By: Linda Goodman
The recent omnibus foreign relations package signed by President Biden on April 24, 2024, includes the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“the Act”), a set of sweeping privacy provisions prohibiting U.S. data brokers from sharing “sensitive personal information” with a broad range of businesses that may have ties to Russia, China, Iran, and North Korea. The Federal Trade Commission (“FTC”) will enforce these prohibitions and will seek civil penalties for violations. The provision takes effect 60 days after the date of enactment of the Act – July 2024.
Act Prohibitions
The Act makes it illegal for a “data broker” to make available “personally identifiable sensitive data” of a U.S. individual to a “foreign adversary country” or “entity that is controlled by a foreign adversary.”
A “data broker” is broadly defined as a U.S. entity that transfers consumer data which it did not directly collect to another entity who is not acting as a service provider.
“Personally identifiable sensitive data” is defined broadly and includes financial information, health and genetic information, biometric information, contents of communications, precise geolocation information, and information about children under 17. It also includes categories such as calendar information, browsing information, “information revealing the video content requested or selected by an individual,” and any personal data a data broker may sell for the purpose of making inferences about the individual.
A “foreign adversary country” is defined as any country specified in 10 U.S.C. § 4872(d)(2), which currently lists Russia, China, Iran, and North Korea. It also covers any person subject to the direction or control of the entities controlled by a foreign adversary. What it means to be “subject to the direction or control” of such entities is not defined, but we expect the FTC’s interpretation of this category could be substantially broad.
An “entity controlled by a foreign adversary” is defined broadly to include three categories:
- First, it includes any “foreign person” domiciled in, headquartered in, having a principal place of business in, or organized under the laws of a foreign adversary country.
- Second, it includes entities in which “foreign persons” have at least a 20 percent stake. For example, even if an entity is headquartered in the U.S., if one or more Chinese entities hold more than a 20 percent stake in the U.S. business, a data broker would not be able to sell sensitive personal information to the U.S. business.
Overlap with Executive Order
The legislation comes on the heels of President Biden’s Executive Order and the corresponding Advance Notice of Proposed Rulemaking (“ANPRM”) released by the U.S. Department of Justice (“DOJ”) in February 2024, which also included restrictions on data brokers’ sale of information to countries of concern. It is clear that there was coordination between the two branches. The Executive Order includes a much more expansive definition of sensitive data than does the legislation and does not include minimum thresholds for the amount of data disclosed. The ANPRM, by contrast, covers a narrower set of data, and the Act provides a tighter and clearer definition of which foreign entities are considered “covered persons” subject to restricted interactions.
Given the broad nature of this law, many data brokers would likely collect “personally identifiable sensitive data.” Therefore, the key questions for compliance would be: (1) does a company fall within the Act’s specific definition of data broker; and (2) if so, does the company do business with a foreign adversary country or an entity controlled by a foreign adversary country.
Now is the time for data brokers to start making inquiries and amending their agreements – asking for representations from their commercial partners about whether they are “controlled by a foreign adversary country” to ensure compliance with the Act.
_____________________________________________________________________________________________________________
This article was originally posted on Cliclaw.com as part of my ongoing efforts to share valuable legal insights. I regularly contribute guest blogs to leading websites in the field of internet compliance. In these posts, I cover a range of topics to help businesses stay compliant in the ever-evolving digital world. You can read my latest guest contributions on Cliclaw.com.
This article is a publication of The Goodman Law Firm and is intended to provide information on recent legal developments. This article does not create an attorney-client relationship, nor should it be construed as legal advice or an opinion on specific situations. This may constitute “Attorney Advertising” under the Rules of Professional Conduct and under the law of other jurisdictions.
Linda L. Goodman is an attorney specializing in internet compliance and privacy law. With years of experience helping businesses navigate complex legal landscapes, Linda contributes expert insights on compliance issues in the digital space. To learn more about her services and insights, visit her law firm website at The Goodman Law Firm.
© 2024 TGLF, A.P.C.
