UPDATE: Adding Division H as well since it’s very relevant, before it was just Division I shown here


DIVISION H—PROTECTING AMERICANS FROM FOREIGN ADVERSARY CONTROLLED APPLICATIONS ACT

SEC. 1. SHORT TITLE. This division may be cited as the “Protecting Americans from Foreign Adversary Controlled Applications Act”.

SEC. 2. PROHIBITION OF FOREIGN ADVERSARY CONTROLLED APPLICATIONS. (a) In General.—

(1) PROHIBITION OF FOREIGN ADVERSARY CONTROLLED APPLICATIONS.—It shall be unlawful for an entity to distribute, maintain, or update (or enable the distribution, maintenance, or updating of) a foreign adversary controlled application by carrying out, within the land or maritime borders of the United States, any of the following:

(A) Providing services to distribute, maintain, or update such foreign adversary controlled application (including any source code of such application) by means of a marketplace (including an online mobile application store) through which users within the land or maritime borders of the United States may access, maintain, or update such application.

(B) Providing internet hosting services to enable the distribution, maintenance, or updating of such foreign adversary controlled application for users within the land or maritime borders of the United States.

(2) APPLICABILITY.—Subject to paragraph (3), this subsection shall apply—

(A) in the case of an application that satisfies the definition of a foreign adversary controlled application pursuant to subsection (g)(3)(A), beginning on the date that is 270 days after the date of the enactment of this division; and

(B) in the case of an application that satisfies the definition of a foreign adversary controlled application pursuant to subsection (g)(3)(B), beginning on the date that is 270 days after the date of the relevant determination of the President under such subsection.

(3) EXTENSION.—With respect to a foreign adversary controlled application, the President may grant a 1-time extension of not more than 90 days with respect to the date on which this subsection would otherwise apply to such application pursuant to paragraph (2), if the President certifies to Congress that—

(A) a path to executing a qualified divestiture has been identified with respect to such application;

(B) evidence of significant progress toward executing such qualified divestiture has been produced with respect to such application; and

© there are in place the relevant binding legal agreements to enable execution of such qualified divestiture during the period of such extension.

(b) Data And Information Portability To Alternative Applications.—Before the date on which a prohibition under subsection (a) applies to a foreign adversary controlled application, the entity that owns or controls such application shall provide, upon request by a user of such application within the land or maritime borders of United States, to such user all the available data related to the account of such user with respect to such application. Such data shall be provided in a machine readable format and shall include any data maintained by such application with respect to the account of such user, including content (including posts, photos, and videos) and all other account information.

© Exemptions.—

(1) EXEMPTIONS FOR QUALIFIED DIVESTITURES.—Subsection (a)—

(A) does not apply to a foreign adversary controlled application with respect to which a qualified divestiture is executed before the date on which a prohibition under subsection (a) would begin to apply to such application; and

(B) shall cease to apply in the case of a foreign adversary controlled application with respect to which a qualified divestiture is executed after the date on which a prohibition under subsection (a) applies to such application.

(2) EXEMPTIONS FOR CERTAIN NECESSARY SERVICES.—Subsections (a) and (b) do not apply to services provided with respect to a foreign adversary controlled application that are necessary for an entity to attain compliance with such subsections.

(d) Enforcement.—

(1) CIVIL PENALTIES.—

(A) FOREIGN ADVERSARY CONTROLLED APPLICATION VIOLATIONS.—An entity that violates subsection (a) shall be subject to pay a civil penalty in an amount not to exceed the amount that results from multiplying $5,000 by the number of users within the land or maritime borders of the United States determined to have accessed, maintained, or updated a foreign adversary controlled application as a result of such violation.

(B) DATA AND INFORMATION VIOLATIONS.—An entity that violates subsection (b) shall be subject to pay a civil penalty in an amount not to exceed the amount that results from multiplying $500 by the number of users within the land or maritime borders of the United States affected by such violation.

(2) ACTIONS BY ATTORNEY GENERAL.—The Attorney General—

(A) shall conduct investigations related to potential violations of subsection (a) or (b), and, if such an investigation results in a determination that a violation has occurred, the Attorney General shall pursue enforcement under paragraph (1); and

(B) may bring an action in an appropriate district court of the United States for appropriate relief, including civil penalties under paragraph (1) or declaratory and injunctive relief.

