The move could disrupt the multibillion-dollar data-broker economy that seeks to monetize the digital footprints Americans leave behind every day — cellphone locations, browsing histories and credit card purchases that are gathered, bundled and sold for marketing and intelligence purposes without government regulation or oversight and without most people being aware of what information is being shared.
“Our country’s intelligence leaders have made it clear that putting Americans’ sensitive information in the hands of unfriendly foreign governments is a major risk to national security,” Wyden said in a statement. The new legislation, he added, would “ensure that countries that can’t be trusted with Americans’ private information don’t get it.”
The proposal, the Protecting Americans’ Data From Foreign Surveillance Act, would effectively treat large volumes of personal data with the same caution as powerful technology or weaponry, regulating it under existing export-control laws that would govern its purchase and trade, according to a copy of the draft bill reviewed by The Washington Post.
The proposal would direct the Commerce Department to identify what kinds of personal data could harm national security if exported overseas, with exemptions for some encrypted data and First Amendment-protected speech.
The export-license requirements would apply only to countries designated as potential security threats, based on the countries’ data-protection and surveillance laws; whether they had conducted “hostile foreign intelligence operations” against the United States; and the extent to which the countries’ governments can “compel, coerce or pay” people within the country to hand over personal data.
The bill also would require U.S. advertisers to obtain export licenses before companies in those “unfriendly” foreign countries could receive ad-targeting data that estimates Americans’ tastes and preferences. If U.S. regulators denied those requests, the exports would be blocked.
The bill would include penalties for senior executives at companies where employees illegally exported Americans’ personal data, and would offer potential legal remedies to people who were detained, imprisoned or physically harmed as a result of the illegal data trade.
The draft bill could change substantively during a rulemaking process and carries no guarantee of approval. But the proposal could require potentially massive changes for America’s largest tech giants, data brokers and other companies that have made data sales a key part of their business.
Federal authorities have alleged that state-sponsored cyberattacks by China and other countries were designed to gather Americans’ personal information en masse. Regulators have also moved to block foreign companies from buying U.S.-based firms that hold large caches of personal data, on the basis that the transaction could expose sensitive details about Americans’ personal lives.
However, no laws block foreign buyers from paying for just the information itself. William Evanina, the former director of the U.S. National Counterintelligence and Security Center, told Foreign Policy magazine in December that China was “one of the leading collectors of bulk personal data around the globe, using both illegal and legal means.”
The Committee on Foreign Investment in the United States forced a Chinese company to sell the gay-dating app Grindr in 2019 over concerns about what personal data the site shared. And last year, the Trump administration ordered the Beijing-based tech giant ByteDance to sell its wildly popular video app TikTok; the company has challenged that demand in court.
A Wyden aide said the proposal’s export restrictions could impose criminal penalties if TikTok’s U.S. branch sent Americans’ data to China or shared it with Chinese partner companies. (TikTok officials have said that they store American user data in Virginia and Singapore, and that the company’s U.S.-based teams operate independently from their Chinese ownership.)
A separate Wyden-backed bill, the Fourth Amendment Is Not for Sale Act, would cover the sale of Americans’ personal data to U.S. law enforcement and intelligence agencies. Another bill first circulated by Wyden in 2018, the Mind Your Own Business Act, would cover the gathering and sharing of Americans’ personal information by U.S. companies.
Speaking to Wyden at a Senate Intelligence Committee hearing on Wednesday, Director of National Intelligence Avril Haines said that “there’s a concern about foreign adversaries getting commercially acquired information,” and that the intelligence community was “absolutely committed to trying to do everything we can to reduce that possibility.”
Asked about rules governing the way Americans’ personal data can be purchased and used by the U.S. government, Haines called for a “framework that is clear and that has privacy and civil liberties at its heart and also addresses the functionality of it for the intelligence community.”
Those rules, she said, should allow “the American public to see what the framework is, essentially, even if they don’t have visibility into the particular transactions or what we’re doing to push for that.”
Discussion of the bill further highlights how government officials, both foreign and domestic, have used commercially run databases to access and amass personal information at a huge scale.
U.S. Immigration and Customs Enforcement officers have tapped a private database containing hundreds of millions of Americans’ phone, water and utility records, The Post reported in February. And officials with the Defense Intelligence Agency, the Department of Homeland Security and other agencies have tracked people without a warrant by buying cellphone location records from private marketplaces that gather data through a jumble of weather and gaming apps.
It’s unclear how much of Americans’ personal data is transferred legally in this way. Wyden and a bipartisan group of lawmakers sent letters this month to major online advertising exchanges seeking details on how ad-targeting data could be bought and compiled by foreign firms. In a January speech, Wyden criticized how governments can buy “the private records of Americans from these sleazy and unregulated commercial data brokers who are simply above the law.”
Justin Sherman, a cyber-policy fellow at Duke University’s Technology Policy Lab, said an export-control change could address one major threat but may not cover all of the ways that personal data is gathered, bundled, licensed, shared, sold and transmitted across the Internet, including through an opaque market of apps, ad networks, data brokers and other operations most Americans know nothing about.
“Direct collection or direct purchasing by a foreign company is one vector, but it’s obviously not the only one,” Sherman said. “If we really want to tackle these kinds of risks, we have to talk about the whole ecosystem.”