Wyden, Lummis, Whitehouse, Hagerty, Heinrich and Rubio Introduce Bipartisan Senate Companion Bill to Protect Americans’ Data from Unfriendly Foreign Nations

Washington, D.C. – Reps. Warren Davidson (R-OH) and Anna Eshoo (D-CA) today introduced legislation to protect Americans’ data from being exploited by unfriendly foreign nations, and apply tough criminal and civil penalties to prevent employees of foreign corporations like TikTok from accessing U.S. data from abroad. The Protecting Americans’ Data from Foreign Surveillance Act of 2023 was also introduced in the Senate today by Sen. Ron Wyden and Sen. Cynthia Lummis, along with co-sponsors Sen. Sheldon Whitehouse, Sen. Bill Hagerty, Sen. Martin Heinrich, and Sen. Marco Rubio.  

“Freedom surrendered is rarely reclaimed. This bipartisan legislation represents progress on the effort to protect privacy by banning the export of sensitive personal data. Our data has been sold, hacked, stolen, and exploited by foreign entities—Congress is fighting back,” said Rep. Warren Davidson.

“Today, there are no laws preventing foreign companies from purchasing and sharing large quantities of Americans’ personal data,” said Rep. Eshoo. “Our national security is at risk, and the bipartisan Protecting Americans’ Data from Foreign Surveillance Act will stop the export of large amounts of Americans’ personal information to foreign adversaries and preserve Americans’ right to privacy.”

“Massive pools of Americans’ sensitive information — everything from where we go, to what we buy and what kind of health care services we receive — are for sale to buyers in China, Russia and nearly anyone with a credit card,” Wyden said. “Our bipartisan bill would turn off the tap of data to unfriendly nations, stop TikTok from sending Americans’ personal information to China, and allow nations with strong privacy protections to strengthen their relationships.”

“The privacy and security of our data is essential to the freedoms we hold dear. If foreign adversaries can access our data, they can control it. We need to ensure the data that people in Wyoming put online is not available to nations that threaten our safety and security. With this bipartisan legislation, we will ensure that companies like TikTok are not funneling your personal data to those adversaries,” said Senator Lummis.

“Data brokers dolling out Americans’ personal information to companies in foreign nations can be more than a violation of privacy – it can be a serious national security threat,” said Senator Whitehouse.  “We need sensible rules of the road to prevent our personal data from falling into the wrong hands.”

“The ability for foreign companies to legally obtain Americans’ sensitive and private information undermines national security and infringes personal privacy,” said Senator Hagerty. “I’m pleased to work with my colleagues to protect Americans’ personal data from being weaponized by adversaries.”

“We don’t export advanced technologies or weapon systems to our adversaries for good reason. We shouldn’t allow data brokers to export Americans’ personal data either,” Senator Heinrich said. “This bill would protect Americans’ health care records, geolocations, web browsing activity, and other information from adversaries who could use it for nefarious purposes. Increasingly, data is the new gold – and we need to treat it accordingly.”

“It is common sense to prevent our adversaries from obtaining the highly sensitive personal information of millions of Americans. We cannot trust private companies to protect Americans’ private data, especially given how many of them do business in China. Our bill would address this massive national security threat and protect Americans’ privacy,” said Senator Rubio.

In April 2021, Director of National Intelligence Avril Haines warned of the threat posed by unrestricted commercial data sales: “There’s a concern about foreign adversaries getting commercially-acquired information as well, and [I] am absolutely committed to trying to do everything we can to reduce that possibility.”

The Protecting Americans’ Data From Foreign Surveillance Act of 2023 updates the previously introduced bill to include new protections against foreign-owned companies like TikTok accessing U.S. data from abroad, or sending data to unfriendly foreign nations. This bill:

  • Directs the Secretary of Commerce, in consultation with other key agencies, to identify categories of personal data that, if exported, could harm U.S. national security.
  • Directs the Secretary of Commerce to compile a list of low-risk countries, where data can be shared without restrictions, a list of high-risk countries where exports of sensitive data will be blocked, and create a system to issue licenses for data exports to nations not on either list. The risk status of countries will be determined based on:
    • the adequacy and enforcement of the country’s privacy and export control laws
    • the circumstances under which the foreign government can compel, coerce, or pay a person in that country to disclose personal data
    • whether that foreign government has conducted hostile foreign intelligence operations against the United States.
  • In addition to regulating bulk exports, the bill also regulates all exports of personal data by data brokers and firms like TikTok directly to restricted foreign governments, to parent companies in restricted foreign countries and to persons designated on the Bureau of Industry and Security’s Entity List. 
  • Exempts from the new export rules data encrypted with NIST-approved technology.
  • Ensures the export rules do not apply to journalism and other First Amendment protected speech. 
  • Applies export control penalties to senior executives who knew or should have known that employees below them were directed to illegally export Americans’ personal data.

The bill has been endorsed by the Electronic Privacy Information Center, the R Street Institute and Justin Sherman, senior fellow and data brokerage research lead, and David Hoffman, professor of cybersecurity policy, Duke University Sanford School of Public Policy, experts on the sale and exploitation of Americans’ data.