Protecting Americans’ Data from Foreign Adversaries Act of 2024
On April 24, 2024, President Biden signed into law H.R. 815, a national security and foreign aid package which includes the “Protecting Americans’ Data from Foreign Adversaries Act of 2024” (“PADFA”). The Act establishes new restrictions, as unfair or deceptive acts regulated by the Federal Trade Commission (FTC), on transfers of certain personally identifiable sensitive data to foreign adversary countries and entities controlled by a foreign adversary.
The law will take effect on June 23, 2024.
Background
PADFA passed very quickly after introduction and is distinct from the Biden Administration’s February 28, 2024, Executive Order 14117 (“EO 14117”) directing the Department of Justice (DOJ) to promulgate restrictions on the bulk flow of sensitive personal data and U.S. government-related data to “countries of concern.”1 In conjunction with EO 14117, the DOJ issued an Advance Notice of Proposed Rulemaking (“ANPRM”) to identify the proposed scope of the restrictions.
While both PADFA and the DOJ’s proposed program under EO 14117 create additional protections for – and restrictions on – transfers of sensitive data, in order to accomplish national security aims, more types of data are covered under the PADFA while more types of transactions are covered under the ANPRM. Akin’s client alert can be read here for more information on the EO and ANPRM. PADFA is also separate from the “Protecting Americans from Foreign Adversary Controlled Applications Act,” which was also passed under H.R. 815 and seeks to address concerns over foreign governments obtaining U.S. data through popular software and social media applications.
What Data Transfers are Covered under PADFA?
PADFA makes it unlawful for data brokers to “sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available” personally identifiable sensitive data of a U.S. individual to any foreign adversary country or any entity controlled by a foreign adversary country.2 The foreign adversary countries in question are China, Russia, Iran, and North Korea.3
The law has an expansive definition of “sensitive data,” encompassing a broad range of categories including but not limited to: government issued identification (e.g., Social Security numbers, driver’s licenses); any information revealing past, present, or future physical or mental health diagnosis, condition, or treatment; financial account numbers or information revealing a person’s income level or bank balance; biometric information; genetic information; precise geolocation information; private communications (e.g., emails and text messages), including related information like time and participants; information on a person’s sexual behavior; information about a person under the age of 17; or information about a person’s race, color, ethnicity, or religion.4
Covered “personally identifiable sensitive data” refers to any sensitive data that identifies or is linked or reasonably linkable, either alone or combined with other data, to either an individual or a device that identifies that individual or that is linked or reasonably linkable to an individual.5
What Entities are Covered under PADFA?
Data brokers under PADFA include entities that, for valuable consideration, sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available data of U.S. individuals, not collected directly from the individuals by that entity, to another entity that is not acting as a service provider.6 A “service provider” under PADFA is an entity that collects, processes or transfers data on behalf of, and at the direction of (i.) an individual or entity that is not a foreign adversary or controlled by a foreign adversary, or (ii.) a government entity, and receives data from or on behalf of either of those entities.7
The law specifically excludes from the “data broker” definition, entities that:
- Transmit data of U.S. individuals at their request or direction, including their communications;
- Provide, maintain or offer a product or service where personally identifiable sensitive data, or access to such data, is not the product or service;
- Report or publish news or information concerning local, national or international events or matters of public interest;
- Report, publish or make available news or information to the general public (including information from books, magazines, phone books, movies, internet, radio, news media or internet sites available to the general public) not including obscene visual depictions;8 or
- Act as a service provider.9
In addition to transferring covered data to foreign adversaries, the restriction also applies to transfers to entities “controlled by a foreign adversary.” Under PADFA this refers to an individual or entity that is:
- A foreign person domiciled in, headquartered in, has its principal place of business in, or is organized under the laws of, a foreign adversary country; or
- An entity that is at least 20 percent owned by a foreign person or combination of foreign persons from the previous category, either directly or indirectly; or
- A person under the control of either of the previous two entities.10
Who Enforces PADFA?
The law grants the FTC authority to enforce as part of its unfair or deceptive acts and practices authority under the FTC Act.11 The FTC regulates other data practices under the same authority, such as data sharing outside the scope of privacy policies or terms of service. At this stage, it is unclear how the FTC will coordinate with the DOJ, which, as noted above, will be enforcing the bulk sensitive personal data rules under EO 14117 that overlap, at least in part, with the PADFA restrictions.
Conclusion
With broad definitions of data brokers and covered information, PADFA is an expansive law that adds new considerations for companies in a growing international regulatory ecosystem for data transfers. Companies should review their data policies and procedures, especially any transfers to “foreign adversary” countries or companies, for potential updates in response to these new federal requirements.
If you have any questions about this new law or its impact on your company, please contact a member of the Akin cybersecurity, privacy and data protection team.
1 The DOJ is considering applying the Department of Commerce’s list of “foreign adversaries,” under the ICTS regulations, as the “countries of concern” for this new program, i.e., China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba and Venezuela.
2 Pub. Law. No. 118-50(I)(2)(a).
3 Id. at § 2(c)(4) (defining foreign adversary countries as those listed in 10 U.S.C. § 4872(d)(2)).
4 Id. at § 2(c)(7).
5 Id. at § 2(c)(5).
6 Id. at § 2(c)(3)(A).
7 Id. at § 2(c)(8).
8 As referred to under 18 U.S.C. § 1460.
9 Pub. Law. No. 118-50(I)(2)(c)(3)(B).
10 Id. at § 2(c)(2) (The FTC has authority to regulate unfair or deceptive acts or practices under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B))).
11 15 U.S.C. § 57a(a)(1)(B).