Data privacy and protection has been an issue for as long as data has been aggregated. However, in recent decades this problem has ballooned exponentially as technology like personal computers, the internet, and smartphones have become ubiquitous.
At first, the nature of this data was uncertain, so regulations were difficult to draft, but within the last 10 years, there have been more calls to take action to protect the data collected on individuals, both for their safety and the safety of governments and organizations. One huge step toward more comprehensive data privacy regulations was the implementation of the European Union's General Data Protection Regulation in May 2018, which contains hundreds of regulations about what data can and cannot be collected on individuals, how that data can be stored, and for how long.
In the United States, data privacy has primarily been viewed through very specific lenses, targeting issues like medical privacy and data held by the government. Increasingly, the concern that foreign governments may have access to the data generated on social media and other web-based platforms by Americans has come to the forefront of political discussions, causing the introduction of a slew of data- and social media-related legislation.
Most recently, the social media platform TikTok, owned by parent company ByteDance, has been the target of national legislation. TikTok CEO Shou Chew testified before Congress on March 23, 2023, and fielded many questions about the ability of China's government to access data about users in the U.S. Chew repeatedly insisted TikTok is based in Singapore—not China—despite the fact that parent company ByteDance is based in Beijing and, as the social media platform is a wholly owned subsidiary, appoints its executive board, thereby placing the platform under Chinese oversight.
In February and March 2023, two pieces of data protection legislation were introduced in Congress: the DATA Act and the RESTRICT Act. Since their introduction, the RESTRICT Act has been labeled the "TikTok ban," as it would allow the federal government to potentially remove TikTok from being accessible to U.S. users. Stacker investigated how the so-called "TikTok ban" and other proposed social media and data regulations could restrict internet use by speaking with an expert from the Electronic Frontier Foundation and consulting various news and legislative sources.
What are the RESTRICT and DATA Acts?
The RESTRICT Act and the DATA Act are additional regulations proposed with the intention of protecting data privacy and national security.
The DATA Act requires the executive branch to ban or heavily regulate various commercial transactions and software access if they are connected to or originate from China. The president is in charge of deciding what action is appropriate to take to prevent individuals and companies from communicating or doing business with Chinese entities that may put national security at risk.
The RESTRICT Act is somewhat narrower. It allows the secretary of commerce to identify and investigate information technology companies held by foreign adversaries, which the bill defines as China, Cuba, Iran, North Korea, Russia, and Venezuela. It also says the Commerce Department would be authorized to "identify, deter, disrupt, prevent, prohibit, investigate and mitigate" any national security risk discovered. The mitigation measures allowed are not defined in the bill.
How would these regulations be enforced?
Because of how vague these bills are, it is not entirely clear how the regulations would be enforced; however, both would be handled by some party in the executive branch. The DATA Act proposes no mechanism for enforcing the restrictions of data and digital products from China but does give that authority directly to the president without requiring an investigation, making it "probably unconstitutional on its face," according to David Greene, attorney and civil liberties director for the Electronic Frontier Foundation. The RESTRICT Act details numerous criminal penalties for attempting to carry out business or access software restricted under the bill.
"At least by its language, [the RESTRICT Act] says it makes it a felony to evade any mitigation measure. And we don't know what those mitigation measures are," Greene said. "I think the language leaves open the possibility of including things like if an app is banned for importation to the U.S., if you would use a VPN to download an app ... conceivably, that would violate the technical language of the law and that would be a federal felony."
The current penalties for such violations, as outlined in the RESTRICT Act, include up to 20 years in prison, $250,000 in fines, and forfeiture of property.
What would be the immediate impact on users if either bill passes?
"I think the most immediate impact a user would feel is certain apps would just disappear from the app stores and certain devices wouldn't be available," said Greene, who expressed that, if users already owned a device that was banned, they would likely not be able to receive service to that technology—if they owned a Huawei phone that was banned due to being manufactured by a Chinese company, for example. In turn, users who already had the TikTok app downloaded on their phones might still be able to use the app to a degree, but it would no longer receive software updates and would likely be unavailable in app stores should the user ever wish to re-download it.
From a business standpoint, the DATA Act is concerning because it specifically prevents commercial transactions with China. This could mean widespread bans on activities like manufacturing in and shipping to and from China and even prevent companies from employing anyone who was a Chinese resident or citizen. In addition, it's important to note that apps and products are not the only things the U.S. government could restrict under these regulations. Both bills mention "information," which could be defined very broadly to prevent access to certain websites or even specific content on social media platforms that aren't entirely banned, like Facebook, Twitter, and YouTube.
What are alternatives to this type of legislation that would still protect national security?
Greene suggested a more direct solution to the fear of data being obtained by foreign adversaries would be to pass comprehensive data privacy regulations in the U.S.
"The goal of that is really to restrict the amount of information that companies are able to collect, retain, and use in the first place, rather than focus on what they do with it after they collect, retain, and use it," Greene said.
Additionally, Greene pointed out that even if the U.S. passes the DATA Act, RESTRICT Act, or similar legislation, much of the data collected on social media and other internet platforms is available for purchase through data brokers: "So when we say that this is better addressed by comprehensive data privacy legislation, what we're really saying is: If you're concerned about companies passing information on to a foreign adversary, then what you would do is aim your regulation at the companies in the first instance, not at what happens on the back end."