Danielle McNamara
Senior Editor
Loyola University Chicago School of Law, JD 2023
Since 2019, TikTok and ByteDance, its parent company, officials have been negotiating with the Committee on Foreign Investment of the United States (CFIUS) regarding required technical safeguards they will need to adopt to be in compliance with US national security concerns. The popular social media app, which gained traction during the beginning of 2020 amidst the Covid-19 pandemic, has been scrutinized by many officials regarding concerns for user privacy. Currently, the Biden administration has been working to encourage TikTok’s Chinese owners to sell their investment in the app or face a potential national ban in the U.S.. However, Tiktok representatives argue this will not alleviate concerns about user data privacy.
Data protection concerns
The U.S. government’s initial concerns have centered around the ability of employees at Tiktok to access the personal data of the app’s billion-plus users, creating the possibility of the spread of misinformation and threats of espionage. The Federal Communications Commission and the Federal Bureau of Investigation have also warned that ByteDance could share Tiktok user data including location, browsing history, and biometric identifiers with the Chinese government. These concerns arise out of a law implemented by China in 2017 that requires companies give any personal data relevant to the country’s national security. However, there is currently no evidence that Tiktok has turned over user data to the Chinese government.
Trump administration’s failed ban on Tiktok
The Trump administration planned to effectively ban Tiktok and WeChat, another Chinse based app, in the United States via issuance of two executive orders on August 6, 2020. The orders declared that both apps posed threats to national security because they “collected vast swaths of data on Americans and other users and offered the Chinese Communist Party avenues for censoring or distorting information.”
However, the US District Court in San Francisco issued an order in September of 2020 halting both executive orders after granting a group of WeChat users’ motion to stop the ban. The court stated that the plaintiffs had shown there are “serious questions” related to their First Amendment claim, which argued that WeChat represents a virtual public square for Chinese speakers in the United States, and such a ban would harm free speech. Likewise, a separate order by the Commerce Department delayed the Tiktok ban due to a possible deal to give Oracle Corp. oversight of its U.S. user data.
Proposed deal with Oracle Corp.
Since 2019, Tiktok and ByteDance have been working on a proposal to present to CFIUS in an attempt to protect against a United States ban of the social media app. The proposal, titled “Project Texas” includes partnering with software giant Oracle Corp. to store all US user data within the United States and creates a new U.S. government-controlled corporation, US Data Security (USDS), that would monitor the data of U.S. users. This proposal would give Oracle access to audit its content moderation policies and algorithms. The project has involved a team of lobbyists, academic researchers, and think tank writers, in an effort that cost approximately $1.5 billion dollars to create. However, CFIUS has yet to approve the plan in its entirety and has not released any information regarding its decision.
It is also worth noting that in Oracle is currently fighting off a class-action lawsuit where plaintiffs claim that the company tracks and collects the personal information of billions of people, creating revenues of over $40 billion a year. The lawsuit, filed in the US District Court for the Northern District of California, alleges that Oracle has violated the Federal Electronic Communications Privacy Act, California state constitution, and the California Invasion of Privacy Act. However, in the most recent oral arguments Oracle’s counsel claims that plaintiff’s complaint fails for being too generalized a grievance.
Tiktok’s potential divestment
In early March of this year, the CFIUS presented Tiktok with a series of options, one being divestiture, in an attempt to address security concerns in the United States. However, Tiktok representatives have stated that calls for its Chinese owner to divest its stake in the company are unfounded because such as sale would not actually remedy security concerns regarding the app’s handling of US consumer data. One representative states, “If protecting national security is the objective, divestment does not solve the problem: a change in ownership would not impose any new restrictions on data flows or access.” Tiktok instead argues that involvement of third-party monitoring, verification, and vetting of U.S. user data and systems, which it has already started implementing, would provide more comprehensive data protection.
A forced divestiture may also face legal action from ByteDance, as the company was founded by Chinese investors and is not currently controlled by any governmental entity. Approximately 60 percent of ByteDance’s shares are owned by institutional investors, 20 percent by company employees, and 20 percent by the ByteDance founders.
What’s to come?
At the moment, there are almost no national laws in the United States that will prevent people, companies, or governments from harvesting user data for profit or otherwise. Within the recent past, there have been numerous issues arising within the sphere of data brokers, or companies that collect and compile personal data which they then sell to other businesses. This collection is typically done through the gathering of data on social media websites. At least 25 states and Puerto Rico have introduced or considered almost 140 consumer privacy bills in 2023, and of those only five states have actually enacted comprehensive consumer privacy laws.
Whether or not Tiktok is banned in the United States, it seems that data privacy risks are apparent everywhere, and until there is more comprehensive legislation, removing Tiktok from U.S. users’ app stores is only the tip of the ice burg in the grand scheme of data privacy. Although it appears that the federal government’s concerns are primarily focused on national security issues, even if a forced divestiture occurs, it seems that user data would be far from “secure” in the hands of large corporations that stand to make billions for selling user data.