To enhance data security, federal privacy legislation is just a start

As Chinese companies like TikTok gain access to U.S. markets and ever more data on American citizens, many observers have argued that federal privacy legislation has become a national-security imperative. Yet concerns about China and national security are only two of several reasons for the United States to enact such legislation. When it comes to strengthening privacy, digital trade, and U.S. national security, it’s important to recognize what privacy legislation would and would not accomplish on its own—and why additional steps are needed.

A federal privacy law would provide consumers with overdue protections and establish a more consistent framework for the U.S. government to answer difficult questions about the American relationship with China. But such a law is only a first step toward advancing U.S. security and addressing differences between the United States and other countries—particularly America’s European allies—in their approaches to data governance. To improve U.S. data security while retaining the openness required for innovation and competitive strength, the Biden administration will also need to prioritize cybersecurity liability reform, bolstering U.S. responses to malicious cyber activity, and reforming certain surveillance procedures to address the concerns of American allies and trading partners.

Data privacy as a national security issue

Two main factors have led U.S. officials to treat data privacy as a matter of national security: the nature of new technologies like artificial intelligence, and concerns about the technology policies of rival powers, most notably the Chinese party-state. Strategic technologies such as artificial intelligence are driven by the data that feeds algorithmic development, and AI and related technologies are tools with inherently dual-use (civilian and military) applications. These technologies serve as building blocks for applications or other end-use technologies built upon them, so controlling their use has an impact on a wide array of tools and actors. National economies and defense institutions increasingly rely on these strategic technologies to perform critical functions. Taken together, these factors inevitably blur the lines between economic and national security interests and between privacy and security.

With major Chinese technology companies expanding into the U.S. market, American policymakers have good reason to view these technological risks through a lens that focuses on Beijing’s declared strategic ambitions, its ongoing campaigns of global cyberespionage, and weak legal constraints on the Chinese Communist Party’s coercive power over domestic technology companies, among other factors. Although popular perceptions of China’s legal-policy landscape can be exaggerated, it’s entirely legitimate to be concerned that Chinese companies might become vehicles that exploit the relatively open U.S. data environment for purposes that threaten national security, commercial interests, or political values such as human rights and democratic integrity. The attempted forced sale of TikTok and the effort to exclude Huawei from 5G networks provide real-time case studies in how Washington is currently articulating and navigating these questions.

Just as the cybersecurity risks associated with Huawei’s participation in the buildout of 5G networks are broader than the company itself, risks related to the compromise of personal information and other sensitive data are by no means limited to the activities of Chinese companies. That Equifax and Anthem are headquartered in the United States did not prevent Chinese hackers from pilfering their data. Actors in Russia, North Korea, and other countries have engaged in similar exploits. And U.S. companies routinely collect and share user data much more widely than consumers often realize. Thus, the need for stronger data protection applies not just to companies like TikTok but to all companies that process information on U.S. citizens, regardless of where they are incorporated.

Privacy law can help

It should come as no surprise that there is growing bipartisan agreement about the need for a federal data privacy framework with clear standards for the collection, processing, and sharing of personal data. Aside from the aforementioned virtues of protecting user privacy and securing sensitive information, a consistent national standard would also reduce companies’ compliance costs and avoid the inefficiencies associated with individual U.S. states adopting different standards. Indeed, in the absence of a federal law, Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are instead catalyzing privacy standards for users around the world.

A national privacy statute would also advance other U.S. interests. Among other things, with a coherent data protection regime in place that addresses principles—not nationalities—there would be less need to resort to exceptional presidential authorities for one-off bans or divestment orders regarding individual Chinese technology companies. The United States for years has complained about the fact that American tech platforms such as Google, Facebook, YouTube, Twitter, and WhatsApp are prohibited in China. Longstanding arguments against China’s arbitrary application of “national security” policies to disadvantage U.S. firms are undercut by the perception that the United States is emulating the Chinese approach in targeting Chinese social media platforms TikTok and WeChat. A federal data protection regime would place the United States on stronger footing to address concerns posed by Chinese companies without opening up Washington to charges of hypocrisy.

And where principles-based privacy and consumer protection laws fail to address specific risks, the Committee on Foreign Investment in the United States (CFIUS) can provide an effective, tailored mechanism to safeguard national security while restoring confidence in the United States’ open economic system.

A federal privacy law isn’t enough

Despite the benefits outlined above, it is important to acknowledge what privacy law cannot do on its own and why privacy legislation should be just one aspect of a broader suite of policies to promote data security and technological interoperability.

To begin with, a privacy-focused statute will not do enough to address the cybersecurity concerns associated with safeguarding individuals’ personal data. The duties for safeguarding such data cannot be limited to the entities that collect, process, and share it. To improve data security more broadly, the United States needs to rationalize its cybersecurity liability regime. As recommended by the Cyberspace Solarium Commission, for example, the incoming Biden administration should work with Congress to pass a law “establishing that final goods assemblers of software, hardware, and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities.” Software vendors should be responsible for developing and distributing patches in a timely manner. Companies should be incentivized to disclose digital vulnerabilities and implement the basic steps needed to ensure they are regularly updating their systems. These duties of care could be accompanied by requirements for internet-of-things producers to certify the security of systems built into their products and to clarify cyber risks for consumers over the life cycle of their products.

Even these additional measures may not do the trick as long as the benefits of cybertheft of intellectual property and sensitive data continue to dramatically outweigh the perceived costs. The U.S. government will need to be more creative in identifying ways to impose meaningful costs for malicious hackers that go beyond mere “naming and shaming.” If properly calibrated to avoid escalation, the new U.S. strategy of “defending forward” to disrupt malicious cyber activities at their source should continue to be one part of that effort. Targeted and multilaterally coordinated sanctions are a further step the United States might consider, along with incentives for demonstrable changes in behavior—such as an easing of U.S. tariffs in return for Chinese adherence to norms of fair technology transfer.

