Privacy Dynamics Woven into Recent Foreign Aid Package

Introduction

On April 24, 2024, President Biden signed H.R. 815 into law, which included the “Foreign Adversary Controlled Applications Act” (FACAA) as Division H and “Protecting Americans’ Data from Foreign Adversaries Act of 2024” (PADFAA) as Division I, foreign aid for Ukraine, Israel and Indo-Pacific security, humanitarian aid in Gaza, and other national security and related matters.

Let’s dive into the details.

Foreign Adversary Controlled Applications Act

The FACAA prohibits entities from providing services to distribute, maintain, or update (or enable) a “foreign adversary-controlled application” (including any source code of such application) by either making such an application available on an app store or similar marketplace or providing internet hosting services to enable the applications distribution, maintenance, or updating for users within the land or maritime borders of the U.S. may access, maintain, or update such foreign adversary-controlled application.

Defining “Controlled by a Foreign Adversary”

The law defines “controlled by a foreign adversary” as a company or entity that is:

• a foreign person domiciled in, headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
• an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly own at least a 20 percent stake; or
• a person subject to the direction or control of a foreign person or entity described in subparagraphs (A) or (B).

Defining “Covered Company”

The law defines “covered company” as an entity that operates, directly or indirectly (including through a parent company, subsidiary, or affiliate), a website, desktop application, mobile application, or augmented or immersive technology application that:

• permits a user to create an account or profile to generate, share, and view text, images, videos, real-time communications, or similar content;
• has more than 1,000,000 monthly active users;
• enables 1 or more users to generate or distribute content that can be viewed by other users of the website, desktop application, mobile application, or augmented or immersive technology application; and
• enables 1 or more users to view content generated by other users of the website, desktop application, mobile application, or augmented or immersive technology application.

Notably, the act currently only specifies that applications of ByteDance Ltd. and TikTok (subsidiaries and successors) are subject to these restrictions, but, importantly, these restrictions could be applied to any other application that meets the definition of a “foreign adversary-controlled application” based upon a determination by the President that the application at issue presents a significant threat to U.S. national security.

Yes, that is right. Such a decision is not dependent on Congress; such a determination may be made by the President merely 30 days after submitting a report to Congress. While Congress is the only authority that can change the definition of a “foreign adversary,” determinations based upon such definitions rest in the executive branch.

Content Creator Friendlies

The law requires a covered application to provide a user with all available account data (including posts, photos, and videos) at the user’s request before the prohibition takes effect.

Exclusions

A pertinent exclusion from what is considered a “covered company” is an entity that operates a website, desktop application, mobile application, or augmented or immersive technology application whose primary purpose is to allow users to post product reviews, business reviews, or travel information and reviews.

On April 24, 2024, the President’s signature started the clock on the divestment deadline. If TikTok does not divest by January 19, 2025, a prohibition on TikTok in the U.S. will go into effect. TikTok announced that it plans to contest the ban. There is an option for the President to extend the deadline by 90 days if it appears that a deal is imminent.

Protecting Americans’ Data from Foreign Adversaries Act of 2024

The PADFAA establishes strict protective measures against data exploitation by countries considered national security threats for U.S. sensitive personal data and U.S. government-related data.

The law prohibits data brokers from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to, or otherwise making available U.S. individuals’ personally identifiable sensitive data (extensive list below) to a “foreign adversary country” or any entity that is controlled by a foreign adversary country and designates the Federal Trade Commission as the overseeing regulatory agency.

Foreign adversary countries include China, Russia, Iran, and North Korea. See the definition of “controlled by a foreign adversary” in this article above.

What is classified as Sensitive Data?

Sensitive data under the PADFAA includes the following personally identifying data:

• Government-issued identifiers and any account or device log-in credentials, including security or access codes
• Data revealing past, present, or future health conditions, treatments, or information about an individual’s sexual behavior or intimate imagery
• Financial, biometric, or genetic data
• Precise geolocation data
• Private information, namely:
  • private communications, including voicemails, emails, messages, mail, video conferences, or metadata about those communications; and
  • calendar information, address book information, phone or text logs, photos, audio recordings, or videos maintained for private individual use
• A photograph, film, video recording, or other similar medium that shows an individual’s naked or undergarment-clad private area
• Information revealing an individual’s:
  • video content requests or selections; or
  • activities over time and across websites or online services
• Children’s data (under age 17)
• An individual’s race, ethnicity, religion, or status as a member of the armed forces
• Any other data provided to identify sensitive data

No Threshold

Notably, the law does not include a volume threshold for covered transactions involving such data.

Who is Implicated?

The PADFAA applies to data brokers, defined as any entity that sells, licenses, transfers, releases, discloses, provides access to, or otherwise makes available:

• U.S. individuals’ data it did not directly collect from the individual.
• To another entity not acting as its service provider.
• For valuable consideration.

Exclusions

The Act excludes entities when they:

• Transmit an individual’s data at their request.
• Offer a product or service where the sensitive data itself (or access thereto) is not the product or service.
• Report or publish news or information that:
  • concerns local, national, or international events or other matters of public interest; or
  • is publicly available, including from books, directories, movies, television, radio, news media, or public unrestricted internet sites, unless it includes an obscene visual depiction as defined by 18 U.S.C. §1460.
• Act as a service provider (on behalf of or at the direction of an individual or entity that is not a foreign adversary country or controlled by a foreign adversary).

Conclusion

These Acts certainly shift the long-standing U.S. approach to data transfers. It is interesting to see how this will work in practice, whether ByteDance Ltd. chooses to divest and how other companies may respond.

We are following TikTok’s claims to contest the ban and the weight of such action in addition to helping clients prepare. If you have any questions, please reach out to a member of our Data Privacy & Cybersecurity team.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.