On April 24, 2024, President Biden signed into law H.R. 815, which includes the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“the Act”), a bill that passed the House 414-0 as H.R. 7520 on March 20. The Act is one of several recent actions by the U.S. government to regulate transfers of U.S. personal data for national security reasons, with a particular focus on China. While the ultimate policy objectives are similar, the Act takes a different approach from the Biden Administration’s Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (“the EO”), which the U.S. Department of Justice (“DOJ”) is in the process of implementing. We summarize below some key features of the Act, which will go into effect on June 23, 2024.
The Act makes it unlawful for data brokers to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual (i.e., a person residing in the United States) to any foreign adversary or any entity controlled by a foreign adversary.
- A “data broker” for purposes of the Act is any entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity. The Act exempts certain entities from the meaning of “data broker.” Specifically, the Act does not apply to an entity to the extent that such entity:
  - (i) is transmitting data of a U.S. individual, including communications of such an individual, at the request or direction of such individual;
  - (ii) is providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service;
  - (iii) is reporting or publishing news or information concerning local, national, or international events or other matters of public interest;
  - (iv) is reporting, publishing, or otherwise making available news or information that is available to the general public; or
  - (v) is acting as a service provider. A “service provider” is an entity that: (A) collects, processes, or transfers data on behalf of, and at the direction of: (i) an individual or entity that is not a foreign adversary country or controlled by a foreign adversary; or (ii) a Federal, State, Tribal, territorial, or local government entity; and (B) receives data from or on behalf of an individual or entity described in subparagraph (A)(i) or a Federal, State, Tribal, territorial, or local government entity.
As noted above, the Act prohibits making available sensitive data of United States individuals to entities or individuals controlled by a foreign adversary.
- “Foreign adversary countries” are those specified in 10 U.S.C. § 4872(d)(2), which currently includes the Democratic People’s Republic of North Korea, the People’s Republic of China, the Russian Federation, and the Islamic Republic of Iran.
- An entity “controlled by a foreign adversary” means an individual or entity that is:
  - (A) a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
  - (B) an entity with respect to which a foreign person or combination of foreign persons described in (A) directly or indirectly own at least a 20 percent stake; or
  - (C) a person subject to the direction or control of a foreign person or entity described in (A) or (B).
The Act includes in its definition of “sensitive data” sixteen categories of data plus any data made available by a data broker “for the purpose of identifying the types of data.” Categories of sensitive data include government-issued identifiers, biometric information, genetic information, and precise geolocation information, among other things. “Sensitive data” is considered personally identifiable if it “identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.”
Violations of this Act would be enforced by the Federal Trade Commission (“FTC”) as violations of an unfair or deceptive act or practice under the FTC Act. It is unclear how the FTC will interpret and enforce the Act, especially in light of ambiguities in the statutory language, the FTC’s lack of national security expertise, and the potential overlap with DOJ’s authority under the EO.