Products

Data Command Center
View

Data+AI Teams

Data+AI Security Teams

Data Governance Teams

Data Privacy Teams

Build safe enterprise AI systems

Safe Enterprise AI Copilots

Implement rule-aware AI copilots across your organization’s data anywhere

Data Vectorization and Ingestion

Extract info from complex Unstructured Files, convert it into AI-ready formats, and sync to vector databases

Data Curation and Sanitization for AI

Transform raw, unstructured files into data ready for model training and tuning

Context-aware LLM Firewalls

Protect AI interactions with intelligent retrieval, response, and prompt firewalls

Unstructured Data Governance

Manage and govern unstructured data to enable its safe use with generative AI

Secure Data+AI anywhere

Data Security Posture Management

Secure sensitive data everywhere from hybrid multicloud to SaaS

AI Security & Governance

Establish controls for safe adoption of AI technologies including GenAI

Security for AI Copilots in SaaS

Unblock the biggest impediments for Safe Adoption of AI Copilots like Microsoft 365 Copilot

Data Access Intelligence & Governance

Monitor user access to data and enforce least privilege controls

Data Discovery & Classification

Discover shadow and cloud-native assets and accurately classify data

Compliance Management

Assess & improve compliance with security best practices frameworks

Breach Impact Analysis

Analyze breach impact & automate notifications to affected individuals

Data Flow Governance

Understand data lineage and secure real-time streaming data

Govern data for safe innovation

Data Discovery & Classification

Discover shadow and cloud-native assets and accurately classify data

Unstructured Data Governance

Manage unstructured data to enable safe use with generative AI

Data Access Governance

Monitor sensitive data access and prevent unauthorized use

AI Governance

Establish controls for safe adoption of AI technologies including GenAI

Data Catalog

Enable users to easily find, understand, trust and access the data they need

Data Lineage

Automatically track changes and transformations of data throughout its lifecycle

Data Quality

Conduct data quality checks and validation across various data types

Automate data privacy operations

Data Mapping Automation

Manage your entire data mapping lifecycle and automate RoPA reports

AI Governance

Comply with emerging AI regulations and ensure safe use of AI

Data Subject Request Automation

Automate entire DSR lifecycle from consumer request intake to secure report delivery

Assessment Automation

Automate your entire assessment lifecycle and demonstrate compliance

Consent Management

Manage your first-party and third-party consent lifecycle from scanning to reporting

Breach Management

Automate your incident management and optimize notifications to users & regulatory bodies

Privacy Center

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere

Compliance Management

Use automation to audit and improve compliance with global regulations and industry standards
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

GCP

View

AWS

View

Databricks

View

Snowflake

View

Azure

View

+ More

View

Learn more

Regulations & Frameworks

Automate compliance with global privacy regulations.

CDMC

View

EU AI Act

View

NIST AI RMF

View

European Union GDPR

View

California's CPRA

View

Brazil's LGPD

View

Canada's PIPEDA

View

China's PIPL

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Data+AI Builders

View

Data Security

View

Data Privacy

View

Data Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.

Webinars

Learn from industry thought leaders why you need a Data Command Center to enable safe use of data.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Knowledge Center » Data Privacy Automation

H. R. 7520: What You Should Know About Protecting Americans’ Data from Foreign Adversaries Act (PADFA)?

By Anas Baig | Reviewed By Muhammad Ismail and Adeel Hasan

Published September 18, 2024

Over the last few years, geopolitical developments and regulatory necessities have hastened the development of data protection regulations within the United States (US). In the absence of a GDPR-like uniform federal regulation in the US, several states have adopted data privacy regulations within their jurisdictions, such as the CPRA, NDPA, CTDPA, etc., to ensure appropriate data privacy rights and protections for their citizens. While a federal data privacy regulation may not be close in sight, it is not to say there have not been any federal legislative efforts to ensure adequate protection for all Americans’ data online.

The Protecting Americans’ Data From Foreign Adversaries Act (PADFA) of 2024 represents one such effort. President Biden signed the Act into law on April 24, 2024, and took effect on June 23, 2024.PADFA aims to prohibit data brokers from transferring personally identifiable sensitive data of US individuals to foreign adversaries or an entity controlled by a foreign adversary. The Act ensures appropriate protection of American citizens’ data from potential exploitation by foreign adversaries in an era when cyber threats have grown in both volume and variety.

PADFA addresses various critical loopholes that foreign adversaries can theoretically exploit to gain access to Americans’ personally identifiable sensitive data. While the proposed legislation is extensive, its salient features include prohibitions on data brokers from selling, licensing, or in any form transferring such personally identifiable sensitive data to any foreign adversary country or entities deemed as foreign adversaries.

