[House Report 118-418]
[From the U.S. Government Publishing Office]
118th Congress } { Report
HOUSE OF REPRESENTATIVES
2d Session } { 118-418
======================================================================
PROTECTING AMERICANS' DATA FROM FOREIGN ADVERSARIES ACT OF 2024
_______
March 11, 2024.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mrs. Rodgers of Washington, from the Committee on Energy and Commerce,
submitted the following
R E P O R T
[To accompany H.R. 7520]
The Committee on Energy and Commerce, to whom was referred
the bill (H.R. 7520) to prohibit data brokers from transferring
sensitive data of United States individuals to foreign
adversaries, and for other purposes, having considered the
same, reports favorably thereon without amendment and
recommends that the bill do pass.
CONTENTS
Page
Purpose and Summary.............................................. 1
Background and Need for Legislation.............................. 2
Committee Action................................................. 3
Committee Votes.................................................. 3
Oversight Findings and Recommendations........................... 5
New Budget Authority, Entitlement Authority, and Tax Expenditures 5
Congressional Budget Office Estimate............................. 5
Federal Mandates Statement....................................... 5
Statement of General Performance Goals and Objectives............ 5
Duplication of Federal Programs.................................. 5
Related Committee and Subcommittee Hearings...................... 5
Committee Cost Estimate.......................................... 6
Earmark, Limited Tax Benefits, and Limited Tariff Benefits....... 6
Advisory Committee Statement..................................... 6
Applicability to Legislative Branch.............................. 6
Section-by-Section Analysis of the Legislation................... 6
Changes in Existing Law Made by the Bill, as Reported............ 6
PURPOSE AND SUMMARY
The purpose of the bill is to prohibit data brokers from
transferring sensitive data of United States individuals to
foreign adversaries, and for other purposes.
BACKGROUND AND NEED FOR LEGISLATION
Data brokers are businesses that make money by aggregating
and selling vast amounts of Americans' sensitive information
for profit.\1\ These businesses have collected and stored
billions of data elements on nearly every consumer in the
United States, including information about children and active
members of the military.\2\ These data elements capture
sensitive information, such as data about an individual's
religious affiliation, purchasing history, online search
habits, height and weight, ethnicity, and travel patterns.\3\
---------------------------------------------------------------------------
\1\Federal Trade Commission, Data Brokers (May 2014) (https://
www.ftc.gov/system/files/documents/reports/data-brokers-call-
transparency-accountability-report-federal-trade-commission-may-2014/
140527databrokerreport.pdf).
\2\Id.; Justin Sherman et al., Data Brokers and the Sale of Data on
the U.S. Military Personnel (Nov. 2023) (https://
techpolicy.sanford.duke.edu/data-brokers-and-the-sale-of-data-on-us-
military-personnel/); The Markup, The Popular Family Safety App Life360
Is Selling Precise Location Data on Its Tens of Millions of Users (Dec.
6, 2021) (https://themarkup.org/privacy/2021/12/06/the-popular-family-
safety-app-life360-is-selling-precise-location-data-on-its-tens-of-
millions-of-user).
\3\See note 1; Justin Sherman, Data Brokers and Sensitive Data on
U.S. Individuals (2021) (https://techpolicy.sanford.duke.edu/wp-
content/uploads/sites/4/2021/08/Data-Brokers-and-Sensitive-Data-on-US-
Individuals-Sherman-2021.pdf).
