In late April 2024, the U.S. enacted the 21st Century Peace through Strength Act. In addition to approving aid for Israel, Taiwan and Ukraine and advancing other U.S. policy objectives, the 21st Century Peace through Strength Act establishes the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (the “Act”), which prohibits “data brokers” from making available personally identifiable sensitive data of U.S. individuals to “foreign adversary countries” — namely, North Korea, the People’s Republic of China, Russia and Iran — and entities under their control.
The aim of the Act is consistent with President Biden’s Executive Order 14117 of February 28, 2024 (“EO”), which also seeks to restrict outbound transfers of bulk sensitive personal data to certain “countries of concern.” The Department of Justice draft rulemaking listed as countries of concern the same countries targeted by the Act, as well as Venezuela, Cuba, Hong Kong and Macau. Our analysis of the EO and related Department of Justice rulemaking is available here.
Despite their common aims, the Act differs in key respects from the EO and the Department of Justice (“DOJ”) draft rules, for example in its broader definition of sensitive data (discussed below). Companies should carefully assess whether they qualify as a “data broker” under the Act and, if so, whether they make, or could make, “sensitive data” of U.S. residents available to restricted recipients. Data brokers that do should then assess whether they fall within any of the exceptions under the Act or else stop engaging in such transfers by late June 2024, when the Act takes effect. Below are some additional details about the Act.
Whose data does the Protecting Americans’ Data from Foreign Adversaries Act of 2024 protect?
U.S. residents who are natural persons.
What types of data does the Act protect?
Personally identifiable sensitive data. The Act’s definition of “sensitive data” includes several categories that are not commonly found in other laws’ definitions of sensitive data, such as calendar information, address book information, photos, videos, and online browsing history.
The Act’s definition of “sensitive data” also includes categories of data more traditionally viewed as sensitive, including government-issued identifiers, health data, financial data, biometric information, genetic information, precise geolocation information, an individual’s private communications, login credentials and codes, information about an individual under the age of 17, and an individual’s race, color, ethnicity or religion.
Who must comply with the Act?
Data brokers, which the Act defines as an entity that, for valuable consideration, makes available data of U.S. residents that the entity did not collect directly from such individuals to another entity that is not acting as a service provider. The Act enumerates several exclusions from the definition of “data broker,” including entities that transmit a U.S. resident’s data at the individual’s request or direction, entities that provide access to sensitive data where the data itself is not the product or service, and publishers of news or information that is available to the general public.
Who are restricted recipients?
Foreign adversary countries and entities under their control. Foreign adversary countries are North Korea, the People’s Republic of China, Russia and Iran. An entity is controlled by a foreign adversary where the entity is:
(A) a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
(B) an entity with respect to which a foreign person or combination of foreign persons described in (A) directly or indirectly own at least a 20 percent stake; or
(C) a person subject to the direction or control of a foreign person or entity described in (A) or (B).
Who will enforce the Act and what are the penalties for non-compliance?
The Federal Trade Commission will enforce the Act and has all of the powers that it has in enforcing against unfair or deceptive acts or practices in or affecting commerce, including to impose civil penalties of up to $51,744 per violation (an amount that increases from year to year).
Will the adoption of the Act result in the withdrawal of the draft DOJ regulations on bulk sensitive data transfers under the EO?
Although the specifics are not clear, it is likely that DOJ’s consideration of draft regulations on outbound transfers of sensitive personal data under the EO will continue. The DOJ rulemaking is meant to address national security risks arising from data flows that the Department has so far been mitigating transaction by transaction in reviews by the Committee on Foreign Investment in the United States, and such transactions involve companies of all kinds. Unlike the Act, the DOJ rules will therefore apply to a far broader range of companies than just “data brokers.” The DOJ rules will also likely carry potential criminal (not just civil) penalties for non-compliance, and so will require special attention from companies and their business partners to ensure compliance.
We will continue to monitor these legislative and regulatory developments on outbound data transfers as they are likely to remain active in the coming months.