New legislation introduced this week aims to put a stop to the flow of Americans’ sensitive personal data to countries that threaten national security.
Introduced by U.S. Senator Josh Hawley (R-Mo.), the National Security and Personal Data Protection Act of 2019 (PDF) would require tech companies to only collect user data necessary for their operations and never transfer the data to countries of concern.
By countries of concern, the bill specifically names China and Russia, and any other country that might threaten America’s national security.
Under the legislation, technology companies that collect data necessary for operating website, service, or applications should not use the data for any other secondary purpose, including targeted advertising, unnecessarily sharing with a third party, or unnecessarily facilitating facial recognition technology.
Companies would also be required to provide any user with information on the data they have collected on them, and to permanently “delete any user data held by the company that has been collected, directly or indirectly, from the individual.”
The legislation would also prohibit companies from transferring user data or any information that could be used to decipher that data, including encryption keys, to countries of concern, even if the transfer is made through a third country that is not a country of concern.
Additionally, the bill prohibits the storing of user data outside of the United States.
“The company shall not store any user data collected from citizens or residents of the United States or information needed to decipher that data, such as encryption keys, on a server or other data storage device that is located outside of the United States or a country that maintains an agreement with the United States to share data with law enforcement agencies through a process established by law,” the bill reads.
At least annually, company executives are required to submit to the Federal Trade Commission, the Attorney General of the United States, and the Attorney General of each state, a report that certifies compliance with these requirements.
Compliance with data collection, secondary uses, transfer, and user access requirements, however, is not needed where “data is collected, used, retained, stored, or shared by a covered technology company solely for the purpose of assisting a law enforcement or military agency that is not affiliated with a country of concern,” the legislation reads.
The prohibition to transfer user data to countries of concern or store it outside the United States won’t apply to user data that represents content produced by the user to be shared (social media posts, emails, or data related to a transaction), or information needed to decipher that data.
Companies operating in or affecting interstate or foreign commerce delivering data-based services such as websites or Internet applications, but which are not considered technology companies, are also prohibited from transferring or storing user data collected from individuals in the United States to countries of concern.
The requirements do not apply to data collected, used, retained, stored, or shared when assisting a law enforcement or military agency not affiliated with a country of concern, or data produced by the user for sharing.
All of these requirements shall take effect 90 days after the date of enactment of the legislation and shall be enforced by the Federal Trade Commission, the bill also states.
“Current law makes it far too easy for hostile foreign governments like China to access Americans’ sensitive data. Chinese companies with vast amounts of personal data on Americans are required by Chinese law to provide that data to Chinese intelligence services. If your child uses TikTok, there’s a chance the Chinese Communist Party knows where they are, what they look like, what their voices sound like, and what they’re watching. That’s a feature TikTok doesn’t advertise,” Senator Hawley said.
“And it’s not just Chinese companies that create this risk. Chinese law allows the Communist Party to seize data from American companies operating in China whenever it wants, for whatever reason it wants. This legislation takes crucial steps to stop Americans’ sensitive data from falling into the hands of hostile foreign governments,” he continued.
Related: Cybersecurity Has Become a Political Issue for Americans, Survey Shows
Related: The Global Reach of GDPR