The Proverbial Other Foot: Proposed U.S. Legislation Could Ban Personal Data Transfers to Ireland and Other U.S. Allies

Digital giants and other data-driven businesses that have moved their companies from the United Kingdom to Ireland in the wake of Brexit could soon be bracing for a new shake-up in light of legislation recently proposed in the United States by Oregon Senator Ron Wyden. The draft bill, Protecting Americans' Data From Foreign Surveillance Act (the Act), would ban the sale of Americans' personal data not only to "unfriendly" foreign countries who pose a threat to national security, but also to countries without adequate data protections in place. While primarily aimed at China and Russia, the Act's reach could extend to countries like Ireland, which so far has failed to impose serious fines for General Data Protection Regulation (GDPR) violations. Having strong regulations in place under the Act is not enough if those regulations are not being enforced.

On this side of the pond, the Act would create penalties for senior executives who knew or should have known that junior employees were directed to export Americans' personal data illegally. It would also create a private right of action for Americans who have been physically harmed, arrested, or detained in a foreign country due to the illegally exported data. Theoretically, under the Act, an American arrested in Ireland because of illegally sold facial recognition data could return to the U.S. and file a lawsuit against the seller of that data. Given the potential exposure and the emphasis on executive responsibility, companies in the U.S. should take notice. Indeed, there is no question that the U.S. is looking to make its mark on the international data regulatory environment and that part of its efforts will be self-facing.

Of course, the Act is still in its infancy and there is no guarantee that it will become law. Any final draft of the Act would need to be sensitive to pre-existing agreements to avoid disrupting the transatlantic digital ecosystem and the United States' relationship with "friendly" countries and allies. If the Act eventually becomes law, data aggregators in the United States may need to adjust their business models and countries like Ireland will need to re-assess their obligations to stay competitive in the international data market. Either way, given the European Union's longstanding concern over personal data transfers to the U.S., it is more than a bit ironic that a U.S. Senator is proposing legislation that could put the shoe on the proverbial other foot.