§9901. Prohibition on transfer of personally identifiable sensitive data of United States individuals to foreign adversaries
(a) Prohibition
It shall be unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual to-
(1) any foreign adversary country; or
(2) any entity that is controlled by a foreign adversary.
(b) Enforcement by Federal Trade Commission
(1) Unfair or deceptive acts or practices
A violation of this section shall be treated as a violation of a rule defining an unfair or a deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(2) Powers of Commission
(A) In general
The Commission shall enforce this section in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this section.
(B) Privileges and immunities
Any person who violates this section shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.
(3) Authority preserved
Nothing in this section may be construed to limit the authority of the Commission under any other provision of law.
(c) Definitions
In this section:
(1) Commission
The term "Commission" means the Federal Trade Commission.
(2) Controlled by a foreign adversary
The term "controlled by a foreign adversary" means, with respect to an individual or entity, that such individual or entity is-
(A) a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
(B) an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly own at least a 20 percent stake; or
(C) a person subject to the direction or control of a foreign person or entity described in subparagraph (A) or (B).
(3) Data broker
(A) In general
The term "data broker" means an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.
(B) Exclusion
The term "data broker" does not include an entity to the extent such entity-
(i) is transmitting data of a United States individual, including communications of such an individual, at the request or direction of such individual;
(ii) is providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service;
(iii) is reporting or publishing news or information that concerns local, national, or international events or other matters of public interest;
(iv) is reporting, publishing, or otherwise making available news or information that is available to the general public-
(I) including information from-
(aa) a book, magazine, telephone book, or online directory;
(bb) a motion picture;
(cc) a television, internet, or radio program;
(dd) the news media; or
(ee) an internet site that is available to the general public on an unrestricted basis; and
(II) not including an obscene visual depiction (as such term is used in section 1460 of title 18); or
(v) is acting as a service provider.
(4) Foreign adversary country
The term "foreign adversary country" means a country specified in section 4872(d)(2) of title 10.
(5) Personally identifiable sensitive data
The term "personally identifiable sensitive data" means any sensitive data that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.
(6) Precise geolocation information
The term "precise geolocation information" means information that-
(A) is derived from a device or technology of an individual; and
(B) reveals the past or present physical location of an individual or device that identifies or is linked or reasonably linkable to 1 or more individuals, with sufficient precision to identify street level location information of an individual or device or the location of an individual or device within a range of 1,850 feet or less.
(7) Sensitive data
The term "sensitive data" includes the following:
(A) A government-issued identifier, such as a Social Security number, passport number, or driver's license number.
(B) Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual.
(C) A financial account number, debit card number, credit card number, or information that describes or reveals the income level or bank account balances of an individual.
(D) Biometric information.
(E) Genetic information.
(F) Precise geolocation information.
(G) An individual's private communications such as voicemails, emails, texts, direct messages, mail, voice communications, and video communications, or information identifying the parties to such communications or pertaining to the transmission of such communications, including telephone numbers called, telephone numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call.
(H) Account or device log-in credentials, or security or access codes for an account or device.
(I) Information identifying the sexual behavior of an individual.
(J) Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual's device or is accessible from that device and is backed up in a separate location.
(K) A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.
(L) Information revealing the video content requested or selected by an individual.
(M) Information about an individual under the age of 17.
(N) An individual's race, color, ethnicity, or religion.
(O) Information identifying an individual's online activities over time and across websites or online services.
(P) Information that reveals the status of an individual as a member of the Armed Forces.
(Q) Any other data that a data broker sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available to a foreign adversary country, or entity that is controlled by a foreign adversary, for the purpose of identifying the types of data listed in subparagraphs (A) through (P).
(8) Service provider
The term "service provider" means an entity that-
(A) collects, processes, or transfers data on behalf of, and at the direction of-
(i) an individual or entity that is not a foreign adversary country or controlled by a foreign adversary; or
(ii) a Federal, State, Tribal, territorial, or local government entity; and
(B) receives data from or on behalf of an individual or entity described in subparagraph (A)(i) or a Federal, State, Tribal, territorial, or local government entity.
(9) United States individual
The term "United States individual" means a natural person residing in the United States.
(d) Effective date
This section shall take effect on the date that is 60 days after April 24, 2024.
(
Editorial Notes
References in Text
The Federal Trade Commission Act, referred to in subsec. (b)(2), is act Sept. 26, 1914, ch. 311,
Statutory Notes and Related Subsidiaries
Short Title
Protecting Americans from Foreign Adversary Controlled Applications
"SEC. 1. SHORT TITLE.
"This division may be cited as the 'Protecting Americans from Foreign Adversary Controlled Applications Act'.
