UPDATE: Adding Division H as well since it’s very relevant, before it was just Division I shown here
DIVISION H—PROTECTING AMERICANS FROM FOREIGN ADVERSARY CONTROLLED APPLICATIONS ACT
SEC. 1. SHORT TITLE. This division may be cited as the “Protecting Americans from Foreign Adversary Controlled Applications Act”.
SEC. 2. PROHIBITION OF FOREIGN ADVERSARY CONTROLLED APPLICATIONS. (a) In General.—
(1) PROHIBITION OF FOREIGN ADVERSARY CONTROLLED APPLICATIONS.—It shall be unlawful for an entity to distribute, maintain, or update (or enable the distribution, maintenance, or updating of) a foreign adversary controlled application by carrying out, within the land or maritime borders of the United States, any of the following:
(A) Providing services to distribute, maintain, or update such foreign adversary controlled application (including any source code of such application) by means of a marketplace (including an online mobile application store) through which users within the land or maritime borders of the United States may access, maintain, or update such application.
(B) Providing internet hosting services to enable the distribution, maintenance, or updating of such foreign adversary controlled application for users within the land or maritime borders of the United States.
(2) APPLICABILITY.—Subject to paragraph (3), this subsection shall apply—
(A) in the case of an application that satisfies the definition of a foreign adversary controlled application pursuant to subsection (g)(3)(A), beginning on the date that is 270 days after the date of the enactment of this division; and
(B) in the case of an application that satisfies the definition of a foreign adversary controlled application pursuant to subsection (g)(3)(B), beginning on the date that is 270 days after the date of the relevant determination of the President under such subsection.
(3) EXTENSION.—With respect to a foreign adversary controlled application, the President may grant a 1-time extension of not more than 90 days with respect to the date on which this subsection would otherwise apply to such application pursuant to paragraph (2), if the President certifies to Congress that—
(A) a path to executing a qualified divestiture has been identified with respect to such application;
(B) evidence of significant progress toward executing such qualified divestiture has been produced with respect to such application; and
© there are in place the relevant binding legal agreements to enable execution of such qualified divestiture during the period of such extension.
(b) Data And Information Portability To Alternative Applications.—Before the date on which a prohibition under subsection (a) applies to a foreign adversary controlled application, the entity that owns or controls such application shall provide, upon request by a user of such application within the land or maritime borders of United States, to such user all the available data related to the account of such user with respect to such application. Such data shall be provided in a machine readable format and shall include any data maintained by such application with respect to the account of such user, including content (including posts, photos, and videos) and all other account information.
© Exemptions.—
(1) EXEMPTIONS FOR QUALIFIED DIVESTITURES.—Subsection (a)—
(A) does not apply to a foreign adversary controlled application with respect to which a qualified divestiture is executed before the date on which a prohibition under subsection (a) would begin to apply to such application; and
(B) shall cease to apply in the case of a foreign adversary controlled application with respect to which a qualified divestiture is executed after the date on which a prohibition under subsection (a) applies to such application.
(2) EXEMPTIONS FOR CERTAIN NECESSARY SERVICES.—Subsections (a) and (b) do not apply to services provided with respect to a foreign adversary controlled application that are necessary for an entity to attain compliance with such subsections.
(d) Enforcement.—
(1) CIVIL PENALTIES.—
(A) FOREIGN ADVERSARY CONTROLLED APPLICATION VIOLATIONS.—An entity that violates subsection (a) shall be subject to pay a civil penalty in an amount not to exceed the amount that results from multiplying $5,000 by the number of users within the land or maritime borders of the United States determined to have accessed, maintained, or updated a foreign adversary controlled application as a result of such violation.
(B) DATA AND INFORMATION VIOLATIONS.—An entity that violates subsection (b) shall be subject to pay a civil penalty in an amount not to exceed the amount that results from multiplying $500 by the number of users within the land or maritime borders of the United States affected by such violation.
(2) ACTIONS BY ATTORNEY GENERAL.—The Attorney General—
(A) shall conduct investigations related to potential violations of subsection (a) or (b), and, if such an investigation results in a determination that a violation has occurred, the Attorney General shall pursue enforcement under paragraph (1); and
(B) may bring an action in an appropriate district court of the United States for appropriate relief, including civil penalties under paragraph (1) or declaratory and injunctive relief.
(e) Severability.—
(1) IN GENERAL.—If any provision of this section or the application of this section to any person or circumstance is held invalid, the invalidity shall not affect the other provisions or applications of this section that can be given effect without the invalid provision or application.
