The Lesson of TikTok

There are not that many things that excite both teenagers and policy wonks at the same time, but TikTok has found a way to do so. The fate of this Chinese‐​owned social media company that has become a phenomenon in America is now in the spotlight. Because of concerns over data security, it appears that the company must either be sold to Microsoft (or some other American company) or be forced to shut down in the United States.

Although there may be some legitimate concerns here, the administration’s unilateralist approach creates a bad precedent. A better way to address the concerns of data security would be for the United States and others to create a set of international rules to govern data protection, which would foster a safe, fair, and stable environment for both businesses and consumers.

My colleague Julian Sanchez offered some good background on the TikTok ban here. In brief, TikTok, a popular short‐​video app used widely by teenagers, is owned by a Chinese company. In 2017, the Chinese company ByteDance acquired Musi​cal​.ly, a video service popular in the Americas and Europe, and later merged it with TikTok, a similar app that was more popular in Asia. Since then, TikTok has become one of the world’s most popular social media platforms and has 80 million active daily users in the United States alone.

The unexpected growth in popularity in recent years, along with the growing tensions and distrust between the United States and China, raises concerns that TikTok will send the data of U.S. users to its parent company in China, ultimately allowing the Chinese government to access the information. (There are also concerns over how TikTok censors its content, but data security seems to be dominating the conversation for now.)

Because ByteDance acquired Musi​cal​.ly, the Committee on Foreign Investment in the United States (CFIUS) has jurisdiction here. CFIUS is an agency set up to review foreign investments in the United States. It was created by President Ford in 1975 through an Executive Order. In 1988, the Exon‐​Florio Amendment to the Defense Production Act of 1950 authorized the president to block foreign investment, and the CFIUS review process was later codified by the Foreign Investment and National Security Act of 2007. The law authorizes the President to block foreign “mergers, acquisitions, or takeovers” when there is a threat to U.S. national security. The law further clarifies that national security “shall be construed so as to include those issues relating to ‘homeland security’, including its application to critical infrastructure” and “critical technologies.”

ByteDance’s acquisition of Musi​cal​.ly did not lead to a CFIUS review, probably because it appeared to carry few national security risks at the time. However, the level of risk the U.S. is willing to take is now lowered, triggering a reevaluation of the ByteDance’s acquisition, after the passage of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), as part of the John S. McCain National Defense Authorization Act for Fiscal Year 2019. FIRRMA broadened CFIUS’s jurisdiction to cover more transactions and adds more factors to consider, including the risk of “expos[ing] personally identifiable information, genetic information, or other sensitive data of U.S. citizens to access by a foreign government or person that may exploit that information to threaten national security,” when determining whether a transaction poses a threat to national security. This gives CFIUS the authority to review investments that involve personal data.

TikTok is not the first Chinese investment to trigger a CFIUS review because of data security concerns under FIRRMA. The administration has in the past used its authority to force Chinese companies to divest for data security reasons. In 2019, the administration ordered Chinese company iCarbonX to divest its stake in PatientsLikeMe, which was a health tech start‐​up, to protect user data collected by the company. In the same year, Chinese gaming company Kunlun was forced to divest its investment in Grindr, a gay dating app, due to concerns over data safety. Earlier this year, the administration requested Chinese company Shiji, a leader in hotel technology, to divest its holdings in StayNTouch because the Chinese company “might take action that threatens to impair the national security of the United States.” Judging from these existing cases, the scope for CFIUS intervention on the basis of securing personal data can be very broad.

CFIUS has been investigating the ByteDance purchase since last year. Although the investigation is still pending, last week President Trump announced that he would ban the app. After a strong backlash from TikTok users, President Trump put the ban on hold until mid‐​September. This delay is designed to give Microsoft, or some other U.S. company, time to negotiate the purchase of TikTok from ByteDance. If successful, TikTok will then be wholly owned in the United States and its Chinese roots will be completely cut off. If a deal cannot be reached by mid‐​September, TikTok will be banned in the United States, because of the national security threat it poses to the United States, according to an Executive Order issued yesterday.

Without more information from the administration, it is difficult for outsiders to judge how much of a threat TikTok poses to national security. TikTok says that it stores its data in the United States, with a backup located in Singapore. According to one analysis, TikTok does not appear to gather more user data than U.S. tech companies, such as Facebook, and there is no proof that it is sharing data with the Chinese government.

Of course, there is always a possibility that ByteDance will be forced by the Chinese government to hand over data in the future. The administration’s fear of Americans’ personal information falling into the hands of another government is legitimate, but without evidence, the decision to ban TikTok appears to be excessive. And the response may be expanded as time goes on. For now, the administration is targeting Chinese companies, but it could extend the approach to companies that have minimal ties to China or that are simply deemed to be providing inadequate data protection.

Coincidentally, the Court of Justice of the European Union recently invalidated the Privacy Shield framework between the United States and the European Union, which allowed more than 5,300 companies to freely transfer data across the Atlantic. The court ruled that the framework lacked adequate protection of EU citizen’s privacy from the U.S. government. Applying the same logic used to ban TikTok, the EU and other countries could ban U.S. companies, such as Google, Facebook and Twitter.

The TikTok case also has the potential to fuel tensions and additional distrust between Washington and Beijing. Secretary of State Mike Pompeo already warned that more actions will be taken to deal with other Chinese companies that fall into the realm of the Clean Network program. Details of these actions remain unclear, but President Trump has broad authority to take actions under a variety of statutes, including the International Emergency Economic Powers Act, as he stated in one Executive order that bans another Chinese social media app WeChat. Citing data security and national security, Beijing could quickly adopt this U.S. practice (as in the trade remedy regime) and use the same logic to conceal protectionist actions. One could argue that China already bans social media platforms like Twitter and Facebook, so there is little room for Beijing to retaliate. However, there are many more American companies that have access to Chinese consumers’ information in China. Right now, Beijing requires most data to be stored domestically. Beijing could follow the U.S. precedent and start banning these Americans companies or force them to sell their business to a Chinese firm. The scale of vulnerable companies would be massive. As Tom Braithwaite from the Financial Times pointed out, “The great uncoupling would cause huge economic pain to hundreds of US tech companies.”

Data security is not just a concern of the United States. Many others, including the European Union, are just as concerned. Instead of taking unilateral actions against companies and creating instability in the market, governments should agree on a set of international rules and find a forum for adjudicating potential violations. A possible platform is the e‐​commerce negotiations at the World Trade Organization. While major economic powers like the United States, European Union, and China are still at odds on what issues should go into the agreement and what the rules should be, the fate of TikTok should serve as a reminder that without a set of common international rules governing data, we will face a fragmented world, rife with uncertainty, that hurts both companies and consumers.