
H. R. 7520: What You Should Know About Protecting Americans’ Data from Foreign Adversaries Act (PADFA)?

Published September 18, 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Muhammad Ismail

Assoc. Data Privacy Analyst at Securiti

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada


Over the last few years, geopolitical developments and regulatory necessities have hastened the development of data protection regulations within the United States (US). In the absence of a GDPR-like uniform federal regulation in the US, several states have adopted data privacy regulations within their jurisdictions, such as the CPRA, NDPA, CTDPA, etc., to ensure appropriate data privacy rights and protections for their citizens. While a federal data privacy regulation may not be close in sight, it is not to say there have not been any federal legislative efforts to ensure adequate protection for all Americans’ data online.

The Protecting Americans’ Data From Foreign Adversaries Act (PADFA) of 2024 represents one such effort. President Biden signed the Act into law on April 24, 2024, and it took effect on June 23, 2024. PADFA aims to prohibit data brokers from transferring personally identifiable sensitive data of US individuals to foreign adversaries or to entities controlled by a foreign adversary. The Act ensures appropriate protection of American citizens’ data from potential exploitation by foreign adversaries in an era when cyber threats have grown in both volume and variety.

PADFA addresses various critical loopholes that foreign adversaries can theoretically exploit to gain access to Americans’ personally identifiable sensitive data. While the legislation is extensive, its salient feature is a prohibition on data brokers selling, licensing, or in any other form transferring such personally identifiable sensitive data to any foreign adversary country or to entities deemed controlled by a foreign adversary.

While the Federal Trade Commission (FTC) is responsible for enforcing the PADFA and investigating and penalizing organizations found to be in violation of the Act, the legislation also encourages collaboration between the FTC and other federal and state agencies to ensure thorough oversight and protection of Americans' personally identifiable sensitive data.

Read on to learn more about PADFA's relevant specifics, such as what kind of data transfers it covers, the roles of service providers and data brokers, entities likely to be affected by this legislation, and how your organization can best prepare for compliance.

Data Transfers Covered under PADFA

PADFA covers primarily the transfer of personally identifiable sensitive data of US individuals to countries designated as foreign adversaries or entities that are controlled by foreign adversaries. Hence, the Act covers a range of data transfers that could potentially pose significant risks to the security and privacy of US citizens. These include the following:

Direct Sale of Data

Under the PADFA, data brokers are strictly prohibited from selling United States individuals' personal data to countries labeled as foreign adversaries or to entities controlled by foreign adversaries. This prevents foreign adversaries from gaining access to large datasets that could potentially be used for espionage, misinformation campaigns, and other malicious activities.

Licensing & Renting of Data

Besides the sale of personally identifiable sensitive data, data brokers cannot participate in licensing and renting such data to countries labeled as foreign adversaries or entities controlled by them. Licensing data allows foreign entities to use the acquired data under specific conditions, while renting allows temporary and, in some cases, restricted access. However, PADFA restricts both types of access to prevent any likelihood of foreign adversaries gaining access to such sensitive information.

Data Transfers via Intermediaries

In addition to directly selling, licensing, or renting personally identifiable sensitive data, data brokers cannot transfer such data to intermediaries with the intention of having those intermediaries then sell, license, or rent out such data to foreign adversaries. Such transfers are usually designed to circumvent similar restrictions; hence, this provision of PADFA prevents such transactions. Because “data broker” is defined broadly in the Act, it may cover organizations involved in direct marketing, sale, or similar activities across all sectors. Such organizations must therefore ensure compliance with the Act to avoid any penalties.

Cross-Border Data Flow

Any cross-border transfer of sensitive personal data to countries deemed as foreign adversaries or entities controlled by them is expressly prohibited. This restriction extends to existing data-sharing agreements, cloud storage solutions, shared digital storage spaces, and any other mechanisms where there is a likelihood of data being stored, processed, and used outside the US in nations deemed as foreign adversaries.

Service Providers & Data Brokers Under PADFA

Service Providers

The term “service provider” means an entity that:

  1. Collects, processes, or transfers data on behalf of, and at the direction of:
    1. An individual or entity that is not a foreign adversary country or controlled by a foreign adversary; or
    2. A Federal, State, Tribal, territorial, or local government entity; and
  2. Receives data from or on behalf of an individual or entity described above.

Data Brokers

The term “data broker” means an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.