In addition, privacy law would not necessarily resolve the question of how to “localize” data that cannot be transferred to certain countries due to concerns about a lack of adequate legal protections. If the proposed data-hosting partnership between TikTok and U.S. software company Oracle moves forward, what will be the terms of the arrangement to keep U.S. user data within the United States? Will that structure become a blueprint for the future? Will it resemble the models used by Apple, Microsoft, and Amazon to store mainland Chinese users’ data within China through partnerships with local cloud service providers, as required by Chinese law? If companies’ data is encrypted, where will the encryption keys be stored and under what circumstances will law-enforcement agencies have access? Finally, assuming a future U.S. privacy regime leaves flexibility for institutions to adopt technical solutions to secure data while enabling productive means of sharing it, what might those solutions look like? Can federal law and regulation provide sufficiently clear guidance for segregating types of data that require special protection from data that can flow freely?

Working with allies on digital trade

How the United States structures its privacy and data-security regime has important implications for how Washington can cooperate most effectively with “like-minded” allies and partners on digital trade. There are hopes in some quarters that the United States under a Biden administration will lead an alliance of “techno-democracies” to coordinate a unified response to authoritarian norms and practices. Such proposals, however, are fanciful unless they grapple with important differences in how the United States and its allies and partners approach questions of technology governance.

The issue of cross-border data flows between the United States and Europe illustrates the challenge. A nationwide U.S. privacy law could go some way toward assuaging the concerns of European countries about the United States’ lack of a comprehensive data governance framework. But even with a new statute in place, questions would almost certainly remain about how to bridge the gaps between U.S. and EU privacy law. Here’s why.

The EU-U.S. Privacy Shield was designed to provide mechanisms for companies to transfer data from the European Union to the United States in compliance with Europe’s GDPR. The EU Court of Justice (CJEU) recently invalidated the Privacy Shield (for a second time), casting uncertainty over the future of cloud services and transatlantic data transfers for a wide range of companies. The central reasoning for the CJEU’s decision has little to do with the United States’ lack of a federal privacy law. It was instead based on the fact that under U.S. law regarding government surveillance for national security purposes, foreign citizens located outside the United States are not granted the same legal protections and rights of judicial redress as U.S. citizens and people within the United States.

There is more than a little self-contradiction in the CJEU’s ruling. EU member states retain the discretion to determine what level of privacy is “necessary and proportionate” under EU law in the context of national security surveillance, but the CJEU has taken it upon itself to determine the meaning of those terms as applied to the U.S. government. As Joshua Meltzer has written, “This dissonance between what the EU is expecting of other governments and what it is able to ask of its member states is compounded by various findings that EU data may in fact be safer and accorded better due process when in the U.S. than in the EU.” In her book Cyber Privacy, April Falcon Doss makes a similar point: “The very uses [of data] that have raised the most concern in the United States—and that have caused the EU to harshly criticize the U.S.—aren’t addressed by EU law with respect to their own member states. If privacy is truly a fundamental human right, then the fact that European Union law offers no protections against overreach by its own intelligence and law enforcement agencies seems like a significant oversight.” 

These compelling critiques of the EU approach do not change the reality that the CJEU’s judgment, having been rendered, presents challenges for digital trade that U.S. and EU policymakers must now work to overcome. Regardless of whether the United States passes a national privacy law, Washington and Brussels will need to negotiate a solution to reconstitute or replace the Privacy Shield with a more durable framework. A close reading of the CJEU decision suggests that perhaps this could be accomplished through U.S. reforms to introduce more adversarial, “tribunal-like” processes into the operation of the EU-U.S. Privacy Shield Ombudsperson, an entity based in the State Department that reviews and responds to individual complaints regarding alleged U.S. surveillance activities. Perhaps the Trump administration’s recent release of federal agency procedures for targeted data collection and minimization under the Foreign Intelligence Surveillance Act (FISA) will provide some reassurance to foreign audiences about the degree of “proportionality” afforded to non-U.S. person subjects of surveillance. Under Presidential Policy Directive 28, issued in 2014, “U.S. signals intelligence activities must . . . include appropriate safeguards for the personal information of all individuals, regardless of the nationality of the individual to whom the information pertains or where that individual resides.”

Whatever misperceptions might exist among European jurists about whether FISA permits U.S. agencies to engage in “bulk collection” of data on foreign individuals, the need for FISA reform has become clear in the wake of recent reports by the U.S. Justice Department’s Inspector General citing weaknesses in the FISA process. If the Biden administration can work internally and with Congress to improve the procedural checks on government surveillance, this could potentially improve public confidence at home with no harm to U.S. security, and it might also reshape the context for transatlantic discussions on data flows. Those discussions could in turn create the foundations for a broader and stronger digital trade framework that builds on the U.S.-Mexico-Canada Agreement and the U.S.-Japan Digital Trade Agreement. Such a plurilateral agreement could benefit American workers and the innovation base while creating long-term incentives for countries such as China to improve their domestic legal regimes and align with global norms.

In short, the United States stands to benefit in multiple ways from adopting sensible federal privacy legislation. But in a world where data privacy, digital trade, and national security are increasingly intertwined, the data governance agenda for the next administration cannot stop there.

Robert Williams is the executive director of the Paul Tsai China Center and a senior research scholar and lecturer at Yale Law School. He is also a nonresident senior fellow at the Brookings Institution.

Amazon, Apple, Facebook, Google, Microsoft and Twitter provide financial support to the Brookings Institution, a nonprofit organization devoted to rigorous, independent, in-depth public policy research.