(e) Severability.—

(1) IN GENERAL.—If any provision of this section or the application of this section to any person or circumstance is held invalid, the invalidity shall not affect the other provisions or applications of this section that can be given effect without the invalid provision or application.

(2) SUBSEQUENT DETERMINATIONS.—If the application of any provision of this section is held invalid with respect to a foreign adversary controlled application that satisfies the definition of such term pursuant to subsection (g)(3)(A), such invalidity shall not affect or preclude the application of the same provision of this section to such foreign adversary controlled application by means of a subsequent determination pursuant to subsection (g)(3)(B).

(f) Rule Of Construction.—Nothing in this division may be construed—

(1) to authorize the Attorney General to pursue enforcement, under this section, other than enforcement of subsection (a) or (b);

(2) to authorize the Attorney General to pursue enforcement, under this section, against an individual user of a foreign adversary controlled application; or

(3) except as expressly provided herein, to alter or affect any other authority provided by or established under another provision of Federal law.

(g) Definitions.—In this section:

(1) CONTROLLED BY A FOREIGN ADVERSARY.—The term “controlled by a foreign adversary” means, with respect to a covered company or other entity, that such company or other entity is—

(A) a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;

(B) an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly own at least a 20 percent stake; or

© a person subject to the direction or control of a foreign person or entity described in subparagraph (A) or (B).

(2) COVERED COMPANY.—

(A) IN GENERAL.—The term “covered company” means an entity that operates, directly or indirectly (including through a parent company, subsidiary, or affiliate), a website, desktop application, mobile application, or augmented or immersive technology application that—

(i) permits a user to create an account or profile to generate, share, and view text, images, videos, real-time communications, or similar content;

(ii) has more than 1,000,000 monthly active users with respect to at least 2 of the 3 months preceding the date on which a relevant determination of the President is made pursuant to paragraph (3)(B);

(iii) enables 1 or more users to generate or distribute content that can be viewed by other users of the website, desktop application, mobile application, or augmented or immersive technology application; and

(iv) enables 1 or more users to view content generated by other users of the website, desktop application, mobile application, or augmented or immersive technology application.

(B) EXCLUSION.—The term “covered company” does not include an entity that operates a website, desktop application, mobile application, or augmented or immersive technology application whose primary purpose is to allow users to post product reviews, business reviews, or travel information and reviews.

(3) FOREIGN ADVERSARY CONTROLLED APPLICATION.—The term “foreign adversary controlled application” means a website, desktop application, mobile application, or augmented or immersive technology application that is operated, directly or indirectly (including through a parent company, subsidiary, or affiliate), by—

(A) any of—

(i) ByteDance, Ltd.;

(ii) TikTok;

(iii) a subsidiary of or a successor to an entity identified in clause (i) or (ii) that is controlled by a foreign adversary; or

(iv) an entity owned or controlled, directly or indirectly, by an entity identified in clause (i), (ii), or (iii); or

(B) a covered company that—

(i) is controlled by a foreign adversary; and

(ii) that is determined by the President to present a significant threat to the national security of the United States following the issuance of—

(I) a public notice proposing such determination; and

(II) a public report to Congress, submitted not less than 30 days before such determination, describing the specific national security concern involved and containing a classified annex and a description of what assets would need to be divested to execute a qualified divestiture.

(4) FOREIGN ADVERSARY COUNTRY.—The term “foreign adversary country” means a country specified in section 4872(d)(2) of title 10, United States Code.

(5) INTERNET HOSTING SERVICE.—The term “internet hosting service” means a service through which storage and computing resources are provided to an individual or organization for the accommodation and maintenance of 1 or more websites or online services, and which may include file hosting, domain name server hosting, cloud hosting, and virtual private server hosting.

(6) QUALIFIED DIVESTITURE.—The term “qualified divestiture” means a divestiture or similar transaction that—

(A) the President determines, through an interagency process, would result in the relevant foreign adversary controlled application no longer being controlled by a foreign adversary; and

(B) the President determines, through an interagency process, precludes the establishment or maintenance of any operational relationship between the United States operations of the relevant foreign adversary controlled application and any formerly affiliated entities that are controlled by a foreign adversary, including any cooperation with respect to the operation of a content recommendation algorithm or an agreement with respect to data sharing.

