A bipartisan group of senators introduced legislation Thursday that would create export controls for sensitive U.S. user data.
The legislation takes aim at growing concerns about data brokers selling data like health information and military member location data to foreign adversaries.
Specifically, the bill would direct the secretary of Commerce to identify which types of personal data could harm U.S. national security and to designate which countries would require a license for exports and which would be denied by default. Risk status would be based on a country’s privacy laws, the foreign government’s ability to compel private entities to share data and whether the nation has hostile intelligence operations against the U.S.
The bill’s sponsors include Sens. Ron Wyden, D-Ore., Cynthia Lummis, R-Wyo., Sheldon Whitehouse, D-R.I., Marco Rubio, R-Fla., and Bill Hagerty, R-Tenn.
“It is common sense to prevent our adversaries from obtaining the highly sensitive personal information of millions of Americans,” co-sponsor Senator Marco Rubio, R-Fla., said in a statement. “We cannot trust private companies to protect Americans’ private data, especially given how many of them do business in China. Our bill would address this massive national security threat and protect Americans’ privacy.”
Justin Sherman, fellow and research lead at Duke’s Sanford School of Policy Data Brokerage Project, said the legislation could push the widely unregulated data broker industry to more widely embrace know-your-customer laws and other compliance standards to make sure they’re not selling to banned actors.
“You should have to know if the data you’re selling is going to customers tracking COVID or some Chinese front,” Sherman told CyberScoop.
The bill only limits direct sales, which means other potential exposure, like a U.S. company using non-sanctioned foreign code or software, would not be covered. The bill also does not address foreign ownership, something already monitored by the interagency Committee on Foreign Investment in the United States.
Congress’s scrutiny of the data broker industry isn’t limited to foreign sales. Wyden has also co-sponsored bills that would prevent data brokers from selling health and location data and prevent police from using data brokers to get around warrants.
Sherman and other experts acknowledged that the bill is not a stand-in for comprehensive privacy legislation, a version of which advanced to the House’s full Energy and Commerce Committee Thursday. But they say the bill is a step in the right direction.
“It is past time that Congress enact a strong, comprehensive privacy law,” Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, wrote in a statement. “But in the meantime we must urgently protect Americans’ personal data from being sold to foreign companies and governments.”
The Commerce Department did not immediately return a request for comment.