Protecting Americans’ Data from Foreign Surveillance Act

King & Spalding

A bipartisan group of U.S. senators introduced legislation on June 23, 2022, to provide the federal government authority to limit or prevent the sale of Americans’ personal data to “high-risk” countries and malign foreign actors.

The bill seeks to amend the Export Control Reform Act of 2018 (50 U.S.C. § 4811 et seq.), which is the basis for U.S. export controls and dual-use items. The bill provides for the Secretary of Commerce (the “Secretary”), in coordination with the appropriate heads of other federal agencies, to identify categories of non-public personal data (anonymous or identifiable) that could be exploited by a foreign government and impact U.S. national security. The bill includes within its scope categories of information capturing personal data above a threshold ranging between 10,000 and 1 million people.

The Secretary must establish the covered categories of data and a list of countries considered high-risk or low-risk. The Secretary will also consider the impact on legitimate business needs and activities that do not harm the United States when establishing the categories and the list. The bill does not apply to journalism or First Amendment-protected speech. If the bill is passed, a notice and comment period will be provided following publication of the proposed rule in the Federal Register and before publication of the final rule.

Licensing Regime

Like other export control measures, the bill includes a licensing regime for exporting covered personal data. An export license is a government authorization that allows a party to export a U.S. item. The Secretary must analyze how the data will be protected, the export destination, and data protection laws of the export destination. The bill also spells out two main factors for a license application to be subject to a presumption of denial: 1) covered data being sent to high-risk countries and 2) the export of covered data which will harm U.S. national security. Where a license is required, the Act would require applicants to disclose “any foreign person with significant ownership interest in a foreign person participating in the arrangement.” This is a potentially burdensome requirement, particularly for the U.S. subsidiaries of foreign companies that plan on exporting covered personal data to China, where ownership can be opaque.

The bill identifies limited situations where a license is not required. A few examples are below:

  • An entity or individual exports covered data that belongs to them;

  • A service provider exports the data of individuals whose data is covered, and the services could not be performed without the export of the covered individuals’ personal data;

  • Encrypted personal data exported in compliance with the National Institute of Standards and Technology (NIST) and not going to a high-risk country; or

  • A U.S. court orders data to be exported.

One controversial aspect of this bill is that the Secretary must publish a list every 90 days of all entities/persons to whom Commerce granted or denied a license application. The information will include the business’ name, date of application, name of the foreign party, categories of covered data, number of covered individuals, and whether the application was approved or denied.

Liable Persons and Penalties

The bill defines which parties would be liable for an unlawful action and criminal penalties for unlawfully exporting covered data. Any persons who violated the Act, or any entity or person who knew or should have known (i.e., executives or supervisors) that an employee was directed to export and exported the covered data, may be subject to liability. The bill states that, for criminal penalties, Commerce should take into account the number of covered individuals whose data was exported, the harm that resulted from the export, and the intent of the person who committed the violation. The bill does not provide specific details on fines and criminal sentencing.

Cyber Security Requirements

In addition to controlling the amount and type of data to be exported, the bill also requires exporters of the data to ensure the security of the data. For example, the export of data may require encryption. The Secretary will issue guidance with respect to methods to anonymize and encrypt data. The bill stipulates that the Secretary will establish an advisory committee to advise the Secretary on privacy and sensitive data issues, including data security. The advisory committee must include members who are experts in privacy and cyber security, representatives of the private sector, and representatives of civil society.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