---------------------------------------------------------------------------
Currently, there is no comprehensive federal law that
regulates, broadly, the collection, processing, and transfer of
Americans personal information. Several states have enacted
laws that establish varying privacy protections for their
residents, some of which include limitations on data broker
activity. For Americans, who are not protected by a
comprehensive data privacy and security law, however, data
brokers may be permitted to sell their sensitive information to
any entity of the data broker's choosing, including foreign
adversaries. Researchers from Duke University were successfully
able to purchase sensitive information about active-duty
members of the military, their families, and veterans from data
brokers.\4\ The study concluded that foreign and malicious
actors could use data from data brokers to undermine America's
national security.\5\ According to reports, China and Russia
have used information from data brokers to conduct espionage,
blackmail, and cyberattacks.\6\
---------------------------------------------------------------------------
\4\Justin Sherman et al., Data Brokers and the Sale of Data on the
U.S. Military Personnel (Nov. 2023) (https://
techpolicy.sanford.duke.edu/data-brokers-and-the-sale-of-data-on-us-
military-personnel/).
\5\Id.
\6\The Wall Street Journal, U.S. Limits Sales of Americans'
Personal Data to China, Other Adversaries (Feb. 28, 2024) (https://
www.wsj.com/politics/national-security/u-s-to-limit-sales-of-americans-
personal-data-to-china-other-adversaries-e82a3ca5); Office of the
Director of National Intelligence, Panel on Commercially Available
Information (Jan. 27, 2022) (https://www.dni.gov/files/ODNI/documents/
assessments/ODNI-Declassified-Report-on-CAI-January2022.pdf); The
Economic Times, Joe Biden to Crack Down on US Data Flows to China,
Russia (Feb. 28, 2024) (https://economictimes.indiatimes.com/tech/
technology/joe-biden-to-crack-down-on-us-data-flows-to-china-russia/
articleshow/108074871.cms).
---------------------------------------------------------------------------
Americans are relatively powerless to stop this data
harvesting without a comprehensive data privacy and security
law. Data brokers rarely have a direct relationship with the
individual to which the data pertains.\7\ Instead, data brokers
frequently collect American's sensitive information from a
variety of sources, including mobile applications, online
services, and other data brokers.\8\
---------------------------------------------------------------------------
\7\See note 1.
\8\See note 1; The Brennan Center for Justice, Closing the Data
Broker Loophole (https://www.brennancenter.org/our-work/research-
reports/closing-data-broker-loophole) (Mar. 7, 2014).
---------------------------------------------------------------------------
The Protecting Americans' Data from Foreign Adversaries Act
will help curb the amount of sensitive information foreign
adversaries can purchase from data brokers.
COMMITTEE ACTION
On April 19, 2023, the Subcommittee on Oversight and
Investigation held a hearing titled ``Who is Selling Your Data:
A Critical Examination of the Role of Data Brokers in the
Digital Economy.'' The Subcommittee received testimony from:
Justin Sherman, Senior Fellow and Research
Lead Data Brokerage Project, Duke University Sanford
School of Public Policy;
Marshall Erwin, VP and Chief Security
Officer, Mozilla Corporation; and
Professor Laura Moy, Associate Professor of
Law; Faculty Director, Center on Privacy and Technology
Georgetown Law Center.
On March 7, 2024, the Committee on Energy and Commerce held
a full committee hearing to review H.R. 7520. The title of the
hearing was ``Legislation to Protect Americans from the
National Security Threats Posed by Foreign Adversary Controlled
Applications.'' The Committee met in executive session pursuant
to a motion by Chair Rodgers, which was adopted by a record
vote of 43 yeas and 0 nays.
On March 7, 2024, the full Committee on Energy and Commerce
met in open markup session and ordered H.R. 7520, without
amendment, favorably reported to the House by a record vote of
50 yeas and 0 nays.
COMMITTEE VOTES
Clause 3(b) of rule XIII requires the Committee to list the
record votes on the motion to report legislation and amendments
thereto. The following reflects the record votes taken during
the Committee consideration:
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
OVERSIGHT FINDINGS AND RECOMMENDATIONS
Pursuant to clause 2(b)(1) of rule X and clause 3(c)(1) of
rule XIII, the Committee held hearings and made findings that
are reflected in this report.
NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES
Pursuant to clause 3(c)(2) of rule XIII, the Committee
finds that H.R. 7520 would result in no new or increased budget
authority, entitlement authority, or tax expenditures or
revenues.