However, the term “data broker” does not include an entity to the extent such entity:

  1. is transmitting data of a United States individual, including communications of such an individual, at the request or direction of such individual;
  2. is providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service;
  3. is reporting or publishing news or information that concerns local, national, or international events or other matters of public interest;
  4. is reporting, publishing, or otherwise making available news or information that is available to the general public:
    1. including information from—
      1. a book, magazine, telephone book, or online directory;
      2. a motion picture;
      3. a television, internet, or radio program;
      4. the news media; or
      5. an internet site that is available to the general public on an unrestricted basis; and
    2. not including an obscene visual depiction (as such term is used in section 1460 of title 18, United States Code); or
  5. is acting as a service provider.

Personally Identifiable Sensitive Data

The term “personally identifiable sensitive data” means any sensitive data that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.

Sensitive Data Under PADFA

The term “sensitive data” includes the following:

  1. A government-issued identifier, such as a Social Security number, passport number, or driver’s license number.
  2. Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual.
  3. A financial account number, debit card number, credit card number, or information that describes or reveals the income level or bank account balances of an individual.
  4. Biometric information.
  5. Genetic information.
  6. Precise geolocation information.
  7. An individual’s private communications, such as voicemails, emails, texts, direct messages, mail, voice communications, and video communications, or information identifying the parties to such communications or pertaining to the transmission of such communications, including telephone numbers called, telephone numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call.
  8. Account or device log-in credentials, or security or access codes for an account or device.
  9. Information identifying the sexual behavior of an individual.
  10. Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual’s device or is accessible from that device and is backed up in a separate location.
  11. A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.
  12. Information revealing the video content requested or selected by an individual.
  13. Information about an individual under the age of 17.
  14. An individual’s race, color, ethnicity, or religion.
  15. Information identifying an individual’s online activities over time and across websites or online services.
  16. Information that reveals the status of an individual as a member of the Armed Forces.
  17. Any other data that a data broker sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available to a foreign adversary country, or entity that is controlled by a foreign adversary, for the purpose of identifying the types of data listed above.

Foreign Adversary Country

The term “foreign adversary country” means a country specified in section 4872(d)(2) of title 10, United States Code. These countries include:

  1. the Democratic People’s Republic of North Korea;
  2. the People’s Republic of China;
  3. the Russian Federation; and
  4. the Islamic Republic of Iran.

Controlled by a Foreign Adversary

The term “controlled by a foreign adversary” means, with respect to an individual or entity, that such individual or entity is:

  1. a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
  2. an entity with respect to which a foreign person or combination of foreign persons described above directly or indirectly own at least a 20 percent stake; or
  3. a person subject to the direction or control of a foreign person or entity described above.

United States Individual

The term “United States individual” means a natural person residing in the United States.

Who Enforces PADFA

The Federal Trade Commission will be primarily responsible for ensuring that the subject entities comply with the PADFA’s provisions. The FTC is empowered in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of this Act.

Enforcement Date

The Act took effect on June 23, 2024, 60 days after its enactment on April 24, 2024.

Civil Penalties

A violation of this Act would be treated as a violation of a rule defining an unfair or deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act. The FTC has the legal right to impose penalties of up to $50,120 for each instance of a violation by an entity.

How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Numerous reputable and esteemed global enterprises rely on Securiti's Data Command Center for their data security, privacy, governance, and compliance needs.

This is owing to the Data Command Center being equipped with numerous solutions and modules designed to ensure swift and effective compliance. These modules, ranging from cookie consent management to assessment automation, universal consent, and vendor risk management, empower an organization to maintain real-time oversight of its compliance with all relevant regulatory requirements via the centralized dashboard. This enables an organization to act proactively when it notices possible non-compliance and to make relevant adjustments as necessary.

Request a demo today to learn more about how Securiti can help you comply with all major data privacy-related regulations in the US and globally.

Here are some other frequently asked questions you may have about the Protecting Americans’ Data from Foreign Adversaries Act:

The Protecting Americans’ Data from Foreign Adversaries Act is a regulatory effort aimed at minimizing and potentially eliminating investments in US companies by foreign organizations and countries the US has determined to be adversaries. By doing so, it prevents such hostile entities from gaining control over US organizations, as well as real estate that may be vital to the country’s infrastructure and other technological needs, and from compromising national security.

The Committee on Foreign Investment in the United States (CFIUS) usually provides both information and oversight related to foreign investment in the US. The CFIUS also reviews all transactions that may result in the control of US businesses falling into foreign control, depending on their impact on national security.

Yes, foreign investors that generate income within the US have to pay taxes. The exact tax amount can depend on various factors, but these taxes are usually levied on all dividends, interest, and capital gains made by a foreign investor within the US. Furthermore, the US has tax treaties with various countries, so that may affect the exact tax amount as well, depending on the foreign investment organization’s country of origin.
