Sec. 3. Requirement to control the export of certain personal data of United States nationals and individuals in the United States
4,522 words·~21 min read·
/bill/117/s/4495/is/section-3A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Part I of the Export Control Reform Act of 2018 ( 50 U.S.C. 4811 et seq. ) is amended by inserting after section 1758 the following: The Secretary shall, in coordination with the heads of the appropriate Federal agencies, identify categories of personal data of covered individuals that could— be exploited by foreign governments; and if exported, reexported, or in-country transferred in a quantity that exceeds the threshold established under paragraph (3), harm the national security of the United States.
In identifying categories of personal data of covered individuals under paragraph (1), the Secretary, in coordination with the heads of the appropriate Federal agencies, shall— identify an initial list of such categories not later than one year after the date of the enactment of the Protecting Americans' Data From Foreign Surveillance Act of 2022 ; and as appropriate thereafter and not less frequently than every 5 years, add categories to, remove categories from, or modify categories on, that list.
Not later than one year after the date of the enactment of the Protecting Americans' Data From Foreign Surveillance Act of 2022 , the Secretary, in coordination with the heads of the appropriate Federal agencies, shall establish a threshold for determining when the export, reexport, or in-country transfer (in the aggregate) of the personal data of covered individuals by one person to or in a restricted country could harm the national security of the United States. The threshold established under subparagraph
(A)shall be the export, reexport, or in-country transfer (in the aggregate) by one person to or in a restricted country during a calendar year of the personal data of not less than 10,000 covered individuals and not more than 1,000,000 covered individuals. The Secretary, in coordination with the heads of the appropriate Federal agencies, may establish a threshold under subparagraph
(A)for each category of personal data identified under paragraph (1). The Secretary, in coordination with the heads of the appropriate Federal agencies— may update the threshold established under subparagraph
(A)as appropriate; and shall reevaluate the threshold not less frequently than every 5 years. For purposes of determining whether a threshold established under subparagraph
(A)has been met— all exports, reexports, or in-country transfers involving personal data conducted by persons under the ownership or control of the same person shall be aggregated to that person; and that person shall be liable for any export, reexport, or in-country transfer in violation of this section. In establishing a threshold under subparagraph (A), the Secretary, in coordination with the heads of the appropriate Federal agencies, shall seek to balance the need to protect personal data from exploitation by foreign governments against the likelihood of— impacting legitimate business activities, research activities, and other activities that do not harm the national security of the United States; or chilling speech protected by the First Amendment to the Constitution of the United States. The Secretary, in coordination with the heads of the appropriate Federal agencies, shall determine, for each category of personal data identified under paragraph (1), the period of time for which encryption technology described in subsection (b)(4)(A)(iii) is required to be able to protect that category of data from decryption to prevent the exploitation of the data by a foreign government from harming the national security of the United States. In carrying out this subsection (including with respect to the list required under paragraph (2)), the Secretary, in coordination with the heads of the appropriate Federal agencies, shall— use multiple sources of information, including— publicly available information; classified information, including relevant information provided by the Director of National Intelligence; information relating to reviews and investigations of transactions by the Committee on Foreign Investment in the United States under section 721 of the Defense Production Act of 1950 ( 50 U.S.C. 4565 ); the categories of sensitive personal data described in paragraphs (1)(ii) and
(2)of section 800.241(a) of title 31, Code of Federal Regulations, as in effect on the day before the date of the enactment of the Protecting Americans' Data From Foreign Surveillance Act of 2022 , and any categories of sensitive personal data added to such section after such date of enactment; information provided by the advisory committee established pursuant to paragraph (7); and the recommendations (which the Secretary shall request) of— privacy experts identified by the National Academy of Sciences; and experts on the First Amendment to the Constitution of the United States identified by the American Bar Association; and take into account— the significant quantity of personal data of covered individuals that has already been stolen or acquired by foreign governments; the harm to United States national security caused by the theft or acquisition of that personal data; the potential for further harm to United States national security if that personal data were combined with additional sources of personal data; the fact that non-sensitive personal data, when analyzed in the aggregate, can reveal sensitive personal data; and the commercial availability of inferred and derived data. The Secretary shall provide for a public notice and comment period after the publication in the Federal Register of a proposed rule, and before the publication of a final rule— identifying the initial list of categories of personal data under subparagraph
