[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 1974 Introduced in Senate (IS)]
<DOC>
118th CONGRESS
1st Session
S. 1974
To amend the Export Control Reform Act of 2018 to require export
controls with respect to certain personal data of United States
nationals and individuals in the United States, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 14, 2023
Mr. Wyden (for himself, Ms. Lummis, Mr. Whitehouse, Mr. Hagerty, Mr.
Heinrich, and Mr. Rubio) introduced the following bill; which was read
twice and referred to the Committee on Banking, Housing, and Urban
Affairs
_______________________________________________________________________
A BILL
To amend the Export Control Reform Act of 2018 to require export
controls with respect to certain personal data of United States
nationals and individuals in the United States, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Protecting Americans' Data From
Foreign Surveillance Act of 2023''.
SEC. 2. SENSE OF CONGRESS.
It is the sense of Congress that--
(1) accelerating technological trends have made sensitive
personal data an especially valuable input to activities that
foreign adversaries of the United States undertake to threaten
both the national security of the United States and the privacy
that the people of the United States cherish;
(2) it is therefore essential to the safety of the United
States and the people of the United States to ensure that the
United States Government makes every effort to prevent
sensitive personal data from falling into the hands of malign
foreign actors; and
(3) because allies of the United States face similar
challenges, in implementing this Act, the United States
Government should explore the establishment of a shared zone of
mutual trust with respect to sensitive personal data.
SEC. 3. REQUIREMENT TO CONTROL THE EXPORT OF CERTAIN PERSONAL DATA OF
UNITED STATES NATIONALS AND INDIVIDUALS IN THE UNITED
STATES.
(a) In General.--Part I of the Export Control Reform Act of 2018
(50 U.S.C. 4811 et seq.) is amended by inserting after section 1758 the
following:
``SEC. 1758A. REQUIREMENT TO CONTROL THE EXPORT OF CERTAIN PERSONAL
DATA OF UNITED STATES NATIONALS AND INDIVIDUALS IN THE
UNITED STATES.
``(a) Identification of Categories of Personal Data.--
``(1) In general.--The Secretary shall, in coordination
with the heads of the appropriate Federal agencies, identify
categories of personal data of covered individuals that could--
``(A) be exploited by foreign governments or
foreign adversaries; and
``(B) if exported, reexported, or in-country
transferred in a quantity that exceeds the threshold
established under paragraph (3), harm the national
security of the United States.
``(2) List required.--In identifying categories of personal
data of covered individuals under paragraph (1), the Secretary,
in coordination with the heads of the appropriate Federal
agencies, shall--
``(A) identify an initial list of such categories
not later than one year after the date of the enactment
of the Protecting Americans' Data From Foreign
Surveillance Act of 2023; and
``(B) as appropriate thereafter and not less
frequently than every 5 years, add categories to,
remove categories from, or modify categories on, that
list.
``(3) Establishment of threshold.--
``(A) Establishment.--Not later than one year after
the date of the enactment of the Protecting Americans'
Data From Foreign Surveillance Act of 2023, the
Secretary, in coordination with the heads of the
appropriate Federal agencies, shall establish a
threshold for determining when the export, reexport, or
in-country transfer (in the aggregate) of the personal
data of covered individuals by one person to or in a
restricted country could harm the national security of
the United States.
``(B) Number of covered individuals affected.--
``(i) In general.--Except as provided by
clause (ii), the Secretary shall establish the
threshold under subparagraph (A) so that the
threshold is--
``(I) not lower than the export,
reexport, or in-country transfer (in
the aggregate) by one person to or in a
restricted country during a calendar
year of the personal data of 10,000
covered individuals; and
``(II) not higher than the export,
reexport, or in-country transfer (in
the aggregate) by one person to or in a
restricted country during a calendar
year of the personal data of 1,000,000
covered individuals.
