Vanessa Pappas, chief operating officer at TikTok, Jay Sullivan, general manager of Bluebird at Twitter, and Neal Mohan, chief product officer at YouTube, attend a hearing before the US Senate in Washington on September 14. Photo: Reuters
Aynne Kokas

US piecemeal approach to data security leaves Americans vulnerable to foreign tech companies

  • Joe Biden’s executive order to prevent foreign firms from acquiring Americans’ data offers another limited solution to a pervasive problem
  • US data protection laws are patchy, with a distinct lack of national infrastructure for long-term, bipartisan oversight

On September 15, US President Joe Biden released an executive order designed to address concerns about data-gathering by foreign – specifically, Chinese – tech firms like TikTok.

The order directs the Committee on Foreign Investment in the United States (CFIUS), a government panel that reviews the national security implications of foreign investments in US companies, to pay close attention to deals that could give foreign entities access to the sensitive data of Americans.

The need for tougher security laws was highlighted two days earlier on September 13, when social media executives were called to defend their platforms before Congress. Among them was Vanessa Pappas, chief operating officer of TikTok.
During her testimony, Pappas repeatedly dodged questions about whether the Chinese government had access to the data of US nationals. Instead, Pappas argued that TikTok would protect user data in ways that would satisfy the US government’s security requirements.

The Biden administration’s executive order appears as a strong response to the fragmented data security environment in the US. Currently, TikTok and other firms operating in the US can legally export a good deal of data abroad for access by other governments – a kind of “data trafficking”.

Yet while a crucial step toward limiting data trafficking, the order exemplifies three fundamental flaws in US government data practices.


First, US data security laws are fragmented and leave huge loopholes in data security. Second, rather than these laws being enforced as part of a long-term, bipartisan effort, enforcement varies by administration.

Finally, US data security laws often get to the issue far too late, not considering data acquisitions that are already occurring. Rather than reflecting the toughness of the US government’s approach, the Biden executive order reflects the limitations of the US approach to data regulation.

The United States protects consumer data in a piecemeal and often counterintuitive fashion. At present, no nationwide data security law covering all types of data exists. Instead, certain sectors have their own individual protections, which often can only be applied to specific situations.

For example, when a patient has their heart rate measured by a doctor, the data collected is protected by the Health Insurance Portability and Accountability Act. Yet that same data collected using an Apple Watch or Xiaomi Mi band is the property of the corporation that is logging it.

Data protection policies also vary by state. Platform users in California have different rights to those in Louisiana. In New York, financial data has special protection. Illinois offers biometric data protection. Such divisions both create significant loopholes and complicate enforcement of existing laws.

Moreover, executive orders exemplify the US government’s short-sighted, reactive approach with respect to China. US policymakers have been responding to the “Made in China 2025” plan for years, yet the Trump administration’s 2020 order on TikTok and WeChat was defunct within months. It is uncertain whether this latest order will survive beyond the Biden administration.

Even proposed national regulations like the American Data Privacy and Protection Act can only be enforced by lawsuits in the event of a data breach. Lawsuits are expensive, require collective action and place the burden of enforcement on the person or group whose data is being exploited. They don’t create infrastructure for long-term proactive oversight.

Biden’s order for greater scrutiny of future acquisitions that include sensitive data is a good start, but it reflects a mentality that, while supportive of business interests, also fails to account for already existing national security concerns. The order focuses on future data acquisitions, not ongoing ones.

This means that companies like TikTok, which already have, at best, a complex relationship with the data of Americans and the Chinese government, are not covered. And while TikTok draws the most scrutiny, there are many other Chinese-owned firms that gather data about Americans on everything from baby monitors to sex toys.
Popular mobile app TikTok is facing growing scrutiny over how it handles the data of users in the US. Photo: TNS

The Biden executive order additionally does not account for firms already operating in the US that simply seek to expand their operations into connected devices.

Both Congress and the Biden administration are looking in the right direction for policy responses to weak national data security oversight in the US with new proposed Congressional legislation and more targeted executive orders, but fragmented US data security policy still has a long way to go before it can comprehensively counter data gathering by China and other countries.

Aynne Kokas is a senior faculty fellow at the University of Virginia’s Miller Center for Public Affairs and a professor of Sino-US relations at the University of Virginia.