically harmed or arrested or detained in a foreign country as a result of the illegal export of personal data.
  • Requires the Commerce Department to publish quarterly reports on personal data exports.

Wyden is the leading Congressional advocate for securing Americans’ private information, against threats from hackers and foreign governments, as well as protecting Americans’ rights against unnecessary government surveillance. He introduced the Mind Your Own Business Act last year, to provide strong new protections against unauthorized sharing Americans data for commercial reasons.

A one page summary of the bill is available here.

A section-by-section summary of the bill is available here.