On March 20, the U.S. House of Representatives passed House Resolution 7520, the Protecting Americans’ Data from Foreign Adversaries Act of 2024, targeting companies that sell sensitive information to “foreign adversaries.” H.R. 7520 comes on the heels of two other major developments. First, House Resolution 7521 would require TikTok to divest from its Chinese parent company. Second, President Biden’s Executive Order 14117, requires, among other things, that the Attorney General make rules restricting data brokers from selling bulk sensitive personal data to “countries of concern.” The two resolutions and the E.O. are part of a growing, bipartisan trend to restrict access to sensitive information by foreign adversaries.
H.R. 7520 is limited in its scope, applying only to data brokers that sell or otherwise make personally identifiable sensitive data available to foreign adversaries. Here are the highlights:
- “Data Brokers” includes entities that sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available data of U.S. individuals, if the entities did not collect the information directly from the individual or from the entities’ service providers.
- “Personally Identifiable Sensitive Data” includes 17 data types, including government-issued identifiers (for example, Social Security numbers); biometric or genetic information; precise geolocation information; financial information, health data, and web browsing activity; and data shared for the purpose of identifying the other 16 data types.
- “Foreign Adversaries” are designated by the U.S. Secretary of Defense. As of March 2024, the list includes the People’s Republic of China (including the Hong Kong Special Administrative Region), the Republic of Cuba, the Islamic Republic of Iran, North Korea, the Russian Federation, and regime of the Venezuelan politician Nicolás Maduro.
H.R. 7520 has not yet been voted on in the Senate or signed into law by the President. However, the U.S. government is increasingly focused on limiting the transfer of Americans’ data to countries that are believed to be using the information maliciously. With the continued push on data sharing restrictions, organizations should evaluate their data sharing practices and determine from whom their data comes, with whom they share it, and what they share. If an organization is, or determines it may be, a “data broker,” it may need to adjust its practices. If H.R. 7520 becomes law, data brokers who share sensitive information with foreign adversaries would be subject to enforcement action by the Federal Trade Commission. Data sharing with foreign adversaries would be treated as an unfair or deceptive trade practice and could result in monetary penalties. Companies should continue to monitor these developments to better understand the risks and requirements when sharing data, especially when doing so overseas.
