Skip to main content

Sen. Hawley Introduces Big Tech Security Bill

Hawley Bill in the wake of a hearing two weeks ago on Big Tech and its ties to China, Sen. Josh Hawley (R-Mo.) has introduced the National Security and Personal Data Protection Act which would attempt to stem the flow of info to that and other countries that pose national security threats.

That would include by assuming a merger in which a foreign-controlled company buys a U.S. web site or social media platform was prohibited unless a U.S. security review said it was OK.

Related: House Continues Deep Dive into Big Tech and Antitrust

Apple, in particular, took hits in absentia at the hearing--it did not send a witness--for providing cloud services to China and storing both data and the tools to decrypt it in that country. Chinese social media platform TikTok also came in for heavy criticism.

“Current law makes it far too easy for hostile foreign governments like China to access Americans' sensitive data," said Hawley in introducing the bill. "If your child uses TikTok, there's a chance the Chinese Communist Party knows where they are, what they look like, what their voices sound like, and what they’re watching. That's a feature TikTok doesn't advertise."

For U.S. companies, the bill: 1) "prohibits [them] from transferring user data or encryption keys to China and other countries that similarly threaten America’s national security,:' and 2) "prohibits American companies from storing data in China and other countries that similarly threaten America’s national security."

If they violate those prohibitions, it will be considered an unfair or deceptive act enforceable by the Federal Trade Commission.

For Chinese companies, the bill: 1) "Prohibits transferring user data or encryption keys to those countries or storing that data in those countries, "2) "prohibits collecting more data than necessary to provide a service here," and 3) "prohibits using collected data for secondary purposes."

The bill also changes the default for merger reviews of "certain companies" to block them unless they get pre-approval from the Committee on Foreign Investment in the United States (CFIUS).

That default disapproval would apply to "a transaction that could result in foreign control of a United States company "that collects, sells, buys, or processes user data ...and whose business consists substantially more of transferring data than manufacturing, delivering, repairing, or servicing physical goods or providing physical services or that operates a social media platform or website."