U.S. Passes Social Media and Data Broker Bills Targeting Data Use Practices

Prohibition on Foreign Adversary-Controlled Applications
After years of false starts, Congress passed legislation to make it unlawful for an entity to distribute, maintain or update (or enable the distribution, maintenance or updating of) a website, desktop application, mobile application, or augmented or immersive technology application that is operated, directly or indirectly (including through a parent company, subsidiary, or affiliate), by a foreign adversary.

Now that President Biden has signed the bill, the nine-month countdown begins for covered companies to either execute a qualified divestiture or face getting removed from U.S. app stores. The deadline for such a forced sale would be January 19, 2025. The President could grant a one-time extension of not more than 90 days if the President certifies to Congress that (A) a path to executing a qualified divestiture has been identified with respect to such application; (B) evidence of significant progress toward executing such qualified divestiture has been produced with respect to such application; and (C) there are in place the relevant binding legal agreements to enable execution of such qualified divestiture during the period of such extension.

The bill also provides that, during the 270-day period, all entities who own or control such foreign adversary-controlled applications must provide all users with the data that they have collected on them upon request by the user.

Scope and Applicability
The Protecting Americans from Foreign Adversary Controlled Applications Act aims to prevent platforms controlled by foreign adversaries from operating in the U.S. This bill would specifically prohibit entities from distributing, maintaining or updating a “foreign adversary controlled application” by carrying out within the U.S. (1) services to distribute, maintain or update such apps by means of a marketplace through which users within the borders of the U.S. can access, maintain or update such apps, or (2) providing internet-hosting services to enable the distribution, maintenance or updating of such apps for users within the borders of the U.S. The prohibition restrictions apply not only to the application owner, but, for example, to application stores (Google Play or Apple App Store) that distribute the applications.

The focus of the restrictions is on ‘‘foreign adversary controlled applications.’’ The law specifically names TikTok and ByteDance but also includes any website, desktop application, mobile application, or augmented or immersive technology application that is operated, directly or indirectly (including through a parent company, subsidiary or affiliate), by

   (i) A covered company that is controlled by a foreign adversary; or

   (ii) Any others determined by the President to present a significant threat to U.S. national security.

This means the U.S. would have the ability to designate additional companies as “covered companies” that are owned or “controlled by a foreign adversary” following an affirmative determination that designation is needed in light of a significant U.S. national security threat. 

Key terms are defined below:

“Covered companies” include entities that operate, directly or indirectly, a website, desktop application, mobile application, or augmented or immersive technology application that:

• permits a user to create an account or profile to generate, share and view text, images, videos, real-time communications or similar content;
• has more than 1,000,000 monthly active users with respect to at least two of the three months preceding the date on which a relevant determination of the President is made which declares the company to present a significant threat to the national security of the U.S.;
• enables one or more users to generate or distribute content that can be viewed by other users of the website, desktop application, mobile application, or augmented or immersive technology application; and
• enables one or more users to view content generated by other users of the website, desktop application, mobile application, or augmented or immersive technology application. 

The term “controlled by a foreign adversary” means that an entity is one of three things:

• a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
• an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly owns at least a 20 percent stake; or
• a person subject to the direction or control of a foreign person or entity described above.

The bill would require the issuance of a public notice proposing such determination and a public report to Congress, submitted at least 30 days prior to the determination, describing the specific national security concern involved, before an application would be subject to the bill’s prohibitions.

Civil Penalties
Violations of the Act’s prohibition provision could subject the violating entity to civil penalties. An entity that fails to stop the distribution, maintenance or updating of a foreign adversary-controlled application, or an entity that continues to provide internet-hosting services for such applications, may be fined up to $5,000 per U.S. user. If a covered company were to have 150 million U.S. users, that would result in a statutory maximum $750 billion fine.

Civil penalties will apply (1) 270 days after enactment for TikTok/ByteDance; and (2) 270 days following any public determination finding that an application is a “foreign adversary controlled application.” The bill also provides that during the 270-day period, all entities who own or control such foreign adversary-controlled applications must provide all users with the data that they have collected on them upon request by the user. Failing to share the data collection metrics with the users may result in the imposition of a civil penalty up to $500 per affected U.S. user.

Legal Challenges
The White House, the Justice Department and the drafters of the bill were keenly aware of the opposition and the legal challenges this bill might face. A number of Democrats and Republicans in both chambers voiced concerns that the bill gives too much power to the federal government to restrict businesses or that it curtails speech online. Covered companies are expected to challenge the measure, setting up a high-stakes and potentially lengthy legal battle over the apps’ fate. Specifically, legal issues related to the First Amendment, due process, the Takings Clause, and the Bill of Attainder Clause are expected to be raised. Section 3 of the bill seeks to limit judicial review of challenges by (1) limiting a petition for review challenging this bill to be filed only in the U.S. Court of Appeals for the District of Columbia Circuit (D.C. Circuit), (2) giving the D.C. Circuit exclusive jurisdiction and (3) imposing a short statute of limitations for bringing such challenges (in this case, 165 days after the date of the enactment of the bill). Immediately following the bill’s passage, covered companies have released public statements calling the law “unconstitutional.” Opponents of the bill will presumably seek an injunction to stop the clock and put the bill on pause. In May 2023, Montana passed similar ownership restrictions, and in November a federal judge blocked the measure. That case is working its way to a federal appeals court. 

A National Data Broker Bill
While all eyes are on the social media company’s ownership question, a national data broker bill, introduced by Ranking Member of the Energy and Commerce Committee Rep. Frank Pallone Jr. (D-N.J.), was passed as part of the foreign aid package on April 23. This bill was introduced in February following the issuance of the Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. This bill should be read within the larger context of the debate surrounding the new federal draft privacy bill, unveiled on April 7, as many of the terms and concepts appear to expand upon the privacy requirements introduced in the draft federal privacy bill.

The Protecting Americans’ Data from Foreign Adversaries Act of 2024 would prohibit a data broker from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to or otherwise making available personally identifiable sensitive data of a United States individual to (1) any foreign adversary country; or (2) any entity that is controlled by a foreign adversary. The law would apply to a broad set of “data brokers,” which means any entity that, for valuable consideration (read: not monetary consideration), sells, licenses, rents, trades, transfers, releases, discloses, provides access to or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider. Since the law focuses on companies that do not collect data directly from individuals, this law would disproportionately affect B2B companies.

Effective 60 days after the law is enacted, the law provides enforcement authority to the FTC and uses the same broad definition for “sensitive data” as it is defined under the American Privacy Rights Act, currently undergoing markup with the House Energy and Commerce Committee, for which Rep. Pallone is Ranking Member. This definition of sensitive data is broader than any previously enacted global privacy law standard and includes a simply worded category, “information about an individual under the age of 17.”