Sen. Wyden proposes limits on exportation of Americans’ personal data

Senator Ron Wyden (D-OR) has proposed a draft bill that would limit the types of information that could be bought and sold by tech companies abroad, and the countries it could be legally sold in. The legislation is imaginative and not highly specific, but it indicates growing concern at the federal level over the international data trade.

“Shady data brokers shouldn’t get rich selling Americans’ private data to foreign countries that could use it to threaten our national security,” said Sen. Wyden in a statement accompanying the bill. They probably shouldn’t get rich selling Americans’ private data at all, but national security is a good way to grease the wheels.

The Protecting Americans’ Data From Foreign Surveillance Act would be a first step toward categorizing and protecting consumer data as a commodity that’s traded on the global market. Right now there are few if any controls over what data specific to a person — buying habits, movements, political party — can be sold abroad.

This means that, for instance, an American data broker could sell the preferred brands and home addresses of millions of Americans to, say, a Chinese bank doing investment research. Some of this trade is perfectly innocuous, even desirable in order to promote global commerce, but at what point does it become dangerous or exploitative?

There isn’t any official definition of what should and shouldn’t be sold to whom, the way we limit sales of certain intellectual property or weapons. The proposed law would first direct the secretary of Commerce to identify the data we should be protecting and against whom it should be protected.

The general shape of protected data would be that which “if exported by third parties, could harm U.S. national security.” The countries that would be barred from receiving it would be those with inadequate data protection and export controls, recent intelligence operations against the U.S. or laws that allow the government to compel such information to be handed over to them. Obviously this is aimed at the likes of China and Russia, though ironically the U.S. fits the bill pretty well itself.

There would be exceptions for journalism and First Amendment-protected speech, and for encrypted data — for example storing encrypted messages on servers in one of the targeted countries. The law would also create penalties for executives “who knew or should have known” that their company was illegally exporting data, and create pathways for people harmed or detained in a foreign country owing to illegally exported data. That might be if, say, another country used an American facial recognition service to spot, stop and arrest someone before they left.

If this all sounds a little woolly, it is — but that’s more or less on purpose. It is not for Congress to invent such definitions as are necessary for a law like this one; that duty falls to expert agencies, which must conduct studies and produce reports that Congress can refer to. This law represents the first handful of steps along those lines: getting the general shape of things straight and giving fair warning that certain classes of undesirable data commerce will soon be illegal — with an emphasis on executive responsibility, something that should make tech companies take notice.

The legislation would need to be sensitive to existing arrangements by which companies spread out data storage and processing for various economic and legal reasons. Free movement of data is to a certain extent necessary for globe-spanning businesses that must interact with one another constantly, and to hobble those established processes with red tape or fees might be disastrous to certain locales or businesses. Presumably this would all come up during the studies, but it serves to demonstrate that this is a very complex, not to say delicate, digital ecosystem the law would attempt to modify.

We’re in the early stages of this type of regulation, and this bill is just getting started in the legislative process, so expect a few months at the very least before we hear anything more on this one.