Sen Ron Wyden files a bill requiring export controls with respect to certain personal data of United States nationals and individuals in the United States.
Entitled the "Protecting Americans’ Data From Foreign Surveillance Act of 2021" the bill requires:
- Forming a list of categories of personal information which may be exploited by foreign governments.
- Forming a list of countries to which export of personal data would harm national security.
- Forming a quantitative threshold for annual transfers that, if exceed, would harm the national security of the US; and
- Imposing controls will be imposed on export, reexport or in-country transfer of personal data that exceeds the thresholds established. Controls can include: a license or authorization.
What harms national security? Inadequate enforcement of data protection
In assessing whether or not a transfer harms the national security of the US, the US will consider:
- the adequacy and enforcement of data protection, surveillance and export control laws in the foreign country in order to determine whether such protection is sufficient to (a) protect the personal data from accidental loss, theft or unlawful processing; (b) ensure that it is not exploited for intelligence purposes by foreign governments;
- the circumstances under which the government of the foreign country can compel, coerce or pay a person or national of that country to disclose covered personal data
- whether that government had conducted hostile foreign intelligence operations including against the US.
Exceptions to the license /regulation requirement include:
- export by a service provider when it is necessary for the performance of the service.
- export of encrypted data if (a) the encryption key is not exported or transferred and (b) the encryption technology is certified by NIST as capable of protecting the data against exploitation by a foreign government.
- people engaged in journalism to the extent that the restrictions directly infringe the journalism practice.
About that public information - Not included in regulated categories are:
- photos, audio or video recordings in which no individual appearing has a reasonable expectation of privacy.
- personal data that is a matter of public record, such as a court order or other government record that is generally available to the public, including information about an individual made public by that individual or by the news media.
- information about a matter of public interest.
- any other information the publication of which is protected by the first amendment.
Not included in the definition of export are:
- the publication of covered personal data on the internet in a manner that makes the data accessible to any member of the general public.
- any activity protected by the speech or debate clause of the Constitution of the US.
Violations and Exceptions:
- Violations of the law include directing an export but also officers or employees of a company that knew or should have known that another employee was directed to export in violation.
- It includes criminal penalties and a private right of action in District Court if as a result of the export, reexport of in country transfer of covered personal data in violation of the law the person is physically harmed or detained or imprisoned in a foreign country.
- Certain exceptions for intermediaries and applications installed on an electronic device that transmits or causes the transmission of covered personal data without the knowledge of the owner or user of the device who installed the application. In that case, the liability would be that of the developer of the application and not the owner or user of the device.
Article provided by: Odia Kagan (Fox Rothschild, United States)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)