(A)of paragraph (2); adding categories to, removing categories from, or modifying categories on, that list under subparagraph
(B)of that paragraph; establishing or updating the threshold under paragraph (3); or setting forth the period of time for which encryption technology described in subsection (b)(4)(A)(iii) is required under paragraph
(4)to be able to protect such a category of data from decryption. The Secretary shall establish an advisory committee to advise the Secretary with respect to privacy and sensitive personal data. The committee established pursuant to subparagraph
(A)shall include the following members selected by the Secretary: Experts on privacy and cybersecurity. Representatives of private sector companies and industry associations. Representatives of civil society groups. Subsections (a)(1), (a)(3), and
(b)of section 10 and sections 11, 13, and 14 of the Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the advisory committee established pursuant to subparagraph (A). In carrying out this subsection, the Secretary may not treat anonymized personal data differently than identifiable personal data if the individuals to which the anonymized personal data relates could reasonably be identified using other sources of data. The Under Secretary of Commerce for Standards and Technology shall issue guidance to the public with respect to methods for anonymizing data and how to determine if individuals to which the anonymized personal data relates can be reasonably identified using other sources of data. It is the sense of Congress that, in identifying categories of personal data of covered individuals under paragraph (1), the Secretary should, to the extent reasonably possible and in coordination with the Secretary of the Treasury, harmonize those categories with the categories of sensitive personal data described in paragraph (5)(A)(iv). Beginning 18 months after the date of the enactment of the Protecting Americans' Data From Foreign Surveillance Act of 2022 , the Secretary shall impose appropriate controls under the Export Administration Regulations on the export or reexport to, or in-country transfer in, all countries (other than countries on the list required by paragraph (2)(D)) of covered personal data in a manner that exceeds the applicable threshold established under subsection (a)(3), including through interim controls (such as by informing a person that a license is required for export, reexport, or in-country transfer of covered personal data), as appropriate, or by publishing additional regulations. Except as provided in subparagraph
(C)or (D), the Secretary shall— require a license or other authorization for the export, reexport, or in-country transfer of covered personal data in a manner that exceeds the applicable threshold established under subsection (a)(3); determine whether that export, reexport, or in-country transfer is likely to harm the national security of the United States— after consideration of the matters described in subparagraph (B); and in coordination with the heads of the appropriate Federal agencies; and if the Secretary determines under clause
(ii)that the export, reexport, or in-country transfer is likely to harm the national security of the United States, deny the application for the license or other authorization for the export, reexport, or in-country transfer. In determining under clause
(ii)of subparagraph
(A)whether an export, reexport, or in-country transfer of covered personal data described in clause
(i)of that subparagraph is likely to harm the national security of the United States, the Secretary, in coordination with the heads of the appropriate Federal agencies, shall take into account— the adequacy and enforcement of data protection, surveillance, and export control laws in the foreign country to which the covered personal data would be exported or reexported, or in which the covered personal data would be transferred, in order to determine whether such laws, and the enforcement of such laws, are sufficient to— protect the covered personal data from accidental loss, theft, and unauthorized or unlawful processing; ensure that the covered personal data is not exploited for intelligence purposes by foreign governments to the detriment of the national security of the United States; and prevent the reexport of the covered personal data to a third country for which a license would be required for such data to be exported directly from the United States; the circumstances under which the government of the foreign country can compel, coerce, or pay a person in or national of that country to disclose the covered personal data; and whether that government has conducted hostile foreign intelligence operations, including information operations, against the United States. The Secretary shall— require a license or other authorization for the export or reexport to, or in-country transfer in, a country on the list required by clause
(ii)of covered personal data in a manner that exceeds the threshold established under subsection (a)(3); and deny an application for such a license or other authorization unless the person seeking the license or authorization demonstrates to the satisfaction of the Secretary that the export, reexport, or in-country transfer will not harm the national security of the United States. Not later than one year after the date of the enactment of the Protecting Americans' Data From Foreign Surveillance Act of 2022 , the Secretary shall, in consultation with the heads of the appropriate Federal agencies and based on the considerations described in subparagraph (B), establish a list of each country with respect to which the Secretary determines that the export or reexport to, or in-country transfer in, the country of covered personal data in a manner that exceeds the applicable threshold established under subsection (a)(3) will be likely to harm the national security of the United States. The Secretary, in consultation with the heads of the appropriate Federal agencies— may add a country to or remove a country from the list required by subclause
