USA: Protecting Americans' Data from Foreign Adversaries Act enters into force - impact on businesses

The US privacy landscape has changed significantly in the past year, through the introduction of various state privacy laws and federal initiatives. On June 23, 2024, the Protecting Americans' Data from Foreign Adversaries Act of 2024 (the Act), enacted as Division I of H.R. 815, Making emergency supplemental appropriations for the fiscal year ending September 30, 2024, and for other purposes, entered into force. OneTrust DataGuidance breaks down the key provisions of the Act with expert comments from Mark Francis, Partner at Holland & Knight LLP.

Cross-border data transfers

The Act makes it unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a US individual to:

  • any foreign adversary country; or
  • any entity that is controlled by a foreign adversary.

A 'foreign adversary country' is one specified under §4872(d)(2) of Title 10 of the U.S. Code, and includes North Korea, China, Russia, and Iran.

The Act clarifies that the term 'controlled by a foreign adversary' refers to an entity that is:

  • a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
  • an entity in which a foreign person, or a combination of foreign persons, described in the first bullet directly or indirectly owns at least a 20% stake; or
  • a person subject to the direction or control of a foreign person or entity described in the two bullets above.

Note that the 20% threshold applies to direct and indirect ownership, so a stake held through intermediate holding entities counts toward it.

In relation to the impact of the Act, Mark states that "The prohibitions in the Act are significantly broader than the requirements introduced by President Biden's February 28, 2024, Executive Order 14117 on Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (the Executive Order) together with the Department of Justice's Advance Notice of Proposed Rulemaking (ANPRM). This Act doubles down on restrictions intended to prevent the dissemination of sensitive personal information about US residents to foreign adversaries, with broad bipartisan support. Businesses will need to (i) incorporate these new prohibitions into their data/privacy/cyber programs, (ii) assess their current data flows across numerous ecosystems (e.g., digital advertising and data sharing), and (iii) potentially make difficult decisions on data activities that may, even inadvertently, fall within the scope of the new law.

While the Act is directed at data brokers, the term is defined very broadly and can capture a significant percentage of US businesses that are engaged in some form of data-sharing activities with third parties for digital marketing, online engagement, and other commonplace activities."

Who are service providers and data brokers under the Act?

A 'service provider' under the Act means an entity that:

  • collects, processes, or transfers data on behalf of, and at the direction of:
    • an individual or entity that is not a foreign adversary country or controlled by a foreign adversary; or
    • a federal, state, tribal, territorial, or local governmental entity; and
  • receives data from or on behalf of an individual or entities described above.

The Act defines a data broker as an 'entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of US individuals, that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.'

However, the term 'data broker' does not include an entity that:

  • is transmitting data, including communications of a US individual, at the request or direction of such individual;
  • is providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service;
  • is reporting or publishing news or information that concerns local, national, or international events or other matters of public interest;
  • is reporting, publishing, or otherwise making available news or information that is available to the general public; or
  • is acting as a service provider.

Regarding data brokers, Mark explains that "this seems to implicate some significant issues:

  • there is no knowledge qualifier on this prohibition, so there may be an affirmative need to investigate third party data recipients that may be located in or affiliated with a foreign adversary;
  • the term 'data broker' is broadly defined and, subject to a few exceptions, includes any entity that 'for valuable consideration' makes personally identifiable sensitive data of US residents available to third parties (who are not service providers) – note that 'valuable consideration' does not appear limited to monetary payments; and
  • 'personally identifiable sensitive data' is broadly defined and includes government identifiers, health information, biometric and genetic information, precise geolocation information, the content and metadata associated with private communications, private content, calendar and contact information, video viewing activity, demographic information and online activities.

Collectively, the language in this Act will likely result in compliance burdens for a wide spectrum of organizations beyond traditional data brokers."

What is 'sensitive data' under the Act?

'Sensitive data' is defined broadly under the Act, and includes:

  • a government-issued identifier (e.g., social security, passport, or driver's license numbers);
  • information that reveals physical or mental health, disability, diagnosis, or healthcare condition or treatment of an individual;
  • biometric information;
  • genetic information;
  • precise geolocation information;
  • an individual's private communications;
  • account or device log-in credentials;
  • security or access codes for an account or device;
  • information identifying the sexual behavior of an individual;
  • calendar information, address book information;
  • information revealing the video content requested or selected by an individual;
  • information about an individual under the age;
  • an individual's race, color, ethnicity, or religion;
  • information identifying an individual's online activities over time and across websites or online services; and
  • any other data that a data broker sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available to a foreign adversary country or entity, for the purpose of identifying any of the above data.

'Personally identifiable sensitive data', in turn, means 'any sensitive data that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.' In practice, the prohibition therefore reaches device-level identifiers (such as advertising IDs) paired with sensitive data, not only data tied to a named person.

Precise geolocation information means information that:

  • is derived from a device or technology of an individual; and
  • reveals the past or present physical location of an individual or device that identifies or is linked or reasonably linkable to one or more individuals, with sufficient precision to identify street-level location information of an individual or device or the location of an individual or device within a range of 1,850 feet or less.

Enforcement

The Act provides that a violation of its provisions will be treated as a violation of a rule defining an unfair or deceptive act or practice under §18(a)(1)(B) of the Federal Trade Commission Act (the FTC Act). The Federal Trade Commission (FTC) will therefore enforce the Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the FTC Act were incorporated into and made a part of the Act. Because violations are treated as rule violations, civil penalties are available for a first violation, without the need for a prior consent order.

On this point, Mark noted that "Businesses should keep in mind that unlike the Executive Order, enforcement of this law is assigned to the FTC, and given the FTC's heavy focus on consumer privacy this is a significant new tool they can use to pursue investigations and impose financial penalties."

Impact on data transfers framework and federal privacy legislation

Mark noted that "There are strategic alignments with the Data Privacy Framework (DPF) and other cross-border frameworks since businesses need to take a more informed and vigilant approach to tracking data flows and data recipients. However, there are still enormous practical differences between the Act and existing approaches (e.g., focus on contracting terms and privacy risk vs. an outright ban on certain sharing activities)."

Mark also highlighted that, in relation to privacy legislation and executive orders, "The Act will likely be complementary to the American Privacy Rights Act (APRA) (if and as passed), and privacy programs will need to remain flexible enough to address compliance needs across multiple laws, rather than focus on any particular law. The Act will have a significant impact on the Executive Order and the ANPRM, which may be rendered moot given that the Act is broader in many respects, including a much broader definition of sensitive information and no 'bulk data' threshold trigger."

Next steps

Mark concluded that "the Act goes into effect on June 23, 2024, just 60 days after enactment, with up to $50,120 in civil penalties per violation. This means organizations need to move quickly to assess compliance with this new law. I believe the natural first step is to leverage data maps and inventories used for privacy and cyber programs (e.g., California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR)) to identify data sharing activities that involve potential gain and then take a closer look at those activities to assess whether they could be in scope of the law. Documenting findings may help establish a good faith basis where the Act is believed to be inapplicable."

Harry Chambers, Senior Privacy Analyst

With comments provided by:

Mark Francis, Partner
Holland & Knight LLP, New York