Understanding the Protecting Americans Data from Foreign Adversaries Act
Kirsten Peremore
May 31, 2025 7:10:54 PM

The Protecting Americans Data from Foreign Adversaries Act (PADFAA) is a legislative measure aimed at protecting sensitive American data, including health data, from unauthorized access or exploitation by foreign adversaries. The act generally focuses on enhancing protections against foreign entities that might seek to compromise U.S. data security.
According to a Journal of the American Informatics Association editorial on the topic of biomedical data privacy, “The arrival of ultra-cheap data collection and processing technologies is fundamentally changing the face of healthcare…Health information is increasingly collected through mobile devices, in personal domains (eg, in one’s home), and from sensors attached on or in the human body.”
Given the increasing digitization and exchange of health information, PADFAA has implications for health data sharing among U.S. healthcare providers by imposing stricter controls and oversight on how data is accessed, stored, and shared. Its application is particularly relevant when foreign entities or technologies are involved. It adds to an already complex domain, since biomedical data privacy involves ethical, legal, and technical challenges of its own.
PADFAA likely adds a national security dimension to these privacy concerns, requiring healthcare providers to implement more rigorous safeguards to prevent foreign adversaries from accessing sensitive health information. Overall, the legislation impacts health data sharing by potentially restricting or monitoring cross-border data flows.
The legislative background
The introduction of the journal article ‘Effects of the USA PATRIOT Act and the 2002 Bioterrorism Preparedness Act on select agent research in the United States’ published in PNAS notes, “In October 2001, President Bush signed the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism” Act, otherwise known as the USA PATRIOT Act (1). It was followed in June 2002 by the Public Health Security and Bioterrorism Preparedness and Response Act, otherwise known as the 2002 Bioterrorism Preparedness Act.”
Laws like the USA PATRIOT Act and other national security legislation have established frameworks for monitoring and controlling data access to protect against terrorism and foreign espionage. PADFAA builds on this foundation by specifically targeting the protection of American data from foreign adversaries in the digital age, reflecting concerns over cyber espionage and data breaches that could compromise national security and individual privacy.
The act likely emerged in response to increasing incidents of foreign cyberattacks and the growing need for data as a strategic asset. It aligns with other federal initiatives like the Pandemic and All-Hazards Preparedness Act (PAHPA), which, although focused on public health emergencies, underscores the government's role in protecting critical health information infrastructure.
The provisions of PADFAA
- PADFAA prohibits data brokers from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to, or otherwise making available any “personally identifiable sensitive data” of U.S. individuals to foreign adversary countries or entities controlled by such countries. (Protecting Americans’ Data from Foreign Adversaries Act, Akin, 2024)
- PADFAA defines foreign adversaries broadly to include entities domiciled, headquartered, or incorporated in a foreign adversary country, individuals domiciled in such countries, entities with at least 20% ownership by foreign persons or entities, or those subject to foreign direction or control. (White Paper on Clarifying Definitions in the Protecting Americans’ Data from Foreign Adversaries Act of 2024, Peter Swire, 2024)
- Entities acting as service providers, processing data on behalf of non-foreign adversary clients or government entities, are generally exempt from being classified as data brokers. (White Paper on Clarifying Definitions in the Protecting Americans’ Data from Foreign Adversaries Act of 2024, Peter Swire, 2024)
Where health data is affected
HIPAA mainly controls the protection of individually identifiable health information and sets standards for its use and disclosure to protect patient privacy. The conclusions and recommendations chapter from Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research notes, “The HIPAA Privacy Rule sets forth detailed regulations regarding the types of uses and disclosures of ‘protected health information,’ defined as ‘individually identifiable health information’ that is held or transmitted by a ‘covered entity.’”
Health data is explicitly and centrally implicated in PADFAA. The statute defines “personally identifiable sensitive data” to include a broad range of health-related information, such as health information, biometric and genetic data, and other identifiers that could be used to uniquely identify or profile individuals based on their medical status or history. This means that any data broker, defined as an entity that sells or provides access to such data for valuable consideration, cannot transfer, sell, or otherwise make available this health data to any foreign adversary country (currently China, Russia, Iran, and North Korea) or any entity controlled by such adversaries.
PADFAA’s impact on health data covers both traditional protected health information (PHI) as regulated by HIPAA and de-identified and aggregated health data, which historically could be shared more freely once stripped of direct identifiers. Under PADFAA, even de-identified or encrypted health data may be subject to restrictions if it falls within the broad statutory definitions, particularly when transferred to or accessed by foreign adversaries. As a result, HIPAA covered entities and their business associates must now reassess their data-sharing practices, update business associate agreements and contracts, and implement additional security controls to comply with PADFAA’s requirements.