``(ii) Exports by certain foreign
persons.--In the case of a person that
possesses the data of more than 1,000,000
covered individuals, the threshold established
under subparagraph (A) shall be one export,
reexport, or in-country transfer of personal
data to or in a restricted country by that
person during a calendar year if the export,
reexport, or in-country transfer is to--
``(I) the government of a
restricted country;
``(II) a foreign person that owns
or controls the person conducting the
export, reexport, or in-country
transfer and that person knows, or
should know, that the export, reexport,
or in-country transfer of the personal
data was requested by the foreign
person to comply with a request from
the government of a restricted country;
or
``(III) an entity on the Entity
List maintained by the Bureau of
Industry and Security of the Department
of Commerce and set forth in Supplement
No. 4 to part 744 of the Export
Administration Regulations.
``(C) Category thresholds.--The Secretary, in
coordination with the heads of the appropriate Federal
agencies, may establish a threshold under subparagraph
(A) for each category (or combination of categories) of
personal data identified under paragraph (1).
``(D) Updates.--The Secretary, in coordination with
the heads of the appropriate Federal agencies--
``(i) may update a threshold established
under subparagraph (A) as appropriate; and
``(ii) shall reevaluate the threshold not
less frequently than every 5 years.
``(E) Treatment of persons under common ownership
as one person.--For purposes of determining whether a
threshold established under subparagraph (A) has been
met--
``(i) all exports, reexports, or in-country
transfers involving personal data conducted by
persons under the ownership or control of the
same person shall be aggregated to that person;
and
``(ii) that person shall be liable for any
export, reexport, or in-country transfer in
violation of this section.
``(F) Considerations.--In establishing a threshold
under subparagraph (A), the Secretary, in coordination
with the heads of the appropriate Federal agencies,
shall seek to balance the need to protect personal data
from exploitation by foreign governments and foreign
adversaries against the likelihood of--
``(i) impacting legitimate business
activities, research activities, and other
activities that do not harm the national
security of the United States; or
``(ii) chilling speech protected by the
First Amendment to the Constitution of the
United States.
``(4) Determination of period for protection.--The
Secretary, in coordination with the heads of the appropriate
Federal agencies, shall determine, for each category (or
combination of categories) of personal data identified under
paragraph (1), the period of time for which encryption
technology described in subsection (b)(4)(A)(iii) is required
to be able to protect that category (or combination of
categories) of data from decryption to prevent the exploitation
of the data by a foreign government or foreign adversary from
harming the national security of the United States.
``(5) Use of information; considerations.--In carrying out
this subsection (including with respect to the list required
under paragraph (2)), the Secretary, in coordination with the
heads of the appropriate Federal agencies, shall--
``(A) use multiple sources of information,
including--
``(i) publicly available information;
``(ii) classified information, including
relevant information provided by the Director
of National Intelligence;
``(iii) information relating to reviews and
investigations of transactions by the Committee
on Foreign Investment in the United States
under section 721 of the Defense Production Act
of 1950 (50 U.S.C. 4565);
``(iv) the categories of sensitive personal
data described in paragraphs (1)(ii) and (2) of
section 800.241(a) of title 31, Code of Federal
Regulations, as in effect on the day before the
date of the enactment of the Protecting
Americans' Data From Foreign Surveillance Act
of 2023, and any categories of sensitive
personal data added to such section after such
date of enactment;
``(v) information provided by the advisory
committee established pursuant to paragraph
(7); and
``(vi) the recommendations (which the
Secretary shall request) of--
``(I) experts in privacy, civil
rights, and civil liberties, identified
by the National Academy of Sciences;
and
``(II) experts on the First
Amendment to the Constitution of the
United States identified by the
American Bar Association; and
``(B) take into account--
``(i) the significant quantity of personal
data of covered individuals that is publicly
available by law or has already been stolen or
acquired by foreign governments or foreign
adversaries;
``(ii) the harm to United States national
security caused by the theft or acquisition of
that personal data;
``(iii) the potential for further harm to
United States national security if that
personal data were combined with additional
sources of personal data;
``(iv) the fact that non-sensitive personal
data, when analyzed in the aggregate, can
reveal sensitive personal data;
``(v) the commercial availability of
inferred and derived data; and
``(vi) the potential for especially
significant harm from data and inferences
related to sensitive domains, such as health,
work, education, criminal justice, and finance.
