The new Protecting Americans’ Data from Foreign Adversaries Act could emerge as a new area for data protection enforcement by the US Federal Trade Commission, with the regulator now investigating multiple data brokers for possible violations and a member of the commission calling out PADFA as a potential new area of enforcement.
The US Federal Trade Commission has a new federal privacy law to enforce, and the regulator has already begun digging into potential violations of one of the first significant restrictions on data brokers’ sharing of Americans’ personal data abroad.The FTC has active investigations into potential violations of the new Protecting Americans’ Data from Foreign Adversaries Act (PADFA), though the total number is fewer than five, MLex has learned. The specific data brokers targeted in those investigations could not be learned.
PADFA, which took effect last June, is a law whose primary concern is national security, although it has a consumer protection element like other privacy laws. In a keynote address late Tuesday in Washington DC at the opening of one of the world’s largest gatherings* of privacy professionals, Republican Commissioner Melissa Holyoak singled out the new law as one of three priority areas of privacy enforcement.
“The Commission has deep experience fighting misleading data sharing practices and deficient information security practices, and I expect enforcement to continue in these areas,” Holyoak said. “But there's another and often overlooked way that foreign adversaries can gain access to American sensitive personal data. They buy it. Foreign adversaries will purchase data, usually in bulk, from data brokers that aggregate, analyze and sell data collected from unwitting individuals.”
Data brokers’ sale of location data, for example, can reveal “our religious beliefs, our political affiliations and even medical conditions of treatment,” and could be a national security threat unless the FTC pushes back through tools like PADFA, Holyoak said.
While aimed at controlling the sale, transfer or exchange of US data with four adversary countries — China, North Korea, Russia and Iran — PADFA carries significant sanctions for violators and broad definitions of personal information and which organizations are classified as “data brokers.”
The law makes it illegal “for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual” to a foreign adversary nation, or entities controlled by that nation (see here).
The law expands what information would be considered “personally identifiable sensitive data” to include private communications — including emails, text messages, call logs — and other information stored on phones, including calendar items, photos and audio recordings.
Violators face a penalty of just over $50,000 per violation. Given the FTC’s focus over the past two years on data brokers, the agency is widely expected to be active and engaged in enforcing PADFA (see here). Along with bolstering the development of artificial intelligence and protecting the safety and privacy of children and teens online (see here), Holyoak invoked PADFA as the third key area of privacy enforcement.
With the US Department of Justice recently finalizing a rule stemming from a Biden Administration executive order that regulates data brokers’ bulk sale of personal data to an even wider circle of adversary nations (see here), Holyoak suggested the two regulators could team up to enforce PADFA and the DOJ rules.
“Additionally, in the future, there may be opportunities to partner with the Department of Justice as it enforces its recently enacted rule that restricts the transfer of American sensitive personal data to countries of concern,” she said.
PADFA was one of two privacy laws Congress passed last year that had roots in national security, with the other more prominent legislation being the law that requires ByteDance to divest the US operations of TikTok from Chinese ownership or face a shutdown of TikTok in the US.
Saying that the divestiture deal “requires more work to ensure all necessary approvals are signed,” President Donald Trump this month extended the deadline to complete the divestiture for another 75 days, pushing the deadline out to mid-June (see here).
An FTC spokesperson declined to comment on the agency’s PADFA investigations, as is the agency’s practice.
* IAPP Global Privacy Summit 2025, Washington, DC, April 22-24, 2025.
Please e-mail editors@mlex.com to contact the editorial staff regarding this story, or to submit the names of lawyers and advisers.