Senators urged to block data from hostile nations – MeriTalk
Witnesses at a Senate Judiciary Subcommittee hearing on Sept. 14 urged lawmakers to prevent access to personal data of U.S. citizens by foreign powers hostile to the United States.
Members of the Subcommittee on Privacy, Technology and the Law heard several recommendations from witnesses on how to start tackling this task.
Adam Klein, director of the Strauss Center and senior lecturer at the University of Texas Law School at Austin, explained that hostile foreign intelligence services continue to work to collect sensitive personal data from Americans.
Therefore, “Congress should prohibit transfers of sensitive personal data about Americans to a set of listed hostile foreign powers,” he said. Those countries should include, at a minimum, the People’s Republic of China and the Russian Federation, he said.
Klein also recommended that Congress and the Biden administration take steps to dramatically curtail business practices by Chinese companies that could allow Chinese Communist Party (CCP) authorities large-scale access to sensitive U.S. data.
The Biden administration has stressed the importance of protecting Americans’ personal data, but no visible US strategy to that end has emerged.
In part because of the lack of a national strategy to protect citizens’ data, China “beats the United States and its allies when it comes to harnessing data for commercial, technological and military,” said Matt Pottinger, president of the China Program at the Foundation for Defense of Democracies.
Pottinger explained that CCP General Secretary Xi Jinping has long made clear that “whoever controls big data technologies will control resources for development and will have the upper hand.” Therefore, the United States must implement a national strategy that would defend and protect sensitive personal data against the CCP’s data strategy, Pottinger said.
National strategy steps
When implementing a national strategy, Pottinger recommended lawmakers consider the following steps:
- Direct the Treasury Department’s Committee on Foreign Investment in the United States to do more to block Chinese acquisitions and investments in U.S. companies containing sensitive data;
- Order the Department of Commerce to block data feeds that undermine national security;
- Work alongside democratic allies to promote better data sharing between them while limiting dangerous data flows to China;
- Develop a tailored data denial strategy to curb the flow of sensitive data from the United States and its allies to China that can be exploited by the CCP;
- Consider ways to restrict the sale of sensitive personal data of Americans to high-risk entities, including those controlled or subject to the influence of the CCP; and
- Encourage the adoption of standards for the protection of sensitive personal data held in the private sector.
Samm Sacks, senior fellow at Yale Law School’s Paul Tsai China Center, reiterated Pottinger’s recommendation for a national strategy to protect Americans’ sensitive data, and she added that lawmakers need to understand why data is important to more effective data privacy regulations.
“Failing to provide a positive view of data governance in the United States will make the United States less secure, less prosperous, and less powerful, and leave more room in the world for CCP-controlled corporations to win. ground around the world,” Sacks said.
Amendments to the Privacy Bill
However, according to Susan Landau, Bridge Professor of Cybersecurity and Policy at the Fletcher School and Tufts University School of Engineering, Congress has already crafted legislation that could help protect the sensitive personal data of US citizens.
“American states have stepped in with privacy laws. A better solution would be federal legislation, as federal action would provide the necessary uniformity. The current bill before Congress, the US Data Privacy and Protection Act, is a valuable step forward,” Landau said.
The U.S. Data Privacy and Protection Act — introduced by Rep. Frank Pallone, DN.J., in July 2022 — aims to provide consumers with fundamental data privacy rights by creating strong and by establishing a meaningful application. However, the current version of the legislation could be strengthened, Landau explained.
Currently, the legislation allows the transfer of data to third parties with the consent of the person. But consumers are unable to effectively provide informed consent for uses of metadata and telemetry.
The bill’s solution to this problem is to give FTC regulations the ability to expand the definition of covered sensitive data to other categories as needed. Landau suggested that a better solution would be to limit the use of communications metadata and software and device telemetry to the following purposes:
- Delivery and posting of content;
- Ensure that the system is working properly (for example, for debugging purposes);
- Investigate fraud;
- Provide security, including device and user identification for security purposes;
- Modeling to be planned for future services;
- During publicly declared public health emergencies, provide information on the movement of people as a whole for a very limited time only; Where
- Conduct a public or peer-reviewed research project that is in the public interest and complies with all relevant laws and regulations governing such research.
“Such an addition to the current bill would take a strong bill and make it even stronger,” Landau said. “By making Americans’ data more private, that data becomes more secure. This, in turn, enhances national security. It is a win-win for individuals and society.