Senator Ron Wyden (D-OR) has proposed bill that would restrict the types of information that technology companies could buy and sell overseas and the countries in which it could be legally sold. The legislation is resourceful and not very specific. However, this indicates growing federal concerns about international data trading.
“Shady data brokers shouldn’t get rich selling American private data to foreign countries that could endanger our national security,” said Sen. Wyden in a statement accompanying the bill. You probably shouldn’t get rich selling Americans’ private information, but national security is a great way to keep the wheels running.
The Act to Protect American Data from Foreign Surveillance would be a first step towards categorizing and protecting consumer data as a commodity traded in the world market. There are currently few controls over what personal data – buying habits, movements, political party – can be sold abroad.
This means that, for example, an American data broker could sell the preferred brands and home addresses of millions of Americans to, for example, a Chinese bank that conducts investment research. Some of this trade is perfectly harmless, even desirable to promote global trade, but when does it become dangerous or exploitative?
There is no official definition of what should and should not be sold to whom, how we restrict the sale of certain intellectual property rights or weapons. The proposed law would first instruct the Minister of Commerce to identify the data we should protect and from which it should be protected.
The general form of proprietary information would be that “if exported by a third party, could compromise US national security”. The countries that would be prohibited from receiving would be those with inadequate data protection and export controls, recent intelligence operations against the US, or laws that allow the government to force the delivery of such information to them. Obviously, this is aimed at people like China and Russia, although ironically, the US fits the bill pretty well.
There would be exceptions for journalism and First Amendment protected language, as well as for encrypted data – for example, storing encrypted messages on servers in one of the target countries. The law would also provide penalties for executives “who knew or should have known” that their company was illegally exporting data, and opening up avenues for people injured or imprisoned in a foreign country for illegally exporting data. For example, this could be the case when another country uses an American facial recognition service to recognize, stop, and arrest someone before they leave.
If this all sounds a bit woolly, it is – but that’s more or less on purpose. It is not for Congress to come up with such definitions as are necessary for a law like this; This duty rests with the expert agencies, who are required to carry out studies and produce reports that Congress can refer to. This law represents the first handful of steps in that direction: making the general shape of things clear and fair warning that certain classes of unsolicited data trafficking will soon be illegal – with an emphasis on executive responsibility for what tech companies take note of should .
The legislation would have to react sensitively to existing regulations with which companies distribute the storage and processing of data for various economic and legal reasons. Free movement of data is necessary to some extent for global businesses that need to interact with each other all the time. To hamper these established processes with bureaucracy or fees, this can be catastrophic for certain locations or companies. Presumably, all of this would come up during the studies, but it serves to show that this is a very complex, not to say fragile, digital ecosystem that the law would try to change.
We are at an early stage in this type of regulation and this bill is only at the beginning of the legislative process. So expect at least a couple of months before we hear more about it.