``(6) Notice and comment period.--The Secretary shall
provide for a public notice and comment period after the
publication in the Federal Register of a proposed rule, and
before the publication of a final rule--
``(A) identifying the initial list of categories of
personal data under subparagraph (A) of paragraph (2);
``(B) adding categories to, removing categories
from, or modifying categories on, that list under
subparagraph (B) of that paragraph;
``(C) establishing or updating the threshold under
paragraph (3); or
``(D) setting forth the period of time for which
encryption technology described in subsection
(b)(4)(A)(iii) is required under paragraph (4) to be
able to protect such a category of data from
decryption.
``(7) Advisory committee.--
``(A) In general.--The Secretary shall establish an
advisory committee to advise the Secretary with respect
to privacy and sensitive personal data.
``(B) Membership.--The committee established
pursuant to subparagraph (A) shall include the
following members selected by the Secretary:
``(i) Experts on privacy and cybersecurity.
``(ii) Representatives of United States
private sector companies, industry
associations, and scholarly societies.
``(iii) Representatives of civil society
groups, including such groups focused on
protecting civil rights and civil liberties.
``(C) Applicability of federal advisory committee
act.--Subsections (a)(1), (a)(3), and (b) of section 10
and sections 11, 13, and 14 of the Federal Advisory
Committee Act (5 U.S.C. App.) shall not apply to the
advisory committee established pursuant to subparagraph
(A).
``(8) Treatment of anonymized personal data.--
``(A) In general.--In carrying out this subsection,
the Secretary may not treat anonymized personal data
differently than identifiable personal data unless the
Secretary is confident, based on the method of
anonymization used and the period of time determined
under paragraph (4) for protection of the category of
personal data involved, it will not be possible for
well-resourced adversaries, including foreign
governments, to re-identify the individuals to which
the anonymized personal data relates, such as by using
other sources of data, including non-public data
obtained through hacking and espionage, and reasonably
anticipated advances in technology.
``(B) Guidance.--The Under Secretary of Commerce
for Standards and Technology shall issue guidance to
the public with respect to methods for anonymizing data
and how to determine if individuals to which the
anonymized personal data relates can be, or are likely
in the future to be, reasonably identified, such as by
using other sources of data.
``(9) Sense of congress on identification of categories of
personal data.--It is the sense of Congress that, in
identifying categories of personal data of covered individuals
under paragraph (1), the Secretary should, to the extent
reasonably possible and in coordination with the Secretary of
the Treasury and the Director of the Office of Management and
Budget, harmonize those categories with the categories of
sensitive personal data described in paragraph (5)(A)(iv).
``(b) Commerce Controls.--
``(1) Controls required.--Beginning 18 months after the
date of the enactment of the Protecting Americans' Data From
Foreign Surveillance Act of 2023, the Secretary shall impose
appropriate controls under the Export Administration
Regulations on the export or reexport to, or in-country
transfer in, all countries (other than countries on the list
required by paragraph (2)(D)) of covered personal data in a
manner that exceeds the applicable threshold established under
subsection (a)(3), including through interim controls (such as
by informing a person that a license is required for export,
reexport, or in-country transfer of covered personal data), as
appropriate, or by publishing additional regulations.
``(2) Levels of control.--
``(A) In general.--Except as provided in
subparagraph (C) or (D), the Secretary shall--
``(i) require a license or other
authorization for the export, reexport, or in-
country transfer of covered personal data in a
manner that exceeds the applicable threshold
established under subsection (a)(3);
``(ii) determine whether that export,
reexport, or in-country transfer is likely to
harm the national security of the United
States--
``(I) after consideration of the
matters described in subparagraph (B);
and
``(II) in coordination with the
heads of the appropriate Federal
agencies; and
``(iii) if the Secretary determines under
clause (ii) that the export, reexport, or in-
country transfer is likely to harm the national
security of the United States, deny the
application for the license or other
authorization for the export, reexport, or in-
country transfer.
