Federal Legislation Would Impose Limits on Transfers of Personal Data From the U.S.April 15, 2021 – Alerts
U.S. Sen. Ron Wyden has introduced legislation requiring export controls with respect to certain personal data of United States nationals and individuals in the U.S.
Titled the "Protecting Americans’ Data From Foreign Surveillance Act of 2021," the bill requires:
- Formation of a list of categories of personal information that may be exploited by foreign governments.
- Formation of a list of countries to which export of personal data would harm national security.
- Formation of a quantitative threshold for annual transfers that, if exceeded, would harm U.S. national security
- Imposition of controls on export, reexport or in-country transfer of personal data that exceeds the thresholds established. Controls can include a license or authorization.
What harms national security? Inadequate enforcement of data protection.
In assessing whether or not a transfer harms the national security of the U.S., the U.S. would consider:
- The adequacy and enforcement of data protection, surveillance and export control laws in the foreign country in order to determine whether such protection is sufficient to (a) protect the personal data from accidental loss, theft or unlawful processing; and (b) ensure that it is not exploited for intelligence purposes by foreign governments.
- The circumstances under which the government of the foreign country can compel, coerce or pay a person or national of that country to disclose covered personal data.
- Whether that government had conducted hostile foreign intelligence operations including against the U.S.
Exceptions to the License/Regulation Requirement
- Export by a service provider when it is necessary for the performance of the service.
- Export of encrypted data if (a) the encryption key is not exported or transferred and (b) the encryption technology is certified by NIST as capable of protecting the data against exploitation by a foreign government.
- People engaged in journalism to the extent that the restrictions directly infringe the journalism practice.
Public Information Not Included in Regulated Categories
- Photos, audio or video recordings in which no individual appearing has a reasonable expectation of privacy.
- Personal data that is a matter of public record, such as a court order or other government record that is generally available to the public, including information about an individual made public by that individual or by the news media.
- Information about a matter of public interest.
- Any other information the publication of which is protected by the First Amendment.
Not Included in the Definition of Export
- The publication of covered personal data on the internet in a manner that makes the data accessible to any member of the general public.
- Any activity protected by the speech or debate clause of the U.S. Constitution.
Violations and Exceptions
- Violations of the law include directing an export, but officers or employees of a company who knew or should have known that another employee was directed to export in violation, can also be determined to be in violation.
- Includes criminal penalties and a private right of action in U.S. District Court if as a result of the export, reexport or in-country transfer of covered personal data in violation of the law, the person is physically harmed or detained or imprisoned in a foreign country.
- Provides certain exceptions for intermediaries and applications installed on an electronic device that transmits or causes the transmission of covered personal data without the knowledge of the owner or user of the device who installed the application. In that case, the developer of the application and not the owner or user of the device would be liable.
Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the firm's GDPR Compliance & International Privacy Practice. For questions about this alert or other issues relating to data transfers, she can be reached at 215.444.7313 or [email protected].