Five US senators recently introduced legislation that would amend US export control laws to protect sensitive personal data. The bipartisan bill, titled the Protecting Americans’ Data from Foreign Surveillance Act of 2022, would provide additional authorities to the secretary of commerce, who is already charged with administering the US export control regime.
The legislation first directs the secretary of commerce to identify, in consultation with other agencies, categories of personal data that, if exported, could harm US national security, as well as a threshold of the number of individuals whose data in the aggregate could be used to harm national security. Although the legislation establishes a presumption of denial of such exports to high-risk countries, it also requires the secretary of commerce to compile a list of low-risk countries to which such exports are unrestricted.
The legislation further exempts data encrypted with technology approved by the National Institute of Standards and Technology (NIST), if such encryption is capable of protecting data for a period of time determined by the secretary of commerce in coordination with other agencies. For countries that are designated as neither high- nor low-risk, the legislation requires licenses for bulk exports of the identified categories of sensitive personal data. To offset costs incurred by the Department of Commerce in implementing the new authority, the bill permits the Department of Commerce to charge fees for data export licenses.
To determine the risk status of countries, the bill lists the following factors: the adequacy and enforcement of a country’s privacy and export control laws; the circumstances under which the country can compel, coerce, or pay a person in that country to disclose personal data; and whether a country has conducted hostile foreign intelligence operations against the United States, which includes information operations.
An interesting provision of the bill is that it would not apply to journalism or to other types of speech protected by the First Amendment. This provision is intended to protect the legislation from being challenged as a violation of a provision of the Export Control Reform Act of 2018 (ECRA) (codified at 50 USC § 4817(b)(4)(A)(i)), that incorporates by reference the type of “personal communication” and “informational materials” described in the International Emergency Economic Powers Act (IEEPA). 50 USC § 1702(b).
The new authority conferred by the Act would be, to put it mildly, a novel expansion of current export control laws and of the way export control laws have historically been used to advance US policy objectives. The “items” typically controlled for export are defined by ECRA as “commodities, software, or technology,” and the general objective of the US government is to prevent dual-use items from being exported to an adversary nation that could use such items to the detriment of US national security.
Although the Act would therefore be a departure from the technology transfer and other concerns that have traditionally formed the basis for export controls, its focus on sensitive personal data is consistent with myriad other US government actions over the past few years to protect such data. For instance, a major component of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) was the new jurisdiction it gave the Committee on Foreign Investment in the United States (CFIUS) to review even non-controlling but non-passive transactions that involve sensitive personal data. Similarly, reviews by the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (CAFPUSTSS, more commonly known as Team Telecom) focus heavily on the potential for foreign adversaries to access US persons’ sensitive personal data as a result of Federal Communications Commission (FCC) licenses.
The US government also gave the secretary of commerce new authorities to review transactions involving information and communications technology and services (ICTS) that present supply chain risk, in large part to fill an authorities gap that existed because certain high-risk transactions fell under the authority of neither CFIUS nor Team Telecom. That authority, contained in Executive Order 13873 and its implementing regulations, enables the secretary of commerce to review transactions separate and apart from the secretary’s export control authorities, and it is anticipated that reviews of such transactions would include the risk to sensitive personal data.
There have been reports that the White House is also considering a new executive order that would give the Department of Justice new authorities to prevent foreign adversaries from accessing sensitive personal data. Interestingly, that reporting notes that the draft executive order comes as administration officials have grown frustrated with the Department of Commerce over delays in issuing rules and investigating transactions under the ICTS supply chain executive order discussed above. The new legislation introduced last month, if enacted, could potentially avoid similar delays by using as a vehicle the export control regime that the Department of Commerce has more experience in administering.
Like all draft bills, the Protecting Americans’ Data from Foreign Surveillance Act of 2022 may or may not progress in Congress, and it is too early at this point to predict whether the bill will garner sufficient support to stand any chance of passing. However, it is worth watching closely, because its significant expansion of US export control laws could potentially open up huge new swaths of transactions to regulatory action.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Carl A. Valenstein