National Security and Personal Data Protection Act of 2019

National Security and Personal Data Protection Act of 2019

This bill prohibits the transfer of data to, and storage of data within, foreign countries that threaten U.S. national security.

Specifically, the bill requires the Department of State to designate as a country of concern any country, including the People's Republic of China and the Russian Federation, whose data privacy and security requirements pose a substantial risk to U.S. national security.

A technology company that is subject to the jurisdiction of a country of concern and that provides a website or internet application operating in interstate or foreign commerce shall

• not collect unnecessary user data or use any user data for a purpose that is secondary to the operation of the website, service, or application;
• not transfer user data or information to a country of concern;
• not store user data on a server outside either the United States or a country that has agreed to share data with U.S. law enforcement agencies; and
• allow individuals to view and delete their individual user data.

Additionally, any company that provides a website or internet application operating in interstate or foreign commerce but which is not subject to the jurisdiction of a country of concern is prohibited from transferring data to a country of concern or storing user data on a server located in a country of concern.

The Federal Trade Commission shall enforce these requirements; however, the bill also provides for civil actions brought by either an individual or the attorney general of a state to enjoin the engagement of any person in a practice that violates the prohibitions in this bill.