Wow TikTok is Still in the News
For months, every time TikTok is in the news for a potential ban or sale, I complain to my wife. That complaint usually goes something like “There’s already a fix for this, I can’t believe we’re still talking about it.” For the uninitiated, the drama supposedly centers on protecting the personal information of Americans using an app created and controlled by a Chinese company. But privacy frameworks exist to different degrees in many jurisdictions, and they form a well-established set of legal controls for doing the very thing that US lawmakers think they are accomplishing by forcing the sale of TikTok or banning the app altogether.
Now, the current administration — once hailed as the savior of TikTok — has granted another extension for the sale of the app, so it’s quite likely that the story dies down for a while before coming back ‘round after a sale goes through or another extension is granted. We will see how this actually plays out. But the thing I would like to highlight is that this is a silly way for lawmakers to go about securing Americans’ privacy.
Today, the European Union shows us the way to go — using its existing and robust privacy framework called GDPR (General Data Protection Regulation, a legal framework that has been evolving since 1995), they slapped a $600 million fine on ByteDance for illegal data export (data pertaining to citizens of the EU are subject to data protection agreements in order to be exported to a country that does not have equivalent privacy protections). It is absolute silliness for the United States Congress to individually police tech companies (and indeed, I’m not convinced protecting Americans’ privacy is the goal with this saga), and if you think TikTok is the only platform that is harvesting and exporting personal data (quite legally at that), you are very much mistaken. The real answer to this problem is to create a national framework and then enforce it with our existing legal infrastructure.
Granted, it’s true that the US simply doesn’t care very much about privacy. Sure, you can pontificate all you like about it, but since we lack a cohesive framework at the federal level, we certainly aren’t doing much more than pontificating about it. Privacy is one of those things we can all agree is a “good” thing; it’s like being a “good person”: we can all agree on it, but it’s vague enough that no one need do anything different. And there is a smattering of efforts and laws out there:
HIPAA — protects some forms of health and personal information and requires a data processor (that is, an app) to inform HHS of a data breach
FERPA — protects some forms of educational data
COPPA — restricts the collection or use of children’s information for online services
Dept of Commerce Privacy Framework — a good faith program to enable data export with countries that do take privacy seriously (and thus enable US companies to export services easily)
…And there are a few other industry-specific laws — no overarching, nationwide privacy and compliance framework that applies to all businesses, however. These types of laws only exist at the state level (and there’s a bunch), making regulation onerous and compliance even more so, since a company’s legal obligations may vary based on the zip code of the end user. It’s kinda like Colorado not having statewide building codes, so a contractor in Denver might not be licensed to do business a few miles away in Jefferson County until they learn another set of codes, take another exam and register their business, all of which makes it more expensive to offer their services to everyone. That’s what we’re doing with privacy protections in the United States: we make it weaker and more expensive for everyone and ask the people in Congress, who likely don’t have the slightest notion of how the internet works, to make a flashy show of it when it serves their political interests.