
Analyzing New International Data Transfer Obligations for U.S. Entities

Ali A. Jessani, Sam Kane
Wednesday, October 8, 2025, 8:00 AM
U.S. entities should be aware of new data transfer rules and how they compare to one another.
Data privacy. Dec. 17, 2014. (Blue Coat Photos, https://commons.wikimedia.org/wiki/File:DataPrivacy.jpg, CC BY-SA 2.0)

Published by The Lawfare Institute in Cooperation With Brookings

In recent years, the national security risks posed by foreign adversary access to Americans’ personal information have come into stark relief. News headlines are replete with examples of how bulk datasets of personal information can expose sensitive information about U.S. government personnel and American citizens more broadly—with potentially significant ramifications for U.S. national security.

Both the White House (the prior and current administrations) and Congress have taken steps to address this concern. First, in February 2024, President Biden issued Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern), which called for the attorney general to issue regulations restricting data transactions involving access to bulk sensitive personal data or U.S. government-related data by certain foreign entities. This rulemaking process proceeded over the course of the next year, culminating in the finalized regulations (now known as the Data Security Program, or DSP) taking effect in April 2025. Meanwhile, Congress took action of its own in April 2024, including as part of an emergency supplemental appropriations bill the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA), which imposed restrictions on data brokers seeking to make Americans’ personally identifiable sensitive data available to certain foreign adversaries.

Though the DSP and PADFAA regulate similar types of conduct, the specifics of their respective frameworks are distinct. Understanding those distinctions is critical for companies looking to grasp their overlapping compliance obligations under these regimes, particularly with the Department of Justice’s enforcement grace period regarding the DSP having concluded in early July. In this article, we examine several key respects in which the DSP and PADFAA differ, including their coverage of different types of data and entities, applicability to service providers, treatment of “onward transfers,” definitions of data brokerage, treatment of customer consent, and enforcement provisions. The key takeaway that companies should bear in mind is that the DSP, as a general matter, is likely to present a more substantial compliance challenge than PADFAA. Specifically, the DSP applies to a wider range of entities, covers a broader range of data brokerage activity (including onward transfers), does not include key exemptions found in PADFAA and other data privacy legal frameworks (such as exemptions for service providers and customer consent), and features a more punitive penalty scheme.

Types of Data Covered

PADFAA and the DSP cover overlapping, but distinct, categories of sensitive information. The DSP covers six relatively discrete categories of “bulk U.S. sensitive personal data” (covered personal identifiers, precise geolocation data, biometric identifiers, human “omic” data, personal health data, and personal financial data), as well as “government-related data” (essentially, precise geolocation data for sensitive government locations and sensitive personal data associated with U.S. government personnel). PADFAA, meanwhile, covers many of those data types but also reaches others, such as private communications, calendar information, photos and videos, information about minors, and “[i]nformation identifying an individual’s online activities over time.”

Types of Entities Covered

PADFAA’s prohibitions are focused specifically on data brokers, which it defines as any entity that “for valuable consideration … makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.” The DSP not only defines data brokerage more broadly than PADFAA (as discussed in more detail below) but also applies to any U.S. person who engages in a prohibited or restricted transaction under the regulations. Thus, many entities that fall outside PADFAA because they are not data brokers may still find themselves within the ambit of the DSP.

Service Provider Exemptions

PADFAA exempts service providers from its restrictions (specifically by excluding service providers from its definition of “data broker”). In contrast, the DSP creates no such generalized exemption for service providers, though service providers could fall within the scope of other exemptions in the regulations not limited to service providers, such as the exemption related to “corporate group transactions.” In this way, then, the DSP sweeps more broadly than typical privacy law frameworks, which often apply only to data “controllers” (that is, entities that determine the purpose and means of processing personal information), not service providers or “processors,” which only process personal information on behalf of controllers.

Onward Transfers

A key challenge in the foreign data transfer environment concerns the issue of onward transfer, where U.S. persons’ personal data is initially transferred to a nonadversarial foreign country, but then subsequently transferred to an adversarial foreign country. PADFAA does not explicitly address this scenario—its central requirement prohibits data brokers from making U.S. persons’ sensitive data available to foreign adversaries, but would not capture a situation where a data broker transferred that data to a nonadversary foreign entity, which then transferred the data to an adversary. In contrast, the DSP expressly contemplates these types of onward transfers, requiring that U.S. persons engaging in data brokerage with foreign persons contractually require those foreign persons to “refrain from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person” and report violations of these contractual requirements to the Justice Department.

