A new law addressing the national security risks of the data brokerage industry took effect on June 23, 2024, following bipartisan approval in January. The bill, known as the Protecting Americans’ Data from Foreign Adversaries Act or PADFAA, seeks to limit the transfer of sensitive American data to firms owned or controlled by Russia, China, North Korea, and Iran.
PADFAA is the first piece of federal legislation to take aim at the data brokerage ecosystem, an industry that buys, sells, and analyzes online data for third-party usage. Furthermore, the bill represents growing bipartisan efforts to address data privacy at large. While advocates celebrate the narrow and targeted nature of the bill to address specific challenges in the data brokerage industry, some claim that the bill either goes too far or doesn’t go far enough.
What is the data brokerage industry?
The data brokerage industry encompasses the wide network of buyers, sellers, and contractors who collect, license, and share data from public and private sources online. The data broker industry generates $200 billion in annual revenue in the United States alone.
Data brokers collect information from both public and private sources. Companies may sell the data they collect on their platforms to data brokers, including user details, purchase history, and cookie information. Alternatively, data brokers can scrape the internet for publicly available information found on public sites and social media platforms.
Data collected online is then analyzed and aggregated to create packages of information tied to certain groups, including their purchase habits, interests, health history, ideology, and identity. Even if a data broker doesn’t specifically collect personal information such as names and phone numbers, the aggregated data can still be used to identify individual users.
The demand for packaged data is wide-reaching across sectors. Packaged data can be used for advertising, fraud detection, risk assessment, and populating people-search sites: websites where users can search for an individual’s personal details given only their name. Potential buyers include banks, credit agencies, insurance firms, internet service providers, loan companies, advertisers, and law enforcement agencies. A Duke University study shows that data buyers can acquire access with varying levels of vetting, suggesting that nefarious actors can often buy access to data for dangerous purposes.
Arguments in Favor of PADFAA
Proponents of PADFAA praise the bill for its comprehensive approach to data privacy. Six months before PADFAA came into effect, President Biden issued an executive order to address similar concerns about adversarial countries acquiring sensitive American data. PADFAA not only enshrines the executive order’s provisions into law, but also expands its scope from government-affiliated Americans to all Americans. Additionally, the bill applies to all data transactions, both big and small, which supporters argue will better protect the average American citizen.
Supporters also argue that PADFAA creates a uniform national standard for data privacy, replacing a patchwork of state laws and more niche federal laws. Through its comprehensive definition of “sensitive data,” PADFAA also creates a legal precedent that can be used as the basis for future legislation in the area of data brokerage. Under the bill, sensitive data includes geolocation data, passport information, social security and driver’s license numbers, bank details, biometric and genetic information, private communication, personal identities such as age, gender, and race, and online activity. Proponents argue the breadth of this definition will make it difficult for data brokers to exploit loopholes in existing data privacy laws.
Arguments Against PADFAA
Critics argue that the law’s focus on third-party data brokers, who collect and analyze data for sale, leaves much of the industry unregulated. PADFAA’s definition of a “data broker” does not include first-party data collectors, allowing apps, social media platforms, and healthcare services to sell American data directly to companies owned or controlled by Russia, China, North Korea, or Iran.
Additionally, the law does not prohibit selling American data to the four listed countries if the seller does not reside in one of those countries. Data privacy advocates stress that under PADFAA, if a company licensed outside of Russia, China, North Korea, or Iran acquires American data, it is still permissible for that company to sell American data to any of the four countries.
Opponents also claim that PADFAA will overburden the Federal Trade Commission (FTC). The FTC has long specialized in consumer privacy and data protection. However, critics argue that the FTC does not have the capacity to enforce foreign policy. In particular, the FTC lacks the security clearances necessary for obtaining critical intelligence information about adversarial attempts to acquire American data. Critics also argue that the FTC’s privacy division is underfunded and overstretched, leaving it ill-equipped for the task.
On the other hand, some argue that PADFAA is an unnecessary addition to an already-complex legal landscape concerning the data broker industry. Federal measures like the Fair Credit Reporting Act (FCRA) and state laws such as those in Vermont and California take steps to protect consumer data from harmful use, and critics of PADFAA argue that those existing measures provide adequate protection.
Conclusion
PADFAA marks the first step in regulating the data broker industry and protecting against its harmful effects. However, the law does not fully encompass the scale of the issues raised by privacy advocates, such as discretionary data collection, predatory and dangerous uses of individual information, and the lack of transparency in the industry. Nonetheless, the bipartisan support for a policy measure of this kind makes the path for future legislation less opaque.