(2) SUBSEQUENT DETERMINATIONS.—If the application of any provision of this section is held invalid with respect to a foreign adversary controlled application that satisfies the definition of such term pursuant to subsection (g)(3)(A), such invalidity shall not affect or preclude the application of the same provision of this section to such foreign adversary controlled application by means of a subsequent determination pursuant to subsection (g)(3)(B).
(f) Rule Of Construction.—Nothing in this division may be construed—
(1) to authorize the Attorney General to pursue enforcement, under this section, other than enforcement of subsection (a) or (b);
(2) to authorize the Attorney General to pursue enforcement, under this section, against an individual user of a foreign adversary controlled application; or
(3) except as expressly provided herein, to alter or affect any other authority provided by or established under another provision of Federal law.
(g) Definitions.—In this section:
(1) CONTROLLED BY A FOREIGN ADVERSARY.—The term “controlled by a foreign adversary” means, with respect to a covered company or other entity, that such company or other entity is—
(A) a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
(B) an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly own at least a 20 percent stake; or
© a person subject to the direction or control of a foreign person or entity described in subparagraph (A) or (B).
(2) COVERED COMPANY.—
(A) IN GENERAL.—The term “covered company” means an entity that operates, directly or indirectly (including through a parent company, subsidiary, or affiliate), a website, desktop application, mobile application, or augmented or immersive technology application that—
(i) permits a user to create an account or profile to generate, share, and view text, images, videos, real-time communications, or similar content;
(ii) has more than 1,000,000 monthly active users with respect to at least 2 of the 3 months preceding the date on which a relevant determination of the President is made pursuant to paragraph (3)(B);
(iii) enables 1 or more users to generate or distribute content that can be viewed by other users of the website, desktop application, mobile application, or augmented or immersive technology application; and
(iv) enables 1 or more users to view content generated by other users of the website, desktop application, mobile application, or augmented or immersive technology application.
(B) EXCLUSION.—The term “covered company” does not include an entity that operates a website, desktop application, mobile application, or augmented or immersive technology application whose primary purpose is to allow users to post product reviews, business reviews, or travel information and reviews.
(3) FOREIGN ADVERSARY CONTROLLED APPLICATION.—The term “foreign adversary controlled application” means a website, desktop application, mobile application, or augmented or immersive technology application that is operated, directly or indirectly (including through a parent company, subsidiary, or affiliate), by—
(A) any of—
(i) ByteDance, Ltd.;
(ii) TikTok;
(iii) a subsidiary of or a successor to an entity identified in clause (i) or (ii) that is controlled by a foreign adversary; or
(iv) an entity owned or controlled, directly or indirectly, by an entity identified in clause (i), (ii), or (iii); or
(B) a covered company that—
(i) is controlled by a foreign adversary; and
(ii) that is determined by the President to present a significant threat to the national security of the United States following the issuance of—
(I) a public notice proposing such determination; and
(II) a public report to Congress, submitted not less than 30 days before such determination, describing the specific national security concern involved and containing a classified annex and a description of what assets would need to be divested to execute a qualified divestiture.
(4) FOREIGN ADVERSARY COUNTRY.—The term “foreign adversary country” means a country specified in section 4872(d)(2) of title 10, United States Code.
(5) INTERNET HOSTING SERVICE.—The term “internet hosting service” means a service through which storage and computing resources are provided to an individual or organization for the accommodation and maintenance of 1 or more websites or online services, and which may include file hosting, domain name server hosting, cloud hosting, and virtual private server hosting.
(6) QUALIFIED DIVESTITURE.—The term “qualified divestiture” means a divestiture or similar transaction that—
(A) the President determines, through an interagency process, would result in the relevant foreign adversary controlled application no longer being controlled by a foreign adversary; and
(B) the President determines, through an interagency process, precludes the establishment or maintenance of any operational relationship between the United States operations of the relevant foreign adversary controlled application and any formerly affiliated entities that are controlled by a foreign adversary, including any cooperation with respect to the operation of a content recommendation algorithm or an agreement with respect to data sharing.
(7) SOURCE CODE.—The term “source code” means the combination of text and other characters comprising the content, both viewable and nonviewable, of a software application, including any publishing language, programming language, protocol, or functional content, as well as any successor languages or protocols.
(8) UNITED STATES.—The term “United States” includes the territories of the United States.
SEC. 3. JUDICIAL REVIEW. (a) Right Of Action.—A petition for review challenging this division or any action, finding, or determination under this division may be filed only in the United States Court of Appeals for the District of Columbia Circuit.
