On March 20, 2024, the House unanimously passed the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) (H.R. 7520), which prohibits data brokers from disclosing the sensitive data of individuals residing in the U.S. to “foreign adversaries” and entities controlled by such foreign adversaries.
PADFAA is the latest in a series of federal actions directed toward curtailing access to U.S. data by foreign actors designated as national security threats by the U.S. government. PADFAA heads to the Senate one week after the House passed its companion bill, Protecting Americans from Foreign Adversary Controlled Applications Act (H.R. 7521). Colloquially referred to as the “TikTok bill”, the latter legislation requires companies that own applications that are controlled by a foreign adversary and host internet services (e.g.,TikTok) to either sell the application to an entity beyond the control of a foreign adversary or face civil penalties. The House voted on both bills shortly after the Biden Administration announced the issuance of Executive Order 13873, which restricts “bulk” transfers of personal data to “countries of concern.”
What activity is restricted under PADFAA?
Under PADFAA, data brokers may not “sell, license, rent, transfer, release, disclose or otherwise make available sensitive data of a United States individual” to foreign adversaries or entities under their control.
PADFAA defines “data broker” as an entity that makes available the data of U.S. individuals that the entity did not collect directly from the individual to a separate entity in exchange for valuable consideration. Notably, the bill excludes the following entities from the definition of data broker: entities that act as service providers, provide news or information to the general public, or transmit the data of a U.S. individual at the individual’s request.
The draft definition of “sensitive data” covers a wide swathe of data such as government-issued identifiers; past or present health conditions or diagnoses; the content of communications; precise geolocation data; and account login credentials. The bill’s definition of sensitive data goes beyond the definition of sensitive data in many state and federal laws to include calendar and contact data; browser and online search activity; call logs; information about an individual under the age of 17; and an individual’s status as a member of the Armed Forces.
Who is a foreign adversary?
PADFAA labels four countries as foreign adversaries— China, Iran, North Korea, and Russia—a shorter list of countries than the proposed rules published by the Department of Justice pursuant to Executive Order 13873.
In addition to foreign adversaries, PADFAA prohibits data brokers from disclosing sensitive data to entities controlled by a foreign adversary. The bill defines such entities broadly to include:
- any foreign entity domiciled in, headquartered in, with its principal place of business in, or organized under the laws of a foreign adversary country; or
- an entity that is 20 percent or more owned, directly or indirectly, by a foreign adversary.
Enforcement authority
PADFAA grants the Federal Trade Commission enforcement authority and directs it to treat any violation of the Act as an unfair or deceptive practice under Section 18 of the Federal Trade Commission Act.
Bottom line If PADFAA is signed into law, it will prohibit data brokers from making certain data transfers and require them to conduct extra diligence to verify no sensitive personal data is being shared with foreign adversaries or entities controlled by foreign adversaries. Businesses should pay close attention to PADFAA and its companion bill as they come before the Senate. Both bills stand to heighten the federal government’s regulation of activities that could put the personal data of Americans in the hands of hostile foreign governments and related entities. It remains to be seen whether the overwhelming support for the bills in the House signals momentum for more comprehensive federal data privacy legislation.