The TikTok question and the urgency of a Federal privacy law

Last week, the Biden administration demanded that TikTok, which is owned by the Chinese technology company ByteDance, either divest its American operations or face the app’s banishment from the US market. I have written about calls for TikTok to be banned domestically in the United States three times:

The first two of these articles were written in response to the Trump administration’s proposed ban of TikTok (and WeChat) in the United States; the third was written in response to critical sentiment towards TikTok from a commissioner of the FCC, who had published a letter asking Apple and Google to remove the TikTok app from the US instances of the App Store and Google Play, respectively.

Much of the commentary on a potential TikTok ban points to two aspects of ByteDance’s ownership of TikTok — and its influence over 100MM US-based users — as being problematic:

  1. ByteDance could be obligated to turn its global user data over to the Chinese government in accordance with Article 7 of the National Intelligence Law of the People’s Republic of China. While a representative of TikTok claimed in Congressional testimony that the company does not share data with the Chinese government, a former employee told a Congressional hearing the opposite, and an internal investigation found that China-based employees had inappropriately accessed data on US-based journalists;
  2. ByteDance, through control of TikTok’s content recommendation algorithm, can influence social sentiment in the US in a way that presents a national security threat. This concern renders the situation particularly combustible given that the Chinese government is unlikely to allow the algorithm to be conveyed in the event that TikTok’s US operations are divested.

The discussion around a potential ban on TikTok has been, to my mind, distracted by an unhelpful strain of whataboutism: “American-domiciled social media platforms collect expansive amounts of data, so why is TikTok of particular concern?” But this line of argumentation misses the point: ByteDance can be compelled to surrender user-level data to the Chinese government. The scope of data collected by TikTok relative to other social media platforms, or the fact that TikTok denies that it shares user data with the Chinese government, is largely beside the point. The idea that data from American users might be shared with the Chinese government is arresting; that possibility alone renders comparisons with Meta, Google, Snap, etc. wholly unsuitable.

I believe that two questions should inform any treatment of TikTok at this juncture:

  1. Should a company be allowed to operate in the US market without restriction if that company can be legally obligated through a quirk of its domestic legal environment to share user data with its host government?
  2. If the answer to question #1 is “no,” then what restrictions must be applied to that company such that its operations in the US market are permissible from a national security standpoint?

My personal belief is that, so long as TikTok’s American operations can be comprehensively and credibly ring-fenced and segmented from the broader TikTok organization, with proper oversight from American regulators, its forced divestiture or an outright and total ban from the United States market seems unnecessary.

It’s important to keep in mind that Trump’s attempt to ban TikTok was blocked through a legal challenge and was ultimately revoked early in Biden’s term — so it’s unclear if a ban is even realistic. On this point, I find this interview with a former intelligence official and current lecturer at Harvard Law School to be instructive. Particularly:

“Without congressional action, I think you’d see that same challenge based on the wording of IEEPA. I think you would probably also see First Amendment challenges, maybe challenges under the Administrative Procedures Act. I think it would be tied up in the courts at a minimum, and those challenges might succeed…. The way I’d look at it is, Trump’s ban was really a sledgehammer. It was, in my opinion at least, designed to make headlines, almost a form of trolling. As long as you get the headlines about trying to ban TikTok, whether you succeed or not, maybe that serves the political goal. And maybe Biden has the same motivation. But if what you’re trying to do is address national security concerns, I think you want an approach that’s more likely to survive a court challenge…. But I do think that regulations are more likely to survive in the courts, rather than a flat-out ban. Maybe it amounts to the same thing if the approach is so restrictive that the company chooses not to do it. But you have to at least try to show that you can address the concerns in a way other than just by banning it.”

While a precedent for forced divestiture exists in the case of Grindr, a ban on TikTok simply may be impossible to enforce, per Trump’s attempt. But the reality is that a template for treating cross-border social media data flows already exists, and it was established by the EU with the invalidation of the EU-US Safe Harbor framework and the EU-US Privacy Shield, two successive data transmission frameworks that allowed data to flow freely between servers in the EU and US. In a series of legal decisions catalyzed by lawsuits from privacy activist Max Schrems, the European Court of Justice struck down the Safe Harbor Privacy Principles in 2016 in a decision known as Schrems I and then in 2020 declared that the EU-US Privacy Shield, which was enacted to replace Safe Harbor, was likewise invalid in a decision known as Schrems II. These frameworks were invalidated as a response to the revelations of Edward Snowden related to the US intelligence apparatus’ ability to monitor communications.

As discussed in A deep dive on European data privacy law, the replacement for the EU-US Privacy Shield — called the Trans-Atlantic Data Privacy Framework — has yet to be ratified by European authorities, meaning that trans-Atlantic data flows may become illegal as soon as May. And in fact, there is currently an initiative underway to force Meta — which is the subject of the Schrems I and Schrems II lawsuits, although it is not the only company to which these decisions apply — to delete any data transferred from the EU to the US since Schrems II was decided in 2020. The EU provides guidance on how to deal with cross-border data flows that might be subject to government observation: combine muscular privacy law with limitations on what can be transferred, and to where.

To my mind, banning TikTok would be a clumsy, sledgehammer policy, and it wouldn’t address the root of the issue. Rather, Congress should enact a Federal privacy law that 1) elides and clarifies the untenable patchwork of state-level privacy laws that companies must currently navigate and 2) sets rigorous standards for how data can be aggregated, activated, and utilized. Worth noting is that China’s domestic data privacy laws are relatively strict, and its government has imposed exacting restrictions on its own technology sector. The US should erect a coherent national legal standard for processing user data and not attempt to attenuate systemic privacy vulnerabilities with narrow, ad hoc solutions.