(b) Exclusive Jurisdiction.—The United States Court of Appeals for the District of Columbia Circuit shall have exclusive jurisdiction over any challenge to this division or any action, finding, or determination under this division.
© Statute Of Limitations.—A challenge may only be brought—
(1) in the case of a challenge to this division, not later than 165 days after the date of the enactment of this division; and
(2) in the case of a challenge to any action, finding, or determination under this division, not later than 90 days after the date of such action, finding, or determination.
DIVISION I—PROTECTING AMERICANS’ DATA FROM FOREIGN ADVERSARIES ACT OF 2024
SEC. 1. SHORT TITLE. This division may be cited as the “Protecting Americans’ Data from Foreign Adversaries Act of 2024”.
SEC. 2. PROHIBITION ON TRANSFER OF PERSONALLY IDENTIFIABLE SENSITIVE DATA OF UNITED STATES INDIVIDUALS TO FOREIGN ADVERSARIES. (a) Prohibition.—It shall be unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual to—
(1) any foreign adversary country; or
(2) any entity that is controlled by a foreign adversary.
(b) Enforcement By Federal Trade Commission.—
(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this section shall be treated as a violation of a rule defining an unfair or a deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(2) POWERS OF COMMISSION.—
(A) IN GENERAL.—The Commission shall enforce this section in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this section.
(B) PRIVILEGES AND IMMUNITIES.—Any person who violates this section shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.
(3) AUTHORITY PRESERVED.—Nothing in this section may be construed to limit the authority of the Commission under any other provision of law.
© Definitions.—In this section:
(1) COMMISSION.—The term “Commission” means the Federal Trade Commission.
(2) CONTROLLED BY A FOREIGN ADVERSARY.—The term “controlled by a foreign adversary” means, with respect to an individual or entity, that such individual or entity is—
(A) a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
(B) an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly own at least a 20 percent stake; or
© a person subject to the direction or control of a foreign person or entity described in subparagraph (A) or (B).
(3) DATA BROKER.—
(A) IN GENERAL.—The term “data broker” means an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.
(B) EXCLUSION.—The term “data broker” does not include an entity to the extent such entity—
(i) is transmitting data of a United States individual, including communications of such an individual, at the request or direction of such individual;
(ii) is providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service;
(iii) is reporting or publishing news or information that concerns local, national, or international events or other matters of public interest;
(iv) is reporting, publishing, or otherwise making available news or information that is available to the general public—
(I) including information from—
(aa) a book, magazine, telephone book, or online directory;
(bb) a motion picture;
(cc) a television, internet, or radio program;
(dd) the news media; or
(ee) an internet site that is available to the general public on an unrestricted basis; and
(II) not including an obscene visual depiction (as such term is used in section 1460 of title 18, United States Code); or
(v) is acting as a service provider.
(4) FOREIGN ADVERSARY COUNTRY.—The term “foreign adversary country” means a country specified in section 4872(d)(2) of title 10, United States Code.
(5) PERSONALLY IDENTIFIABLE SENSITIVE DATA.—The term “personally identifiable sensitive data” means any sensitive data that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.
(6) PRECISE GEOLOCATION INFORMATION.—The term “precise geolocation information” means information that—
(A) is derived from a device or technology of an individual; and
(B) reveals the past or present physical location of an individual or device that identifies or is linked or reasonably linkable to 1 or more individuals, with sufficient precision to identify street level location information of an individual or device or the location of an individual or device within a range of 1,850 feet or less.
(7) SENSITIVE DATA.—The term “sensitive data” includes the following:
(A) A government-issued identifier, such as a Social Security number, passport number, or driver’s license number.
(B) Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual.
© A financial account number, debit card number, credit card number, or information that describes or reveals the income level or bank account balances of an individual.
(D) Biometric information.
(E) Genetic information.
(F) Precise geolocation information.
(G) An individual’s private communications such as voicemails, emails, texts, direct messages, mail, voice communications, and video communications, or information identifying the parties to such communications or pertaining to the transmission of such communications, including telephone numbers called, telephone numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call.
(H) Account or device log-in credentials, or security or access codes for an account or device.
(I) Information identifying the sexual behavior of an individual.
(J) Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual’s device or is accessible from that device and is backed up in a separate location.
(K) A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.
(L) Information revealing the video content requested or selected by an individual.
(M) Information about an individual under the age of 17.
(N) An individual’s race, color, ethnicity, or religion.
(O) Information identifying an individual’s online activities over time and across websites or online services.
(P) Information that reveals the status of an individual as a member of the Armed Forces.
