U.S. Bans Sale of Americans’ Sensitive Data to Foreign Adversaries: 5 Things to Know

4 minute read | May.02.2024

President Biden recently signed into law the Protecting Americans’ Data from Foreign Adversaries Act as a part of H.R. 815, an emergency appropriations bill that primarily provides assistance to Israel, Ukraine and Taiwan. The act will prohibit data brokers from making available personally identifiable sensitive data of U.S. individuals to any foreign adversary country or entity controlled by a foreign adversary.

The act follows an executive order directing the Department of Justice (DOJ) to draft regulations to prohibit or restrict transactions that enable countries of concern – today, China, Russia, Iran, North Korea and Venezuela – to access certain sensitive U.S. personal and government data. Although similar to DOJ’s proposed rule under that order, the Act will apply to more entities and more transactions.

1. What transactions are prohibited?

The Act prohibits data brokers from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to or otherwise making available personally identifiable sensitive data of a U.S. individual to any foreign adversary country or entity controlled by a foreign adversary.

2. Who is covered?

A “data broker” is defined as an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to or otherwise makes available data of U.S. individuals, in which the entity did not collect directly from such individuals, to another entity that is not acting as a service provider.

The definition does not apply to an entity to the extent that the entity is:

Transmitting an individual’s data at the individual’s request or direction.
Providing, maintaining or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product of service.
Reporting or publishing certain news or public information.
Acting as a “service provider” that meets statutory criteria.

3. What data is covered?

The term “personally identifiable sensitive data” means any sensitive data (as defined below) that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.

“Sensitive data” includes government-issued identifiers; health information; financial account and payment information; genetic information; biometric information; precise geolocation information; private communications; log-in credentials; information revealing sexual behavior; calendar or address book information, phone or text logs or photos, videos or audio recordings intended for private use; photos and videos of an individual’s naked or undergarment-clad private areas; video content selection information; information about a minor under the age of 17; an individual’s race, color, ethnicity or religion; an individual’s online activities over time and across websites; information that reveals the status of an individual as a member of the armed forces and any other data that a data broker makes available to a foreign adversary country or entity controlled by a foreign adversary for the purpose of identifying the above types of data.

Notably, this list includes several categories of data that are not considered sensitive under state privacy laws, such as information about an individual’s online activities over time and across websites and information that reveals an individual’s status as a member of the armed forces. The definition generally aligns with the definition of sensitive covered data under the proposed American Privacy Rights Act (APRA) with some slight differences.

4. What is a “foreign adversary?”

Under the Act, “foreign adversaries” are North Korea, China, Russia and Iran, as defined in 10 U.S.C. § 4872(d)(2).

The term “controlled by a foreign adversary” encompasses an individual or entity that is one or more of the following:

A foreign person that is domiciled or headquartered in, has its principal place of business in or is organized under the laws of a foreign adversary country.
An entity in which a foreign person or combination of foreign persons described above directly or indirectly owns at least a 20 percent stake.
A person subject to the direction or control of a foreign person or entity as described above.

The extension of the prohibition to entities “controlled by a foreign adversary” increases risk for data brokers that do not already have Know-Your-Customer (KYC) compliance programs or similar vetting processes for export controls or trade sanctions.

5. How will the Act be enforced?

The Federal Trade Commission (FTC) will enforce the Act, treating violations as unfair or deceptive acts or practices subject to civil penalties of up to $51,744. The Act takes effect June 23, 2024, leaving companies little time to build compliance programs.

Next Steps

The broad applicability, strict prohibition and imminent effective date mean companies should take steps now to confirm applicability with counsel and, if necessary, prioritize building a compliance program. Companies may be able to leverage existing KYC compliance programs and similar vetting processes for export controls or trade sanctions to limit the risk of inadvertently violating the new requirements.

Want to know more? Contact the authors (Shannon Yavorsky, David Curtis, or Cosmas Robless) or another member of the Orrick team.

Authors

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.

David Curtis Senior Associate, Cyber, Privacy & Data Innovation, Technology Transactions

Seattle; Boston

See my bio

D:+1 206 839 4338
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

David Curtis Senior Associate

Seattle; Boston

David drafts and negotiates data licenses and other commercial contracts in which privacy and security issues are a key concern. In addition, he regularly advises clients on privacy policies, website terms and conditions and data processing agreements. David also counsels clients on digital advertising, Internet law and consumer protection, with a particular focus on compliance with the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act (CPRA), the EU General Data Protection Regulation (GDPR), restrictions on unfair and deceptive trade practices and app store privacy requirements. David helped develop Orrick’s CCPA Readiness Assessment Tool, which enables companies to test how ready they are to comply with the CCPA as a first step to constructing a strategic compliance roadmap.

Before joining Orrick, David was an associate at Ropes & Gray LLP and an adjunct professor at Harvard Law School, where he taught legal research, writing and analysis. David clerked for Justice Barbara Lenk of the Supreme Judicial Court of Massachusetts.

Cosmas Robless Associate, Cyber, Privacy & Data Innovation

Washington, D.C.

See my bio

D:+1 202 339 8663
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation

vCard

See full bio

Cosmas Robless Associate

Washington, D.C.

Cosmas provides guidance on issues relating to numerous privacy and cybersecurity laws, including the U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states, state data breach notification laws, and Europe’s General Data Protection Regulation (GDPR).

Cosmas graduated with honors from Harvard Law School. During law school, he participated in the Berkman Klein Center's Cyberlaw Clinic, completed a clinical placement in the Securities, Financial & Cyber Fraud Unit of the United States Attorney’s Office for the District of Massachusetts, and interned with the Special Assistant for Legal & Legislative Matters to the Secretary of the Navy. Prior to law school, Cosmas served as a submarine officer in the U.S. Navy.

Cosmas is accredited by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in the United States (CIPP/US).