Listen to this post

On March 20, 2024, the U.S. House of Representatives passed legislation that will prohibit data brokers from transferring U.S. residents’ sensitive personal data to foreign adversaries, including China and Russia. The House bill HR 7520 (the “Bill”), also known as the Protecting Americans’ Data from Foreign Adversaries Act of 2024, marks a significant development in executive and legislative action related to foreign access to U.S. data. The Bill follows a similarly groundbreaking Executive Order and Department of Justice Notice of Proposed Rulemaking issued at the end of February that will establish strict protective measures against data exploitation by countries considered national security threats for U.S. sensitive personal data and U.S. government-related data. The Bill also comes after the House overwhelmingly passed HR 7521, (the Protecting Americans from Foreign Adversary Controlled Applications Act) resulting from concerns that the Chinese government would compel TikTok (or other foreign adversary-controlled apps) to turn over U.S. data. HR 7521 would effectively require TikTok to divest from parent company ByteDance in order to avoid a ban in the U.S.

HR 7520 would:

  • Prohibit data brokers from selling certain sensitive U.S. personal data to foreign adversaries or organizations/entities under their control. The list of foreign adversaries currently includes Russia, China, Iran, and North Korea, pursuant to 10 U.S.C. § 4872;
  • Protect sensitive data including health data, precise geolocation information, biometric and genetic data, Social Security numbers, passport numbers and other government identifiers, certain financial data (including income level), certain protected class-related data, and information about minors, among others; and
  • Authorize the Federal Trade Commission to enforce the law under Section 18 of the FTC Act and penalize data brokers for violating the law.

“Data brokers” are entities that exchange with another entity, for valuable consideration, U.S. individuals’ data that the entity did not collect directly from the individual (that is, “for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available”). This does not include entities acting as “service providers,” entities transmitting data at the request of the individual, or in the context of reporting or publishing news to the general public. The Bill will require data brokers to stop transferring an extensive list of sensitive personal data elements to several known foreign adversaries and at least one major trading partner – China. HR 7520 is significant not only for its national security implications and impact on data brokers, but for the unanimous vote it garnered in an otherwise divided Congress. The Bill moves to the Senate for approval.

Update: On April 23, 2024, the Senate passed a national security and foreign aid package (HR 815) that includes legislation requiring the divestment of TikTok from the app’s Chinese owners. On April 24, 2024, President Biden signed the bills into law, starting the clock on the divestment deadline. If TikTok does not divest within 270 days (that is, by January 19, 2025), a prohibition on TikTok in the U.S. will go into effect.  TikTok announced that it plans to contest the ban.  There is an option for the President to extend the deadline by 90 days if it appears that a deal is imminent. The House packaged the legislation with foreign aid for Ukraine, Israel and Indo-Pacific security, as well as other national security and related matters.