On February 28, 2024, President Biden announced an Executive Order (“EO”) directing the Department of Justice (“DOJ”) to promulgate regulations that restrict or prohibit transactions that would give countries of concern or covered persons access to certain bulk sensitive personal data or United States Government-related data. As directed by the EO, on the same day the DOJ published an Advance Notice of Proposed Rulemaking (“ANPRM”) on topics related to the implementation of the EO. The Ropes & Gray team provided detailed analysis of both the EO and the ANPRM here.

Accompanying the EO, President Biden released a fact sheet summarizing the actions in the EO, but in the fact sheet’s last paragraph, President Biden urged Congress to pass comprehensive, bipartisan privacy legislation. Well, the House of Representatives took that instruction to heart (albeit without the “comprehensive” aspect). On March 20, the House of Representatives unanimously passed H.R. 7520, the Protecting Americans’ Data from Foreign Adversaries Act, 414-0.

While limited to data brokers, the prohibitions proposed in the bill are significantly more expansive than the similar data broker transaction prohibition contemplated in the ANPRM, and companies should be aware of the difference. As we highlighted in our previous analysis, it is a prudent time for businesses to assess their controls on international transfers of personal data and to add restrictions as necessary.

Bill Summary and Analysis

The bill, introduced on March 5 by Energy and Commerce Committee Ranking Member Frank Pallone, makes it unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available the personally identifiable sensitive data of a United States individual to North Korea, the People’s Republic of China, Russia, or Iran, or to any entity controlled by one of those countries. Unlike the ANPRM, the bill does not specifically include Hong Kong or Macau, and it does not include Cuba or Venezuela.

The bill states that an entity is controlled by a foreign adversary if it is a foreign person that is domiciled in, headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country; if it is owned, directly or indirectly, by such a foreign person holding at least a 20 percent stake; or if it is a person subject to the direction or control of such a foreign person. Critically, the ANPRM’s ownership prong reaches only entities at least 50 percent owned, directly or indirectly, by a foreign person, so the bill’s 20 percent threshold captures a substantially broader set of counterparties.

In the bill, a data broker is an entity that makes available to another entity data of U.S. individuals that it did not collect directly from those individuals. The definition excludes entities that: transmit data at the request of an individual; provide, maintain, or offer a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service; make available news or information that is available to the general public; or are service providers. The ANPRM also proposes prohibiting data broker transactions and uses similar language to define a data broker, but without the specific exemptions provided for in the bill.

Additionally, the bill enumerates at least 16 specific types of sensitive data and also covers any other data made available for the purpose of identifying those enumerated types. The definition of sensitive data includes government-issued identifiers, health care information, financial information, biometric information, genetic information, precise geolocation information, private communications, account or device log-in credentials, sexual behavior information, calendar and address book information, phone or text logs, photos, audio recordings, videos, video content requests, information about individuals under the age of 17, an individual’s race, color, ethnicity, or religion, online activities, and military status.

The bill’s definition of sensitive data is significantly more expansive than the definition of sensitive personal data in the ANPRM, and, unlike the ANPRM, the bill contains no bulk data threshold: a transfer of a single individual’s sensitive data would be covered.

Unlike the ANPRM, which contemplates a compliance and enforcement program modeled on the Treasury Department’s IEEPA-based economic sanctions, the bill would treat a violation as a violation of a rule defining an unfair or deceptive act or practice under the Federal Trade Commission Act, placing enforcement with the Federal Trade Commission. Further, the bill does not propose any licensing regime or broad exemptions like those contained in the ANPRM. The bill would take effect 60 days after its enactment into law.

Conclusion

The bill now goes to the Senate, most likely to the Senate Committee on Commerce, Science, and Transportation. Even though H.R. 7520 passed the House unanimously, there is no guarantee that the Senate will consider the legislation swiftly. Companies that potentially engage in the data transfers described above should nonetheless follow any Senate action closely. The Ropes & Gray team will continue to monitor the bill.