``(B) Considerations.--In determining under clause
(ii) of subparagraph (A) whether an export, reexport,
or in-country transfer of covered personal data
described in clause (i) of that subparagraph is likely
to harm the national security of the United States, the
Secretary, in coordination with the heads of the
appropriate Federal agencies, shall take into account--
``(i) the adequacy and enforcement of data
protection, surveillance, and export control
laws in the foreign country to which the
covered personal data would be exported or
reexported, or in which the covered personal
data would be transferred, in order to
determine whether such laws, and the
enforcement of such laws, are sufficient to--
``(I) protect the covered personal
data from accidental loss, theft, and
unauthorized or unlawful processing;
``(II) ensure that the covered
personal data is not exploited for
intelligence purposes by foreign
governments to the detriment of the
national security of the United States;
and
``(III) prevent the reexport of the
covered personal data to a third
country for which a license would be
required for such data to be exported
directly from the United States;
``(ii) the circumstances under which the
government of the foreign country can compel,
coerce, or pay a person in or national of that
country to disclose the covered personal data;
and
``(iii) whether that government has
conducted hostile foreign intelligence
operations, including information operations,
against the United States.
``(C) License requirement and presumption of denial
for certain countries.--
``(i) In general.--The Secretary shall--
``(I) require a license or other
authorization for the export or
reexport to, or in-country transfer in,
a country on the list required by
clause (ii) of covered personal data in
a manner that exceeds the threshold
established under subsection (a)(3);
and
``(II) deny an application for such
a license or other authorization unless
the person seeking the license or
authorization demonstrates to the
satisfaction of the Secretary that the
export, reexport, or in-country
transfer will not harm the national
security of the United States.
``(ii) List required.--
``(I) In general.--Not later than
one year after the date of the
enactment of the Protecting Americans'
Data From Foreign Surveillance Act of
2023, the Secretary shall (subject to
subclause (III)) establish a list of
each country with respect to which the
Secretary determines that the export or
reexport to, or in-country transfer in,
the country of covered personal data in
a manner that exceeds the applicable
threshold established under subsection
(a)(3) will be likely to harm the
national security of the United States.
``(II) Modifications to list.--The
Secretary (subject to subclause
(III))--
``(aa) may add a country to
or remove a country from the
list required by subclause (I)
at any time; and
``(bb) shall review that
list not less frequently than
every 5 years.
``(III) Concurrence; consultations;
considerations.--The Secretary shall
establish the list required by
subclause (I) and add a country to or
remove a country from that list under
subclause (II)--
``(aa) with the concurrence
of the Secretary of State;
``(bb) in consultation with
the heads of the appropriate
Federal agencies; and
``(cc) based on the
considerations described in
subparagraph (B).
``(D) No license requirement for certain
countries.--
``(i) In general.--The Secretary may not
require a license or other authorization for
the export or reexport to, or in-country
transfer in, a country on the list required by
clause (ii) of covered personal data, without
regard to the applicable threshold established
under subsection (a)(3).
``(ii) List required.--
``(I) In general.--Not later than
one year after the date of the
enactment of the Protecting Americans'
Data From Foreign Surveillance Act of
2023, the Secretary shall (subject to
clause (iii) and subclause (III)),
establish a list of each country with
respect to which the Secretary
determines that the export or reexport
to, or in-country transfer in, the
country of covered personal data
(without regard to any threshold
established under subsection (a)(3))
will not harm the national security of
the United States.
``(II) Modifications to list.--The
Secretary (subject to clause (iii) and
subclause (III))--
``(aa) may add a country to
or remove a country from the
list required by subclause (I)
at any time; and
``(bb) shall review that
list not less frequently than
every 5 years.
``(III) Concurrence; consultations;
considerations.--The Secretary shall
establish the list required by
subclause (I) and add a country to or
remove a country from that list under
subclause (II)--
``(aa) with the concurrence
of the Secretary of State;
``(bb) in consultation with
the heads of the appropriate
Federal agencies; and
``(cc) based on the
considerations described in
subparagraph (B).
