U.S. Enacts Sweeping Legislation to Restrict Flows of Sensitive Data to the People’s Republic of China and Other Foreign Adversaries

Alert
April 26, 2024

Introduction

On April 24, President Biden signed a sweeping foreign aid bill into law, which included a critical provision covering privacy and data transfers known as the Protecting Americans’ Data from Foreign Adversaries Act (“PADFA”). This Act is separate from the TikTok divestment portion of the legislation, which has received far greater attention in the press.

PADFA generally prohibits data brokers from transferring personally identifiable sensitive data to certain named foreign adversary countries, including the People’s Republic of China (“PRC”), and any entity controlled by certain foreign adversaries. The law includes broad definitions of the terms “data brokers,” “personally identifiable sensitive data,” and “controlled by a foreign adversary,” which means the law applies to a wide range of companies when it takes effect on June 23, 2024. It is worthwhile for companies, even those who at first glance think they may not be covered, to review the law and consider adjusting their practices accordingly.

PADFA goes into effect on June 23, 2024, a mere 60 days from enactment, and there is potential for $50,120 in civil penalties per violation of the law, which may be construed to mean each transfer of personal data. As a result, companies should begin reviewing their practices as soon as possible.

Background

On February 28, 2024, President Biden announced an Executive Order (“EO”) directing the U.S. Department of Justice (“DOJ”) to promulgate regulations that restrict or prohibit transactions involving certain bulk sensitive personal data or United States government-related data and certain countries of concern or covered persons. As directed by the EO, on February 28, the DOJ published an Advance Notice of Proposed Rulemaking (“ANPRM”) on topics related to the implementation of the EO. The Ropes & Gray team provided detailed analysis on both the EO and ANPRM here.

Accompanying the EO, President Biden released a fact sheet that included a statement urging Congress to pass comprehensive, bipartisan privacy legislation. On March 20, the House of Representatives unanimously passed PADFA, 414-0, only 15 days after introduction. The bill was then included in the foreign aid package.

As we discuss in more detail below, companies should be aware that the prohibitions in PADFA are significantly more expansive than the similar data broker transaction prohibitions contemplated in the ANPRM.

Summary and Analysis

PADFA makes it unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available the personally identifiable sensitive data of a United States individual (defined as a natural person residing in the United States) to one of the named “foreign adversary” countries, i.e., North Korea, the PRC, Russia, and Iran, or to any entity controlled by those countries.

The law states that an entity is controlled by a foreign adversary if the entity is:

  • A foreign person that is domiciled in, headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
  • Owned directly or indirectly by a foreign person described in the first bullet above with at least a 20% stake in the entity; or
  • A person subject to the direction or control of a foreign person or entity described in the two bullets above.

This definition sweeps in a broader set of entities than the ANPRM, which applies to entities at least 50% owned, directly or indirectly, by “countries of concern” or by foreign persons of “countries of concern.”

“Data brokers,” as defined in the law, include entities that make available to another entity data of U.S. individuals that the entity did not collect directly from those individuals. Importantly, the definition does not include entities that:

  • Transmit data at the request of an individual to whom the data pertain;
  • Provide, maintain, or offer a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service;
  • Make available news or information that is available to the general public; or
  • Are service providers.

The precise contours of these exceptions, which are not further defined in the text of PADFA, will be important in understanding the scope of entities that meet the “data broker” definition. Moreover, whether these exceptions could survive a viewpoint-discrimination First Amendment challenge remains to be seen.

PADFA includes 16 specifically enumerated types of sensitive data as well as an additional category that encompasses any other data made available for the purpose of identifying the specifically enumerated types of sensitive data. The definition of sensitive data includes government-issued identifiers, health care information, financial information, biometric information, genetic information, precise geolocation information, private communications, account or device log-in credentials, sexual behavior information, calendar and address book information, phone or text logs, photos, audio recordings, videos, video content requests, information about individuals under the age of 17, an individual’s race, color, ethnicity, or religion, information about an individual’s online activities, and military status.

PADFA’s definition of sensitive data is significantly more expansive than the definition of sensitive personal data in the ANPRM and does not contain a bulk data threshold trigger like the ANPRM. It is also broader than the definition of sensitive information used in most comprehensive privacy laws, thus potentially applying to many companies that have not historically considered themselves to be processing sensitive categories of information.

Unlike the ANPRM, which contemplates creating and implementing a compliance and enforcement program modeled on the Treasury Department’s IEEPA-based economic sanctions, PADFA treats a violation of the law as a violation of a rule defining an unfair or a deceptive act or practice under the Federal Trade Commission (“FTC”) Act. For rule violations, the FTC can seek up to $50,120 in civil penalties per violation. Further, PADFA does not propose any licensing regime or broad exemptions like those contained in the ANPRM.

Conclusion

PADFA marks an effort by Congress to restrict transfers of U.S. individuals’ personal information to foreign countries, but one which will confront constitutional free speech questions.

The law itself will have significant implications for many U.S. entities that do business with the PRC and other countries that are considered foreign adversaries. Companies should quickly assess the applicability of PADFA and review their compliance accordingly. The Ropes & Gray team will continue to monitor developments surrounding PADFA.