On April 24, 2024, President Biden signed into law H.R. 815, which includes the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“the Act”), a bill that passed the House 414-0 as H.R. 7520 on March 20.  The Act is one of several recent actions by the U.S. government to regulate transfers of U.S. personal data for national security reasons, with a particular focus on China.  While the ultimate policy objectives are similar, the Act takes a different approach by comparison to the Biden Administration’s Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (“the EO”), which the U.S. Department of Justice (“DOJ”) is in the process of implementing.  We summarize below some key features of the Act, which will go into effect on June 23, 2024.

The Act makes it unlawful for data brokers to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual (i.e., people residing in the United States) to any foreign adversary or any entity controlled by a foreign adversary. 

  • Data brokers” for purposes of the Act are any entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity.  The Act exempts certain entities from the meaning of “data broker.”  Specifically, the Act does not apply to an entity to the extent that such entity:
    • (i) is transmitting data of a U.S. individual, including communications of such an individual, at the request or direction of such individual;
    • (ii) is providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service;
    • (iii) is reporting or publishing news or information concerning local, national, or international events or other matters of public interest;
    • (iv) is reporting, publishing, or otherwise making available news or information that is available to the general public; or
    • (v) is acting as a service provider.  A “service provider” is an entity that: (A) collects, processes, or transfers data on behalf of, and at the direction of: (i) an individual or entity that is not a foreign adversary country or controlled by a foreign adversary; or (ii) a Federal, State, Tribal, territorial, or local government entity; and (B) receives data from or on behalf of an individual or entity described in subparagraph (A)(i) or a Federal, State, Tribal, territorial, or local government entity.

As noted above, the Act prohibits making available sensitive data of United States individuals to entities or individuals controlled by a foreign adversary.

  • “Foreign adversary countries” are those specified in 10 U.S.C. § 4872(d)(2), which currently includes the Democratic People’s Republic of North Korea, the People’s Republic of China, the Russian Federation, and the Islamic Republic of Iran.
  • An entity “controlled by a foreign adversary” means an individual or entity that is:
    • (A) a foreign person domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
    • (B) an entity with respect to which a foreign person or combination of foreign persons described in (A) directly or indirectly own at least a 20 percent stake; or
    • (C) a person subject to the direction or control of a foreign person or entity described in (A) or (B).

The Act includes in its definition of “sensitive data” sixteen categories of data plus any data made available by a data broker “for the purpose of identifying the types of data.” Categories of sensitive data include government issued identifiers, biometric information, genetic information, and precise geolocation information, among other things.  “Sensitive data” is considered personally identifiable if it “identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.”

Violations of this Act would be enforced by the Federal Trade Commission (“FTC”) as violations of an unfair or deceptive act or practice under the FTC Act.  It is unclear how the FTC will interpret and enforce the Act, especially in light of ambiguities in the statutory language, the FTC’s lack of national security expertise, and the potential overlap with DOJ’s authority under the EO.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Jonathan Wakely Jonathan Wakely

Jonathan Wakely practices at the intersection of national security and the private sector, advising clients on a range of significant international trade, cross-border investment, national security, supply chain security, and public policy matters.

Mr. Wakely has been recognized by Chambers USA for his…

Jonathan Wakely practices at the intersection of national security and the private sector, advising clients on a range of significant international trade, cross-border investment, national security, supply chain security, and public policy matters.

Mr. Wakely has been recognized by Chambers USA for his leading expertise in securing national security-related regulatory approvals for foreign investments. He regularly represents clients before the Committee on Foreign Investment in the United States (CFIUS), the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (better known as “Team Telecom”), and the Defense Counterintelligence and Security Agency (DCSA) in proceedings related to the mitigation of foreign ownership, control, or influence (FOCI). He was deeply involved on behalf of clients in the development of the Foreign Investment Review Modernization Act of 2018 (“FIRRMA”), which reformed CFIUS’s authorities, and its implementing regulations.

Mr. Wakely has advised on transactions with an aggregate value in excess of $250 billion across virtually all sectors, including semiconductors, telecommunications, financial services, software, IT services, energy, and real estate. His recent representations include successfully defending Qualcomm against the attempted hostile takeover by Broadcom, securing approval for the acquisition of Genworth Financial by China Oceanwide, and representing Ford Motor Company in connection with a $2.6 billion investment by Volkswagen in Ford’s autonomous driving subsidiary, Argo AI. He has negotiated and advised companies on compliance with many of the most significant, complex, and sensitive national security agreements of the past decade.

Mr. Wakely also regularly advises clients on public policy and government relations matters involving international trade, cross-border investment, and national security. He has represented trade associations, Fortune 100 companies, and sovereign states before Congress and the executive branch, including by designing and executing government relations campaigns to achieve policy, regulatory, and legislative goals.

Mr. Wakely is an adjunct professor at the Georgetown University Law Center, where he teaches a course on national security and the private sector. He has also published extensively on matters related to the regulation of foreign investment; his articles have appeared in the Harvard National Security Journal, The International Lawyer, and the Global Trade and Customs Journal. Before joining Covington, he served as a political analyst with the Central Intelligence Agency (CIA), where he provided strategic analysis to the President and other senior policymakers.

Photo of Elizabeth Brim Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an…

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an active pro bono practice.

Photo of Natalie Maas Natalie Maas

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory…

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory and compliance issues.

Natalie also maintains an active pro bono practice, with a particular focus on health care and reproductive rights.