(I)at any time; and shall review that list not less frequently than every 5 years. The Secretary may not require a license or other authorization for the export or reexport to, or in-country transfer in, a country on the list required by clause
(ii)of covered personal data, without regard to the applicable threshold established under subsection (a)(3). Not later than one year after the date of the enactment of the Protecting Americans' Data From Foreign Surveillance Act of 2022 , the Secretary shall, in consultation with the heads of the appropriate Federal agencies and based on the considerations described in subparagraph
(B)and subject to clause (iii), establish a list of each country with respect to which the Secretary determines that the export or reexport to, or in-country transfer in, the country of covered personal data (without regard to any threshold established under subsection (a)(3)) will not harm the national security of the United States. The Secretary, in consultation with the heads of the appropriate Federal agencies— may add a country to or remove a country from the list required by subclause
(I)at any time; and shall review that list not less frequently than every 5 years. The list required by clause
(ii)and any updates to that list adding or removing countries shall take effect, for purposes of clause (i), on the date that is 180 days after the Secretary submits to the appropriate congressional committees a proposal for the list or update unless there is enacted into law, before that date, a joint resolution of disapproval pursuant to subclause (II). In this clause, the term joint resolution of disapproval means a joint resolution the matter after the resolving clause of which is as follows: That Congress does not approve of the proposal of the Secretary with respect to the list required by section 1758A(b)(2)(D)(ii) submitted to Congress on ___. , with the blank space being filled with the appropriate date. The procedures set forth in paragraphs (4)(C), (5), (6), and
(7)of section 2523(d) of title 18, United States Code, apply with respect to a joint resolution of disapproval under this clause to the same extent and in the same manner as such procedures apply to a joint resolution of disapproval under such section 2523(d), except that paragraph
(6)of such section shall be applied and administered by substituting the Committee on Banking, Housing, and Urban Affairs for the Committee on the Judiciary each place it appears. This clause is enacted by Congress— as an exercise of the rulemaking power of the Senate and the House of Representatives, respectively, and as such is deemed a part of the rules of each House, respectively, and supersedes other rules only to the extent that it is inconsistent with such rules; and with full recognition of the constitutional right of either House to change the rules (so far as relating to the procedure of that House) at any time, in the same manner, and to the same extent as in the case of any other rule of that House. The Secretary shall, consistent with the provisions of section 1756 and in coordination with the heads of the appropriate Federal agencies— review applications for a license or other authorization for the export or reexport to, or in-country transfer in, a restricted country of covered personal data in a manner that exceeds the applicable threshold established under subsection (a)(3); and establish procedures for conducting the review of such applications. In the case of an application for a license or other authorization for an export, reexport, or in-country transfer described in subparagraph (A)(i) submitted by or on behalf of a joint venture, joint development agreement, or similar collaborative arrangement, the Secretary may require the applicant to identify, in addition to any foreign person participating in the arrangement, any foreign person with significant ownership interest in a foreign person participating in the arrangement. The Secretary shall not impose under paragraph
(1)a requirement for a license or other authorization with respect to the export, reexport, or in-country transfer of covered personal data pursuant to any of the following transactions: The export, reexport, or in-country transfer by an individual of covered personal data that specifically pertains to that individual. The export, reexport, or in-country transfer of the personal data of one or more individuals by a person performing a service for those individuals if the service could not possibly be performed (as defined by the Secretary in regulations) without the export, reexport, or in-country transfer of that personal data. The export, reexport, or in-country transfer of personal data that is encrypted if— the encryption key or other information necessary to decrypt the data is not exported, reexported, or transferred to a restricted country or (except as provided in subparagraph (B)) a national of a restricted country; and the encryption technology used to protect the data against decryption is certified by the National Institute of Standards and Technology as capable of protecting data for the period of time determined under subsection (a)(4) to be sufficient to prevent the exploitation of the data by a foreign government from harming the national security of the United States. The export, reexport, or in-country transfer of personal data that is ordered by an appropriate court of the United States. Subparagraph (A)(iii)(I) does not apply with respect to an individual who is a