The bill strengthens export-control enforcement by allowing limited provider reporting and clarifying covered technologies, but it increases privacy risks, regulatory uncertainty, and compliance costs for providers, manufacturers, and customers.
Cloud providers and manufacturers get clearer definitions of key terms (e.g., "AI model," "covered cloud product," "covered integrated circuit"), helping them understand which hardware and software are subject to export-control reporting and easing compliance planning.
Providers can share limited, targeted data with the Commerce Department to verify or report suspected use of covered cloud products by specified foreign entities, strengthening the government's ability to enforce export controls on sensitive chips and cloud services.
Disclosures to Commerce are limited to only the contents reasonably necessary to substantiate a compliance report, which reduces the scope of data sharing and limits unnecessary privacy intrusions.
Customers and businesses risk improper disclosure of private communications or records because providers may share data with Commerce based on a subjective "good faith" belief and because the bill expands exceptions to existing customer-record privacy law (18 U.S.C. §2702), weakening longstanding privacy protections without judicial oversight.
Broad technical definitions, references to ECCNs, and a later modification authority create regulatory uncertainty for suppliers and users of advanced chips and cloud services, making long-term planning and product decisions harder for industry.
Providers and hardware manufacturers will face costs to implement detection, verification, and reporting systems for covered cloud products and integrated circuits, increasing compliance burdens especially for smaller firms.
Based on analysis of 2 sections of legislative text.
Permits cloud/communications providers to disclose limited customer data to Commerce for export-control or statute-authorized verification/reporting about covered cloud products and specified foreign entities.
Official title: To provide for exceptions for notifications to the United States Government relating to specified foreign entities.
Introduced June 30, 2026 by Josh S. Gottheimer · Last progress June 30, 2026
Creates an exception to federal electronic-communications privacy law allowing cloud and communications providers to share limited customer communications and records with the Secretary of Commerce (or Commerce-designated agents) when the provider in good faith believes the information relates to use of certain covered cloud products or covered integrated circuits by specified foreign entities, and when disclosure is for verification, notification, referral, or reporting required or authorized under this Act or Export Control Reform Act regulations. It also adds new definitions (including “AI model,” “covered cloud product,” and a detailed technical definition of “covered integrated circuit”) and sets performance thresholds and Export Control Classification Numbers (ECCNs) that identify targeted hardware, with a mechanism for Commerce to modify the covered integrated circuit list after 24 months. The change narrows the existing privacy protections in 18 U.S.C. §2702 to permit targeted disclosures to Commerce for export-control and national-security screening and reporting, limits disclosures to what is reasonably necessary, and explicitly excludes circuits not designed or marketed for data-center use.