The law’s reach is further extended by its broad definitions of “data broker” and “controlled by a foreign adversary,” which can include U.S. service providers if they provide access to sensitive data to a foreign-controlled entity, even inadvertently. This has led to concerns that the law could unintentionally restrict legitimate services and data flows within the U.S. healthcare system, especially as healthcare organizations increasingly rely on global vendors and cloud-based platforms.
The criticism of the legislation
Legal scholars and privacy advocates have pointed out that the law’s definitions, such as what constitutes a data broker or what it means to be controlled by a foreign adversary, are broad and sometimes ambiguous, potentially sweeping in entities that are not traditionally considered data brokers. A few pinpoint criticisms are discussed in the ‘White Paper on Clarifying Definitions in the Protecting Americans’ Data from Foreign Adversaries Act of 2024’, “It appears possible that use of the term 'individual' is a drafting error in PADFAA…This garbled text thus suggests that the provision was intended to apply only to corporations or other legal persons, and not to a human (a 'natural' person).”
The breadth of these definitions could create compliance burdens for a wide range of organizations, including those in the healthcare sector, which may need to overhaul data flows and contractual relationships to avoid inadvertent violations.
Another major criticism is that PADFAA’s enforcement mechanism, placing responsibility with the Federal Trade Commission (FTC), may not be well suited for the national security context the law is designed to address. The FTC is primarily a consumer protection agency and lacks the institutional capacity and security clearances to handle classified intelligence or rapidly respond to evolving national security threats. This could result in enforcement gaps or delays, undermining the law’s effectiveness in preventing foreign adversaries from accessing sensitive American data.
The support
Supporters of PADFAA, including lawmakers from both parties and national security officials, argue that the legislation is a necessary and overdue response to the risks posed by the largely unregulated data brokerage industry and the threat of foreign adversaries exploiting Americans’ sensitive data.
According to a Lawfare article by Justin Sherman titled ‘The Pros and Cons of the House’s Data Broker Bill’, “There are several elements of the bill that are noteworthy in this respect, including the fact that its protections are aimed beyond government personnel, it would not carve out sales of covered data below a certain threshold (for example, data set size), and it has a fairly strong definition of sensitive data that it could put into federal law.”
They point out that the U.S. data brokerage ecosystem enables the collection and sale of detailed personal information without meaningful restrictions, making it possible for foreign governments to build dossiers, track individuals, or engage in espionage and blackmail.
Proponents emphasize that PADFAA establishes a clear, national standard for protecting sensitive data from being transferred to countries that pose security risks, closing loopholes in existing privacy laws, and replacing a patchwork of state and sectoral regulations. By defining personally identifiable sensitive data broadly, the law aims to prevent data brokers from exploiting technicalities or narrow definitions to continue risky data transfers.
Supporters also argue that the law’s focus on national security is justified, given the documented efforts by foreign intelligence agencies to obtain data on U.S. citizens, government employees, and military personnel.
How could it impact data sharing through email?
- PADFAA prohibits data brokers from sharing sensitive personal data, including health information and private communications like emails, with foreign adversaries or entities controlled by them.
- Healthcare providers using email services must ensure that these services do not transfer patient data to foreign adversaries, directly or indirectly.
- If an email provider acts as a service provider (storing or transmitting data on behalf of a healthcare provider), PADFAA generally excludes them from being classified as data brokers, but only if they do not share data with foreign adversaries.
- Healthcare organizations must carefully vet their HIPAA compliant email vendors to ensure contractual protections prevent unauthorized foreign access to sensitive health data shared via email.
- The law requires healthcare providers to implement strict controls and monitoring to prevent foreign adversaries from accessing sensitive data in emails, including encryption and access restrictions.
FAQs
Can HIPAA covered entities share PHI across international borders?
Yes, HIPAA does not explicitly prohibit cross-border sharing of PHI, but entities must ensure that any international transfer complies with HIPAA’s Privacy and Security Rules.
What additional restrictions apply to cross-border sharing of health data under new U.S. national security rules?
As of 2025, the U.S. Department of Justice (DOJ) and Cybersecurity and Infrastructure Security Agency (CISA) have introduced rules restricting the transfer of bulk sensitive personal data.
Does de-identified or anonymized health data fall under these new restrictions?
Yes. Unlike HIPAA, which generally allows sharing of properly de-identified data without restriction, the new national security regulations extend restrictions to aggregated, de-identified, or pseudonymized health data if transferred to foreign adversaries or their controlled entities.
What are the penalties for non-compliance with these cross-border data sharing restrictions?
Violations under the International Emergency Economic Powers Act (IEEPA) and related Data Security Program can result in severe civil penalties up to $368,136 per violation or twice the value of the transaction, and criminal penalties including imprisonment for up to 20 years and fines up to $1 million for willful breaches.