New US foreign-adversary data protection law represents shift in emphasis, view of data transfers

17 June 2024
By Mike Swift

For the first quarter century of the commercial Internet, data privacy has generally been regulated as an individual consumer-protection issue, even as the US has consistently backed the view that personal data should be unfettered in its ability to cross international borders.

The Protecting Americans’ Data from Foreign Adversaries Act (PADFA), signed into law by President Joe Biden in late April and due to take effect in just under a week’s time, is starting to change all that. PADFA is a law whose primary concern is national security, even if it has a consumer protection element like other privacy laws.

Creating one of the first significant restrictions on the flow of Americans’ personal data outside the US, PADFA reflects the new geopolitical reality that personal data won’t just be the oil of the 21st Century, it could often comprise the bullets, as well.

While aimed at controlling the sale, transfer or exchange of US data with just four adversary countries – China, North Korea, Russia and Iran — PADFA carries significant sanctions for violators and broad definitions of personal information and which organizations will be classified as “data brokers.” In some cases, those definitions may be broader than existing state data broker laws in California and other states.

The US Federal Trade Commission is tasked with enforcing the new law, and violators could face a penalty of just over $50,000 per violation. Given the FTC’s demonstrated aggressiveness on privacy enforcement and its specific focus over the past two years on data brokers, the agency is widely expected to be active and engaged in enforcing PADFA.

And unlike landmark privacy laws like Europe’s General Data Protection Regulation and the California Consumer Privacy Act, which gave businesses years to prepare for their effective date, PADFA goes into effect Sunday, a scant two months after it was passed by Congress and signed into law by President Joe Biden.

Nor is US regulation in this space done, with the US Department of Justice expected to release proposed regulations later this summer for a Biden executive order released in February limiting the sale or export of Americans’ personal data to adversary nations. Those regulations are “going to have real teeth,” senior DOJ officials say.

“This is, I think, the start of a trend toward restricting the transfer of data outside the US, driven by broader geopolitical factors,” said Shannon Yavorksy, who heads the global cyber, privacy and data innovation group at Orrick. “The US has always advocated for free flow of data to facilitate international trade. While I hesitate to label this shift as protectionist, it certainly indicates a changing perspective on data sharing and the cross-border transfer of data.”

For all those reasons, Yavorsky and many other privacy lawyers are urging clients to become familiar with PADFA and assess whether their organization’s data practices could trigger regulatory risk under the new law.  While relatively few US companies may do business with companies based in North Korea or Iran, that isn't the case with China.

PADFA makes it illegal “for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual” to a foreign adversary nation.

And significantly, the law expands what information would be considered “personally identifiable sensitive data” to include private communications — including emails, text messages, call logs — and other information stored on phones, including calendar items, photos and audio recordings.

The new law will also bar the sale or transfer of information that identifies Americans’ online activities over time and across websites or online services. It restricts the export of the personal data of teens and children under age 17, representing expanded data protections for young people that typically have only been applied in the US to children under age 13.

“When you look at how they define 'data broker,' which is broader than the traditional definition of data broker that we've seen in US laws, and you look at how they designate personally identifiable sensitive data, which [is] a little bit more broad than what we traditionally think of as sensitive data, then you recognize, 'oh, this has potentially a broad impact',” said James Denvil, a partner with Hogan Lovells who recently co-authored a blog post on PADFA with another partner at the firm, Scott Loughlin.

“All legislation suffers from some level of ambiguity and vagueness, and this one in particular,” Loughlin noted, "has a much wider reach than perhaps folks initially thought, or even maybe [what] the drafters of the legislation intended to.”

PADFA defines “data broker” as an entity that “sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.”

Generally, state data broker laws applied to entities that engaged in commerce with personal data, but which lack a direct relationship with the consumer that data applies to. With PADFA, however, there may be cases where organizations with a first-party relationship with consumers fall under the umbrella of the new law, if they acquire personal data from another source and made it available to a foreign adversary nation or an entity controlled by it through any sort of transaction, the Hogan Lovell lawyers said.

An entity is “controlled” by a foreign adversary, under PADFA, when there is there is at least a 20 percent ownership stake of individuals or companies domiciled or based in a foreign adversary state. Adding to the potential risk is the novel quality of the new law.

“Given the lack of guidance around it or enforcement history, and the lack of precedent for this kind of restriction in the US, it may have substantial impacts,” Denvil said.

The degree to which other countries follow the US to enact similar restrictions on the outflow of their citizens’ sensitive personal information remains to be seen. Also unclear is whether PADFA could trigger private litigation filed by enterprising plaintiff attorneys who might argue a violation comprises an unfair or deceptive business practice.

While Congress continues to struggle to pass a commercial privacy law, the national security identity of PADFA easily and rapidly pushed the legislation through Congress in a closely contested election year as part of a package that included a requirement that TikTok in the US be divested from its Chinese ownership.

But if the new American data protection law is the product of the election-year politics of the moment, US companies will be wise to closely monitor the legal and regulatory ramifications of what US politicians have done, for years into the future.

For the latest regulatory developments in data privacy & security, AI & tech, online safety, content moderation and more, activate your instant trial of MLex today.