Companies with websites or apps subject to Chinese or Russian law couldn’t transfer U.S. residents’ data to those countries or others deemed national security threats under a bill a U.S. senator is unveiling Nov. 18.
Sen. Josh Hawley (R-Mo.) is targeting countries with laws that force companies to store data locally and provide access to it when ordered. Lawmakers and U.S. officials have raised concerns about such laws in China, Russia and other countries, saying they threaten the security of U.S. data.
The National Security and Personal Data Protection Act aims to limit the flow of personal data to such countries. It would prohibit the transfer or storage of user data or encryption keys in designated countries. It also would restrict covered companies from collecting more data than needed to provide a service to their customers.
“Current law makes it far too easy for hostile foreign governments like China to access Americans’ sensitive data,” Hawley said in a statement. “Chinese companies with vast amounts of personal data on Americans are required by Chinese law to provide that data to Chinese intelligence services.”
The bill applies to online data-based services organized in China, Russia, or another country “of concern,” or that’s subject to the laws of such nations. Russia and China are “of concern” under the bill, and the Secretary of State can designate other countries.
“It’s not just Chinese companies that create this risk,” Hawley said. “Chinese law allows the Communist Party to seize data from American companies operating in China whenever it wants, for whatever reason it wants.”
Hawley wants to make it harder for companies in countries such as China to buy certain U.S. businesses as a means of accessing U.S. data. The bill, targeted at social media platforms and data-intensive businesses, would block such mergers by default without pre-approval from the Committee on Foreign Investment in the United States.