US senators introduce bill to further restrict Chinese acquisitions of American personal data
- Marco Rubio of Florida and Raphael Warnock of Georgia seek to extend federal oversight of foreign deals for US businesses handling personal data
- ‘Adversaries like the People’s Republic of China,’ they say, use acquisitions to stockpile data, ‘creating both privacy and national security risks’
Two US senators introduced bipartisan legislation on Tuesday to further restrict Chinese acquisition of American personal data, citing the threat to national security.
The Protecting Sensitive Personal Data Act of 2021, sponsored by Marco Rubio, Republican of Florida, and Raphael Warnock, Democrat of Georgia, aims to expand the oversight authority by the Committee on Foreign Investment in the US (CFIUS), an inter-agency regulator that can compel foreign buyers of US businesses to submit their purchases for review.
The bill, according to the senators, seeks to protect data including genetic test results, health conditions and insurance applications. Other sensitive data would include information about financial hardship, security clearance, geolocation data, private emails, data for generating government identification and credit reports.
CFIUS reviews do not single out Chinese acquisitions, and the legislation does not mention China by name. However, Rubio was not shy about his intent.
“Americans should be deeply concerned about foreign investments in US companies that handle their personal information, which pose a risk of exposing personal data, like genetic testing results and private financial transactions, to harmful actors in China and elsewhere,” Rubio said in the statement.
Warnock added that there was an urgency to protect personal data and information “from foreign entities that may wish to exploit them”.
“Foreign investment is one of the legal means that adversaries, like the People’s Republic of China, use to stockpile Americans’ health care data, creating both privacy and national security risks,” the statement said.
The bipartisan bill is likely to garner strong support in Congress as the governments around the world race to establish their own laws to secure personal data. On Monday, China’s first comprehensive law on personal data – the Personal Information Protection Law – went into effect.
The Chinese law is modelled on the European Union’s General Data Protection Regulation, and largely targets domestic and some foreign companies that own the data. Companies that want to send Chinese personal data overseas, for example, must first obtain approval from the Chinese government.
Some US lawmakers have raised concerns that data-protection regulations are lagging in the US, and could jeopardise US technological leadership and potentially cause security threats if crucial American data is obtained by foreign governments.
CFIUS has stepped up reviews on such deals in recent years. In 2019, for example, the panel required China’s Beijing Kunlun Tech to divest Grindr, a gay dating app it bought for US$245 million, citing concerns that sensitive personal data such as private messages and HIV status could be seen by Beijing and be used against US personnel who used the site.
Tuesday’s legislation signals that at least some in Congress agree the current US oversight on personal data protection needs to go further. The bill seeks an expansion in the mandatory filings by foreign companies acquiring US businesses “that maintain or collect sensitive personal data”.
In February, the National Counterintelligence and Security Centre reportedly warned that China’s collection of health care data from the US, through both legal and illegal means, poses “serious risks not only to the privacy of Americans, but also to the economic and national security of the US”.
Author: Jodi Xu Klein, SCMP