
Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“PADFAA”)

PADFAA is the Federal Trade Commission’s (“FTC”) counterpart to the Department of Justice’s (“DOJ”) Access to U.S. Sensitive Personal Data and Government-related Data by Countries of Concern or Covered Persons (the “Bulk Data Rules”). While both regimes target China, PADFAA is more narrowly tailored to focus on “data brokers” but without any bulk quantity thresholds. Borrowing from the Protecting Americans from Foreign Adversary Controlled Applications Act (the “TikTok Act”), PADFAA adopts the “headquarters” test to identify these parties, necessitating detailed ownership data analysis for its enforcement.

Kenna Camper
By Larry Sussman
March 14, 2025
One single record of sensitive personal information of US persons transmitted by a data broker to adversary countries or those parties controlled by them is all it takes to trigger PADFAA. This is a completely different approach from the Bulk Data Rules covered in our prior blog, which require bulk amounts of sensitive data. The two rules are overlapping, yet complementary. PADFAA is triggered when the following three elements are satisfied:

  • the definition of “Data Broker” (defined below) is met;
  • that party hands over even one record of personally identifiable sensitive data of a U.S. individual (“Sensitive Data”, defined below); and
  • the recipient is an adversary country or party controlled by it (including under the headquarters test).

The key distinction between PADFAA and the DOJ’s Bulk Data Rules is the Data Broker requirement and the lack of bulk thresholds. Once a Data Broker is found, the two rules are similar in that the current list of Sensitive Data and adversary countries are a subset of those covered by the DOJ version (and PADFAA adopts a more sensitive control standard). In contrast, a Data Broker finding is not required under the DOJ version as all parties are covered provided bulk amounts of regulated data are being provided.

The other notable difference is the responsible agency – the FTC. Next to the DOJ rules, this may seem curious at first glance. However, the FTC has a track record of investigating data brokers.

FTC Data Brokerage Oversight Prior to PADFAA

Prior to PADFAA, the FTC regularly investigated domestic data brokerage companies under general regulatory authority for possible unfair or deceptive acts or practices in or affecting commerce. A recent example of this is Federal Trade Commission v. Kochava, Inc. (last updated on February 3, 2025).[1] In that case, the FTC argued that Kochava invaded consumers’ privacy and exposed them to risks of secondary harms by third parties by selling their daily precise geolocation data. The FTC noted sensitive locations included in Kochava’s data such as locations associated with medical care, religious worship, mental health, domestic violence, and addiction recovery. While the FTC’s claim focused on geolocation data, it also noted the variety of other data Kochava has on offer such as names, Mobile Advertising IDs (or “MAIDs”), addresses, phone numbers, email addresses, gender, age, ethnicity, yearly income, economic stability, marital status, education level, political affiliation, app affinity, app usage, and interests and behaviors.

FTC cases like Kochava delve into the intricacies and growing sophistication of the data brokerage industry. These cases illustrate the granularity of data brokerage products and show how data is shared among data brokers to refine their abilities to make inferences on all manner of human behavior.

PADFAA Empowers the FTC Against Foreign Adversaries

The FTC had difficulties making its case against Kochava because it did not initially meet the legal standard under its unfair or deceptive practices rules to make a showing of a substantial consumer injury. The court dismissed the FTC’s first claim in Kochava because its complaint required inferences to associate data with individuals, and certain data could be obtained through other legal means. Ironically, this prompted the FTC in an amended complaint to dig much deeper into Kochava and its own marketing claims to show how pervasive their data products may be.

PADFAA eliminates this hurdle by creating a categorical rule when Data Brokers hand over Sensitive Data to adversary countries or persons controlled by them (defined below).

What is a Data Broker?

A data broker is any entity engaging in the act of selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to, or otherwise making available Sensitive Data that it did not collect directly from individuals to another entity for valuable consideration.

There are two exclusions to this definition. First, entities are carved out of the data brokerage definition if they are merely providing Sensitive Data to service providers who process the data for them. This seems similar to the concept of a “business associate” under the Health Insurance Portability and Accountability Act. However, the service provider definition is technical in that it is limited to entities that only collect, process, or transfer data on behalf of an individual or entity that is not a foreign adversary country or controlled by a foreign adversary (or a U.S. government entity) and it must receive data from such entities in the same capacity. Once again, without the bulk thresholds of the Bulk Data Rules, it appears that certain data processing vendors can themselves become Data Brokers if they transmit one Sensitive Data file to the wrong entity.

In addition, the following entities are specifically excluded from the Data Broker definition:

  • those transmitting Sensitive Data at the individual’s request (e.g., email, telecommunications, shipping platforms);
  • those dealing in Sensitive Data where access to it is not the product or service;
  • news publishers;
  • media publishers to the general public (not including an obscene visual depiction); and
  • service providers, as defined above.

Foreign Adversary Control

Currently, the following countries are considered foreign adversaries under PADFAA:

  • China;
  • Russia;
  • Iran;
  • North Korea.

An entity or individual is controlled by a foreign adversary where it is:

  • a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
  • an entity in which the above persons directly or indirectly own at least a 20 percent stake; or
  • a person subject to the direction or control of the above.

