On April 24, 2024, Congress made headlines by passing a complex foreign aid package, which included the much-discussed TikTok “divest-or-ban” legislation. What received less attention was the Protecting Americans’ Data from Foreign Adversaries Act (“PADFA”), which was also passed as part of that same package and has the potential to impact a much broader range of businesses than addictive social media apps.

PADFA prohibits “data brokers” from disclosing personally identifiable sensitive data of United States individuals to “foreign adversary” countries, or to an entity that is controlled by a foreign adversary. PADFA takes effect on June 23, 2024, giving organizations only 60 days to determine whether they are subject to PADFA and build the necessary compliance programs. Violations are considered an unfair and deceptive trade practice under the FTC Act.

This post breaks down key concepts in PADFA and offers some practical takeaways to organizations that might fall within PADFA’s surprisingly broad reach.

1. What is a “Data Broker” under PADFA?

PADFA defines a data broker as “an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.” (emphasis added). This definition is broader than most state data broker laws, which typically only apply to entities that engage in the collection, sales, or licensing of personal data about individuals with whom the organization does not have a “direct relationship” (e.g., data broker laws in California and Vermont).

PADFA does not define what it means to “directly” collect personal data, resulting in significant uncertainty the law’s scope. SDKs, third-party pixels, and cookies, for example, could be considered as tools for indirect data collection. Organizations that use these tools to collect personal data should pay close attention as the contours of the concept develop in the coming months.

PADFA does, however, explicitly exempt certain entities from its definition of “data broker,” including:

• service providers acting on behalf of another entity;
• entities transmitting data at the individual’s request;
• entities providing a product or service where the personal data is not the product itself;
• news organizations reporting information of public interest; and
• entities disclosing publicly available information from various sources like books, directories, and media.

2. What is a “Foreign Adversary Country”?

PADFA defines the term “foreign adversary country” as any country listed in 10 U.S.C. § 4872(d)(2). That list currently includes China, Iran, North Korea, and Russia. The law prohibits data brokers from disclosing sensitive data to those countries, or to any entity controlled by one of those countries.

PADFA considers an entity to be “controlled by” a foreign adversary if the entity is:

(A) a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;

(B) an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly own at least a 20 percent stake; or

(C) a person subject to the direction or control of a foreign person or entity described in subparagraph (A) or (B). (emphasis added).

If an organization qualifies as a “data broker” under PADFA, therefore, that organization must clearly understand who its customers are, and what connections they may have to foreign adversary countries.

3. What is “Sensitive Data”?

PADFA prohibits data brokers from sharing personally identifiable “sensitive data” with foreign adversaries or entities controlled by foreign adversaries. PADFA includes a list of 17 categories of sensitive data. Some of the categories are not unexpected, and mirror the categories of data that are often covered by state privacy laws’ definitions of sensitive data, including:

• Government-issued identifiers;
• Health information;
• Genetic information;
• Biometric information; and
• Precise geolocation information.

Other categories are less common and drastically expand the scope of the “sensitive data” as most privacy lawyers familiar with that term would understand it. To that end, PADFA considers all of the following to be sensitive data to the extent it identifies or is linked or reasonably linkable to an individual:

• Information identifying an individual’s online activities over time and across websites or online services.;
• Information revealing the video content requested or selected by an individual;
• Calendar and address book information;
• Information that reveals the status of an individual as a member of the Armed Forces; and
• Financial information including information that describes or reveals an individual’s bank account balance or income level.

Organizations that may be considered data brokers under PADFA will therefore need to carefully review each of the 17 categories and determine whether the data they sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available falls within PADFA’s counterintuitively broad “sensitive data” definition.

4. What About President Biden’s Executive Order and DOJ’s ANPRM on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern?

Those paying close attention to this area may be experiencing déjà vu. Back on February 28, 2024, the Biden administration announced an Executive Order and an Advance Notice of Proposed Rulemaking (“ANPRM”) intended to restrict the bulk flow of sensitive data to “countries of concern.” PADFA’s prohibitions are considerably broader than those outlined in the ANPRM: PADFA applies to a larger set of entities than the ANPRM, and PADFA does not contain a “bulk” data qualifier.

These regulations contemplated by the ANPRM, once issued, would be separate from PADFA and enforceable by a different agency (the ANPRM will be enforced by the Department of Justice and PADFA will be enforced by the Federal Trade Commission) and create different prohibitions and obligations. Organizations subject to PADFA should not, therefore, assume that compliance with PADFA will equate to compliance with regulations issued by DOJ as contemplated by the ANPRM. Similarly, organizations should not assume that if they are not subject to those regulations, they will also avoid being subject to PADFA.