Peter Swire, Senior Counsel at Alston & Bird, has published a white paper at the Cross-Border Data Forum (“CBDF”), analyzing the definitions in the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“PADFAA”), which was passed on April 24, 2024 and will take effect on June 23, 2024. The white paper discusses some ambiguities in the text of the new law, and the consequences that may result from differing interpretations of the language. It also includes an Appendix comparing the PADFAA definitions to those in the Executive Order on bulk sensitive data (“Executive Order”).
Swire argues that the interconnected and overly broad definitions of data broker, service provider, “provides access”, and “controlled by a foreign adversary” (“CBFA”) may create a regulatory regime that could prevent US service providers from providing services involving sensitive US data to their US clients. The argument can be summarized as follows:
- The general prohibition on sales of sensitive data to foreign adversary countries or CBFA entities applies to data brokers, a term that is defined broadly.
- Sensitive data is defined more broadly than typical US privacy law definitions and captures data that may be difficult to exclude from company systems, such as private communications and online activity. Furthermore, there is no bulk sensitive data requirement like the one in the Executive Order, meaning that the law covers the sensitive data of even one US individual.
- The broad definition of data broker goes beyond entities that sell data and captures entities that merely provide access to data of US individuals. While there is a service provider exception in the definition, entities that provide services to CBFA entities are excluded from this exception and would thus be considered data brokers even if only one of their many clients is CBFA.
- There is a low threshold for being considered CBFA, which can be triggered even if there is only a single employee residing in a foreign adversary country and the other criteria are met.
- Service providers must often provide access to sensitive data about US-based employees or individuals to perform their intended functions, so when an American service provider falls under this broad data broker definition because it provides services to a CBFA entity and thus cannot claim the protection of the service provider exception, it may be prohibited from servicing its American clients.
This argument, along with other ambiguities that Swire discusses in the white paper, highlights how the final text of PADFAA may be interpreted in a way that creates detrimental economic consequences likely not intended by legislators.
For a more detailed explanation of Swire’s argument, along with examples of the key points, read the full white paper on the CBDF’s website.