(7) SOURCE CODE.—The term “source code” means the combination of text and other characters comprising the content, both viewable and nonviewable, of a software application, including any publishing language, programming language, protocol, or functional content, as well as any successor languages or protocols.

(8) UNITED STATES.—The term “United States” includes the territories of the United States.

SEC. 3. JUDICIAL REVIEW. (a) Right Of Action.—A petition for review challenging this division or any action, finding, or determination under this division may be filed only in the United States Court of Appeals for the District of Columbia Circuit.

(b) Exclusive Jurisdiction.—The United States Court of Appeals for the District of Columbia Circuit shall have exclusive jurisdiction over any challenge to this division or any action, finding, or determination under this division.

© Statute Of Limitations.—A challenge may only be brought—

(1) in the case of a challenge to this division, not later than 165 days after the date of the enactment of this division; and

(2) in the case of a challenge to any action, finding, or determination under this division, not later than 90 days after the date of such action, finding, or determination.


DIVISION I—PROTECTING AMERICANS’ DATA FROM FOREIGN ADVERSARIES ACT OF 2024

SEC. 1. SHORT TITLE. This division may be cited as the “Protecting Americans’ Data from Foreign Adversaries Act of 2024”.

SEC. 2. PROHIBITION ON TRANSFER OF PERSONALLY IDENTIFIABLE SENSITIVE DATA OF UNITED STATES INDIVIDUALS TO FOREIGN ADVERSARIES. (a) Prohibition.—It shall be unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual to—

(1) any foreign adversary country; or

(2) any entity that is controlled by a foreign adversary.

(b) Enforcement By Federal Trade Commission.—

(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this section shall be treated as a violation of a rule defining an unfair or a deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(2) POWERS OF COMMISSION.—

(A) IN GENERAL.—The Commission shall enforce this section in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this section.

(B) PRIVILEGES AND IMMUNITIES.—Any person who violates this section shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.

(3) AUTHORITY PRESERVED.—Nothing in this section may be construed to limit the authority of the Commission under any other provision of law.

© Definitions.—In this section:

(1) COMMISSION.—The term “Commission” means the Federal Trade Commission.

(2) CONTROLLED BY A FOREIGN ADVERSARY.—The term “controlled by a foreign adversary” means, with respect to an individual or entity, that such individual or entity is—

(A) a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;

(B) an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly own at least a 20 percent stake; or

© a person subject to the direction or control of a foreign person or entity described in subparagraph (A) or (B).

(3) DATA BROKER.—

(A) IN GENERAL.—The term “data broker” means an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.

(B) EXCLUSION.—The term “data broker” does not include an entity to the extent such entity—

(i) is transmitting data of a United States individual, including communications of such an individual, at the request or direction of such individual;

(ii) is providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service;

(iii) is reporting or publishing news or information that concerns local, national, or international events or other matters of public interest;

(iv) is reporting, publishing, or otherwise making available news or information that is available to the general public—

(I) including information from—

(aa) a book, magazine, telephone book, or online directory;

(bb) a motion picture;

(cc) a television, internet, or radio program;

(dd) the news media; or

(ee) an internet site that is available to the general public on an unrestricted basis; and

(II) not including an obscene visual depiction (as such term is used in section 1460 of title 18, United States Code); or

(v) is acting as a service provider.

(4) FOREIGN ADVERSARY COUNTRY.—The term “foreign adversary country” means a country specified in section 4872(d)(2) of title 10, United States Code.

(5) PERSONALLY IDENTIFIABLE SENSITIVE DATA.—The term “personally identifiable sensitive data” means any sensitive data that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.

(6) PRECISE GEOLOCATION INFORMATION.—The term “precise geolocation information” means information that—

(A) is derived from a device or technology of an individual; and

(B) reveals the past or present physical location of an individual or device that identifies or is linked or reasonably linkable to 1 or more individuals, with sufficient precision to identify street level location information of an individual or device or the location of an individual or device within a range of 1,850 feet or less.

(7) SENSITIVE DATA.—The term “sensitive data” includes the following:

(A) A government-issued identifier, such as a Social Security number, passport number, or driver’s license number.

