The US Senate is set to debate a proposal to curtail “unfriendly” foreign companies and governments obtaining US citizens’ personal data. While squarely aimed at ‘adversarial states’ such as China, there’s a chance Europe could be caught in the crosshairs – as conflict continues over the Irish data commission’s lack of bite.
The ‘Protecting Americans’ Data From Foreign Surveillance Act’ draft bill, introduced by Oregon’s Democratic senator Ron Wyden, proposes that sensitive personal data should be subject to export controls set by the Secretary of Commerce. This body should also devise “a list of countries for which exports will be presumptively banned”.
If exported, this data “could be exploited by foreign governments to the detriment of the national security of the United States”, the bill says. “Our country’s intelligence leaders have made it clear that putting Americans’ sensitive information in the hands of unfriendly foreign governments is a major risk to national security,” Wyden explained in a statement.
The proposed legislation would be a major blow to the multi-billion-dollar data-brokering economy, where third-party sellers package up personal data – including location data, browsing history and IP addresses – and sell it on for marketing purposes. “The data brokering business is relatively unregulated in the USA, which is a significant cause for concern as it is believed that the information gathered from data brokers and data breaches – some of which were orchestrated by China – has been compiled into databases by intelligence services in China for ulterior purposes,” says Subhajit Basu, associate professor of information technology law at the University of Leeds.
The bill represents increasing concerns around the weaponisation of personal data of US citizens by foreign adversaries. In April 2021, Wyden and a bipartisan group of senators quizzed online ad exchanges, including Google, Twitter and AT&T, on the sharing of Americans’ data with foreign firms through real-time bidding auctions. “This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns,” the group of senators wrote. CIA officials recently said they believed China was able to use stolen troves of sensitive personal data, such as travel and health data, to identify American spies living in Europe and Africa.
Wariness around the misuse of personal data (as well as geopolitical grandstanding) motivated the Trump administration to try to force Chinese social media app TikTok to divest its American operations. In 2019, the Committee on Foreign Investment instructed Chinese company Beijing Kunlun Tech to sell the dating app Grindr over similar concerns.
US data nationalism: could it affect Europe?
The Irish Council on Civil Liberties (ICCL) has been quick to suggest that the US draft bill is aimed at Ireland’s Data Protection Commission (DPC), due to its ineffectual enforcement of GDPR.
“If Ireland (and any other jurisdiction) is designated as a jurisdiction with inadequate enforcement, then every significant company operating here will be unable to process the data of customers in the United States, unless the company first obtains an export license from the US Department of Commerce,” the ICCL said in a statement. Because of this, it suggested the bill represented a “multi-billion euro threat to the Irish economy”.
Because Ireland is home to major US tech companies, the DPC is a lead regulator in many data privacy cases. But fellow EU regulators and the European Parliament have criticised its performance. “Ireland’s Data Protection Commission’s lacklustre attitude towards enforcement has highlighted weakness in the ‘one-stop-shop’ system of the EU,” says Basu. “It has resulted in a significant backlog with more than 27 cross-border investigations ongoing. This raises significant questions about DPC’s capacity and effectiveness, particularly if it has adequate resources to carry out these very complex and bureaucratic investigations.”
Part of the US Bill uses identical wording to article five of GDPR, where it says the Secretary of Commerce would consider whether a country’s laws are sufficient to “protect the covered personal data from accidental loss, theft, and unauthorised or unlawful processing”. ICCL has interpreted this as targeting Ireland’s weak enforcement of GDPR, but experts Tech Monitor consulted say this is probably a stretch. “It is true that the Irish Data Protection Commissioner’s office has been the subject of criticism for ineffectual enforcement in recent weeks,” says Karen McCullagh, Lecturer in IT, IP and media law at the University of East Anglia. “As for whether Ireland or an EU country would be found to be an inadequate country because of its ineffectual enforcement, that’s a leap too far in my opinion.”
The bill says that export-license requirements would apply only to countries defined as potential security threats, based on the country’s data protection and surveillance laws and whether they have carried out “hostile foreign intelligence operations” against the US. Experts say this means the bill is unlikely to be aimed at Ireland because the country complies with GDPR – the gold standard for data protection – and is not considered hostile by the US. However, Basu says: “There is no question that this bill creates a sense of urgency for DPC to get its act together and start concluding investigations and taking steps towards stricter regulatory actions.”
The EU has twice invalidated the data-sharing agreements between the US and the EU, due to the US’s pervasive surveillance practices and otherwise lax data protections. “It’s kind of amusing that this is the US worrying about foreign powers acquiring US citizen data… when the US continues to insist on being able to read relevant data of non-US citizens where it’s stored outside the US but in US-controlled cloud services (such as AWS or Microsoft Azure) – even though the service providers themselves have been somewhat unhappy about this,” says Lilian Edwards, professor of law, innovation and society at Newcastle University.
Although this is ostensibly for ‘legitimate’ law enforcement purposes, Edwards says the actions of security forces exposed by the Snowden leaks in 2013 showed that non-US data has “long flowed to the US government via US private companies on somewhat dubious grounds”. With this in mind, it would be ironic if the United States decided that Ireland’s data protection mechanisms weren’t strong enough.