national of a restricted country if the individual is also a citizen of the United States or a noncitizen described in subsection (k)(5)(C). In identifying categories of personal data under subsection (a)(1) and imposing appropriate controls under subsection (b), the Secretary, in coordination with the heads of the appropriate Federal agencies, as appropriate— may not regulate or restrict the publication or sharing of— personal data that is a matter of public record, such as a court record or other government record that is generally available to the public, including information about an individual made public by that individual or by the news media; information about a matter of public interest; or consistent with the goal of protecting the national security of the United States, any other information the publication of which is protected by the First Amendment to the Constitution of the United States; and shall consult with the appropriate congressional committees. In addition to any person that commits an unlawful act described in subsection
(a)of section 1760, an officer or employee of an organization has committed an unlawful act subject to penalties under that section if the officer or employee knew or should have known that another employee of the organization who reports, directly or indirectly, to the officer or employee was directed to export, reexport, or in-country transfer covered personal data in violation of this section and subsequently did export, reexport, or in-country transfer such data. An intermediate consignee (as defined in section 772.1 of the Export Administration Regulations (or any successor regulation)) or other intermediary is not liable for the export, reexport, or in-country transfer of covered personal data in violation of this section when acting as an intermediate consignee or other intermediary for another person. In a case in which an application installed on an electronic device transmits or causes the transmission of covered personal data without being directed to do so by the owner or user of the device who installed the application, the developer of the application, and not the owner or user of the device, is liable for any violation of this section. In determining an appropriate term of imprisonment under section 1760(b)(2) with respect to a person for a violation of this section, the court shall consider— how many covered individuals had their covered personal data exported, reexported, or in-country transferred in violation of this section; any harm that resulted from the violation; and the intent of the person in committing the violation. Not less frequently than annually, the Secretary, in coordination with the heads of the appropriate Federal agencies, shall submit to the appropriate congressional committees a report on the results of actions taken pursuant to this section. Each report required by paragraph
(1)shall include a description of the determinations made under subsection (b)(2)(A)(ii) during the preceding year. Each report required by paragraph
(1)shall be submitted in unclassified form but may include a classified annex. Not less frequently than every 90 days, the Secretary shall publish on a publicly accessible website of the Department of Commerce, including in a machine-readable format, the information specified in paragraph (2), with respect to each application— for a license for the export or reexport to, or in-country transfer in, a restricted country of covered personal data in a manner that exceeds the applicable threshold established under subsection (a)(3); and with respect to which the Secretary made a decision in the preceding 90-day period. The information specified in this paragraph with respect to an application described in paragraph
(1)is the following: The name of the applicant. The date of the application. The name of the foreign party to which the applicant sought to export, reexport, or transfer the data. The categories of covered personal data the applicant sought to export, reexport, or transfer. The number of covered individuals whose information the applicant sought to export, reexport, or transfer. Whether the application was approved or denied. A person that is engaged in journalism is not subject to restrictions imposed under this section to the extent that those restrictions directly infringe on the journalism practices of that person. This section does not require a person that provides products or services to an individual to determine the citizenship or immigration status of the individual, but once the person becomes aware that the individual is a covered individual, the person shall treat covered personal data of that individual as is required by this section. Notwithstanding section 1756(c), the Secretary may, to the extent provided in advance in appropriations Acts, assess and collect a fee, in an amount determined by the Secretary in regulations, with respect to each application for a license submitted under subsection (b). Notwithstanding section 3302 of title 31, United States Code, fees collected under paragraph