(B) Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual.

© A financial account number, debit card number, credit card number, or information that describes or reveals the income level or bank account balances of an individual.

(D) Biometric information.

(E) Genetic information.

(F) Precise geolocation information.

(G) An individual’s private communications such as voicemails, emails, texts, direct messages, mail, voice communications, and video communications, or information identifying the parties to such communications or pertaining to the transmission of such communications, including telephone numbers called, telephone numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call.

(H) Account or device log-in credentials, or security or access codes for an account or device.

(I) Information identifying the sexual behavior of an individual.

(J) Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual’s device or is accessible from that device and is backed up in a separate location.

(K) A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.

(L) Information revealing the video content requested or selected by an individual.

(M) Information about an individual under the age of 17.

(N) An individual’s race, color, ethnicity, or religion.

(O) Information identifying an individual’s online activities over time and across websites or online services.

(P) Information that reveals the status of an individual as a member of the Armed Forces.

(Q) Any other data that a data broker sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available to a foreign adversary country, or entity that is controlled by a foreign adversary, for the purpose of identifying the types of data listed in subparagraphs (A) through (P).

(8) SERVICE PROVIDER.—The term “service provider” means an entity that—

(A) collects, processes, or transfers data on behalf of, and at the direction of—

(i) an individual or entity that is not a foreign adversary country or controlled by a foreign adversary; or

(ii) a Federal, State, Tribal, territorial, or local government entity; and

(B) receives data from or on behalf of an individual or entity described in subparagraph (A)(i) or a Federal, State, Tribal, territorial, or local government entity.

(9) UNITED STATES INDIVIDUAL.—The term “United States individual” means a natural person residing in the United States.

(d) Effective Date.—This section shall take effect on the date that is 60 days after the date of the enactment of this division.

  • sugar_in_your_tea@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    edit-2
    7 months ago

    Ok, I’ve had a chance to read through the bill, so here are some notes:

    • (g)(3)(A) - mentions TikTok and ByteDance by name as a “foreign adversary controlled application” - so it’s absolutely a “TikTok ban”
    • (g)(2)(B) - exclusion for primarily review sites - not sure who this loophole is for, maybe Yelp?
    • (a)(1)(A) - it might be illegal for me to host and distribute a way to get access to a foreign controlled application as a private citizen, depending on the definition of “marketplace,” even if it’s just source code
    • (g)(1)(b) - applies to applications with 20% ownership by someone in an adversary company - I think this means Fortnite and EGS could be impacted
    • (g)(3)(B)(ii) - presidential powers
    • (d)(2) and (f) - Attorney General powers and restrictions

    I think the bill is problematic, but it’s not nearly as bad as I thought it would be. Powers granted to the Attorney General are pretty limited, though the President seems to have a little less restrictions.

    I’m mostly concerned about collateral damage for things like FOSS, but theoretically popular forums hosted in China or Russia could be caught, though I’m guessing enforcement would be minimal.

    The most troubling parts to me are:

    • 20% ownership standard - doesn’t just apply to the CCP, but anyone in an adversary country, so I think this includes Fortnite and Epic Games generally, and probably other popular games and services funded by Chinese investors (as long as you can post something, it counts)
    • the President can decide that propose pretty much any piece of software as an “adversary controlled application” with only a notice given to Congress
    • precedent set by calling out a specific product and org (TikTok and ByteDance are mentioned by name)
    • FiniteBanjoOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      7 months ago

      Okay, I see the source of confusion on my part, the act was split into two separate divisions: Division H and Division I, and Division H that you linked to does in fact mention TikTok and ByteDance.

      If you’re not controlled by an adversarial nation as defined in Division I as a country specified in section 4872(d)(2) of title 10, United States Code, then you’re not gonna have to worry about your FOSS code getting taken down. If you do, then just stop sending userdata within 165 days and have those nations divest, then you can keep hosting FOSS.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        7 months ago

        I originally was Division H, so I was kinda confused. I still need to finish Division I. Division I seems a bit less controversial. Your post is properly labeled, it’s just less interesting than Division H imo.

        Initially, ©(3)(B) seems like it has potential for loopholes, but that whole division of the bill seems generally ok.