In addition to its well-publicized move to prohibit more than 150 million Americans from posting embarrassing dance videos of themselves on TikTok (at least while it is Chinese-owned), the U.S. federal government recently adopted two significant federal data transfer prohibitions: (1) the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“PADFA”); and (2) an Executive Order entitled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” Any organization that currently shares, or is considering sharing, sensitive personally identifiable information with anyone in China, Russia, Iran or any other “foreign adversaries” of the United States should determine whether these new prohibitions require them to change their data transfer activities.
The Protecting Americans’ Data from Foreign Adversaries Act of 2024. PADFA prohibits “data brokers” from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to, or otherwise making available personally identifiable “sensitive data” of U.S. residents to a foreign adversary country or an entity controlled by them. Currently, only those countries who are members of the club dubbed by Foreign Affairs magazine as the “Axis of Upheaval” (China, Russia, Iran, and North Korea) are identified as “foreign adversaries” under PADFA.
“Sensitive data” under the Act includes: government-issued identifiers (e.g., Social Security numbers, passport numbers, driver’s license numbers); account or device log-in credentials; information about a person’s health or sexual behavior; financial data (account numbers, income levels, bank balances); biometric information; genetic data; precise geolocation data; private communications (e.g., voicemails, emails, texts, etc.); calendar and contact information maintained for private use; any information about children under age 17; and certain other categories of information. PADFA applies solely to “data brokers,” which are defined as any entity that, for valuable consideration, either sells, licenses, transfers, releases, discloses, provides access to, or otherwise makes available data of U.S. individuals where (a) the entity did not collect the data directly from those individuals and (b) the recipient is not acting as a service provider.
PADFA includes certain exceptions, such as for news media and where the entity is engaged in transmitting data at the request or direction of the individual. The exceptions, although not further defined in PADFA, are a critical concept under PADFA that is intended to delineate the full scope of the “data broker” definition.
PADFA goes into effect on June 23, 2024, and is enforceable by the Federal Trade Commission under the FTC Act. For violations of the Act, the FTC can seek up to $50,120 in civil penalties per violation.
Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. In addition to having a catchy title, this Executive Order (the “EO”), signed by President Biden under authority of the International Emergency Economic Powers Act, directs federal agencies, including the Department of Justice and the Department of Homeland Security, to, among other things: (a) issue targeted regulations on bulk sensitive personal data transfers to certain countries; (b) publish security requirements (based on NIST’s Cybersecurity and Privacy Frameworks) that address risks posed by restricted transactions; (c) establish a licensing process authorizing transactions that would otherwise be prohibited; and (d) review licenses for submarine cable systems owned or operated by persons connected to countries of concern.
While the EO does not define the term “bulk sensitive personal data,” it authorizes the Attorney General to do so, and defines “sensitive personal data” to include human genomic data, geolocation and related sensor data, biometric identifiers, human genomic data, personal health data, personal financial data, and other “personal identifiers.”
Without identifying any specific countries, the Executive Order lays out a framework by which the Attorney General may designate “counties of concern” based on a foreign government’s “long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of United States persons” and which “poses a significant risk of exploiting bulk sensitive personal data or United States Government-related data to the detriment of the national security of the United States or the security and safety of United States persons.” Undoubtedly, members of the “Axis of Upheaval” will likewise be invited to join this new club.
