Data Restrictions In The 21st Century Peace Through Strength Act – Data Protection

On April 20, 2024, the House of Representatives passed H.R.8038, the 21st Century Peace through
Strength Act (“supplemental”), which includes a version
of H.R.7520, the Protecting Americans’ Data
from Foreign Adversaries Act (the “act” or
“H.R.7520”). The Senate passed the package on April 23,
and the President signed the supplemental into law on April 24.

H.R.7520 passed the House earlier this year by a unanimous vote
but was not taken up in the Senate. As a result of the inclusion of
H.R.7520 in the supplemental, the final enactment of the package
creates new restrictions on data brokers’ ability to provide
data to certain companies with operations in foreign countries such
as China and Russia and could limit how companies access the
services of data brokers, including those used to help secure the
online environment for consumers.

In February 2024, President Biden issued an executive order (“Order”)
intended to protect sensitive personal data of Americans from
exploitation by certain foreign countries of concern.
Implementation of the Order is under way, with the Department of
Justice issuing an advance notice of proposed
rulemaking last month to seek public comment on various topics
related to the Order. It is unclear how this new law will interact
with the Order, as the scope and coverage of the two differ in
substance.

1. Do Not Transfer Data Restrictions

The act includes a broad prohibition on “data brokers”
from selling, licensing, renting, trading, transferring, releasing,
disclosing, providing access to, or otherwise making available
personally identifiable sensitive data of U.S. residents to (1)
foreign adversary countries or (2) entities “controlled by a
foreign adversary.” The current list of foreign adversary
countries includes China, Iran, North Korea, and Russia.

The act does not include a “knowledge” standard,
meaning inadvertent transfers could be a violation. Because there
are no exceptions to the ban on transfers by data brokers, vital
uses of data-driven services could be cut off to companies.
Industries that rely on data brokers to provide critical data to
address security vulnerabilities and to detect and prevent fraud,
corruption, and money laundering, for example, may be restricted in
accessing these services.

2. “Data Broker” Defined

“Data broker” is defined to include entities that, for
valuable consideration, sell, license, rent, trade, transfer,
release, disclose, provide access to, or otherwise make available
data of U.S. residents that the entity did not collect directly
from those residents to another entity that is not acting as a
service provider.

The act excludes from the definition of data broker entities
that (1) transmit data of U.S. residents, including communications
of such residents, at the request or direction of such residents;
(2) provide, maintain, or offer a product or service with respect
to which personally identifiable sensitive data, or access to such
data, is not the product or service; (3) report or publish news or
information that concerns local, national, or international events
or other matters of public interest; (4) report, publish, or
otherwise make available news or information
that is available to the general public; or (5) act as a service
provider.

3. “Controlled by a Foreign Adversary” Defined

“Controlled by a foreign adversary” is defined to
include individuals or entities that (1) are foreign persons that
are “domiciled in, headquartered in, [have their] principal
place of business in” or organized under the laws of a foreign
adversary country; (2) are entities that have at least a 20 percent
stake directly or indirectly owned by foreign persons; or (3) are a
person “subject to the direction or control of a foreign
person or entity,” as defined, in certain countries including
China and Russia.

Many companies not based in foreign adversary countries could be
swept into this broad class of covered entities that could be cut
off from data broker services. This outcome could be due to
existing ownership stakes by foreign persons, business locations,
or individual employees or contractors who may be living
internationally and could be “domiciled in” a foreign
adversary and/or deemed to be “subject to the direction or
control” of that adversary country.

4. “Personally Identifiable Sensitive Data” Defined

“Personally identifiable sensitive data” is defined to
include any sensitive data that identifies or is linked or
reasonably linkable, alone or in combination with other data, to an
individual or a device that identifies or is linked or reasonably
linkable to an individual. Sensitive data includes government
identifiers; financial account information, including information
that describes income level; precise geolocation data; information
about race, ethnicity, or religion; information about video viewing
and online activity history; and information that reveals the
status of being a member of the Armed Forces.

5. Enforcement

The act provides the Federal Trade Commission (FTC) with
exclusive enforcement authority to treat alleged violations of the
law as unfair or deceptive acts or practices under Section
18(a)(1)(B) of the FTC Act, which would allow the FTC to seek civil
penalties for each violation and consumer redress.

6. Short Implementation Period

The act will become effective 60 days after final enactment.
This leaves companies with little time to determine whether they
are impacted by the act’s restrictions, how to comply with
those restrictions, and the potential ramifications for their
business of providing data to third parties or operations that rely
on data services provided by data brokers.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
