The U.S. Protecting Americans’ Data from Foreign Adversaries (PADFA) Act of 2024, effective June 23, 2024, imposes new restrictions on data brokers concerning cross-border data transfers. The Act specifically targets the provision of personally identifiable sensitive data of U.S. individuals to foreign adversary countries or entities controlled by such countries. While initially seeming limited, the PADFA Act’s broad definitions could impact a wide range of organizations, with significant civil penalties of up to $50,120 per violation.
PADFA expands the definition of “data broker” beyond traditional expectations. It includes entities that sell, license, or transfer data collected from U.S. individuals indirectly, rather than directly. Organizations that handle personal data from various sources, including affiliates and third parties, need to evaluate whether their operations fall under this broad definition.
The Act also broadly defines “personally identifiable sensitive data,” encompassing government identifiers, health and financial information, biometric and genetic data, and other types of sensitive personal information. Organizations must determine if their data transfers involve this broad category and assess if the recipients are controlled by foreign adversaries like China, Russia, Iran, or North Korea.
To comply, entities must scrutinize their data collection, usage, and transfer practices. They need to ensure their data-sharing arrangements do not violate PADFA’s restrictions, especially concerning foreign adversary-controlled recipients. Organizations should prepare for enforcement by the FTC and consider any applicable exemptions, such as those for publicly available information or service providers.
Reference:
