Would a Prohibition on TikTok Sharing Sensitive U.S.-Person Data with its Parent Company ByteDance be a Viable Alternative?
Marty Lederman
My colleague David Cole has published a very helpful column on the New York Review of Books website, succinctly and clearly summarizing the case for why the Supreme Court should hold that the Protecting Americans from Foreign Adversary Controlled Applications Act (PAFFACAA) violates the First Amendment.
I remain uncertain about what the Court should (or will) do, but in my post here a few days ago I explained why I think TikTok has an uphill battle to persuade the Court why the Government's data-protection rationale is inadequate to justify the law.
David agrees that the Government's interest in protecting against Chinese collection and exploitation of U.S. persons' data "is indisputably compelling." He argues, however, that that compelling objective doesn't justify the Act's requirement of a TikTok divestiture from ByteDance because there's another obvious, and much less restrictive, way of dealing with the problem--namely, for Congress simply to "extend[]" to TikTok the rule it already has enacted that prohibits data brokers from transferring or disclosing "personally identifiable sensitive data of a United States individual" to China or to a company (such as ByteDance) that's domiciled or headquartered in China or that's organized under Chinese laws.
In their reply briefs, the petitioners suggest something similar, but not quite the same. TikTok and ByteDance refer to a law that would prohibit "covered companies" from "sharing sensitive U.S. user data with a foreign adversary," i.e., with the PRC itself. And the Firebaugh petitioners suggest that Congress could prohibit ByteDance "from sharing data with China."
I doubt those particular alternatives would work. There's no need for Congress to prohibit TikTok itself from sharing data with China because (if I understand the facts correctly) that's not the source of the problem: As far as I know, TikTok itself wouldn't ever send data to the PRC directly. The problem is, instead, that ByteDance has access to TikTok's data collection, and ByteDance is subject to PRC control. Yet as the Solicitor General points out in her reply brief, the proposal of a U.S. law that would prohibit ByteDance from sharing data with the PRC isn't an answer because it's "naïve to suggest that Congress could trust ByteDance to comply in good faith with such a restriction." ByteDance "is subject to [PRC] laws that allow the PRC to demand 'full access to [its] data and prohibit ByteDance from revealing such access," and "the Chinese government has a documented history of collecting data through hacking operations that violate U.S. laws."
That appears to be an effective response to the petitioners' alternatives, but it doesn't answer the hypothetical David Cole has suggested: What about a law that would prohibit TikTok Inc., a U.S. company, from sharing U.S. person data not only with the PRC itself but also with ByteDance or any other company that's subject to PRC control? Imagine, for example, that Congress enacted a law imposing such data-sharing restrictions on TikTok Inc., and further provided that in the event TikTok ever violates that prohibition, then TikTok would have to divest from ByteDance in order to continue operations in the U.S. Would that law be a viable, less restrictive alternative? If so, then it's possible at least some Justices would be more sympathetic to the petitioners' arguments.
As far as I can tell, however, the parties' briefs don't directly address the questions this hypothetical raises. For example, in light of the fact that ByteDance effectively owns TikTok Inc., and the fact that ByteDance controls the algorithm TikTok Inc. uses to run its platform, would it even be possible for TikTok Inc. to comply with such a law, particularly if ByteDance directed it to make U.S. persons' data available to ByteDance? If TikTok insists that compliance would be possible, would the U.S. Government be able to detect cases in which TikTok allowed ByteDance to have access to U.S. person data--at least in one or two instances, which is all it would take to trigger my hypothetical statute's divestiture requirement? Are there any other reasons to think that such a statute would be materially less effective than the PAFFACAA when it comes to protecting sensitive data about U.S. persons?
Perhaps the parties will have an opportunity to address such questions during the oral argument tomorrow.