``(iii) Congressional review.--
``(I) In general.--The list
required by clause (ii) and any updates
to that list adding or removing
countries shall take effect, for
purposes of clause (i), on the date
that is 180 days after the Secretary
submits to the appropriate
congressional committees a proposal for
the list or update unless there is
enacted into law, before that date, a
joint resolution of disapproval
pursuant to subclause (II).
``(II) Joint resolution of
disapproval.--
``(aa) Joint resolution of
disapproval defined.--In this
clause, the term `joint
resolution of disapproval'
means a joint resolution the
matter after the resolving
clause of which is as follows:
`That Congress does not approve
of the proposal of the
Secretary with respect to the
list required by section
1758A(b)(2)(D)(ii) submitted to
Congress on ___.', with the
blank space being filled with
the appropriate date.
``(bb) Procedures.--The
procedures set forth in
paragraphs (4)(C), (5), (6),
and (7) of section 2523(d) of
title 18, United States Code,
apply with respect to a joint
resolution of disapproval under
this clause to the same extent
and in the same manner as such
procedures apply to a joint
resolution of disapproval under
such section 2523(d), except
that paragraph (6) of such
section shall be applied and
administered by substituting
`the Committee on Banking,
Housing, and Urban Affairs' for
`the Committee on the
Judiciary' each place it
appears.
``(III) Rules of house of
representatives and senate.--This
clause is enacted by Congress--
``(aa) as an exercise of
the rulemaking power of the
Senate and the House of
Representatives, respectively,
and as such is deemed a part of
the rules of each House,
respectively, and supersedes
other rules only to the extent
that it is inconsistent with
such rules; and
``(bb) with full
recognition of the
constitutional right of either
House to change the rules (so
far as relating to the
procedure of that House) at any
time, in the same manner, and
to the same extent as in the
case of any other rule of that
House.
``(3) Review of license applications.--
``(A) In general.--The Secretary shall, consistent
with the provisions of section 1756 and in coordination
with the heads of the appropriate Federal agencies--
``(i) review applications for a license or
other authorization for the export or reexport
to, or in-country transfer in, a restricted
country of covered personal data in a manner
that exceeds the applicable threshold
established under subsection (a)(3); and
``(ii) establish procedures for conducting
the review of such applications.
``(B) Disclosures relating to collaborative
arrangements.--In the case of an application for a
license or other authorization for an export, reexport,
or in-country transfer described in subparagraph (A)(i)
submitted by or on behalf of a joint venture, joint
development agreement, or similar collaborative
arrangement, the Secretary may require the applicant to
identify, in addition to any foreign person
participating in the arrangement, any foreign person
with significant ownership interest in a foreign person
participating in the arrangement.
``(4) Exceptions.--
``(A) In general.--The Secretary shall not impose
under paragraph (1) a requirement for a license or
other authorization with respect to the export,
reexport, or in-country transfer of covered personal
data pursuant to any of the following transactions:
``(i) The export, reexport, or in-country
transfer by an individual of covered personal
data that specifically pertains to that
individual.
``(ii) The export, reexport, or in-country
transfer of the personal data of one or more
individuals by a person performing a service
for those individuals if the service could not
possibly be performed (as defined by the
Secretary in regulations) without the export,
reexport, or in-country transfer of that
personal data.
``(iii) The export, reexport, or in-country
transfer of personal data that is encrypted
if--
``(I) the encryption key or other
information necessary to decrypt the
data is not, at the time of the export,
reexport, or in-country transfer of the
personal data or any other time,
exported, reexported, or transferred to
a restricted country or (except as
provided in subparagraph (B)) a
national of a restricted country; and
``(II) the encryption technology
used to protect the data against
decryption is certified by the National
Institute of Standards and Technology
as capable of protecting data for the
period of time determined under
subsection (a)(4) to be sufficient to
prevent the exploitation of the data by
a foreign government or foreign
adversary from harming the national
security of the United States.
