TikTok: Recent Data Privacy and National Security Concerns

March 29, 2023 IN12131




INSIGHTi

TikTok: Recent Data Privacy and National
Security Concerns
March 29, 2023
On March 23, 2023, TikTok CEO, Shou Zi Chew, testified during a House Energy and Commerce
Committee hearing on TikTok’s potential threats to data privacy, national security, and children’s online
safety. TikTok is a social media application (app) for creating and sharing short videos, with over 150
million users in the United States, according to TikTok estimates. TikTok Ltd., with headquarters in Los
Angeles and Singapore, is a subsidiary of ByteDance Ltd., a privately held company headquartered in
Beijing, China. Both TikTok Ltd. and ByteDance Ltd. are incorporated in the Cayman Islands, according
to an updated corporate structure released on March 15, 2023. TikTok has faced scrutiny from
policymakers for its potential privacy and national security risks. Critics allege the government of the
People’s Republic of China (PRC) influences ByteDance and may control content shown to users or
compel TikTok to turn over user data in accordance with various PRC laws that govern cyber and data
security. TikTok has denied these allegations.
Issues and Concerns
Critics are concerned TikTok collects sensitive data on U.S. users and may enable the PRC government to
conduct influence operations to shape public opinion. Technology companies operating in China—
including ByteDance—are subject to the PRC’s various cybersecurity and data security laws, which
enable the government to compel data access and require data be stored and processed in China. In his
testimony to Congress on March 23, 2023, TikTok’s CEO stated allegations TikTok shares U.S. user data
with the PRC are “emphatically untrue.” According to Chew, U.S. user data will be segregated from
operations and employees in China through a $1.5 billion dollar company initiative called “Project
Texas.” However, some critics have voiced skepticism about the project.
Data Collection, Storage, and Access. Some critics argue TikTok’s data collection is excessive, while
others contend that its practices are similar to other social media companies, such as Facebook or Twitter.
Some researchers claim any threat posed by TikTok is “one that applies to all social media, regardless of
the provider’s national origin.”
TikTok has stated that all U.S. user data is now stored in U.S. and Singapore data centers. However,
according to a 2022 Buzzfeed investigation, ByteDance employees in China “repeatedly” accessed
nonpublic U.S. user data.
Congressional Research Service
https://crsreports.congress.gov
IN12131
CRS INSIGHT
Prepared for Members and
Committees of Congress



Congressional Research Service
2
In CEO Chew’s written testimony, he claimed University of Toronto researchers “found that there was no
overt data transmission by TikTok to the Chinese government.” However, the researchers challenged the
company’s characterization, stating their analysis had “no visibility into what happened to user data once
it was collected and transmitted back to TikTok’s servers.”
Influence over Content. National security officials have raised concerns that the PRC may influence
content shown to U.S. citizens through TikTok’s content moderation and recommendation algorithms.
Some Members contend that the PRC may influence TikTok to promote misinformation and propaganda
or censor content.
As part of Project Texas, Oracle is reportedly auditing TikTok’s algorithms to ensure that U.S. user data is
safe from manipulation. Oracle is a U.S.-based company that provides cloud infrastructure for TikTok’s
U.S. user data.
Recent Developments
Federal and State Bans. The Consolidated Appropriations Act, 2023 (P.L. 117-328), banned TikTok and
other ByteDance services on executive agency devices. Many states have also banned the app on some or
all state-owned devices.
Executive Orders and Divestiture. The Trump Administration issued two executive orders targeting
TikTok and WeChat (a China-based messaging service) operations in the United States. Courts issued
preliminary injunctions against two of the executive orders (E.O. 13942 and 13943), which the Biden
administration withdrew in 2021. The divestment order still stands but has not been enforced in court.
Since 2020, the Committee on Foreign Investment in the United States (CFIUS) has been negotiating
with TikTok to allow continued U.S. operations under certain obligations. In a similar case, a PRC
company previously divested its stake in dating app Grindr due to a CFIUS investigation and security
concerns around user data.
The Biden Administration has reportedly demanded PRC divestiture from TikTok. The PRC’s Ministry of
Commerce responded that it would “firmly oppose” a forced sale. For additional discussion of CFIUS and
the executive orders, see this CRS Legal Side Bar.
Congressional Considerations
Congress may consider several options in response to possible risks posed by TikTok.
Total Ban. If Congress wishes to ban TikTok use in the United States, it may consider
several questions. What additional authorities or changes to existing authorities are
necessary? How might these be realized, such as by amending the International
Emergency Economic Powers Act to allow the President to ban TikTok through executive
order or by amending CFIUS processes? Does a total ban of TikTok implicate the First
Amendment? Congress may also consider whether a ban is technically feasible and
enforceable.
Forced Sale. Congress may wish to consider whether CFIUS or another federal entity
could require ByteDance to sell off its TikTok subsidiary to a U.S. company and potential
implications for private sector competition.
Beyond TikTok. Congress may consider how efforts to limit or restrict TikTok may
affect other information and communication technology (ICT) platforms. For example, S.
686, the RESTRICT Act, would create new authorities for the Secretary of Commerce to
review and prohibit certain ICT-related transactions with foreign entities. S. 686 has
received statements of support from the White House and Department of Commerce.

Congressional Research Service
3
 Other bills—such as the No TikTok on United States Devices Act—have focused solely
on restricting TikTok or specific companies from China.
Data Privacy. Congress may consider legislative proposals that attempt to protect U.S.
users’ data privacy. Some observers have noted the enactment of data privacy laws could
affect the data collection and sharing practices of TikTok and other technology
companies. Members have previously introduced broad comprehensive privacy
legislation—such as H.R. 8152, the American Data Privacy and Protection Act, and S.
3195, the Children’s Online Protection Act—while others have introduced bills to restrict
how certain entities, like data brokers, sell and transfer data to foreign countries (S.
4281). Other bills, such as S. 4495, attempt to establish export controls on U.S. data to
other countries, or to create disclosure and transparency requirements.


Author Information

Kristen E. Busch

Analyst in Science and Technology Policy




Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff
to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of
Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of
information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role.
CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United
States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However,
as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the
permission of the copyright holder if you wish to copy or otherwise use copyrighted material.

IN12131 · VERSION 1 · NEW