Sens. Marco Rubio (R-Fla.) and Raphael Warnock (D-Ga.) unveiled the Protecting Sensitive Personal Data Act of 2021 (pdf) which seeks to expand the oversight authority of the Committee on Foreign Investment in the United States (CFIUS) over transactions that may involve the sensitive personal data of Americans.
The CFIUS is a U.S. interagency panel overseen by the Treasury Department that scrutinizes foreign deals for national security implications.
The legislation would expand the panel’s authority to issue regulations that require mandatory declarations to foreign investments in U.S. companies that maintain or collect sensitive personal data.
The senators say the legislation would protect sensitive information, including genetic test results, health conditions, and insurance applications. It would also protect financial hardship data, security clearance information, geolocation data, private emails, data for generating government identification, and credit reports, Rubio and Warnock outlined in a press release.
Rubio said in a statement that Americans should be “deeply concerned” about foreign investments in American companies that handle personal information.
These companies “pose a risk of exposing personal data, like genetic testing results and private financial transactions, to harmful actors in China and elsewhere,” Rubio said.
The Republican senator added, “We need to strengthen CFIUS’s oversight authority of these transactions to protect Americans and mitigate this serious national security threat.”
“We must do everything in our power to protect the personal data and information of our constituents and governmental agencies from foreign entities that may wish to exploit them,” Warnock added.
The senators noted in their joint release that there are currently limited circumstances in which CFIUS is able to require companies to make a mandatory declaration prior to completing a transaction.
“Foreign investment is one of the legal means that adversaries, like the People’s Republic of China, uses to stockpile Americans’ health care data, creating both privacy and national security risks,” they said.
Beijing has for years been collecting large amounts of American health care data, using illegal methods such as cyber hacking, investments in American biotech companies, and partnerships with hospitals and universities to gain access to sensitive information.
Shenzhen-based company Beijing Genomics Institute (BGI), for example, has been previously flagged by lawmakers for purchasing U.S. companies. On Sept. 30, Sen. Tom Cotton (R-Ark.), and Rep. Mike Gallagher (R-Wis.) on Sept. 30 called on the Biden administration to blacklist the BGI and others, saying that it is working to “undercut the global DNA sequencing market” using state subsidies.
In February, the National Counterintelligence and Security Center (NCSC) said in a fact sheet (pdf) that vast amounts of genomic information (a person’s entire genetic sequence) can fuel developments in the cutting-edge field of precision medicine (or personalized medicine), allowing China to overtake the United States to become a global leader in biotech.
Such data can also be weaponized to target individuals in the country for intelligence and military operations, according to the NCSC.
Cathy He contributed to this report.