Apple potential target of proposed bill that would limit flow of data to China

article thumbnail

U.S. Sen. Josh Hawley (R-Mo.) on Monday introduced a bill that aims to protect American interests by prohibiting companies from transferring user data or encryption keys to China, legislation that could impact Apple's Chinese business strategy.

Hawley's National Security and Personal Data Protection Act "cuts off the flow" of sensitive data to China and other countries that pose a threat to national security, as well as the security of individual Americans, according to a one-page summary (PDF link) of the bill.

"As revealed last week, China could use images of our servicemen and women' obtained from sites like TikTok to train its autonomous weapons," the release reads. "U.S. officials currently are assessing TikTok for national security reasons. China also could build or steal massive profiles on Americans. And China could use aggregate location data from phones to identify bridges or roads to target for sabotage."

Language in the overview released today appears to take issue with app makers and other entities that store user data on servers operated on Chinese soil, a consideration granted in exchange for entrance into the Asian market, Hawley says. A second function of the legislation forbids the transfer of encryption keys, a stipulation that would threaten cloud services like Apple's iCloud business.

Specifically, the bill prohibits "American companies from transferring user data or encryption keys to China and other countries that similarly threaten America's national security" and likewise bans offsite storage of data in those same regions.

Hawley's bill applies many of those same data management regulations to Chinese companies operating in the U.S., while adding concessions for excessive data collection. A third stipulation conditions the merger or sale of American companies to Chinese entities on prior approval from the Committee on Foreign Investment in the United States (CFIUS).

Whether Hawley's proposed legislation would impact Apple's Chinese operation is unclear. The company currently operates iCloud services in China, but data stored on Chinese servers is solely that of Chinese citizens.

To conform to Chinese cybersecurity laws, Apple in 2018 migrated iCloud encryption keys to Chinese servers run by Guizhou-Cloud Big Data Industry Co. Ltd.

Apple says it maintains sole control over Chinese iCloud encryption keys and claims the solution contains no government backdoors. Critics, however, note Apple might be forced to hand over the keys at any time through an official warrant system underpinned by a regime-friendly judicial process.

Though Apple was not named in the brief released today, Hawley has in the past associated the tech giant with TikTok, saying both flout U.S. security interests as they pander to China's massive commercial market.

Earlier this month, Hawley, an outspoken critic of Big Tech, called Apple, TikTok and others to a congressional hearing on China's supposed influence on the U.S. tech industry and how that relationship impacts consumer data. Both companies declined to participate. In June, the senator sent a letter to CEO Tim Cook asking for additional "Do Not Track" privacy options in iOS.