Five US senators are set to reintroduce legislation Wednesday that would block companies including TikTok from transferring Americans’ personal data to countries such as China, as part of a proposed broadening of US export controls.
The bipartisan bill led by Oregon Democratic Sen. Ron Wyden and Wyoming Republican Sen. Cynthia Lummis would, for the first time, subject exports of US data to the same type of licensing requirements that govern the sale of military and advanced technologies. It would apply to thousands of companies that rely on routinely transferring data from the United States to other jurisdictions, including data brokers and social media companies.
The legislation comes amid a flurry of proposals to regulate how TikTok and other companies may handle the sensitive and valuable data of Americans — not just their names, email addresses and phone numbers but also potentially their behavioral data such as location information, search and browsing histories and personal interests.
“Massive pools of Americans’ sensitive information — everything from where we go, to what we buy and what kind of health care services we receive — are for sale to buyers in China, Russia and nearly anyone with a credit card,” Wyden said in a statement. “Our bipartisan bill would turn off the tap of data to unfriendly nations, stop TikTok from sending Americans’ personal information to China, and allow nations with strong privacy protections to strengthen their relationships.”
Lawmakers have scrutinized TikTok, in particular, for its ties to China through its parent company, ByteDance. Much of the existing legislation addressing TikTok at the federal and state level has focused on bans of the app. But Wyden’s bill subjecting US data to export licensing could address the issue without wading into the thorny legal issues surrounding a potential ban, an aide said, and simultaneously avoid giving broad new powers to the executive branch.
Wednesday’s legislation, known as the Protecting Americans’ Data From Foreign Surveillance Act, does not identify TikTok by name. Instead, it directs the Commerce Department to maintain lists of countries that are considered trustworthy and untrustworthy for the purposes of receiving US data.
There would be no restrictions applied to personal information transferred to trustworthy states, and no restrictions on individual internet users’ own transfers of their personal data, but companies seeking to transfer Americans’ personal information to countries outside of the trustworthy list would be required to apply for a license. Transfers to countries on the untrustworthy list would be automatically prohibited unless companies could prove they have a valid reason for a transfer, according to a copy of the bill text reviewed by CNN.
Factors the Commerce Department would need to consider when building its lists include whether a country has enough of its own privacy safeguards — reflected in laws, regulations and norms — to prevent sensitive US data from being transferred further to one of the untrustworthy countries. Another factor is whether a country has engaged in “hostile foreign intelligence operations, including information operations, against the United States,” language that appears to refer to China, Russia and other foreign adversaries.
The Commerce Department would also be authorized to identify the specific types of information that would be subject to licensing requirements, based on their sensitivity, as well as how much information a company could transfer to a non-approved country before needing a license.
Indirectly targeting TikTok, and its parent company
A previous version of the bill was introduced last summer. The newest version, the Wyden aide said, includes fresh language that targets TikTok indirectly by prohibiting data transfers from one company to a parent company that may receive data requests from a hostile foreign government, when the company holds data on more than one million users.
TikTok has faced criticism from US officials who say the company’s links to China pose a national security risk. TikTok has said it has never received a request for US user data from the Chinese government and would never comply with such a request.
TikTok has also said it is working on securing US user data by storing it on servers controlled by Oracle and by establishing special US access protocols to prevent unauthorized use of the information.
Should TikTok abide by its plan, known as Project Texas, Wednesday’s legislation would not affect the company, according to the Wyden aide, but if TikTok or ByteDance did seek to move US user data to China, then those transfers would potentially be subject to the proposed Commerce Department restrictions.
Congress has made several attempts in recent months to address data transfers to foreign adversaries. In February, House lawmakers advanced a bill that would all but require the Biden administration to ban TikTok over national security concerns about the app. The next month, Senate lawmakers introduced a bill that would give the Commerce Department wide latitude to assess all foreign-linked technologies and to take virtually any measures, up to and including imposing a nationwide ban, to restrict their domestic use.
Those bills have provoked a backlash from industry and civil liberties groups, as well as among some fellow lawmakers. Among the concerns are their potential impact on Americans’ First Amendment rights and a potential conflict with laws facilitating the free flow of media to and from foreign rivals. Other concerns include whether the breadth of the legislation could give the US government too much power and whether it could end up harming industries that are not the target of the legislation.
Taking a broader approach
The new bill includes language requiring more input from privacy, civil rights and civil liberties experts, said Justin Sherman, founder and CEO of the research firm Global Cyber Strategies and a senior fellow at Duke University’s Sanford School of Public Policy who has seen the bill.
“You don’t load up Excel sheets in a shipping crate and send them to a foreign port,” Sherman said, but data transfers are a “hugely and often ignored problem in national security.”
“We need to get beyond just looking at a couple mobile apps and platforms, and start looking at all parts of this ecosystem, including how data gets sold and transferred,” Sherman added, “and this bill takes an important look at that issue.”
Other senators co-sponsoring Wednesday’s legislation include Rhode Island Democratic Sen. Sheldon Whitehouse, Tennessee Republican Sen. Bill Hagerty, New Mexico Democratic Sen. Martin Heinrich and Florida Republican Sen. Marco Rubio. A companion bill in the House will also be unveiled Wednesday, sponsored by Ohio Republican Rep. Warren Davidson and California Democratic Rep. Anna Eshoo.