Before Banning TikTok, U.S. Government Needs to Look Closely at the State of Data Privacy in the U.S.

On March 15th, 2023, the Biden administration demanded that the Chinese company ByteDance sell their app TikTok to an American company, or risk having TikTok banned in the United States. The announcement came as lawmakers and government officials expressed concern about the security of users’ data. Though the Biden administration has not threatened to ban TikTok before, the Trump administration did attempt to ban the app in 2020, also citing security concerns. By the end of March 2023, TikTok will be banned on all government devices.

When Trump tried to ban TikTok in 2020, federal judges ruled that the Trump administration must prove that TikTok is enough of a national security threat to outweigh Americans’ First Amendment rights. The Biden administration may take a slightly different approach: a bill with bipartisan support was introduced in mid-March that would allow the Secretary of Commerce to ban any foreign technology that posed a threat to national security. The U.S. Government is concerned that China could access the personal information that TikTok collects from American users.

It is not yet clear how a ban of TikTok would work, but this bill would give Biden the power to ban any American business proceedings with TikTok, which could prevent anybody in the United States from accessing the app. TikTok has over 150 million American users, and the app is closely intertwined with American culture. Thus, a ban would cause major cultural upheaval. 

There is plenty of evidence that TikTok misuses user data. In 2022, it was discovered that engineers in China had access to U.S. data at least from September 2021 to January 2022, despite ByteDance’s claims that U.S. data does not leave U.S. borders. Anton Dahbura, the director of the Johns Hopkins University Information Security Institute, stated in an interview that “the locations of users of the app can be used by foreign actors to determine whether someone works in a facility that may be of interest, such as a military or other government facility,” but that there are many other sectors that are also of interest to the Chinese government and other foreign actors.

The U.S. still lacks an up-to-date blanket federal law concerning data privacy, even though 84% of Americans are at least somewhat concerned about the safety of the data they provide on the internet. Instead, the burden falls on consumers to make sure that their data is not being shared or misused. Internet users are often instructed to be mindful of cookies, use secure browsers, and take other precautions to maintain their privacy online. 

To make matters more complex, there is no national law that specifies whether a company must notify consumers of a data breach, and in most states, companies can share consumer data without disclosing this information to the public. U.S. laws on data privacy currently use an opt-out consent model—meaning consumers must go out of their way to exercise their right to privacy. (Federal laws use this model in large part because of lobbying on behalf of the Internet Association, a group that represents big tech companies like Meta, Amazon, and Google.) Experts advocate for an opt-in model, also known as “privacy by default.” Under this model, it would be up to the user to opt in to settings that could allow apps or companies to access their data, which is far safer for users, although it is less profitable for companies.

The European Union (EU), on the other hand, already uses the opt-in model in its laws regarding data privacy, which are much more up to date and comprehensive. Often referred to as the “rights-based approach,” the EU uses this model because of its history with data collection—Nazi Germany and fascist Italy collected personal information and used it to commit large-scale human rights atrocities; East Germany’s secret police also collected personal information in a similar way, allowing them to arrest dissidents and conduct espionage.

In 1983, the German Federal Constitutional Court established a constitutional right to “informational self-determination.” It is with this background that Germany spearheaded the creation of the General Data Protection Regulation (GDPR). The GDPR imposes regulations on any company, site, or app that serves customers in the EU. Some American states have drawn from the GDPR to craft their own data privacy statutes—California already enforces one, and four other states will begin enforcing their own this year.

Our current federal laws regarding data privacy and consumer protection were not made recently enough to address the new threats posed by widespread internet use and the possibility of foreign actors abusing their access to Americans’ data. It is time for Congress to create national data privacy laws like those in the EU—laws that put consumers’ right to privacy first, rather than the interests of tech companies. With more comprehensive data privacy laws in place, it would not be necessary to ban apps like TikTok.