Where is the Headquarters of a Company for National Security Purposes?

The domiciliary and principal place of business tests are considerably old standards that can be found in essentially all manner of US law seeking to identify the jurisdiction of individuals and entities. More recently, the reference to headquarters is appearing more often in national security related regulations in relation to identifying the nationality of foreign entities. A WireScreen webinar explores the various national security contexts in which this term is being used lately. Among them, the term was adopted by the TikTok Act, the legislation issued simultaneously with PADFAA. See our blog on It’s Not Just About TikTok for more details.

Using ByteDance/TikTok as an example of the headquarters phenomenon, we can see in WireScreen that it is a Cayman Islands incorporated company that in turn owns a TikTok branded US operating company. We also know that key officers are located in Singapore and that its shareholders predominantly include a long list of well-known international brand name private equity funds, plus founder and employee interests. The Cayman structure also holds numerous subsidiaries worldwide, including in China, with various executives located in the local country subsidiaries.

Given this offshore Cayman structure and (purposely) diversified executive locations, various arguments are made as to the location of its principal place of business. Borrowing from other legal contexts, where is this company’s “nerve center” or “center of gravity”?[2] The company clearly originated in China and has substantial operating assets within China, but does that go directly to headquarters? Somehow it is intuitive that ByteDance is a Chinese actor, but how does that neatly fit within these technical definitions? We have observed at least two technical arguments to conclude that ByteDance is headquartered in China for national security purposes: golden shares and national intelligence law override.

Special management share system?

The special management share system[3] (sometimes called “golden shares”) is a program that allows for preference shares which provide a state-related shareholder with rights that are disproportionate to its shareholding percentage. These shares typically represent a 1% interest in the company but provide the shareholder with a board seat.

WireScreen tracks the insertion of special management shares using historical data which reveals a new 1% shareholder that corresponds to the appointment of a new board member having a state background at the same time. These shares may also carry other features such as veto rights over specific issues.

In the case of ByteDance, the state-related shareholder is CIIF Chinese (Beijing) Technology Company Limited (“CIIF” or “Wangtou”). 

As shown below in WireScreen, CIIF’s beneficial owners can be traced back to the government directly.  

In addition, we can see on WireScreen that the board member appointed simultaneously with the special management shares insertion was Wu Shugang (see below).

As the WireScreen data shows, the CIIF interest is not present at the Cayman Islands parent company level. Instead, it is placed at one of ByteDance’s key operating companies under the Cayman structure. Does this rise to the level of the headquarters test?

Chinese national security law override?

In addition to China’s National Intelligence Law of 2017, several other related laws and directives[4] contain catch-all type provisions that appear to obligate all companies to some level of government support and disclosure in the realm of national intelligence. Presumably, the argument goes that if a company is specifically dealing in matters relevant to national intelligence (such as mass data collection) then those companies have a heightened obligation to cooperate with various systems in place to implement such arrangements. But how far does this argument go? Does it extend to foreign affiliates of a sensitive Chinese business? Notably, PADFAA covers entities in which a Chinese headquartered company has a 20% direct or indirect shareholding, and all persons subject to the direction and control of such a company.

Similar arguments have been made for quite a while under the Chinese Company Law (Article 18) which provides a mechanism to establish a unit of the CCP in all Chinese incorporated companies regardless of their status. There are also anecdotal reports on how these units are introduced into companies and their practical impact on them, depending on a given company’s sensitivity or profile.

It can be expected that a mixture of these principles will be used to build out the evolving understanding of headquarters for national security purposes. It is quite possible that companies in U.S. allied jurisdictions could be considered as Chinese headquartered in that they have at least a substantial offshore shareholder (e.g., 20%) where that shareholder itself rises to a certain level of sensitivity under China’s various regulations on the subject coupled with political practices.

What is Sensitive Data?

Congress decided that the following data is sensitive for purposes of PADFAA. The standard for whether data is personally identifiable is whether it identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.[5]

FTC studied popular data brokers to understand to what extent data is shared among them. Credit: FTC.gov

[1] See Federal Trade Commission v. Kochava, Inc., Docket Number 2:22-cv-00377-BLW, U.S. District Court for the District of Idaho (Kochava’s motion to dismiss second amended complaint denied, February 3, 2025).

[2] See the US Supreme Court’s case Hertz Corp. v. Friend, 559 US 77 (2010) for an interesting discussion of this jargon which is neither biology nor physics.

[3] See Article 6 of the 2017 revisions to the Provisions for the Administration of Internet News Information Services in connection with China’s Cybersecurity Law issued by the Cyberspace Administration of China (国家互联网信息办公室) for a recent reference to the special management share system or 特殊管理股制度.

[4] For example, the Cybersecurity Law, Data Security Law, and Counter-espionage Law.

[5] For other data records the FTC has considered within the Data Broker marketplace, see Data Brokers, A Call for Transparency and Accountability, Federal Trade Commission, May 2014, https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf

Larry is an experienced lawyer who worked for over 20 years as a partner and Head of China at O’Melveny & Myers in Beijing, and as a partner at Hogan Lovells. As Special Counsel at WireScreen, he specializes in analyzing Chinese ownership structures and their associated national security and sanctions implications.
