Would a Prohibition on TikTok Sharing Sensitive U.S.-Person Data with its Parent Company ByteDance be a Viable Alternative? [UPDATED on 01/10 to account for oral argument]

Marty Lederman

My colleague David Cole has published a very helpful column on the New York Review of Books website, succinctly and clearly summarizing the case for why the Supreme Court should hold that the Protecting Americans from Foreign Adversary Controlled Applications Act (PAFFACAA) violates the First Amendment.  

I remain uncertain about what the Court should (or will) do, but in my post here a few days ago I explained why I think TikTok has an uphill battle to persuade the Court why the Government's data-protection rationale is inadequate to justify the law.

On the data security point, your friends on the other side make the argument that if that were the concern, Congress could ban TikTok U.S. from sharing data with anyone on pains of penalties that would put people in prison and shut the company down in the future . . . .  Why isn't that a less restrictive means available?

SG Prelogar's response, if I understand it correctly, was that TikTok could not comply with such a data-sharing prohibition absent the sort of divestiture from ByteDance that it is unable or unwilling to make: 

I was surprised to hear Petitioner offer that up today because there was a long course of discussion between the executive branch and ByteDance and TikTok leading up to Congress's enactment of this Act that spanned over four years--an extensive conversation about what limitations could be placed to protect Americans' data.  And it was never a suggestion that there would be any way to create a true firewall that would prevent the U.S. subsidiary from sharing data with the corporate parent.  And the reason for that sounds in the technological features of this application.  I think there can be no reasonable dispute that the source code development and the maintenance of this algorithm rests in China, which is why China has sought to try to control export restrictions with respect to the algorithm.  And what that means is you need substantial data flows between the companies in order to continue to modify that algorithm, refine it, and so forth.

In response to an interjection from Justice Sotomayor, the SG further explained:

You don't have to take my word for it.  You can look at the specific terms of the national security agreement that ByteDance itself proposed.  The relevant definition of the [excepted] data is at JA 239 to 240, and it references categories of information that would of necessity--technological necessity and business necessity--have to flow back to China.  And the relevant categories are in the sealed appendix, but I would really encourage the Court to look this up because it's eye-opening.  It is at the court of appeals sealed appendix, 249 to 252 and 254.  [The SG was referring here not to classified materials unavailable to the petitioners, but instead to proprietary material that is sealed in the record for TikTok's/ByteDance's benefit.]  If you look at that information, it was a wealth of data about Americans that was going to have to go back to China in order for the platform to just continue its basic operations.  There's a legitimate commercial justification for that, but it creates this gaping vulnerability in the system because, once that data is in China, the PRC can demand that ByteDance turn it over and keep that assistance secret.

Noel Francisco, presumably sensing the importance of this question, led with it in his rebuttal:

I'd like to begin with the least restrictive alternative--simply prohibiting TikTok, Incorporated, from disseminating any of the sensitive user data to anyone, including ByteDance, under the threat of massive penalties.  That is definitely a less restrictive alternative. 

Now my friend pointed to the NSA negotiations [i.e., the pre-Act negotiations in which TikTok and ByteDance offered to implement certain proposals to protect U.S. person data].  Well, the sensitive user data that we're talking about and that were of concern in the NSA negotiations were not the type of technical data that she's talking about.  The NSA did allow certain types of nonsensitive technical data to go back and forth, but that wasn't anybody's concern. ...  But, to be clear, if that's a concern, sweep that into the ban, too.  Put in that nonsensitive technical data into the ban, too.  We'll deal with that.  It's a lot better than simply being forced to shut down.  So that is most definitely a less restrictive alternative that would address data security. 

I have to confess that I'm not really sure about the nature of the various different categories of data to which the SG and Francisco were referring.  And I imagine the Justices are similarly uncertain, though perhaps if they review the sealed material to which the SG pointed, they'll have a better understanding.  In any event, Francisco appeared in his rebuttal to be accepting the prospect of a statute that prohibits TikTok from sharing with ByteDance and the PRC any of what the SG referred to as "wealth" of the U.S. person data about which the political branches are concerned.  If so, I'm not clear on whether Francisco was intending to suggest that TikTok could and would comply with such a prohibition if ByteDance continued to control the algorithm.  "We'll deal with that" is ambiguous.  Would/could TikTok comply with such a broad data-sharing prohibition?  Would it argue that that prohibition, too, violates the First Amendment because of the burden it imposes?]