New US data broker law bans transfers to Iran, China, Russia and North Korea

code projected over woman
Photo by ThisIsEngineering on Pexels.com

Most headlines today are dominated by news that the United States has signed into law an act that bans TikTok unless it is sold off. What has gone unnoticed is another law also signed by the United States President: The Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA).

Purpose of the law

The PADFA law – HR7520 – is described as an act for “preventing apps controlled by foreign adversaries from targeting, surveilling, and manipulating the American people” and will specifically serve to:

  • prevent any data broker from selling personal information of Americans to China, Russia, North Korea or Iran or (and this is the key part) any entities controlled by them.
  • Create broad limitations on how data brokers may share the data of Americans outside the North American country.
  • Appoint the Fair Trading Commission as the enforcer of the law.

Data Broker

The definition of data broker is interesting. Under the definitions section, it refers to “an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.”

Sensitive Data

The privacy geek in me couldn’t help but to zoom in on the novel definition of ‘sensitive data’ in HR7520. Experience teaches that the definition of ‘sensitive data’ in a country’s privacy laws is often the quickest route to understanding the business imperatives and wider cultural and social norms impacting that society at the time of passage. Here, sensitive data covers many of the usual suspects: health status, biometrics, race, color ethnicity. It goes further to include a number of novel categories of sensitive data including precise geolocation, information about someone’s armed forces status, account log-in credentials and, my personal favourite: private communications including texts, emails, DMs etc.

Implications

HR7520 is meant to be a companion law to the more widely reported HR7521. Yes, the so-called ‘TikTok banning law’. HR7521 serves to prohibit TikTok, and entities like it, from operating in the US, unless those entities are divested via a process the law calls a ‘qualified divestiture’ (a whole other post, trust me!).

As is pretty obvious, with both bills being signed into law, the collective impact is (officially) to prevent TikTok and other entities deemed to be under the control of Russia, China, Iran or North Korea from surreptitiously accessing, collating and interpreting meaningful data about Americans.