Witnesses at a Senate Judiciary subcommittee hearing on September 14 urged action by lawmakers to wall off access to personal data of United States citizens by foreign powers who are hostile toward the U.S.
Members of the Subcommittee on Privacy, Technology, and the Law heard several recommendations from witnesses on how to begin tackling that task.
Adam Klein, director for the Strauss Center and senior lecturer at the School Of Law at the University of Texas at Austin, explained that hostile foreign intelligence services continue to work to gather the sensitive personal data of Americans.
Therefore, “Congress should prohibit transfers of sensitive personal data concerning Americans to a set of enumerated hostile foreign powers,” he said. Those countries should include, at a minimum, the People’s Republic of China and the Russian Federation, he said.
Klein also recommended that Congress and the Biden administration take action to sharply curtail the business practices of Chinese companies that could enable Chinese Communist Party (CCP) authorities to access sensitive U.S. data at scale.
The Biden administration has underscored the importance of protecting the personal data of Americans, but no visible American strategy toward that end has emerged.
Due in part to the lack of a national strategy to protect citizen data, China is “beating the United States and its allies when it comes to harnessing data to achieve commercial, technological, and military advantages,” said Matt Pottinger, the chairman of the China Program at the Foundation for Defense of Democracies.
Pottinger explained that the CCP’s General Secretary Xi Jinping has for a long time made clear that “whoever controls big data technologies will control the resources for development and have the upper hand.” Therefore, the United States must implement a national strategy that would defend and protect personal sensitive data against the CCP’s data strategy, Pottinger said.
National Strategy Steps
When implementing a national strategy, Pottinger recommended that lawmakers consider the following moves:
- Direct the Treasury Department’s Committee on Foreign Investment in the United States to do more to block Chinese acquisitions of and investments in U.S. companies with sensitive data;
- Direct the Commerce Department to block data flows that undermine national security;
- Work alongside democratic allies to promote enhanced data sharing among themselves while also limiting dangerous data flows to China;
- Develop a tailored data denial strategy to curb the flow of sensitive U.S. and allied data to China that can be exploited by the CCP;
- Consider ways to restrict the sale of Americans’ sensitive personal data to high-risk entities, including those controlled by or subject to the influence of the CCP; and
- Encourage the adoption of standards for the protection of sensitive personal data held in the private sector.
Samm Sacks, a senior fellow at the Paul Tsai China Center at Yale Law School, reiterated Pottinger’s recommendation of a national strategy to protect the sensitive data of Americans, and she added that lawmakers must understand why data matters for more effective data privacy regulations.
“Failure to offer an affirmative vision for U.S. data governance will make the United States less secure, less prosperous, and less powerful, and allow more space around the world for companies controlled by the CCP to gain ground across the world,” Sacks said.
Privacy Bill Tweaks
However, according to Susan Landau, a Bridge Professor in Cybersecurity and Policy at the Fletcher School and the School of Engineering at Tufts University, Congress already has legislation teed up that could help protect the sensitive personal data of American citizens.
“U.S. states have stepped in with privacy laws. A better solution would be a Federal law, for Federal action would provide needed uniformity. The current bill in front of Congress, the American Data Privacy and Protection Act, is a valuable step forward,” Landau said.
The American Data Privacy and Protection Act – introduced by Rep. Frank Pallone, D-N.J., in July 2022 – aims to provide consumers with fundamental data privacy rights by creating strong oversight mechanisms and establishing meaningful enforcement. However, the present version of the legislation could be made stronger, Landau explained.
Currently, the legislation permits transferring data to third parties with the consent of the individual. But consumers are not able to effectively provide informed consent for uses of metadata and telemetry.
The bill’s solution to this issue is to give the FTC rulemaking ability to extend the definition of sensitive covered data to other categories as needed. Landau suggested that a better solution would be to limit the use of communications metadata and software and device telemetry to the following purposes:
- Delivery and display of content;
- Ensuring the system is working properly (e.g., for debugging purposes);
- Investigating fraud;
- Ensuring security, including device and user identification done for security purposes;
- Modeling to provide for future services;
- During publicly declared public health emergencies, providing information on the movement of people in aggregate for a very limited time only; or
- Conducting a public or peer-reviewed research project that is in the public interest and adheres to all relevant laws and regulations governing such research.
“Such an addition to the present bill would take a strong bill and make it even stronger,” Landau said. “By making Americans’ data more private, such data becomes more secure. This, in turn, strengthens national security. That is a win-win for both individuals and society.”