``(iv) The export, reexport, or in-country
transfer of personal data that is ordered by an
appropriate court of the United States.
``(B) Exception for certain nationals of restricted
countries.--Subparagraph (A)(iii)(I) does not apply
with respect to an individual who is a national of a
restricted country if the individual is also a citizen
of the United States or a noncitizen described in
subsection (l)(5)(C).
``(c) Requirements for Identification of Categories and
Determination of Appropriate Controls.--In identifying categories of
personal data under subsection (a)(1) and imposing appropriate controls
under subsection (b), the Secretary, in coordination with the heads of
the appropriate Federal agencies, as appropriate--
``(1) may not regulate or restrict the publication or
sharing of--
``(A) personal data that is a matter of public
record, such as a court record or other government
record that is generally available to the public,
including information about an individual made public
by that individual or by the news media;
``(B) information about a matter of public
interest; or
``(C) any other information the publication or
sharing of which is protected by the First Amendment to
the Constitution of the United States; and
``(2) shall consult with the appropriate congressional
committees.
``(d) Penalties.--
``(1) Liable persons.--
``(A) In general.--In addition to any person that
commits an unlawful act described in subsection (a) of
section 1760, an officer or employee of an organization
has committed an unlawful act subject to penalties
under that section if the officer or employee knew or
should have known that another employee of the
organization who reports, directly or indirectly, to
the officer or employee was directed to export,
reexport, or in-country transfer covered personal data
in violation of this section and subsequently did
export, reexport, or in-country transfer such data.
``(B) Exceptions and clarifications.--
``(i) Intermediaries not liable.--An
intermediate consignee (as defined in section
772.1 of the Export Administration Regulations
(or any successor regulation)) or other
intermediary is not liable for the export,
reexport, or in-country transfer of covered
personal data in violation of this section when
acting as an intermediate consignee or other
intermediary for another person.
``(ii) Special rule for certain
applications.--In a case in which an
application installed on an electronic device
transmits or causes the transmission of covered
personal data without being directed to do so
by the owner or user of the device who
installed the application, the developer of the
application, and not the owner or user of the
device, is liable for any violation of this
section.
``(2) Criminal penalties.--In determining an appropriate
term of imprisonment under section 1760(b)(2) with respect to a
person for a violation of this section, the court shall
consider--
``(A) how many covered individuals had their
covered personal data exported, reexported, or in-
country transferred in violation of this section;
``(B) any harm that resulted from the violation;
and
``(C) the intent of the person in committing the
violation.
``(e) Report to Congress.--
``(1) In general.--Not less frequently than annually, the
Secretary, in coordination with the heads of the appropriate
Federal agencies, shall submit to the appropriate congressional
committees a report on the results of actions taken pursuant to
this section.
``(2) Inclusions.--Each report required by paragraph (1)
shall include a description of the determinations made under
subsection (b)(2)(A)(ii) during the preceding year.
``(3) Form.--Each report required by paragraph (1) shall be
submitted in unclassified form but may include a classified
annex.
``(f) Disclosure of Certain License Information.--
``(1) In general.--Not less frequently than every 90 days,
the Secretary shall publish on a publicly accessible website of
the Department of Commerce, including in a machine-readable
format, the information specified in paragraph (2), with
respect to each application--
``(A) for a license for the export or reexport to,
or in-country transfer in, a restricted country of
covered personal data in a manner that exceeds the
applicable threshold established under subsection
(a)(3); and
``(B) with respect to which the Secretary made a
decision in the preceding 90-day period.
``(2) Information specified.--The information specified in
this paragraph with respect to an application described in
paragraph (1) is the following:
``(A) The name of the applicant.
``(B) The date of the application.
``(C) The name of the foreign party to which the
applicant sought to export, reexport, or transfer the
data.
``(D) The categories of covered personal data the
applicant sought to export, reexport, or transfer.
``(E) The number of covered individuals whose
information the applicant sought to export, reexport,
or transfer.
