[co-author: Christopher Rivera]
The recent passage of H.R.7521, the Protecting Americans from Foreign Adversary Controlled Applications Act (the “Act”), by the House of Representatives aims to restrict TikTok to U.S. users unless the platform’s parent company, Beijing ByteDance Technology Co Ltd, divests its ownership stakes.[1] This has ignited the debate surrounding national security, data privacy, and the rights of citizens to freely access information and applications. Central to this debate is whether such specific legislation truly achieves its stated goals of securing the data of U.S. citizens or simply provides a temporary solution to the expansive challenge of data privacy and exploitation by both international and national companies. As further discussed below, we will explore why narrowly targeting a single international company, TikTok, is insufficient to address the underlying issues the Act aims to resolve. Instead, we propose that an effective approach to safeguarding U.S. consumer data could be realized through the enactment of a comprehensive federal data privacy law, akin to the European Union’s General Data Protection Regulation (“GDPR”), which would establish extensive policies over the use and control of the date of U.S. citizens.
An Overview of the Act
The Act underlines legitimate concerns regarding data privacy and national security. Mainly, the potential risk of over 100 million U.S. citizens having their personal identifying information (“PII”) transferred to a foreign sovereignty. The Act is predicated on the fear that ByteDance, TikTok's parent company, could be compelled by foreign laws to share user data with the Chinese government, posing a threat to U.S. national security. In order to avert this potential scenario, the Act introduces a legal framework aimed at limiting and potentially discontinuing the operation of digital applications within the United States if they are owned or controlled by entities associated with foreign adversaries.
Upon enactment of the Act, covered entities will be given a 180-day compliance period, during which such entities will be required to facilitate user data transfers out of the affected application prior to the enforcement of any restrictions. Violations of the Act invoke civil penalties of up to $5,000 per user for app-related violations and $500 per user for data portability non-compliance. The enforcement of these penalties and the provisions of the Act are overseen by the Attorney General, who is authorized to conduct investigations and pursue legal action to ensure adherence and uphold compliance with this security-focused legislation.
The Underlying Issues of Taking This Approach
This approach raises several key issues that warrant careful consideration and analysis. Firstly, singling out TikTok is likely too narrow of a focus, as domestic companies such as Meta and Google similarly collect substantial volumes of user data, often without sufficient transparency or explicit user consent. For example, in 2019, the Federal Trade Commission (FTC) imposed a $5 billion civil penalty against Meta for deceiving users about their ability to control the privacy of their personal information, and between 2021 and 2023, the FTC has taken action to address privacy and security threats in several key areas from children’s privacy to geolocation against such companies as Amazon, Microsoft, and, Fortnite maker, Epic Games.[2] This raises concerns about the equity and consistency in addressing data privacy practices across various platforms and companies, both foreign and domestic.
Second, the Act could potentially set a precedent for government intervention in the digital space, which might lead to innovation being stifled and free speech being restricted. This is significant here as millions of U.S. citizens utilize TikTok for various purposes, including business activities, expression, and political engagement. Restricting the use of TikTok outright, as provided within the Act, could remove a crucial platform for citizens, impacting entrepreneurs, public figures, and political organizations alike.
Lastly, there are issues surrounding the enforceability of this type of restriction. While users within the United States may lose access to TikTok through U.S. app stores, users could potentially circumvent these restrictions using virtual private networks (VPNs) and other technological solutions that are readily available in the digital marketplace. This raises doubts about the practicality and effectiveness of completely ending the use of TikTok in the United States, as users may find alternative methods to continue accessing the platform despite the imposed restrictions. Furthermore, with the availability of workarounds allowing users to access TikTok despite restrictions imposed by the Act, there are concerns about the Act's effectiveness in achieving its primary objective of protecting PII. These loopholes expose the inadequacy of the Act to achieve its intended goal of safeguarding user data and raises doubts about the overall impact and efficacy of the legislative measures implemented to address the data privacy concerns the Act itself raises.
The Case for Comprehensive Federal Data Privacy Legislation
In contrast to the approach of the Act, comprehensive federal data privacy legislation would likely provide a more robust and effective solution. As explained above, the central issue here is the security and protection of PII. However, the Act’s focus solely on the actions of foreign entities does not adequately address broader data privacy challenges faced by domestic platforms. Additionally, the Act’s punitive measures against foreign entities could come at significant costs and may not comprehensively address the underlying data privacy issues affecting users across various platforms and services.
