Press Releases

Washington, D.C. U.S. Senators Marco Rubio (R-FL), Ron Wyden (D-OR), Cynthia Lummis (R-WY), Sheldon Whitehouse (D-RI), and Bill Hagerty (R-TN) introduced the Protecting Americans’ Data from Foreign Surveillance Act. The bipartisan legislation would create new protections against selling or transferring Americans’ sensitive personal information to high-risk foreign countries. 
 
“It is common sense to prevent our adversaries from obtaining the highly sensitive personal information of millions of Americans,” Rubio said. “We cannot trust private companies to protect Americans’ private data, especially given how many of them do business in China. Our bill would address this massive national security threat and protect Americans’ privacy.”
 
“Right now it’s perfectly legal for a company in China to buy huge databases of sensitive information from data brokers about the movements or health records of millions of Americans, and then share that information with the Chinese government. That’s a huge problem for our country’s security,” Wyden said. “Our bipartisan legislation sets common-sense guardrails to block bulk exports of private, sensitive information from going to high-risk foreign nations and protect the safety of Americans against foreign criminals and spies. It will empower the United States to build a coalition of trusted allies where information can be shared without fear of misuse by authoritarian actors.” 
 
A one page summary of the bill is available here.
 
A section-by-section summary of the bill is available here
 
The Protecting Americans’ Data from Foreign Surveillance Act:
  • Directs the Secretary of Commerce, in consultation with other key agencies, to identify categories of personal data that, if exported, could harm U.S. national security.
  • Directs the Secretary of Commerce to compile a list of low-risk countries for which exports will be unrestricted and to require licenses for bulk exports of the identified, sensitive categories of personal data to other countries. Exports to high-risk countries will be presumptively denied. The risk status of countries will be determined based on:
    • the adequacy and enforcement of the country’s privacy and export control laws.
    • the circumstances under which the foreign government can compel, coerce, or pay a person in that country to disclose personal data.
    • whether that foreign government has conducted hostile foreign intelligence operations against the United States.
  • Exempts from the new export rules certain data encrypted with NIST-approved technology.
  • Ensures the export rules do not apply to journalism & other First Amendment-protected speech. 
  • Applies export control penalties to senior executives who knew or should have known that employees below them were directed to illegally export Americans’ personal data.