``(F) Whether the application was approved or
denied.
``(g) News Media Protections.--A person that is engaged in
journalism is not subject to restrictions imposed under this section to
the extent that those restrictions directly infringe on the journalism
practices of that person.
``(h) Citizenship Determinations by Persons Providing Services to
End-Users Not Required.--This section does not require a person that
provides products or services to an individual to determine the
citizenship or immigration status of the individual, but once the
person becomes aware that the individual is a covered individual, the
person shall treat covered personal data of that individual as is
required by this section.
``(i) Fees.--
``(1) In general.--Notwithstanding section 1756(c), the
Secretary may, to the extent provided in advance in
appropriations Acts, assess and collect a fee, in an amount
determined by the Secretary in regulations, with respect to
each application for a license submitted under subsection (b).
``(2) Deposit and availability of fees.--Notwithstanding
section 3302 of title 31, United States Code, fees collected
under paragraph (1) shall--
``(A) be credited as offsetting collections to the
account providing appropriations for activities carried
out under this section;
``(B) be available, to the extent and in the
amounts provided in advance in appropriations Acts, to
the Secretary solely for use in carrying out activities
under this section; and
``(C) remain available until expended.
``(j) Regulations.--The Secretary may prescribe such regulations as
are necessary to carry out this section.
``(k) Authorization of Appropriations.--There are authorized to be
appropriated to the Secretary and to the head of each of the
appropriate Federal agencies participating in carrying out this section
such sums as may be necessary to carry out this section, including to
hire additional employees with expertise in privacy.
``(l) Definitions.--In this section:
``(1) Appropriate congressional committees.--The term
`appropriate congressional committees' means--
``(A) the Committee on Banking, Housing, and Urban
Affairs, the Committee on Foreign Relations, the
Committee on Finance, and the Select Committee on
Intelligence of the Senate; and
``(B) the Committee on Foreign Affairs, the
Committee on Ways and Means, and the Permanent Select
Committee on Intelligence of the House of
Representatives.
``(2) Appropriate federal agencies.--The term `appropriate
Federal agencies' means the following:
``(A) The Department of Defense.
``(B) The Department of State.
``(C) The Department of Justice.
``(D) The Department of the Treasury.
``(E) The Office of the Director of National
Intelligence.
``(F) The Office of Science and Technology Policy.
``(G) The Department of Homeland Security.
``(H) The Consumer Financial Protection Bureau.
``(I) The Federal Trade Commission.
``(J) The Federal Communications Commission.
``(K) The Department of Health and Human Services.
``(L) Such other Federal agencies as the Secretary
considers appropriate.
``(3) Covered individual.--The term `covered individual',
with respect to personal data, means an individual who, at the
time the data is acquired--
``(A) is located in the United States; or
``(B) is--
``(i) located outside the United States or
whose location cannot be determined; and
``(ii) a citizen of the United States or a
noncitizen lawfully admitted for permanent
residence.
``(4) Covered personal data.--The term `covered personal
data' means the categories of personal data of covered
individuals identified pursuant to subsection (a).
``(5) Export.--
``(A) In general.--The term `export', with respect
to covered personal data, includes--
``(i) subject to subparagraph (D), the
shipment or transmission of the data out of the
United States, including the sending or taking
of the data out of the United States, in any
manner, if the shipment or transmission is
intentional, without regard to whether the
shipment or transmission was intended to go out
of the United States; or
``(ii) the release or transfer of the data
to any noncitizen (other than a noncitizen
described in subparagraph (C)), if the release
or transfer is intentional, without regard to
whether the release or transfer was intended to
be to a noncitizen.
``(B) Exceptions.--The term `export' does not
include--
``(i) the publication of covered personal
data on the internet in a manner that makes the
data discoverable by and accessible to any
member of the general public; or
``(ii) any activity protected by the speech
or debate clause of the Constitution of the
United States.
``(C) Noncitizens described.--A noncitizen
described in this subparagraph is a noncitizen who is
authorized to be employed in the United States.