While the Federal Trade Commission (FTC) is responsible for enforcing the PADFA and investigating and penalizing organizations found to be in violation of the Act, the legislation also encourages collaboration between the FTC and other federal and state agencies to ensure thorough oversight and protection of Americans' personally identifiable sensitive data.

Read on to learn more about PADFA's relevant specifics, such as what kind of data transfers it covers, the roles of service providers and data brokers, entities likely to be affected by this legislation, and how your organization can best prepare for compliance.

Data Transfers Covered under PADFA

PADFA covers primarily the transfer of personally identifiable sensitive data of US individuals to countries designated as foreign adversaries or entities that are controlled by foreign adversaries. Hence, the Act covers a range of data transfers that could potentially pose significant risks to the security and privacy of US citizens. These include the following:

Direct Sale of Data

Under the PADFA, data brokers are strictly prohibited from selling United States individuals' personal data to countries labeled as foreign adversaries or entities controlled by foreign adversaries. By doing so, foreign adversaries can be prevented from gaining access to large datasets that could potentially be used for espionage, misinformation campaigns, and other malicious activities.

Licensing & Renting of Data

Besides the sale of personally identifiable sensitive data, data brokers cannot participate in licensing and renting such data to countries labeled as foreign adversaries or entities controlled by them. Licensing data allows foreign entities to use the acquired data under specific conditions, while renting allows temporary and, in some cases, restricted access. However, PADFA restricts both types of access to prevent any likelihood of foreign adversaries gaining access to such sensitive information.

Data Transfers via Intermediaries

In addition to directly selling, licensing, or renting personally identifiable sensitive data, data brokers cannot transfer such data to intermediaries with the intention of having those intermediaries then sell, license, or rent out such data to foreign adversaries. Such transfers are usually designed to circumvent similar restrictions; hence, this provision of PADFA prevents similar transactions. Data broker has been defined broadly in the Act, it may cover organizations that are involved in direct marketing, sale, or similar activities across all sectors. Therefore, they must ensure compliance with the Act to avoid any penalties.

Cross-Border Data Flow

Any cross-border transfer of sensitive personal data to countries deemed as foreign adversaries or entities controlled by them is expressly prohibited. This restriction extends to existing data-sharing agreements, cloud storage solutions, shared digital storage spaces, and any other mechanisms where there is a likelihood of data being stored, processed, and used outside the US in nations deemed as foreign adversaries.

Service Providers & Data Brokers Under PADFA

Service Providers

The term “service provider” means an entity that:

Collects, processes, or transfers data on behalf of, and at the direction of:
1. An individual or entity that is not a foreign adversary country or controlled by a foreign adversary; or
2. A Federal, State, Tribal, territorial, or local government entity; and
Receives data from or on behalf of an individual or entity described above.

Data Brokers

The term “data broker” means an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.

However, the term “data broker” does not include an entity to the extent such entity:

is transmitting data of a United States individual, including communications of such an individual, at the request or direction of such individual;
is providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service;
is reporting or publishing news or information that concerns local, national, or international events or other matters of public interest;
is reporting, publishing, or otherwise making available news or information that is available to the general public:
1. including information from—
  1. a book, magazine, telephone book, or online directory;
  2. a motion picture;
  3. a television, internet, or radio program;
  4. the news media; or
  5. an internet site that is available to the general public on an unrestricted basis; and
2. not including an obscene visual depiction (as such term is used in section 1460 of title 18, United States Code); or
is acting as a service provider.

Personally Identifiable Sensitive Data

The term “personally identifiable sensitive data” means any sensitive data that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.

Sensitive Data Under PADFA

The term “sensitive data” includes the following:

A government-issued identifier, such as a Social Security number, passport number, or driver’s license number.
Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual.
A financial account number, debit card number, credit card number, or information that describes or reveals the income level or bank account balances of an individual.
Biometric information.
Genetic information.
Precise geolocation information.
An individual’s private communications, such as voicemails, emails, texts, direct messages, mail, voice communications, and video communications, or information identifying the parties to such communications or pertaining to the transmission of such communications, including telephone numbers called, telephone numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call.
Account or device log-in credentials, or security or access codes for an account or device.
Information identifying the sexual behavior of an individual.
Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual’s device or is accessible from that device and is backed up in a separate location.
A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.
Information revealing the video content requested or selected by an individual.
Information about an individual under the age of 17
An individual’s race, color, ethnicity, or religion.
Information identifying an individual’s online activities over time and across websites or online services.
Information that reveals the status of an individual as a member of the Armed Forces.
Any other data that a data broker sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available to a foreign adversary country, or entity that is controlled by a foreign adversary, for the purpose of identifying the types of data listed above.