Definitions of Data Brokerage

Both the DSP and PADFAA regulate the activities of data brokers. Data brokers are the primary entity regulated under PADFAA, as the act specifically prohibits data brokers from making personally identifiable sensitive data of U.S. individuals available to foreign adversaries. The DSP, meanwhile, prohibits certain data brokerage transactions with countries of concern and imposes restrictions on data brokerage transactions with foreign persons more generally.

However, the two frameworks feature differing definitions of data brokerage, with the DSP adopting a broader definition. Notably, PADFAA defines a “data broker” as “an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.” The key qualifier is that the data was not collected directly from the individuals. In contrast, the DSP defines “data brokerage” as a commercial transaction “involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.” The DSP’s conception of data brokerage is broader than PADFAA’s because the DSP looks at whether the recipient collected the data directly, whereas PADFAA looks at whether the provider did: an entity that collects data directly from individuals and sells that data to another party would be engaged in data brokerage under the DSP, but would not be a data broker under PADFAA (because the entity in this scenario collected the relevant data directly from the relevant persons). Companies seeking to understand their compliance obligations under these regimes should understand that not being a data broker for purposes of PADFAA does not mean they are not engaged in data brokerage under the DSP.

Consent Exceptions

PADFAA offers a consent-based exemption, excluding from its definition of “data broker” any entity that transmits an individual’s data at that individual’s request or direction. Though PADFAA does not define what it means for an individual to “direct” or “request” a data transaction, even a narrow reading of that language has the potential to create a substantial carve-out from the law’s restrictions. The DSP, in contrast, offers no such exemption. In this way, then, PADFAA is more reminiscent of the types of privacy law frameworks that companies are likely used to dealing with, many of which offer consent-based exemptions for various data processing practices. Companies should be aware, however, that customer consent is not a defense under the DSP.

Enforcement and Penalties

PADFAA is enforceable by the Federal Trade Commission (FTC), with violations of the act treated as an unfair or deceptive act or practice under the FTC Act. The DSP’s penalty regime is stricter, however, in two respects. First, it provides for civil penalties against violators of the regulations, with those penalties capped at the greater of “$368,136 or an amount that is twice the amount of the transaction that is the basis of the violation.” Second, the regulations provide for criminal penalties against violators, as well, including fines of up to $1 million and imprisonment of up to 20 years. Interestingly, it appears that enforcement of the DSP will fall under the auspices of the Foreign Investment Review Section (FIRS) of the Justice Department’s National Security Division. FIRS is a component better known for its negotiation and transactional competencies than its prosecutorial or litigation acumen.

Presently, it is unclear whether either of these frameworks will prove to be federal enforcement priorities. The FTC, for example, has yet to bring an enforcement action related to PADFAA, despite the law having taken effect in June 2024. The Justice Department, meanwhile, has similarly not yet brought an enforcement action under the DSP, though that framework took effect more recently, and the department has taken steps, such as issuing compliance guidance and FAQs, to suggest that enforcement may be forthcoming. It is also worth noting that, though the DSP originated in the Biden administration, the second Trump administration continued to move forward with implementing the DSP even after taking office (despite its skeptical posture toward federal regulation more generally), which suggests the administration does intend to enforce the program.


Ali A. Jessani is counsel at WilmerHale. He counsels clients on the privacy, cybersecurity and regulatory risks presented by new and proposed uses of technology and consumer information, including generative AI. Specifically, he advises clients with compliance issues related to federal and state laws governing data sharing, ownership and protection. He also serves as an adjunct professor at the Antonin Scalia Law School at George Mason University.
Sam Kane is a Senior Associate at WilmerHale, where his practice focuses on cybersecurity and privacy issues. In his current role, he assists companies in responding to government cybersecurity and data privacy investigations; aids companies’ compliance efforts in relation to various state, federal, and international cybersecurity and data privacy legal frameworks; and supports companies’ responses to cybersecurity incidents and data breaches.