"SEC. 2. PROHIBITION OF FOREIGN ADVERSARY CONTROLLED APPLICATIONS.
"(a)
"(1)
"(A) Providing services to distribute, maintain, or update such foreign adversary controlled application (including any source code of such application) by means of a marketplace (including an online mobile application store) through which users within the land or maritime borders of the United States may access, maintain, or update such application.
"(B) Providing internet hosting services to enable the distribution, maintenance, or updating of such foreign adversary controlled application for users within the land or maritime borders of the United States.
"(2)
"(A) in the case of an application that satisfies the definition of a foreign adversary controlled application pursuant to subsection (g)(3)(A), beginning on the date that is 270 days after the date of the enactment of this division [Apr. 24, 2024]; and
"(B) in the case of an application that satisfies the definition of a foreign adversary controlled application pursuant to subsection (g)(3)(B), beginning on the date that is 270 days after the date of the relevant determination of the President under such subsection.
"(3)
"(A) a path to executing a qualified divestiture has been identified with respect to such application;
"(B) evidence of significant progress toward executing such qualified divestiture has been produced with respect to such application; and
"(C) there are in place the relevant binding legal agreements to enable execution of such qualified divestiture during the period of such extension.
"(b)
"(c)
"(1)
"(A) does not apply to a foreign adversary controlled application with respect to which a qualified divestiture is executed before the date on which a prohibition under subsection (a) would begin to apply to such application; and
"(B) shall cease to apply in the case of a foreign adversary controlled application with respect to which a qualified divestiture is executed after the date on which a prohibition under subsection (a) applies to such application.
"(2)
"(d)
"(1)
"(A)
"(B)
"(2)
"(A) shall conduct investigations related to potential violations of subsection (a) or (b), and, if such an investigation results in a determination that a violation has occurred, the Attorney General shall pursue enforcement under paragraph (1); and
"(B) may bring an action in an appropriate district court of the United States for appropriate relief, including civil penalties under paragraph (1) or declaratory and injunctive relief.
"(e)
"(1)
"(2)
"(f)
"(1) to authorize the Attorney General to pursue enforcement, under this section, other than enforcement of subsection (a) or (b);
"(2) to authorize the Attorney General to pursue enforcement, under this section, against an individual user of a foreign adversary controlled application; or
"(3) except as expressly provided herein, to alter or affect any other authority provided by or established under another provision of Federal law.
"(g)
"(1)
"(A) a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
"(B) an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly own at least a 20 percent stake; or
"(C) a person subject to the direction or control of a foreign person or entity described in subparagraph (A) or (B).
"(2)
"(A)
"(i) permits a user to create an account or profile to generate, share, and view text, images, videos, real-time communications, or similar content;
"(ii) has more than 1,000,000 monthly active users with respect to at least 2 of the 3 months preceding the date on which a relevant determination of the President is made pursuant to paragraph (3)(B);
"(iii) enables 1 or more users to generate or distribute content that can be viewed by other users of the website, desktop application, mobile application, or augmented or immersive technology application; and
"(iv) enables 1 or more users to view content generated by other users of the website, desktop application, mobile application, or augmented or immersive technology application.
"(B)
"(3)
"(A) any of-
"(i) ByteDance, Ltd.;
"(ii) TikTok;
"(iii) a subsidiary of or a successor to an entity identified in clause (i) or (ii) that is controlled by a foreign adversary; or
"(iv) an entity owned or controlled, directly or indirectly, by an entity identified in clause (i), (ii), or (iii); or
"(B) a covered company that-
"(i) is controlled by a foreign adversary; and
"(ii) that is determined by the President to present a significant threat to the national security of the United States following the issuance of-
"(I) a public notice proposing such determination; and
"(II) a public report to Congress, submitted not less than 30 days before such determination, describing the specific national security concern involved and containing a classified annex and a description of what assets would need to be divested to execute a qualified divestiture.
"(4)
"(5)
"(6)
"(A) the President determines, through an interagency process, would result in the relevant foreign adversary controlled application no longer being controlled by a foreign adversary; and
"(B) the President determines, through an interagency process, precludes the establishment or maintenance of any operational relationship between the United States operations of the relevant foreign adversary controlled application and any formerly affiliated entities that are controlled by a foreign adversary, including any cooperation with respect to the operation of a content recommendation algorithm or an agreement with respect to data sharing.
"(7)
"(8)
"SEC. 3. JUDICIAL REVIEW.
"(a)
"(b)
"(c)
"(1) in the case of a challenge to this division, not later than 165 days after the date of the enactment of this division [Apr. 24, 2024]; and
"(2) in the case of a challenge to any action, finding, or determination under this division, not later than 90 days after the date of such action, finding, or determination."