The United States’ commitment to an open society — championing free markets, freedom of speech, and association — has fostered collaboration, innovation, and immense economic growth. While open societies lead to the free flow of data, they can be even more susceptible to adversarial nations’ exploitation of personal data and to potential content manipulation, which is what has currently put TikTok in the crosshairs.
Congress attempted to shed some light on concerns surrounding the popular platform in a hearing on Mar. 23, 2023, titled “TikTok: How Congress Can Safeguard American Data Privacy and Protect Children from Online Harms,” during which TikTok’s CEO answered a variety of questions for nearly five hours. After the hearing, it remains unclear what the next step is and if any solution would be amenable to US policymakers. While there are multiple paths forward, only one helps get at the major underlying problem: a comprehensive federal data privacy and security law.
THE INCOMPLETE APPROACHES
The focus on banning TikTok to prevent the Chinese Communist Party from accessing data does not solve the problem. Adversarial nations will always attempt to exploit different applications, software, or hardware that can collect and share US users’ data –– or just access US data from a third party like a data broker –– and pose a national security risk. Ideas to address TikTok range from fully banning it in the United States to more niche legislation like providing notice when data is sent to China, among other proposals.
There is no comprehensive federal privacy and security law in the United States, leaving data reservoirs open to a digital Wild Wild West in which there are few rules on how data can be collected, used, and shared.
One proposal receiving significant attention is the Restricting the Emergence of Security Threats that Risk Information and Communications Technology Act (RESTRICT), which aims to address the current threats posed by foreign adversaries’ technology. If enacted, it would provide unprecedented and broad authority to the Secretary of Commerce to take action directed at communications and technology products of concern, including establishing appropriate rules and regulations, issuing guidance, and investigating violations.
The legislation’s broader approach is helpful in that it avoids focusing on just one country and type of technology. However, if enacted, this scheme could potentially face a legal challenge for free speech infringement, although the US Supreme Court has precedent for giving deference to the executive in cases of national security. The authority vested in a federal agency also brings about risks.
The RESTRICT Act is favored by the Biden administration, prompting a statement from its National Security Advisor claiming it would “prevent certain foreign governments from exploiting technology services operating in the United States in a way that poses risks to Americans’ sensitive data and our national security.” The irony is that the administration also favors permitting alternate app stores outside of Apple and Google and supports users’ ability to delete pre-installed apps. However, once Apple and Google are forced to open their app ecosystem, it will be difficult to regulate which apps are installed by users, even if those apps are banned under the RESTRICT Act. Sideloading apps could allow users to install apps banned under the RESTRICT Act, or non-vetted apps containing malicious malware installed on devices from unsuspecting users.
THE NECESSARY APPROACH
There is no comprehensive federal privacy and security law in the United States, leaving data reservoirs open to a digital Wild Wild West in which there are few rules on how data can be collected, used, and shared. Instead, the country operates through a confusing maze of state-level privacy laws and other regulations that focus only on specific sectors like finance or health care. This means most Americans fall outside of protection and are vulnerable to both privacy and security harms. US lawmakers should focus on enacting a comprehensive federal privacy and security law that will protect all Americans’ data — one similar to the 117th Congress’ American Data Privacy Protection Act (ADPPA), which made significant progress but ultimately stalled.
A bill like ADPPA goes beyond simply enacting consumer privacy protections — it also has direct national security benefits. It would embrace a data minimization structure where the amount of data collected is limited in the first place, mandate protections for how data is secured, and put consumers on notice when data is transferred to select adversarial countries like China and Russia, among other benefits.
Appetite for such a law continues in the 118th Congress, with House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.) saying, “A ban is only a short-term way to address TikTok. The data privacy bill is the only way to stop TikTok from ever happening again in the United States.” Support for a comprehensive approach was reiterated by a majority of House Energy and Commerce Committee members in recent hearings. The chair of the Senate Commerce Committee, Senator Maria Cantwell (D-Wash.), has noted her primary concern is a data privacy bill as well.
TikTok is currently in the spotlight, but other companies or products will present similar concerns in the future. Any action directed at TikTok would just be a temporary or partial solution. Holistic action to address data privacy and security is the way to avoid the same situation, all while better protecting Americans.
Brandon Pugh is the policy director and resident senior fellow for the R Street Institute’s Cybersecurity and Emerging Threats team.
Steven Ward is a data privacy and security fellow for the R Street Institute’s Cybersecurity and Emerging Threats team.