The recent omnibus diplomatic package signed by President Biden on April 24, 2024 includes the Protecting Americans' Data from Foreign Adversaries Act of 2024 (the Act), a comprehensive privacy provision that prohibits data brokers from sharing sensitive personal information with a wide range of organizations that may have ties to Russia, China, Iran, and North Korea. The Federal Trade Commission (FTC) can enforce these prohibitions and seek civil penalties for violations. This provision becomes effective 60 days after the date of enactment.
Main regulations
What does this law prohibit?
The law makes it illegal for “data brokers” to provide “sensitive personally identifiable data” of U.S. individuals to “foreign adversaries” or “entities controlled by foreign adversaries.”
Who does this law apply to?
A “data broker” is an entity that, for valuable consideration, provides data about individuals in the United States that the entity did not collect directly from those individuals to another entity that is not acting as a service provider. The law includes certain exclusions from the definition, including information sent in response to an individual's request, information reported as part of journalism or entertainment, and information sent to a service provider.
What is “Personally Identifiable Sensitive Data”?
“Personally Identifiable Sensitive Data” is broadly defined. It includes the more traditional categories of information that are considered sensitive data under state law, such as financial information, health and genetic information, biometric information, communications, precise geolocation information, and information about children under 17. It also includes categories such as calendar information, browsing information, “information that reveals the video content that an individual has requested or selected,” and other personal data sold by data brokers for the purpose of inferring the categories of sensitive data described in the Act.
Who is a foreign adversary and what is “control” by a foreign adversary?
A “foreign adversary” is defined as a country specified in 10 U.S.C. § 4872(d)(2), a list that currently includes Russia, China, Iran, and North Korea.
“Entities controlled by foreign adversaries” are broadly defined to include three categories:
- First, it includes “foreign persons” who reside in, are headquartered in, have their principal place of business in, or are organized under the laws of a foreign adversary country. Although the term does not explicitly include nationals of these countries, it is strongly implied by the language of the law.
- Second, the term includes companies in which “foreign persons” own at least 20% of the shares. For example, a data broker will no longer be able to sell sensitive personal information to a U.S. company if one or more Chinese companies own a stake of more than 20% in the U.S. business, even if the company's headquarters are in the United States.
- Third, the term covers all individuals who are subject to the direction or control of entities in the first two categories, although what it means to be “subject to the direction or control” of such an entity remains unclear. Based on recent laws and regulations that prohibit or restrict other interactions with entities associated with the same adversary list, the FTC's interpretation of this category could take a variety of meanings, which may include, but are not limited to: (a) employees of entities in the first two groups; (b) contractors of entities in the first two groups; or (c) a foreign company that has investors in the first two groups, if these investors have some influence over the business.
Overlap with the Executive Order
The Act was enacted shortly after President Biden's executive order and a corresponding Advance Notice of Proposed Rulemaking (ANPRM) issued by the U.S. Department of Justice (DOJ) in February 2024, which also include restrictions on the sale of information by data brokers to countries of concern. However, there are notable differences between the two approaches that can pose coordination challenges. For example, the law includes a broader definition of sensitive data and does not include a minimum threshold for the amount of data to be disclosed. In contrast, the ANPRM covers a narrower dataset, but a broader set of transactions that go well beyond contracts specifically related to data brokers. Additionally, the law may apply to a broader range of entities (e.g., entities in which a foreign person holds a 20 percent share) and opens the door to a broader understanding of what it means to be under “foreign direction or control.” The ANPRM, however, has relatively strict and clear definitions of which foreign entities are considered “covered persons” subject to restricted interactions.
The Justice Department will need to write final rules to implement the executive order, a process that is expected to take several months. The bottom line is that the law will go into effect first, but it's unclear how the Justice Department will consider it in its work.
Important points
- This bill is just one example of the federal government's growing interest in the data broker industry. For example, in addition to the Executive Order, the Consumer Financial Protection Bureau recently announced that it intends to issue proposed regulations under the Fair Credit Reporting Act to more broadly address data broker practices.
- The Act's definition of “data broker” is broadly consistent with the definitions in the five current state data broker laws, but there are important differences. Because of its broad scope, some entities may be subject to this law even if they are not covered by state law. Therefore, data brokers should carefully assess whether their activities trigger the application of this law.
- Given the broad definition of “sensitive personally identifiable data,” it is likely that many data brokers collect “sensitive personally identifiable data.” Therefore, the key compliance questions are: (1) Does a company fall within the statute's particular definition of a data broker? (2) If so, does the company do business with a foreign adversary or an entity controlled by a foreign adversary?
- Companies that engage in data brokering activities may wish to begin requiring representations from commercial partners as to whether their companies are “controlled by a foreign adversary state” to ensure compliance with the Act.
Wilson Sonsini Goodrich & Rosati regularly helps clients navigate complex regulatory schemes and manage risks associated with the enforcement of privacy and data protection laws. For more information, please contact Manisha Mittal, Joshua Gruenspect, Libby Weingarten, or a member of the firm's privacy and cybersecurity or international security practice.
Laura Ahmed, Rebecca Weitzel Garcia, and Clinton Oxford contributed to the drafting of this alert.