On the other hand, a comprehensive federal data privacy law would establish a unified regulatory framework, mandating guidelines for the collection, use, storage, and transfer of PII by companies operating within the nation without the consequential outcomes the Act imposes. This would not only help prevent the underlying concerns of the Act, but also promote more ethical data privacy practices by all companies that collect and maintain the PII of U.S. citizens.
Moreover, such a law would empower U.S. citizens by granting them greater control over their data, including the right to request and obtain a copy of their PII held by such organizations, the right to correct inaccuracies or incomplete data held by such organizations, and the right to request the deletion or removal of their PII under certain circumstances. By providing these rights, comprehensive federal data privacy legislation would strengthen consumer protections, promote accountability among businesses, and foster a more transparent and equitable digital ecosystem where individuals have greater agency over their personal information. This approach aligns with global data protection standards and frameworks, such as the European Union's General Data Protection Regulation (GDPR), which emphasizes empowering individuals with robust rights and control over their data. By enforcing accountability and providing clear limitations on data usage, a federal data privacy law would adequately address the data privacy concerns raised by the Act and ensure that personal information is handled securely, thus safeguarding citizens against the overreach of data practices from both foreign and domestic entities.
The American Privacy Rights Act
On April 7, 2024, a draft of the American Privacy Rights Act (“APRA”) was introduced by Congresswoman Cathy McMorris Rodgers and Senator Maria Cantwell. This proposed law signifies a legislative initiative to standardize data privacy protection for U.S. citizens while simultaneously dissolving the varied state-level privacy statutes currently in place.[3]
The APRA confers upon U.S. citizens comprehensive rights that provide more control over their PII. These rights include the ability to access, correct, delete, and export their data, understand where and why their data is transferred, internally or to third-parties, and have their requests processed within defined timeframes. Additionally, the APRA enables citizens to opt-out of profiling and targeting advertising.
An essential principle of the APRA is data minimization, which limits a company’s collection of data to only such data that is essential for the provision of such company’s services to the specific user. This aspect of the legislation is particularly pertinent in the context of companies like TikTok, which, under the stipulations of APRA, would be prohibited from indiscriminately harvesting user data, thereby reducing the amount of PII that potentially could be exposed.
The requirement for explicit consent before any transfer of PII also places a substantial check on the dissemination of information to foreign entities. By mandating these rigorous data collection and processing standards, the APRA lays down a legal framework that could significantly diminish the likelihood of U.S. citizens' PII falling into the possession of foreign governments.
In the case of a potential breach of privacy or unauthorized transfer of data, the APRA empowers the Federal Trade Commission, state attorney generals, and private citizens to pursue legal action. This enforceable right would help ensure that companies remain compliant with the privacy standards set forth, under the scrutiny of not only regulatory bodies but also the vigilant eye of the populace whose data they manage. The introduction of these legal avenues for recourse transforms privacy rights from abstract principles to actionable claims, providing a robust mechanism for holding entities accountable.
The issues that the Protecting Americans from Foreign Adversary Controlled Applications Act aims to address are directly tackled by the APRA through its comprehensive governance structure. By setting a high bar for consent, data minimization, and legal enforcement, the APRA could effectively reduce the risks associated with the transfer of PII to foreign governments. While the TikTok ban focuses on a singular platform and the potential threats it poses, the APRA offers a more expansive, systematic approach to safeguarding the privacy of U.S. citizens across all digital platforms. Through these measures, the APRA not only answers the immediate privacy and national security challenges but also fortifies the digital ecosystem against future threats.
Conclusion
While the motivations behind the Protecting Americans from Foreign Adversary Controlled Applications Act are grounded in legitimate concerns for national security and data privacy, its narrow focus and potential implications for free expression and innovation suggest that it may not be the most sufficient means of protecting the data of U.S. citizens. Alternatively, a comprehensive federal law, such as the APRA, would offer a more balanced and effective framework for safeguarding PII against foreign adversaries as well as domestic companies that may be engaging in unethical data practices. Such legislation would not only address the immediate concerns surrounding TikTok but also provide a robust foundation for the ongoing protection of American data privacy in the digital age.
[1] https://www.congress.gov/bill/118th-congress/house-bill/7521/text
[2] https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions-facebook; https://www.ftc.gov/news-events/news/press-releases/2024/03/ftc-releases-2023-privacy-data-security-update.
[3] American_Privacy_Rights_Act_of_2024.pdf
