Senators Introduce the Protecting Sensitive Personal Data Act
On November 2, 2021, U.S. Senators Marco Rubio and Raphael Warnock introduced Senate Bill 3130, the Protecting Sensitive Personal Data Act (the “Act”), which aims to “expand the transactions for which declarations may be required by the Committee on Foreign Investment in the United States (“CFIUS”) to include investments in United States businesses that maintain or collect sensitive personal data.”
Currently, CFIUS imposes a mandatory filing requirement on: 1) transactions involving “an investment that results in the release of critical technologies by an unaffiliated United States businesses to a foreign person in which a foreign government has, directly or indirectly, a substantial interest.” Failure to comply with this filing requirement can result in a significant penalty as well as traditional CFIUS mitigating measures. Under the proposed expansion, however, U.S. businesses that “handle sensitive personal data”[1] would become subject to these mandatory notification requirements if they receive foreign investments.
Senator Rubio stated that strengthening the oversight authority of CFIUS would “protect Americans and mitigate [the] serious national security threat . . . of adversaries, like the People’s Republic of China . . . [who] stockpile Americans’ healthcare data, creating both privacy and national security risks.”
Although the Act has only been introduced at this point, it has the potential to gain significant traction because it is a bipartisan proposal. As such, U.S. businesses that “handle sensitive personal data” should be apprised of this pending legislation and should take steps to prepare their organizations for compliance with the potential new requirements.
If you have any questions or concerns about this pending legislation, please contact Kennedy Sutherland.
[1] U.S. companies that handle sensitive personal data include those who transmit:
genetic test results;
health conditions;
insurance applications;
financial hardship data;
security clearance information;
geolocation data;
private emails;
data for generating government identification; and
credit report information.