H.R. 7520 is limited in its scope, applying only to data brokers that sell or otherwise make personally identifiable sensitive data available to foreign adversaries. Here are the highlights:

• “Data Brokers” includes entities that sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available data of U.S. individuals, if the entities did not collect the information directly from the individual or from the entities’ service providers.
• “Personally Identifiable Sensitive Data” includes 17 data types, including government-issued identifiers (for example, Social Security numbers); biometric or genetic information; precise geolocation information; financial information, health data, and web browsing activity; and data shared for the purpose of identifying the other 16 data types.
• “Foreign Adversaries” are designated by the U.S. Secretary of Defense. As of March 2024, the list includes the People’s Republic of China (including the Hong Kong Special Administrative Region), the Republic of Cuba, the Islamic Republic of Iran, North Korea, the Russian Federation, and regime of the Venezuelan politician Nicolás Maduro.

H.R. 7520 has not yet been voted on in the Senate or signed into law by the President. However, the U.S. government is increasingly focused on limiting the transfer of Americans’ data to countries that are believed to be using the information maliciously. With the continued push on data sharing restrictions, organizations should evaluate their data sharing practices and determine from whom their data comes, with whom they share it, and what they share. If an organization is, or determines it may be, a “data broker,” it may need to adjust its practices. If H.R. 7520 becomes law, data brokers who share sensitive information with foreign adversaries would be subject to enforcement action by the Federal Trade Commission. Data sharing with foreign adversaries would be treated as an unfair or deceptive trade practice and could result in monetary penalties. Companies should continue to monitor these developments to better understand the risks and requirements when sharing data, especially when doing so overseas.

The Constangy Cybersecurity & Data Privacy Team assists entities of all sizes with their information security and privacy needs – from proactive efforts to comply with applicable regulations or guidance to support with a breach.  We are here to help!  The Constangy Cyber Team is available 24/7.  Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.