The TikTok question and the urgency of a Federal privacy law

Last week, the Biden wardship demanded that TikTok, which is owned by the Chinese technology visitor ByteDance, either divest its American operations or squatter the app’s forcing from the US market. I have written well-nigh calls for TikTok to be vetoed domestically in the United States three times:

• What do TikTok and Grindr have in common? (August 2020)
• The right thing for the wrong reasons: the TikTok and WeChat ban (September 2020)
• Is TikTok’s honeymoon over? (July 2022)

The first two of these wares were written in response to the Trump administration’s proposed ban of TikTok (and WeChat) in the United States; the third was written in response to hair-trigger sentiment towards TikTok from a commissioner of the FCC, who had published a letter asking Apple and Google to remove the TikTok app from the US instances of the App Store and Google Play, respectively.

Much of the commentary on a potential TikTok ban points to two aspects of ByteDance’s ownership of TikTok — and its influence over 100MM US-based users — as stuff problematic:

1. ByteDance could be obligated to turn its global user data over to the Chinese government in vibrations with Article 7 of the National Intelligence Law of the People’s Republic of China. While a representative of TikTok claimed in Congressional testimony that the visitor does not share data with the Chinese government, a former employee told a Congressional hearing the opposite, and an internal investigation found that China-based employees had inappropriately accessed data on US-based journalists;
2. ByteDance, through control of TikTok’s content recommendation algorithm, can influence social sentiment in the US in a way that presents a national security threat. This snooping renders the situation particularly flammable given that the Chinese government is unlikely to indulge the algorithm to be conveyed in the event that TikTok’s US operations are divested.

The discussion virtually a potential ban on TikTok has been, to my mind, distracted by an unhelpful strain of whataboutism: “American-domiciled social media platforms collect expansive amounts of data, so why is TikTok of particular concern?” But this line of syllogistics misses the point: ByteDance can be compelled to surrender user-level data to the Chinese government. The telescopic of data placid by TikTok relative to other social media platforms, or the fact that TikTok denies that it shares user data with the Chinese government, is largely abreast the point. The idea that data from American users might be shared with the Chinese government is arresting; that possibility vacated renders comparisons with Meta, Google, Snap, etc. wholly unsuitable.

I believe that two questions should inform any treatment of TikTok at this juncture:

1. Should a visitor be unliable to operate in the US market without restriction if that visitor can be legally obligated through a quirk of its domestic legal environment to share user data with its host government?
2. If the wordplay to question #1 is “no,” then what restrictions must be unromantic to that visitor such that its operations in the US market are permissible from a national security standpoint?

My personal weighing is that, so long as TikTok’s American operations can be comprehensibly and credibly ring-fenced and segmented from the broader TikTok organization, with proper oversight from American regulators, its forced divestiture or an outright and total ban from the United States market seems unnecessary.

It’s important to alimony in mind that Trump’s struggle to ban TikTok was blocked through a legal rencontre and was ultimately revoked early in Biden’s term — so it’s unclear if a ban is plane realistic. On this point, I find this interview with a former intelligence official and current lecturer at Harvard Law School to be instructive. Particularly:

Without congressional action, I think you’d see that same rencontre based on the wording of IEEPA. I think you would probably moreover see First Amendment challenges, maybe challenges under the Administrative Procedures Act. I think it would be tied up in the courts at a minimum, and those challenges might succeed….The way I’d squint at it is, Trump’s ban was really a sledgehammer. It was, in my opinion at least, designed to make headlines, scrutinizingly a form of trolling. As long as you get the headlines well-nigh trying to ban TikTok, whether you succeed or not, maybe that serves the political goal. And maybe Biden has the same motivation. But if what you’re trying to do is write national security concerns, I think you want an tideway that’s increasingly likely to survive a magistrate challenge….But I do think that regulations are increasingly likely to survive in the courts, rather than a unappetizing out ban. Maybe it amounts to the same thing if the tideway is so restrictive that the visitor chooses not to do it. But you have to at least try to show that you can write the concerns in a way other than just by banning it.

While a precedent for forced divestiture exists in the specimen of Grindr, a ban on TikTok simply may be untellable to enforce, per Trump’s attempt. But the reality is that a template for treating cross-border social media data flows once exists, and it was established by the EU with the invalidation of the EU-US Safe Harbor framework and the EU-US Privacy Shield, two successive data transmission frameworks that unliable data to spritz freely between servers in the EU and US. In a series of legal decisions catalyzed by lawsuits from privacy objector Max Schrems, the European Magistrate of Justice struck lanugo the Safe Harbor Privacy Principles in 2015 in a visualization known as Schrems I and then in 2020 supposed that the EU-US Privacy Shield, which was enacted to replace Safe Harbor, was likewise invalid in a visualization known as Schrems II. These frameworks were invalidated as a response to the revelations of Edward Snowden related to the US intelligence apparatus’ worthiness to monitor communications.

As discussed in A deep swoop on European data privacy law, the replacement for the EU-US Privacy Shield — tabbed the Trans-Atlantic Data Privacy Framework — has yet to be ratified by European authorities, meaning that trans-Atlantic data flows may wilt illegal as soon as May. And in fact, there is currently an initiative underway to gravity Meta — which is the subject of the Schrems I and Schrems II lawsuits, although it is not the only visitor to which these decisions wield — to delete any data transferred from the EU to the US since Schrems II was decided in 2020. The EU provides guidance on how to deal with cross-border data flows that might be subject to government observation: combine muscular privacy law with limitations on what can be transferred, and to where.

To my mind, banning TikTok would be a clumsy, sledgehammer policy, and it wouldn’t write the root of the issue. Rather, Congress should enact a Federal privacy law that 1) elides and clarifies the untenable patchwork of state-level privacy laws that companies must currently navigate and 2) sets rigorous standards for how data can be aggregated, activated, and utilized. Worth noting is that China’s domestic data privacy laws are relatively strict, and its government has imposed exacting restrictions on its own technology sector. The US should straight-up a coherent national legal standard for processing user data and not struggle to unstrengthen systemic privacy vulnerabilities with narrow, ad hoc solutions.