Foreign Adversary Country

The term “foreign adversary country” means a country specified in section 4872(d)(2) of title 10, United States Code. These countries include:

the Democratic People’s Republic of North Korea;
the People’s Republic of China;
the Russian Federation; and
the Islamic Republic of Iran.

Controlled by a Foreign Adversary

The term “controlled by a foreign adversary” means, with respect to an individual or entity, that such individual or entity is:

a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
an entity with respect to which a foreign person or combination of foreign persons described above directly or indirectly own at least a 20 percent stake; or
a person subject to the direction or control of a foreign person or entity described above.

United States Individual

The term “United States individual” means a natural person residing in the United States.

Who Enforces PADFA

The Federal Trade Commission will be primarily responsible for ensuring that the subject entities comply with the PADFA’s provisions. The FTC is empowered in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of this Act.

Enforcement Date

The Act was enacted on June 23, 2024, 60 days after its enactment.

Civil Penalties

A violation of this Act would be treated as a violation of a rule defining an unfair or deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act. The FTC has the legal right to impose penalties of up to $50,120 for each instance of a violation by an entity.

How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Numerous reputable and esteemed global enterprises rely on Securiti's Data Command Center for their data security, privacy, governance, and compliance needs.

This is owing to the Data Command Center being equipped with numerous solutions and modules that are designed to ensure swift and effective compliance. These modules, ranging from cookie consent management to assessment automation, universal consent, and vendor risk management, empower an organization to maintain real-time oversight of its compliance with all relevant regulatory requirements via the centralized dashboard. This enables proactiveness on the part of an organization if it notices any possible non-compliance and makes relevant adjustments as necessary.

Request a demo today to learn more about how Securiti can help you comply with all major data privacy-related regulations in the US and globally.

Here are some other frequently asked questions you may have about the Protecting Americans’ Data from Foreign Adversaries Act:

The Protecting Americans’ Data from Foreign Adversaries Act is a regulatory effort aimed at minimizing and potentially eliminating investments in US companies by foreign organizations and countries the US has determined to be adversaries. By doing so it prevents such hostile entities from gaining control over US organizations as well as real estate that may be vital to the country’s infrastructure and other technological needs and compromising national security.

The Committee on Foreign Investment in the United States (CFIUS) usually provides both information and oversight related to foreign investment in the US. The CFIUS also reviews all transactions that may result in the control of US businesses falling into foreign control depending on their impact on national security.

Yes, foreign investors that generate income within the US have to pay taxes. The exact tax amount can depend on various factors, but these taxes are usually levied on all dividends, interest, and capital gains made by a foreign investor within the US. Furthermore, the US has tax treaties with various countries, so that may affect the exact tax amount as well, depending on the foreign investment organization’s country of origin.

H. R. 7520: What You Should Know About Protecting Americans’ Data from Foreign Adversaries Act (PADFA)?

Data Transfers Covered under PADFA

Direct Sale of Data

Licensing & Renting of Data

Data Transfers via Intermediaries

Cross-Border Data Flow

Service Providers & Data Brokers Under PADFA

Service Providers

Data Brokers

Personally Identifiable Sensitive Data

Sensitive Data Under PADFA

Foreign Adversary Country

Controlled by a Foreign Adversary

United States Individual

Who Enforces PADFA

Enforcement Date

Civil Penalties

How Securiti Can Help

More Stories that May Interest You

Newsletter

Company

Resources

Terms

Get in touch

H. R. 7520: What You Should Know About Protecting Americans’ Data from Foreign Adversaries Act (PADFA)?

Data Transfers Covered under PADFA

Direct Sale of Data

Licensing & Renting of Data

Data Transfers via Intermediaries

Cross-Border Data Flow

Service Providers & Data Brokers Under PADFA

Service Providers

Data Brokers

Personally Identifiable Sensitive Data

Sensitive Data Under PADFA

Foreign Adversary Country

Controlled by a Foreign Adversary

United States Individual

Who Enforces PADFA

Enforcement Date

Civil Penalties

How Securiti Can Help

FAQs Related To PADFA

Join Our Newsletter

Share

More Stories that May Interest You

An Overview of Australia’s Privacy and Other Legislation Amendment Bill 2024

An Overview of Austria’s DSB FAQs Addressing AI and Data Protection

Uber’s $324 Million Problem: Lessons In Data Protection For Businesses In The EU

Newsletter

Company

Resources

Terms

Get in touch

What'sNew

What's
New