The clock may be ticking for TikTok, but the implications of recent U.S. government actions are far broader than the future of a single social platform.
The U.S. House of Representatives is only half finished with its pursuit of legislation related to the digital activities of companies with alleged connections to China and other "foreign adversaries" of the U.S. After passing House Resolution 7521 to force the divestiture of websites and applications with ties to certain countries this week, the House is scheduled to consider a second bill 18 March, focusing instead on the bulk sale of personal data to those same countries.
The companion bill, HR 7520, is known as the Protecting Americans' Data from Foreign Adversaries Act of 2024. Besides China, both bills would apply to Russia, Iran and North Korea based on a reference to an existing legislative definition of foreign adversary.
Coming so shortly after President Joe Biden's executive order on data security, these efforts bring to light the extraordinary scrutiny over certain data broker activities that has been brewing for some time. Not everyone is convinced focusing on foreign adversaries is the right approach. Even in the short time the bills have been in the public light, advocacy groups have pushed back on the approach. The American Civil Liberties Union led a last-minute coalition letter claiming "H.R. 7521 is censorship—plain and simple."
Neither bill has a companion in the Senate, so the path to passage remains uncertain. Nevertheless, given the speed with which the bills moved through the House, there is a strong chance the same political will could be mustered in the higher chamber.
But what, specifically, would these bills do?
Despite its name, the Protecting Americans from Foreign Adversary Controlled Applications Act applies to "any a website, desktop application, mobile application, or augmented or immersive technology application" controlled by a foreign adversary.
The scope is limited to any such app or website that "(i) permits a user to create an account or profile to generate, share, and view text, images, videos, real-time communications, or similar content; (ii) has more than 1,000,000 monthly active users … (iii) enables 1 or more users to generate or distribute content that can be viewed by other users … and (iv) enables 1 or more users to view content generated by other users." The bill excludes websites and apps with the primary purpose of allowing "users to post product reviews, business reviews, or travel information and reviews."
Other than TikTok, which is expressly included, the bill would only apply to a covered app or website after the president determines it presents "a significant threat" to U.S. national security, after issuing a public notice and a report to Congress.
Once within scope of the act, the covered app or website needs to be sold to a company not controlled by a foreign adversary, or it will be prohibited from operating. Importantly, in the event of a ban, the bill would also prohibit app stores and internet service providers from hosting or providing access to the app or website.
Though this is a remarkable and novel bill, the second bill will likely have more of a profound impact on the work of privacy professionals.
Rather than applications, HR 7520 focuses on data brokers. It would make it unlawful for a data broker to provide access to the "personally identifiable sensitive data" of any U.S. person to an entity controlled by a foreign adversary, including any company with more than 20% ownership by an entity established in a covered country.
The breadth of this prohibition, especially compared with the recent executive order, is stark. This is not limited to the bulk sharing of personal data.
The categories of sensitive data are borrowed from the most recently proposed comprehensive privacy bill from the House Committee on Energy and Commerce. Specifically, the bill covers the following categories:
- Government ID numbers.
- Health data, including "any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual."
- Financial data.
- Biometric information.
- Genetic information.
- Precise geolocation information.
- Private communications.
- Account log-in credentials.
- Sexual behavior.
- "Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual's device or is accessible from that device and is backed up in a separate location."
- Intimate imagery.
- Information revealing video content.
- Information about an individual under 17 years old, with no knowledge standard specified.
- Race, color, ethnicity and religion.
- Web browsing activity.
- Any other data that is shared for the purposes of identifying the above types of data.
To be considered a data broker under the bill, a company would need to be subject to the jurisdiction of the U.S. Federal Trade Commission and expose sensitive data to foreign adversaries. It is not just sales of data that are covered, but transactions in which the company, "for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider."
Other than service providers, the bill exempts transactions "at the request or direction" of the individual, "providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service," as well as those related to news and media.
Unlike the executive order, which creates a regulatory regime administered by the Department of Justice, HR 7520 would empower the FTC to enforce the ban on sensitive data sales to foreign adversaries as an unfair trade practice under the agency's existing enforcement powers.
If brought to the House floor as scheduled 19 March, there is little reason to believe this bill will not pass as easily as HR 7521. The bigger question is what happens in the Senate.
Yet, even if the proposal fails, the policy conclusions are clear: data brokers and anyone who shares sensitive personal data must establish robust processes to know who is buying their data and for what purposes. Without those processes in place, they will be unable to comply with national security-related restrictions.
The clock is ticking for everyone.
Upcoming happenings:
- 26 March: The IAPP's KnowledgeNet chapters in the DMV region jointly host a discussion about FISA Section 702 reauthorization at the Conference Center at the Row on 19th.
- 2 April: The IAPP's D.C. KnowledgeNet chapter hosts a happy hour sponsored by CYPFER at The Dignitary.
- 3-4 April: The IAPP hosts its annual Global Privacy Summit.
Please send feedback, updates and chronometric insights to cobun@iapp.org.