On April 20, 2024, the House of Representatives passed H.R.8038, the 21st Century Peace through Strength Act ("supplemental"), which includes a version of H.R.7520, the Protecting Americans' Data from Foreign Adversaries Act (the "act" or "H.R.7520"). The Senate passed the package on April 23, and the President signed the supplemental into law on April 24.
H.R.7520 passed the House earlier this year by a unanimous vote but was not taken up in the Senate. As a result of the inclusion of H.R.7520 in the supplemental, the final enactment of the package creates new restrictions on data brokers' ability to provide data to certain companies with operations in foreign countries such as China and Russia and could limit how companies access the services of data brokers, including those used to help secure the online environment for consumers.
In February 2024, President Biden issued an executive order ("Order") intended to protect sensitive personal data of Americans from exploitation by certain foreign countries of concern. Implementation of the Order is under way, with the Department of Justice issuing an advance notice of proposed rulemaking last month to seek public comment on various topics related to the Order. It is unclear how this new law will interact with the Order, as the scope and coverage of the two differ in substance.
1. Do Not Transfer Data Restrictions
The act includes a broad prohibition on "data brokers" from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to, or otherwise making available personally identifiable sensitive data of U.S. residents to (1) foreign adversary countries or (2) entities "controlled by a foreign adversary." The current list of foreign adversary countries includes China, Iran, North Korea, and Russia.
The act does not include a "knowledge" standard, meaning inadvertent transfers could be a violation. Because there are no exceptions to the ban on transfers by data brokers, vital uses of data-driven services could be cut off to companies. Industries that rely on data brokers to provide critical data to address security vulnerabilities and to detect and prevent fraud, corruption, and money laundering, for example, may be restricted in accessing these services.
2. "Data Broker Defined"
"Data broker" is defined to include entities that, for valuable consideration, sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available data of U.S. residents that the entity did not collect directly from those residents to another entity that is not acting as a service provider.
The act excludes from the definition of data broker entities that (1) transmit data of U.S. residents, including communications of such residents, at the request or direction of such residents; (2) provide, maintain, or offer a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service; (3) report or publish news or information that concerns local, national, or international events or other matters of public interest; (4) a set of entities that report, publish, or otherwise make available news or information that is available to the general public; or (5) act as a service provider.
3. "Controlled by a Foreign Adversary" Defined
"Controlled by a foreign adversary" is defined to include individuals or entities that (1) are foreign persons that are "domiciled in, headquartered in, [have their] principal place of business in" or organized under the laws of a foreign adversary country; (2) are entities that have at least a 20 percent stake directly or indirectly owned by foreign persons; or (3) are a person "subject to the direction or control of a foreign person or entity," as defined, in certain countries including China and Russia.
Many companies not based in foreign adversary countries could be swept into this broad class of covered entities that could be cut off from data broker services. This outcome could be due to existing ownership stakes by foreign persons, business locations, or individual employees or contractors that may be living internationally that could be "domiciled in" a foreign adversary and/or deemed to be "subject to the direction or control" of that adversary country.
4. "Personally Identifiable Sensitive Data" Defined
"Personally identifiable sensitive data" is defined to include any sensitive data that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual. Sensitive data includes government identifiers; financial account information, including information that describes income level; precise geolocation data; information about race, ethnicity, or religion; information about video viewing and online activity history; and information that reveals the status of being a member of the Armed Forces.
5. Enforcement
The act provides the Federal Trade Commission (FTC) with exclusive enforcement authority to treat alleged violations of the law as unfair or deceptive acts or practices under Section 18(a)(1)(B) of the FTC Act, which would allow the FTC to seek civil penalties for each violation and consumer redress.
6. Short Implementation Period
The act will become effective 60 days after final enactment. This leaves companies with little time to determine whether they are impacted by the act's restrictions, how to comply with those restrictions, and the potential ramifications for their business of providing data to third parties or operations that rely on data services provided by data brokers.
About Venable
Venable's Privacy and Data Security Practice Group Practice Group has extensive experience counseling clients on obligations as data brokers or those using data broker services. Please feel free to reach out to us if you would like to learn more about federal or state privacy legislation, applicability to your organization, or what you can do to assess your compliance posture with respect to new laws.