
Ireland’s lax data protection enforcement may deprive digital sector of US data

24 June 2022

Senior U.S. Senators[1] from both parties introduced legislation yesterday to protect American citizens’ data from being processed in countries with lax data protection enforcement. This threatens Ireland’s digital sector. 

The Protecting Americans’ Data From Foreign Surveillance Bill introduces a new test of whether a country’s enforcement of data protection law is “sufficient to protect the covered personal data from accidental loss, theft, and authorized or unlawful processing”.[2] This is intended to protect US citizens and US national security.  

This test uses language that is taken almost directly from the EU GDPR’s security principle, which requires "appropriate security ... including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage".[3] 

“Countries that do not meet this standard will have to apply for the same kind of export license that is required to export nuclear materials”,[4] said Dr Johnny Ryan of ICCL.

“Ireland, and the EU, should take notice. Given the criticism of the Data Protection Commission there is a clear risk that Ireland will face difficulty under this test”.

Any country found to inadequately enforce data protection law will be subject to the same export controls that the US applies to nuclear material and dual-use (military) technologies under the US Export Control Reform Act of 2018. 

US Senators are concerned about Real-Time Bidding and security of personal data

The Senators’ explanatory note accompanying the Bill[5] includes a link to lawmakers’ 2020 letter requesting urgent investigation of the massive online “Real-Time Bidding” (RTB) data breach.[6]

ICCL has taken the Irish Data Protection Commission to the High Court for failing to properly enforce the GDPR’s security principle against this technology – the same principle that now forms part of the test that determines whether a country can freely process the data of US citizens.

Bi-partisan support

The Protecting Americans’ Data From Foreign Surveillance Bill is backed by senior Senators from both the Democrat and Republican parties. Its co-sponsors include the most senior Republicans on the Senate Intelligence Committee and the Banking Subcommittee responsible for export controls, and the most senior Democrat on the Senate Finance Committee. The Bill is closely modelled on a discussion draft from Senator Ron Wyden circulated in April 2021.

 

For comment:
Dr Johnny Ryan, ICCL
johnny.ryan@iccl.ie


Notes 

[1] Senator Ron Wyden, D-Ore., Senator Cynthia Lummis, R-Wyo., Senator Sheldon Whitehouse, D-R.I., Senator Marco Rubio, R-Fla., and Senator Bill Hagerty, R-Tenn.

[2] §(2)(B)(i)(I) of the Protecting Americans’ Data From Foreign Surveillance Bill. Text of Bill at https://www.wyden.senate.gov/imo/media/doc/Protecting%20Americans%20Data%20From%20Foreign%20Surveillance%20Act%20Text.pdf.

[3] GDPR, Article 5(1)(f).

[4] US Export Control Reform Act of 2018.

[5] “One pager - The Protecting Americans’ Data From Foreign Surveillance Act”, 23 June 2022 (URL: https://www.wyden.senate.gov/imo/media/doc/One%20Pager%20Protecting%20Americans%20Data%20From%20Foreign%20Surveillance.pdf).

[6] Senators Wyden, Cantwell, Warren, Cassidy, Brown, Markey, and Congress Members Eshoo, Lofgren, Clarke, Khanna to FTC Chairman Simons, regarding Real Time Bidding, 31 July 2020 (URL: https://www.wyden.senate.gov/imo/media/doc/073120%20Wyden%20Cassidy%20Led%20FTC%20Investigation%20letter.pdf?source=email).