(Q) Any other data that a data broker sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available to a foreign adversary country, or entity that is controlled by a foreign adversary, for the purpose of identifying the types of data listed in subparagraphs (A) through (P).
(8) SERVICE PROVIDER.—The term “service provider” means an entity that—
(A) collects, processes, or transfers data on behalf of, and at the direction of—
(i) an individual or entity that is not a foreign adversary country or controlled by a foreign adversary; or
(ii) a Federal, State, Tribal, territorial, or local government entity; and
(B) receives data from or on behalf of an individual or entity described in subparagraph (A)(i) or a Federal, State, Tribal, territorial, or local government entity.
(9) UNITED STATES INDIVIDUAL.—The term “United States individual” means a natural person residing in the United States.
(d) Effective Date.—This section shall take effect on the date that is 60 days after the date of the enactment of this division.
I, as a European, want a PROTECTING EUROPEANS’ DATA FROM FOREIGN ADVERSARIES ACT OF 2024.
Sell or dissolve X, Facebook, Google, Amazon, Instagram, Microsoft, Apple, etc.
First of all, the EU does have protections for their people’s data
Second of all, are you asking the USA to pass an act protecting Europeans? That seems a little odd, but sure I’ll support it. When it gets introduced I’ll call my reps.
Yes, the EU has such regulations, but does not enforce them, especially not against US companies. So, having an explicit law in the European Union that would force it to finally get the asses moving in Brussels would be a nice thing.
Thanks for the write up!
IMO, in general, the more important policy would be to protect our data from domestic companies and gov’ts, as regular citizens.
Our data being collected from domestic companies and gov’t agencies infringes on our rights, while also being a closer threat than foreign gov’ts, lookingat this from regular citizens view.
Gov’t, contractors, and military personnel already have their own way of protecting themselves from foreign countries. Using secure devices and connections, while following their own policies.
In the end, it seems to be pointing toward Tiktok Ban so not sure how well this will go.
From the perspective of our data that’s true, but there’s also the problem of foreign governments using social media as propaganda tools. That’s actually worse, a lot of people believe actual falsehoods due to what they see on social media
For example, tons of people have been misled to think this bill is a TikTok ban.
The bill literally mentioned tiktok and bytedance on the first page when first introduced. They wrote the bill to ban tiktok.
Update, you were right, Division H “PROTECTING AMERICANS FROM FOREIGN ADVERSARY CONTROLLED APPLICATIONS ACT” does in fact mention them by name. The text above was only Division I “PROTECTING AMERICANS’ DATA FROM FOREIGN ADVERSARIES ACT OF 2024”. I’ve updated the post to include both acts, now.
It’s literally not in the entire text of the Bill hovering directly above this thread. You’re literally wrong.
The version of the bill I saw just earlier today (linked from a CNN article a few days ago) mentioned TikTok and ByteDance by name:
Relevant section
(3) FOREIGN ADVERSARY CONTROLLED APPLI -8 CATION .—The term ‘‘foreign adversary controlled application’’ means a website, desktop application, mobile application, or augmented or immersive technology application that is operated, directly or indirectly (including through a parent company, subsidiary, or affiliate), by—
(A) any of—
(i) ByteDance, Ltd.;
(ii) TikTok;
(iii) a subsidiary of or a successor to an entity identified in clause (i) or (ii) that is controlled by a foreign adversary; or
(iv) an entity owned or controlled, directly or indirectly, by an entity identified in clause (i), (ii), or (iii);
This was under the definition of “adversary company.” So it was there at one point.
But that’s a big change, so I’m going to reread the bill to see if I need to revise my opinion on it. But the bill I read linked from CNN earlier today was bad in several ways.
If the bill identified tiktok and byte dance by name they would just rename the app and company to avoid the regulation.
The fact that this law identifies byte dance in the overly verbose and broad language typical of how laws are written does not change the intent.
It sounds like this is your first time reading the full text of a bill, and you are drawing uninformed conclusions.
lol yeah just change your name and you can’t be persecuted for your crimes. Great advice, armchair lawyer.
If the text of this law said that the app “Tiktok” and company “ByteDance” cannot operate in the US, it would be trivial create a new company called, “BitSamba” which operates the “Tuktuk” app, and this specific law would not apply to them.
That is why the bill uses the term “entity that is controlled by a foreign adversary.” Try reading at least one more bill, or any municipal code, then you might start to understand. This is how laws are written. Lawyers are very good at finding loopholes, which is why laws are specifically written defensively to avoid unintended loopholes.