CONGRESSIONAL BUDGET OFFICE ESTIMATE
Pursuant to clause 3(c)(3) of rule XIII, at the time this
report was filed, the cost estimate prepared by the Director of
the Congressional Budget Office pursuant to section 402 of the
Congressional Budget Act of 1974 was not available.
FEDERAL MANDATES STATEMENT
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act.
STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES
Pursuant to clause 3(c)(4) of rule XIII, the general
performance goal or objective of this legislation is to
prohibit data brokers from transferring sensitive data of
United States individuals to foreign adversaries.
DUPLICATION OF FEDERAL PROGRAMS
Pursuant to clause 3(c)(5) of rule XIII, no provision of
H.R. 7520 is known to be duplicative of another Federal
program, including any program that was included in a report to
Congress pursuant to section 21 of Public Law 111-139 or the
most recent Catalog of Federal Domestic Assistance.
RELATED COMMITTEE AND SUBCOMMITTEE HEARINGS
Pursuant to clause 3(c)(6) of rule XIII, the following
hearings were used to develop or consider H.R. 7520:
On April 19, 2023, the Subcommittee on
Oversight and Investigation held a hearing titled ``Who
is Selling Your Data: A Critical Examination of the
Role of Data Brokers in the Digital Economy.'' The
Subcommittee received testimony from:
Justin Sherman, Senior Fellow
and Research Lead Data Brokerage Project, Duke
University Sanford School of Public Policy;
Marshall Erwin, VP and Chief
Security Officer, Mozilla Corporation; and
Professor Laura Moy, Associate
Professor of Law; Faculty Director, Center on
Privacy and Technology Georgetown Law Center.
On March 7, 2024, the Committee on Energy
and Commerce held a full committee hearing to review
H.R. 7520. The title of the hearing was ``Legislation
to Protect Americans from the National Security Threats
Posed by Foreign Adversary Controlled Applications.''
The Committee met in executive session pursuant to a
motion by Chair Rodgers, which was adopted by a record
vote of 43 yeas and 0 nays.
COMMITTEE COST ESTIMATE
Pursuant to clause 3(d)(1) of rule XIII, the Committee
adopts as its own the cost estimate prepared by the Director of
the Congressional Budget Office pursuant to section 402 of the
Congressional Budget Act of 1974. At the time this report was
filed, the estimate was not available.
EARMARK, LIMITED TAX BENEFITS, AND LIMITED TARIFF BENEFITS
Pursuant to clause 9(e), 9(f), and 9(g) of rule XXI, the
Committee finds that H.R. 7520 contains no earmarks, limited
tax benefits, or limited tariff benefits.
ADVISORY COMMITTEE STATEMENT
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act were created by this
legislation.
APPLICABILITY TO LEGISLATIVE BRANCH
The Committee finds that the legislation does not relate to
the terms and conditions of employment or access to public
services or accommodations within the meaning of section
102(b)(3) of the Congressional Accountability Act.
SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION
Section 1. Short title
This section provides that the Act may be cited as the
``Protecting Americans' Data from Foreign Adversaries Act of
2024.''
Section 2. Prohibition on transfer of sensitive data of United States
individuals to foreign adversaries
Subsection (a) prohibits data brokers from selling,
licensing, renting, trading, transferring, releasing,
disclosing, providing access to, or otherwise making available
the sensitive data of United States individuals to any foreign
adversary country or any entity that is controlled by a foreign
adversary country.
Subsection (b) establishes that a violation of this section
is a violation of a rule defining an unfair or a deceptive act
or practice under section 18(a)(1)(B) of the Federal Trade
Commission Act (15 U.S.C. 57a(a)(1)(B)).
Subsection (c) defines key terms.
Subsection (d) states that this section shall take effect
60 days after the date of enactment.
CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
This legislation does not amend any existing Federal
statute.
[all]