U.S. Bans Sale of Americans’ Sensitive Data to Foreign Adversaries: 5 Things to Know

President Biden recently signed into law the Protecting Americans’ Data from Foreign Adversaries Act as a part of H.R. 815, an emergency appropriations bill that primarily provides assistance to Israel, Ukraine and Taiwan. The act will prohibit data brokers from making available personally identifiable sensitive data of U.S. individuals to any foreign adversary country or entity controlled by a foreign adversary.

The act follows an executive order directing the Department of Justice (DOJ) to draft regulations to prohibit or restrict transactions that enable countries of concern – today, China, Russia, Iran, North Korea and Venezuela – to access certain sensitive U.S. personal and government data. Although similar to DOJ’s proposed rule under that order, the Act will apply to more entities and more transactions.

1. What transactions are prohibited?

The Act prohibits data brokers from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to or otherwise making available personally identifiable sensitive data of a U.S. individual to any foreign adversary country or entity controlled by a foreign adversary.

2. Who is covered?

A “data broker” is defined as an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to or otherwise makes available data of U.S. individuals, in which the entity did not collect directly from such individuals, to another entity that is not acting as a service provider.

The definition does not apply to an entity to the extent that the entity is:

• Transmitting an individual’s data at the individual’s request or direction.
• Providing, maintaining or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product of service.
• Reporting or publishing certain news or public information.
• Acting as a “service provider” that meets statutory criteria.

3. What data is covered?

The term “personally identifiable sensitive data” means any sensitive data (as defined below) that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.

“Sensitive data” includes government-issued identifiers; health information; financial account and payment information; genetic information; biometric information; precise geolocation information; private communications; log-in credentials; information revealing sexual behavior; calendar or address book information, phone or text logs or photos, videos or audio recordings intended for private use; photos and videos of an individual’s naked or undergarment-clad private areas; video content selection information; information about a minor under the age of 17; an individual’s race, color, ethnicity or religion; an individual’s online activities over time and across websites; information that reveals the status of an individual as a member of the armed forces and any other data that a data broker makes available to a foreign adversary country or entity controlled by a foreign adversary for the purpose of identifying the above types of data.

Notably, this list includes several categories of data that are not considered sensitive under state privacy laws, such as information about an individual’s online activities over time and across websites and information that reveals an individual’s status as a member of the armed forces. The definition generally aligns with the definition of sensitive covered data under the proposed American Privacy Rights Act (APRA) with some slight differences.

4. What is a “foreign adversary?”

Under the Act, “foreign adversaries” are North Korea, China, Russia and Iran, as defined in 10 U.S.C. § 4872(d)(2).

The term “controlled by a foreign adversary” encompasses an individual or entity that is one or more of the following:

• A foreign person that is domiciled or headquartered in, has its principal place of business in or is organized under the laws of a foreign adversary country.
• An entity in which a foreign person or combination of foreign persons described above directly or indirectly owns at least a 20 percent stake.
• A person subject to the direction or control of a foreign person or entity as described above.

The extension of the prohibition to entities “controlled by a foreign adversary” increases risk for data brokers that do not already have Know-Your-Customer (KYC) compliance programs or similar vetting processes for export controls or trade sanctions.

5. How will the Act be enforced?

The Federal Trade Commission (FTC) will enforce the Act, treating violations as unfair or deceptive acts or practices subject to civil penalties of up to $51,744. The Act takes effect June 23, 2024, leaving companies little time to build compliance programs.

Next Steps

The broad applicability, strict prohibition and imminent effective date mean companies should take steps now to confirm applicability with counsel and, if necessary, prioritize building a compliance program. Companies may be able to leverage existing KYC compliance programs and similar vetting processes for export controls or trade sanctions to limit the risk of inadvertently violating the new requirements.

Want to know more? Contact the authors (Shannon Yavorsky, David Curtis, or Cosmas Robless) or another member of the Orrick team.