Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

USA: Protecting Americans' Data from Foreign Adversaries Act enters into force

On June 23, 2024, the Protecting American's Data from Foreign Adversaries Act of 2024 under Division I of House Resolution 815 Making emergency supplemental appropriations for the fiscal year ending September 30, 2024, and for other purposes entered into effect.

What are the provisions of the Act?

The Act highlights a prohibition on the sale, licensing, rent, trade, transfer, release, disclosure, provision of access to, or otherwise making available sensitive data of a US individual to:

  • any foreign adversary country; or
  • any entity that is controlled by a foreign adversary.

A violation of such provision shall be considered as an unfair or deceptive act or practice under the Federal Trade Commission Act (the FTC Act).

Who are foreign adversaries?

A 'foreign adversary country' is one specified under Section 4872(d)(2) Title 10 of the US Code, and includes North Korea, China, Russia, and Iran.

The Act defines the term 'controlled by a foreign adversary' as an entity that is:

  • a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
  • an entity with respect to which a foreign person or combination of foreign persons above directly or indirectly own at least a 20% stake; or
  • a person subject to the direction or control of a foreign person or entity described above.

What are data brokers under the Act?

The Act defines a data broker as an 'entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals, that the entity did not collect directly from such individuals, to another entity that is not acting as a service provider.'

However, data brokers are given not to include an entity that:

  • is transmitting data, including communications of a US individual at the request or direction of such individual;
  • is providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service;
  • is reporting, publishing, or otherwise making available news or information that is available to the general public, including information from a telephone book or online directory, a television, internet, or radio program, the news media, or an internet site that is available to the general public on an unrestricted basis, but not including an obscene visual depiction; or
  • is acting as a service provider.

The Act also provides definitions for 'sensitive data,' 'personally identifiable sensitive data,' and 'precise geolocation information.'

You can read the Act here and view its legislative history here.