The US Senate is to debate a proposal to limit foreign countries’ access to US citizens’ personal data and to introduce a licence requirement for foreign companies that trade in this information.
The draft "Protecting Americans' Data From Foreign Surveillance Act", presented on Thursday by Democratic Senator Ron Wyden of Oregon, is aimed primarily at curbing the sale and theft of data by "shady data brokers" to "hostile" foreign governments such as China.
The Irish Council on Civil Liberties (ICCL) has warned the draft Bill could pose a “multi-billion threat to the Irish economy” because of what it views as the ongoing failure of the Republic to enforce effectively the EU’s data protection rulebook (GDPR).
“My Bill would set up common-sense rules for how and where sensitive data can be shared overseas,” said Senator Wyden, “to make sure that foreign criminals and spies don’t get their hands on it.”
The draft Bill proposes collating a list of sensitive personal data categories and then instructing federal agencies to “take into account the adequacy and enforcement of data protection, surveillance, and export control laws” in foreign countries where this information is processed.
Under the proposed legislation, foreign companies dealing in US citizens’ data could be required to obtain a licence from the US Department of Commerce before being allowed to continue their transatlantic trade.
The draft Bill puts large volumes of personal data in the same critical export controls category as arms and high-end technology, requiring the applicant to prove the data transfer does not pose a US national security risk.
Given the global nature of online data collection, sale and analysis, the Bill – if passed – would have far-reaching implications for international business – and for open economies such as that of the State.
In a letter to the Government, Dr Johnny Ryan, a senior ICCL fellow on data and privacy matters, suggests this draft Bill provides another argument to reform the Data Protection Commission here "so that it is capable of performing" its work as a regulator of data privacy issues.
“The Government has obligations to ensure effective protection of rights across Europe where the DPC is the lead authority,” he writes.
Lead regulator
The location of so many large US tech multinationals in Ireland has made the DPC a lead regulator in many data privacy cases.
The DPC has faced criticism from fellow EU regulators and the European Parliament. Last month the parliament passed a resolution expressing concern at DPC operations, noting that cases filed with the Irish regulator, dating back to 2018, "have not even reached the stage of a draft decision".
One of those cases involves a complaint by Austrian privacy campaigner Max Schrems against Facebook's export of EU user data.
Mr Schrems, a DPC representative and others have been invited to attend a meeting of the Oireachtas justice committee on April 27th to discuss data protection issues.
In written submissions ahead of the meeting, Mr Schrems has described Ireland's approach to protecting European Union citizens' data as a "Kafkaesque" waste of Irish taxpayers' money.
Requests for comment have been lodged with the Department of Justice and the DPC.