``(D) Transmissions through restricted countries.--
``(i) In general.--On and after the date
that is 5 years after the date of the enactment
of the Protecting Americans' Data From Foreign
Surveillance Act of 2023, and except as
provided in clause (iii), the term `export'
includes the transmission of data through a
restricted country, without regard to whether
the person originating the transmission had
knowledge of or control over the path of the
transmission.
``(ii) Exceptions.--Clause (i) does not
apply with respect to a transmission of data
through a restricted country if--
``(I) the data is encrypted as
described in subsection (b)(4)(A)(iii);
or
``(II) the person that originated
the transmission received a
representation from the party
delivering the data for the person
stating that the data will not transit
through a restricted country.
``(iii) False representations.--If a party
delivering covered personal data as described
in clause (ii)(II) transmits the data directly
or indirectly through a restricted country
despite making the representation described in
clause (ii)(II), that party shall be liable for
violating this section.
``(6) Foreign adversary.--The term `foreign adversary' has
the meaning given that term in section 8(c)(2) of the Secure
and Trusted Communications Networks Act of 2019 (47 U.S.C.
1607(c)(2)).
``(7) In-country transfer; reexport.--The terms `in-country
transfer' and `reexport', with respect to personal data, shall
have the meanings given those terms in regulations prescribed
by the Secretary.
``(8) Lawfully admitted for permanent residence;
national.--The terms `lawfully admitted for permanent
residence' and `national' have the meanings given those terms
in section 101(a) of the Immigration and Nationality Act (8
U.S.C. 1101(a)).
``(9) Noncitizen.--The term `noncitizen' means an
individual who is not a citizen or national of the United
States.
``(10) Restricted country.--The term `restricted country'
means a country for which a license or other authorization is
required under subsection (b) for the export or reexport to, or
in-country transfer in, that country of covered personal data
in a manner that exceeds the applicable threshold established
under subsection (a)(3).''.
(b) Statement of Policy.--Section 1752 of the Export Control Reform
Act of 2018 (50 U.S.C. 4811) is amended--
(1) in paragraph (1)--
(A) in subparagraph (A), by striking ``; and'' and
inserting a semicolon;
(B) in subparagraph (B), by striking the period at
the end and inserting ``; and''; and
(C) by adding at the end the following:
``(C) to restrict, notwithstanding section 203(b)
of the International Emergency Economic Powers Act (50
U.S.C. 1702(b)), the export of personal data of United
States citizens and other covered individuals (as
defined in section 1758A(l)) in a quantity and a manner
that could harm the national security of the United
States.''; and
(2) in paragraph (2), by adding at the end the following:
``(H) To prevent the exploitation of personal data
of United States citizens and other covered individuals
(as defined in section 1758A(l)) in a quantity and a
manner that could harm the national security of the
United States.''.
(c) Limitation on Authority To Make Exceptions to Licensing
Requirements.--Section 1754 of the Export Control Reform Act of 2018
(50 U.S.C. 4813) is amended--
(1) in subsection (a)(14), by inserting ``and subject to
subsection (g)'' after ``as warranted''; and
(2) by adding at the end the following:
``(g) Limitation on Authority To Make Exceptions to Licensing
Requirements.--The Secretary may create under subsection (a)(14)
exceptions to licensing requirements under section 1758A only for the
export, reexport, or in-country transfer of covered personal data (as
defined in subsection (l) of that section) by or for a Federal
department or agency.''.
(d) Relationship to International Emergency Economic Powers Act.--
Section 1754(b) of the Export Control Reform Act of 2018 (50 U.S.C.
4813(b)) is amended by inserting ``(other than section 1758A)'' after
``this part''.
SEC. 4. SEVERABILITY.
If any provision of or any amendment made by this Act, or the
application of any such provision or amendment to any person or
circumstance, is held to be unconstitutional, the remainder of the
provisions of and amendments made by this Act, and the application of
such provisions and amendments to any other person or circumstance,
shall not be affected.
<all>