Companies that sell data will have to comply with yet another set of legal restrictions, as the U.S. government continues to seek ways to limit the information that is available to foreign adversaries.
When President Biden recently signed emergency legislation providing additional funding to foreign allies (H.R. 815), he also enacted the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (the “Act”). The Act, which enters into force on June 24, 2024, prohibits a “data broker” from sharing and selling personally identifiable sensitive data of a U.S. individual to entities connected to China, Iran, North Korea, and Russia. These new legal prohibitions follow President Biden’s February 2024 Executive Order and the corresponding U.S. Department of Justice (DOJ) Advance Notice of Proposed Rulemaking (collectively, “ANPRM”), which restrict the sale of sensitive data to countries of concern. (See our client alert on the ANPRM.)
The growing concern that foreign adversaries may legally purchase sensitive data about Americans and use it for malicious purposes is underscored by this series of executive and legislative actions. Although both the Act and the ANPRM restrict the sale of personal data of U.S. persons to foreign adversaries, the Act’s prohibitions are significantly more expansive than those in the ANPRM but apply to a narrower group of organizations. The overlapping rules, however, create a complex regulatory regime for data brokers to navigate.
Companies involved in the sale of personal data should take note of the key provisions under the Act and how they compare to the ANPRM (a comparison chart is below).
Key Provisions
- Focus on “Data Brokers.” The Act applies only to data brokers, which are defined as entities that for valuable consideration make available the data of natural persons residing in the U.S., that the entity did not collect directly from such individuals, to another entity that is not acting as a service provider. The term excludes certain entities from the definition, such as those that transmit data at the request of the individual, news organizations, and entities that offer publicly available information. In contrast, the ANPRM covers a broader set of transactions that go beyond data broker transactions.
- Prohibition on Sale of “Sensitive Data.” The Act makes it illegal for a data broker to make available “personally identifiable sensitive data” of a U.S. individual to a foreign adversary. Unlike the ANPRM, the Act does not require a bulk volume threshold; any amount of sensitive data made available to a restricted recipient is prohibited. And the Act’s definition of “sensitive data” is significantly broader than the definition of sensitive personal data in the ANPRM.
  - The Act and the ANPRM cover six types of sensitive data to be regulated, including:
    - personal identifiers,
    - geolocation data,
    - biometric identifiers,
    - genetic data,
    - health information, and
    - personal financial data.
  - The Act also includes 10 additional types of sensitive data, as well as a catch-all category:
    - private communications;
    - account login information;
    - sexual behavior information;
    - calendar, address book, phone and text logs, photos, videos, and audio recordings maintained for private use;
    - photographs or videos showing an individual’s naked or undergarmented private area;
    - information revealing the video content requested or selected by an individual;
    - information about individuals under the age of 17;
    - an individual’s race, color, ethnicity, or religion;
    - information identifying an individual’s online activities over time and across websites or online services;
    - military status; and
    - any other data a data broker makes available to a restricted recipient for the purpose of identifying one of the types of sensitive data enumerated above.
- Foreign Adversary Countries and Restricted Recipients. The Act targets fewer “foreign adversary” countries than the ANPRM, but includes a broader definition of restricted recipients with ties to those countries: (i) entities that are organized under the laws of, are headquartered in, or have their principal place of business in a foreign adversary country, (ii) entities that are 20% or more owned by entities organized under the laws of, headquartered in, or having their principal place of business in a foreign adversary country, (iii) natural persons domiciled in a foreign adversary country, and (iv) a person subject to the direction or control of any of the categories above. Foreign adversary countries under the Act include China, Iran, North Korea, and Russia.
- Civil Enforcement by the FTC. In contrast to the ANPRM, which will be administered by the DOJ through both civil and criminal penalties, the Federal Trade Commission will enforce violations of the Act as unfair or deceptive acts or practices under the Federal Trade Commission Act and will have the authority to seek civil penalties for violations.
In light of increased federal scrutiny and overlapping legal requirements, companies should carefully assess whether and how these rules apply to their data selling and sharing practices, and whether the risks posed by business practices or partners can be mitigated.
| | ANPRM | The Act |
| --- | --- | --- |
| Responsible Agency | DOJ | FTC |
| Potential Penalties | Criminal or Civil | Civil |
| Regulated Entity/Party | Any U.S. person engaged in a covered transaction, including: data-brokerage transactions, genomic data transactions, vendor agreements, employment agreements, and investment agreements. | “Data brokers” |
| Foreign Adversaries | China, Iran, North Korea, Russia, Venezuela, and Cuba | China, Iran, North Korea, and Russia |
| Restricted Recipients | (i) An entity that is 50% owned or controlled by a country of concern or subject to the jurisdiction of any country of concern; (ii) A foreign person who is a primary resident in the jurisdiction of a country of concern; (iii) A foreign person who is an employee or contractor of a country of concern or covered person; (iv) An entity that is owned, directly or indirectly, by an entity or person described in any of the categories above; (v) Any person designated by the attorney general acting on behalf of a country of concern or covered person; A person subject to the direction or control of any of the categories above | (i) An entity that is organized under the laws of, is headquartered in, or has its principal place of business in a foreign adversary country; (ii) An entity that is 20% or more owned by an entity organized under the laws of, headquartered in, or having its principal place of business in a foreign adversary country; (iii) A natural person domiciled in a foreign adversary country; (iv) A person subject to the direction or control of any of the categories above |
| Sensitive Data Types | Personal identifiers; Geolocation data; Biometric identifiers; Genetic data; Health information; Personal financial data | Personal identifiers; Geolocation data; Biometric identifiers; Genetic data; Health information; Personal financial data; Private communications; Account login information; Sexual behavior information; Calendar, address book, phone and text logs, photos, videos, and audio recordings maintained for private use; Photographs or videos showing an individual’s naked or undergarmented private area; Information revealing the video content requested or selected by an individual; Information about individuals under the age of 17; An individual’s race, color, ethnicity, or religion; Information identifying an individual’s online activities over time and across websites or online services; Military status; Any other data a data broker makes available to a restricted recipient for the purpose of identifying one of the types of sensitive data enumerated above |
Carson Martinez, Associate, contributed to the drafting of this alert.