On April 24, 2024, President Biden signed into law H.R. 815, which includes the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“the Act”), a bill that passed the House 414-0 as H.R. 7520 on March 20.  The Act is one of several recent actions by the U.S. government to regulate transfers of U.S. personal data for national security reasons, with a particular focus on China.  While the ultimate policy objectives are similar, the Act takes a different approach by comparison to the Biden Administration’s Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (“the EO”), which the U.S. Department of Justice (“DOJ”) is in the process of implementing.  We summarize below some key features of the Act, which will go into effect on June 23, 2024.

The Act makes it unlawful for data brokers to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual (i.e., people residing in the United States) to any foreign adversary or any entity controlled by a foreign adversary. 

  • Data brokers” for purposes of the Act are any entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity.  The Act exempts certain entities from the meaning of “data broker.”  Specifically, the Act does not apply to an entity to the extent that such entity:
    • (i) is transmitting data of a U.S. individual, including communications of such an individual, at the request or direction of such individual;
    • (ii) is providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service;
    • (iii) is reporting or publishing news or information concerning local, national, or international events or other matters of public interest;
    • (iv) is reporting, publishing, or otherwise making available news or information that is available to the general public; or
    • (v) is acting as a service provider.  A “service provider” is an entity that: (A) collects, processes, or transfers data on behalf of, and at the direction of: (i) an individual or entity that is not a foreign adversary country or controlled by a foreign adversary; or (ii) a Federal, State, Tribal, territorial, or local government entity; and (B) receives data from or on behalf of an individual or entity described in subparagraph (A)(i) or a Federal, State, Tribal, territorial, or local government entity.

As noted above, the Act prohibits making available sensitive data of United States individuals to entities or individuals controlled by a foreign adversary.

  • “Foreign adversary countries” are those specified in 10 U.S.C. § 4872(d)(2), which currently includes the Democratic People’s Republic of North Korea, the People’s Republic of China, the Russian Federation, and the Islamic Republic of Iran.
  • An entity “controlled by a foreign adversary” means an individual or entity that is:
    • (A) a foreign person domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
    • (B) an entity with respect to which a foreign person or combination of foreign persons described in (A) directly or indirectly own at least a 20 percent stake; or
    • (C) a person subject to the direction or control of a foreign person or entity described in (A) or (B).

The Act includes in its definition of “sensitive data” sixteen categories of data plus any data made available by a data broker “for the purpose of identifying the types of data.” Categories of sensitive data include government issued identifiers, biometric information, genetic information, and precise geolocation information, among other things.  “Sensitive data” is considered personally identifiable if it “identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.”

Violations of this Act would be enforced by the Federal Trade Commission (“FTC”) as violations of an unfair or deceptive act or practice under the FTC Act.  It is unclear how the FTC will interpret and enforce the Act, especially in light of ambiguities in the statutory language, the FTC’s lack of national security expertise, and the potential overlap with DOJ’s authority under the EO.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Photo of Jonathan Wakely Jonathan Wakely

Jonathan Wakely practices at the intersection of national security and the private sector, advising clients on a range of significant foreign direct investment, national security, cybersecurity, supply chain security, and public policy matters. He has particular expertise representing leading global investors and U.S.

Jonathan Wakely practices at the intersection of national security and the private sector, advising clients on a range of significant foreign direct investment, national security, cybersecurity, supply chain security, and public policy matters. He has particular expertise representing leading global investors and U.S. companies in securing U.S. national security-related regulatory approvals for foreign investments, and has advised on transactions with a combined value of over $250 billion.

Jonathan regularly represents clients before the Committee on Foreign Investment in the United States (CFIUS), the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (better known as “Team Telecom”), and the Defense Counterintelligence and Security Agency (DCSA) in proceedings related to the mitigation of foreign ownership, control, or influence (FOCI). Clients regard Jonathan as an “industry veteran,” commenting that he’s “fantastic,” “an excellent lawyer,” and applauding his “great understanding of CFIUS work” (Chambers USA).

Jonathan has represented clients on national security reviews in virtually all sectors, including semiconductors, telecommunications, financial services, software, IT services, energy, and real estate. His representations include, for example, the landmark CFIUS-based defense of Qualcomm against the attempted hostile takeover by Broadcom; securing CFIUS approval for the $7.9 billion acquisition of Westinghouse by Brookfield Asset Management and Cameco; and securing approval from Team Telecom for Univision’s $4.8 billion merger with Televisa. He has negotiated and advised companies on compliance with many of the most significant, complex, and sensitive national security agreements of the past decade.

Jonathan regularly advises clients on emerging areas of national security regulation, including outbound investment screening and the Biden Administration’s executive orders on protecting sensitive personal data and information and communications technology and services (“ICTS”). Clients also turn to Jonathan for advice on strategic business and policy matters related to U.S.-China competition. He is regularly engaged by multinational businesses—including some of the world’s leading technology companies—to assist in developing legal and business strategies related to positioning with respect to China.

Jonathan has been recognized by various publications for his work on national security matters, including as one of the world’s leading foreign investment lawyers under 40 by Global Competition Review, as a “DC Rising Star” by The National Law Journal, as a “Rising Star” by Law360, and as a leading CFIUS expert by Chambers USA.

In addition to his legal practice, he is an adjunct professor at the Georgetown University Law Center, where he teaches a course on national security and the private sector. Jonathan has also published extensively on matters related to the regulation of foreign investment; his articles have appeared in the Harvard National Security Journal, The International Lawyer, and the Global Trade and Customs Journal.

Before joining Covington, he served as a political analyst with the Central Intelligence Agency (CIA), where he provided strategic analysis to the President and other senior policymakers.

Photo of Elizabeth Brim Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and…

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.

Photo of Natalie Maas Natalie Maas

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory…

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory and compliance issues.

Natalie also maintains an active pro bono practice, with a particular focus on health care and reproductive rights.