The language of this bill will apply to tiktok. Tiktok is the most notable app that will be effected by it. Which is why everyone who knows what they’re talking about has been calling this the bill that bans tiktok because that is what it does.
Especially the authors of this bill that but the part about it banning tiktok in the first page summary for all the legislators who don’t actually read the full text.
Ah, thanks for explaining your point of view!
I see the gov’t and domestic companies being a way bigger threat than foriegn gov’ts and companies.
Our gov’t has way more control on our media and what we see and hear.
Propaganda from your own gov’t is a much bigger deal. Once you start criticizing and questioning why the status quo has not changed over the last many decades/half century.
This being: more endless wars, more bailouts required for banks, more policing, and more medical debt, more mental health problems, more student debt, and it continues…
All while people are not experiencing an improvement in their day to day lives, it seems.
All in all, I may be in the minority, when it comes to this topic; when talking about the issues that are caused by all of these systematic problems we will continue to face in the future.
Stay hopeful and keep learning!
Is the propaganda from our government in the room with us right now?
I’m sorry to hear living in China is so hard for you.
Ah, humor, thanks for trying to make this bleak topic a bit more enjoyable with some comedy!
I currently live in China and I can’t access TikTok here without a VPN
Skill Issue.
Idk why you need a VPN for 抖音
I have 抖音, it’s TikTok that’s blocked
lmfao
I didn’t do much of the writing up, it copied over from a dot gov website with minimal editing needed. If something formatted incorrectly then I hope somebody lets me know.
I place the priority of stopping hostile foreign actors before hostile domestic actors, but yeah both bad.
And here’s US Code 4872(d)(2) for reference:
(2) Covered nation.—The term “covered nation” means—
(A) the Democratic People’s Republic of North Korea;
(B) the People’s Republic of China;
© the Russian Federation; and
(D) the Islamic Republic of Iran.
Edit: OP, could you link the bill? I had trouble finding it and read a version linked from CNN a few days ago, and it seems it’s quite different (doesn’t mention TikTok or ByteDance by name anymore in the definitions).
Edit 2: found it. Reading now.
Anyone remember when TikTok was Vine? Just use Vine.
Apologies… it didn’t actually used to be Vine, that was more just sarcasm about how TikTok was actually just a Vine ripoff but somehow more successful.
Part of it is that Vine was a little too early. Phone screens were smaller, and people weren’t used to watching videos on their phone as much as they do today.
Ok, I’ve had a chance to read through the bill, so here are some notes:
- (g)(3)(A) - mentions TikTok and ByteDance by name as a “foreign adversary controlled application” - so it’s absolutely a “TikTok ban”
- (g)(2)(B) - exclusion for primarily review sites - not sure who this loophole is for, maybe Yelp?
- (a)(1)(A) - it might be illegal for me to host and distribute a way to get access to a foreign controlled application as a private citizen, depending on the definition of “marketplace,” even if it’s just source code
- (g)(1)(b) - applies to applications with 20% ownership by someone in an adversary company - I think this means Fortnite and EGS could be impacted
- (g)(3)(B)(ii) - presidential powers
- (d)(2) and (f) - Attorney General powers and restrictions
I think the bill is problematic, but it’s not nearly as bad as I thought it would be. Powers granted to the Attorney General are pretty limited, though the President seems to have a little less restrictions.
I’m mostly concerned about collateral damage for things like FOSS, but theoretically popular forums hosted in China or Russia could be caught, though I’m guessing enforcement would be minimal.
The most troubling parts to me are:
- 20% ownership standard - doesn’t just apply to the CCP, but anyone in an adversary country, so I think this includes Fortnite and Epic Games generally, and probably other popular games and services funded by Chinese investors (as long as you can post something, it counts)
- the President can decide that propose pretty much any piece of software as an “adversary controlled application” with only a notice given to Congress
- precedent set by calling out a specific product and org (TikTok and ByteDance are mentioned by name)
Okay, I see the source of confusion on my part, the act was split into two separate divisions: Division H and Division I, and Division H that you linked to does in fact mention TikTok and ByteDance.
If you’re not controlled by an adversarial nation as defined in Division I as a country specified in section 4872(d)(2) of title 10, United States Code, then you’re not gonna have to worry about your FOSS code getting taken down. If you do, then just stop sending userdata within 165 days and have those nations divest, then you can keep hosting FOSS.
I originally was Division H, so I was kinda confused. I still need to finish Division I. Division I seems a bit less controversial. Your post is properly labeled, it’s just less interesting than Division H imo.
Initially, ©(3)(B) seems like it has potential for loopholes, but that whole division of the bill seems generally ok.
