Connect with us

Hi, what are you looking for?


Data Protection

New Legislation Would Block US Firms From Storing Personal Data in China, Russia

New legislation introduced this week aims to put a stop to the flow of Americans’ sensitive personal data to countries that threaten national security. 

New legislation introduced this week aims to put a stop to the flow of Americans’ sensitive personal data to countries that threaten national security. 

Introduced by U.S. Senator Josh Hawley (R-Mo.), the National Security and Personal Data Protection Act of 2019 (PDF) would require tech companies to only collect user data necessary for their operations and never transfer the data to countries of concern.

By countries of concern, the bill specifically names China and Russia, and any other country that might threaten America’s national security.

National Security and Personal Data Protection Act of 2019

Under the legislation, technology companies that collect data necessary for operating website, service, or applications should not use the data for any other secondary purpose, including targeted advertising, unnecessarily sharing with a third party, or unnecessarily facilitating facial recognition technology.

Companies would also be required to provide any user with information on the data they have collected on them, and to permanently “delete any user data held by the company that has been collected, directly or indirectly, from the individual.”

The legislation would also prohibit companies from transferring user data or any information that could be used to decipher that data, including encryption keys, to countries of concern, even if the transfer is made through a third country that is not a country of concern.

Additionally, the bill prohibits the storing of user data outside of the United States. 

Advertisement. Scroll to continue reading.

“The company shall not store any user data collected from citizens or residents of the United States or information needed to decipher that data, such as encryption keys, on a server or other data storage device that is located outside of the United States or a country that maintains an agreement with the United States to share data with law enforcement agencies through a process established by law,” the bill reads. 

At least annually, company executives are required to submit to the Federal Trade Commission, the Attorney General of the United States, and the Attorney General of each state, a report that certifies compliance with these requirements. 

Compliance with data collection, secondary uses, transfer, and user access requirements, however, is not needed where “data is collected, used, retained, stored, or shared by a covered technology company solely for the purpose of assisting a law enforcement or military agency that is not affiliated with a country of concern,” the legislation reads. 

The prohibition to transfer user data to countries of concern or store it outside the United States won’t apply to user data that represents content produced by the user to be shared (social media posts, emails, or data related to a transaction), or information needed to decipher that data. 

Companies operating in or affecting interstate or foreign commerce delivering data-based services such as websites or Internet applications, but which are not considered technology companies, are also prohibited from transferring or storing user data collected from individuals in the United States to countries of concern. 

The requirements do not apply to data collected, used, retained, stored, or shared when assisting a law enforcement or military agency not affiliated with a country of concern, or data produced by the user for sharing. 

All of these requirements shall take effect 90 days after the date of enactment of the legislation and shall be enforced by the Federal Trade Commission, the bill also states.

“Current law makes it far too easy for hostile foreign governments like China to access Americans’ sensitive data. Chinese companies with vast amounts of personal data on Americans are required by Chinese law to provide that data to Chinese intelligence services. If your child uses TikTok, there’s a chance the Chinese Communist Party knows where they are, what they look like, what their voices sound like, and what they’re watching. That’s a feature TikTok doesn’t advertise,” Senator Hawley said.

“And it’s not just Chinese companies that create this risk. Chinese law allows the Communist Party to seize data from American companies operating in China whenever it wants, for whatever reason it wants. This legislation takes crucial steps to stop Americans’ sensitive data from falling into the hands of hostile foreign governments,” he continued.

Related: Cybersecurity Has Become a Political Issue for Americans, Survey Shows

Related: The Global Reach of GDPR

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...