Earlier this year, the US Congress decided that TikTok, the social media app primarily used for sharing short form video content, was a security risk to the United States. The argument essentially boils down to TikTok being owned by ByteDance, a Chinese company. Because of that, it is argued that the Chinese government could order ByteDance to order TikTok to hand over the personal information of US citizens, including teenagers with whom the app is incredibly popular. In hearings to discuss TikTok, many senators and representatives suggested the need for a federal privacy law, but follow up to that idea has been (and I feel like I am being generous here) lacking. So how does privacy solve this problem?
First, defining what is in the proposed privacy law is important. Both the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act (APRA) were shot down based on concerns around preemption. This means that the states, and mostly it would seem California, had concerns that these laws would not provide adequate protections for privacy to that of their laws, the California Consumer Privacy Act (CCPA), and preemption would allow the federal law to supersede the state law. Effectively, it became a states’ rights issue. However, both the proposed acts included language for privacy rights for individuals, such as access or erasure, privacy by design provisions, notice requirements, and similar requirements that we see in emerging state laws such as New Hampshire, New Jersey, or Nebraska. This is essentially where the EU was before GDPR: a patchwork of privacy laws lacking harmonization that the General Data Protection Regulation (GDPR) brought. While it isn’t as fleshed out as the GDPR, a CCPA-like law at the federal level would be acceptable, or at least it would be a good start.
So how does this handle the issues around TikTok? First, we should ask the question, does the US government have the duty to prevent all harm to its citizens? I would argue no, based on a few examples, the most apparent being cigarettes. It is a known fact that cigarettes kill or lead to the death of people by cancer and other conditions related to their use. However, the federal government has never outright banned cigarettes, instead putting significant taxes and a surgeon general warning on them to dissuade individuals from their use. Advertisements for cigarettes are banned in some mediums and ways, such as the infamous Joe Camel ads that targeted children, but not their sale in total.
With that said, if the issue is security of information, couldn’t the US put transfer requirements to prevent data loss, and require a notice that says when and where data may be transferred? Allow the US consumer to make that decision, even if it is a bad one. Additionally, a federal privacy law would allow for audits or investigations of organizations like TikTok to ensure compliance or find malicious activity. As it stands now though, it is impossible to enforce a law that doesn’t exist.
So does a privacy law answer all the problems? Not necessarily, but the idea that individuals must be protected from bad decisions seems to lack any precedent in US law. I can agree the government is right to ban TikTok from government devices, such as the phones or tablets used at any federal agency. Where it concerns the general citizenry of the United States however, I believe this is the equivalent approach of using a sledgehammer to hang up photographs.
Reach out to Privacy Ref with all your organizational privacy concerns, email us at info@privacyref.com or call us 1-888-470-1528. If you are looking to master your privacy skills, check out our training schedule, register today and get trained by the top attended IAPP Official Training Partner.