(1)shall— be credited as offsetting collections to the account providing appropriations for activities carried out under this section; be available, to the extent and in the amounts provided in advance in appropriations Acts, to the Secretary solely for use in carrying out activities under this section; and remain available until expended. The Secretary may prescribe such regulations as are necessary to carry out this section. There are authorized to be appropriated to the Secretary and to the head of each of the appropriate Federal agencies participating in carrying out this section such sums as may be necessary to carry out this section, including to hire additional employees with expertise in privacy. In this section: The term appropriate congressional committees means— the Committee on Banking, Housing, and Urban Affairs, the Committee on Foreign Relations, the Committee on Finance, and the Select Committee on Intelligence of the Senate; and the Committee on Foreign Affairs, the Committee on Ways and Means, and the Permanent Select Committee on Intelligence of the House of Representatives. The term appropriate Federal agencies means the following: The Department of Defense. The Department of State. The Department of Justice. The Department of the Treasury. The Office of the Director of National Intelligence. The Cybersecurity and Infrastructure Security Agency. The Consumer Financial Protection Bureau. The Federal Trade Commission. The Federal Communications Commission. The Department of Health and Human Services. Such other Federal agencies as the Secretary considers appropriate. The term covered individual , with respect to personal data, means an individual who, at the time the data is acquired— is located in the United States; or is— located outside the United States or whose location cannot be determined; and a citizen of the United States or a noncitizen lawfully admitted for permanent residence. The term covered personal data means the categories of personal data of covered individuals identified pursuant to subsection (a). The term export , with respect to covered personal data, includes— subject to subparagraph (D), the shipment or transmission of the data out of the United States, including the sending or taking of the data out of the United States, in any manner, if the shipment or transmission is intentional, without regard to whether the shipment or transmission was intended to go out of the United States; or the release or transfer of the data to any noncitizen (other than a noncitizen described in subparagraph (C)), if the release or transfer is intentional, without regard to whether the release or transfer was intended to be to a noncitizen. The term export does not include— the publication of covered personal data on the internet in a manner that makes the data discoverable by and accessible to any member of the general public; or any activity protected by the speech or debate clause of the Constitution of the United States. A noncitizen described in this subparagraph is a noncitizen who is authorized to be employed in the United States. On and after the date that is 5 years after the date of the enactment of the Protecting Americans' Data From Foreign Surveillance Act of 2022 , and except as provided in clause (iii), the term export includes the transmission of data through a restricted country, without regard to whether the person originating the transmission had knowledge of or control over the path of the transmission. Clause
(i)does not apply with respect to a transmission of data through a restricted country if— the data is encrypted as described in subsection (b)(4)(A)(iii); or the person that originated the transmission received a representation from the party delivering the data for the person stating that the data will not transit through a restricted country. If a party delivering covered personal data as described in clause (ii)(II) transmits the data directly or indirectly through a restricted country despite making the representation described in clause (ii)(II), that party shall be liable for violating this section. The terms in-country transfer and reexport , with respect to personal data, shall have the meanings given those terms in regulations prescribed by the Secretary. The terms lawfully admitted for permanent residence and national have the meanings given those terms in section 101(a) of the Immigration and Nationality Act ( 8 U.S.C. 1101(a) ). The term noncitizen means an individual who is not a citizen or national of the United States. The term restricted country means a country for which a license or other authorization is required under subsection
(b)for the export or reexport to, or in-country transfer in, that country of covered personal data in a manner that exceeds the applicable threshold established under subsection (a)(3). . Section 1752 of the Export Control Reform Act of 2018 ( 50 U.S.C. 4811 ) is amended— in paragraph (1)— in subparagraph (A), by striking ; and and inserting a semicolon; in subparagraph (B), by striking the period at the end and inserting ; and ; and by adding at the end the following: to restrict, notwithstanding section 203(b) of the International Emergency Economic Powers Act ( 50 U.S.C. 1702(b) ), the export of personal data of United States citizens and other covered individuals (as defined in section 1758A(l)) in a quantity and a manner that could harm the national security of the United States. ; and in paragraph (2), by adding at the end the following: To prevent the exploitation of personal data of United States citizens and other covered individuals (as defined in section 1758A(l)) in a quantity and a manner that could harm the national security of the United States. . Section 1754 of the Export Control Reform Act of 2018 ( 50 U.S.C. 4813 ) is amended— in subsection (a)(14), by inserting and subject to subsection
(g)after as warranted ; and by adding at the end the following: The Secretary may create under subsection (a)(14) exceptions to licensing requirements under section 1758A only for the export, reexport, or in-country transfer of covered personal data (as defined in subsection
(l)of that section) by a Federal department or agency. . Section 1754(b) of the Export Control Reform Act of 2018 ( 50 U.S.C. 4813(b) ) is amended by inserting (other than section 1758A) after this part .
Connectionstraces to 5
Citation graph
cites case law
Sec. 3
Requirement to control the export of certain personal data of United States nationals and individuals in the United States
Cites 5Cited by 0 across 0 sources