New Bill Aims to Shield Military Data: Data Brokers Face Ban on Sales to Foreign Adversaries

Alright, let's break down a new piece of legislation called the "Protecting Military Servicemembers Data from Foreign Adversaries Act of 2025." In a nutshell, this bill is designed to stop data brokers from selling or otherwise providing lists containing the personal information of U.S. military servicemembers—both current and former—to what the bill calls "covered nations" or entities controlled by them. Think countries like China, Russia, North Korea, and Iran, as defined by existing U.S. law (10 U.S.C. 4872(f)). The bill clearly defines a "data broker" as someone who knowingly collects and sells personal info without having a direct relationship with the individuals, and a "military service list" as a compilation of personal data specifically about servicemembers.

The Lowdown: Keeping Military Data Out of Enemy Hands

The core of this bill, found in Section 3, is pretty direct: it makes it illegal for data brokers to provide these military service lists to those designated foreign adversaries or any person or company that is based in, directed by, or even just 20% owned by someone from one of these nations. This isn't just about direct sales; the bill also requires that any contracts involving these lists must prevent their resale to these restricted countries or entities. It also cracks down on attempts to get around these rules, like using shell companies or other sneaky tactics. Essentially, if you're a company that packages and sells personal data, you'll be barred from sending lists of U.S. military personnel to these specific foreign powers. This aims to cut off a potential flow of sensitive information that could be exploited.

The Watchdogs: How This Ban Gets Enforced

So, how does this actually get enforced? Section 4 gives the Federal Trade Commission (FTC) the main job. If a data broker violates this new act, it's treated as a violation of the Federal Trade Commission Act. This means the FTC gets its usual toolkit: they can investigate, bring civil lawsuits, and ask courts for injunctions (orders to stop the activity), compliance orders, and even seek damages or restitution for consumers. The FTC also has a one-year deadline from the Act's passage to issue specific regulations to implement it, following standard public notice-and-comment procedures. Notably, the FTC's enforcement power here extends to nonprofit organizations, which isn't always the case.

State Attorneys General also get a role. They can bring their own civil actions in federal court on behalf of their state's residents if they find a data broker violating the act, seeking similar remedies like injunctions and damages. They're required to notify the FTC before filing suit (unless it's urgent), and the FTC can choose to intervene in these state-led cases. This dual federal-state enforcement approach is designed to give the law more teeth, though a state can't sue if the FTC is already pursuing the same violation against the same defendant.

Looking Ahead: Is This Shield Strong Enough?

Beyond the immediate ban and enforcement mechanisms, Section 5 mandates a review. The Comptroller General of the United States (who heads the Government Accountability Office, Congress's investigative arm) must submit a report to Congress within one year of the Act's enactment. This report will dig into a few key areas: how well the Act is being enforced, whether more resources or stronger enforcement powers are needed to protect U.S. national security from data brokers selling sensitive personal information, and, crucially, whether the Act’s protections should be expanded to cover more individuals or different types of personal information. This built-in review process means there will be an official look at whether this new shield is working as intended and if it needs to be strengthened or broadened in the future to better protect national security interests.