TikTok v. Trump and the Uncertain Future of National Security-Based Restrictions on Data Trade

• Author: Bernard Horowitz & Terence Check
• Position: Law Clerk for Senior Judge Mary Ellen Coster Williams of the United States Court of Federal Claims/Senior Counsel, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security
• Pages: 61-111

TikTok v. Trump and the Uncertain Future of

National Security-Based Restrictions on Data Trade

Bernard Horowitz* & Terence Check**

ABSTRACT

Looking through the lens of the D.C. District Court’s 2020 decision on

President Trump’s TikTok “ban” (TikTok v. Trump), this article assesses

whether U.S. law can address national security concerns raised by cross border

data trade while accommodating the needs of industry.

The type of data valued by foreign rivals of the United States has gradually

shifted in accordance with technological progress and geopolitical dynamics.

During the 2000’s and early 2010’s, cyber-based foreign economic collection

campaigns targeting the U.S. focused on high-value IP data and trade secrets.

However, in the past few years, increasing societal reliance on the internet in

tandem with advances in data processing and algorithms has produced a new

type of data-related security concern: foreign adversarial mass bulk collection

of quotidian U.S. person data, including biometric data (for example, facial

photographs). The apparent threat posed by foreign mass collection of such

data – which has been publicly and prominently emphasized by the U.S.

Intelligence community (“IC”) – gives rise to a philosophical conflict. On one

hand, the IC and privacy advocates regard foreign adversarial access as a

threat. On the other hand, business interests have grown heavily reliant on data

trade. In some industries, such as the music business in the streaming era, data

collection and trade may be pivotal to profitability and growth. TikTok, which

originally began as a music-sharing platform, is alone worth $400 billion.

Reconciling these opposing priorities and formulating a policy solution to such

foreign data collection appears difficult under existing U.S. legal authorities. For

example, the International Emergency Economic Powers Act (“IEEPA”) and the

Committee on Foreign Investment in the United States (“CFIUS”)—under which

foreign access to data might be restricted—may not be cleanly applicable to this

cross-border data trade.

* Law Clerk for Senior Judge Mary Ellen Coster Williams of the United States Court of Federal

Claims. This article does not reflect the views of the Court of Federal Claims or Judge Williams, and

was written solely in the author’s personal capacity and not as part of his court-related duties.

** Senior Counsel, Cybersecurity and Infrastructure Security Agency, Department of Homeland

Security; LL.M in Law & Government, specializing in National Security Law & Policy, American

University Washington College of Law (2015); J.D., magna cum laude, Cleveland State University,

Cleveland-Marshall College of Law (2014); Editor-in-Chief, Cleveland State Law Review (2013-2014).

This article does not reflect the official position of the U.S. government, DHS, or CISA and all

opinions expressed are solely those of the authors. The authors would like to thank friends and

advisors who provided much-appreciated input on this article, including Prof. Sandra Aistars, Ethan

Baer, Thomas Christian, Prof. James Cooper and Prof. Jeremy Rabkin. © 2022, Bernard Horowitz and

Terence Check.

61

IEEPA, which is the main U.S. framework for sanctions, has been tradition-

ally applied to dictatorships and rogue regimes in response to terrorism spon-

sorship, weapons proliferation, slavery, corruption, war crimes, and genocide.

Even though foreign collection of quotidian U.S. person data poses national se-

curity liabilities, the invocation of such a powerful legal mechanism as a

response to bulk data collection may not be considered proportional or reason-

able. Beyond this, the IEEPA statute (passed in 1977) forecloses sanctions pro-

hibiting or constraining “personal communication[s] which do not involve a

transfer of anything of value” or the exportation of “informational materials.”

The D.C. District Court’s 2020 ruling in TikTok v. Trump construed quotidian

U.S. data and TikTok content as falling within this language; thus, the applic-

ability of IEEPA to restricting data trade on national security grounds appears

legally uncertain.

Likewise, CFIUS—the framework for screening foreign adversarial invest-

ments in U.S. companies—does not appear to represent a full solution to regu-

lating foreign adversarial access to quotidian U.S. data. CFIUS was expanded

between 2018-2020 to theoretically cover foreign minority stake investments

giving rise to U.S. data collection. However, in any case, U.S. federal law

widely permits the selling of data, and this is reflected in the emergence of a lu-

crative data brokerage industry. A foreign party seeking U.S. data may not

need to invest in a company if it can simply buy such data from a broker.

Furthermore, the Federal Trade Commission—responsible for keeping an eye

on data trade in practice – does not appear to have a relationship with CFIUS

and disclaims a “national security”-related role.

In short, TikTok v. Trump traces a challenging reality: even though constitu-

tional law (Dames & Moore v. Regan) confers overwhelming authority on exec-

utive branch administrative national security mechanisms such as IEEPA and

CFIUS, the applicability of these frameworks to properly regulate foreign bulk

data collection, including some highly sensitive personal data, has proven

unclear. Additional new legislation may be necessary to balance security con-

cerns with private sector interests in unrestricted data trade.

INTRODUCTION

For a few months in 2020, a legal fight over the future of social media and the

video sharing app TikTok—whose parent company, ByteDance, is based in

China—radiated out from the arcane confines of trade and national security law

and into broader public discourse. President Donald Trump used his International

Emergency Economic Powers Act (“IEEPA”) authorities to issue Executive

Order 13942 prohibiting TikTok-related transactions and ordering a ban on future

downloads.

1

TikTok soon brought suit in the United States District Court for the

1. Exec. Order No. 13,942, 85 Fed. Reg. 48,637 (Aug. 6, 2020).

62 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 13:61

District of Columbia to enjoin the download bans and other actions required in

the Executive Order from taking effect.

2

The court ruled in favor of TikTok, hold-

ing that the President’s order exceeded his IEEPA authorities because (1)

TikTok’s data transmissions constituted “personal communications which do[]

not involve anything of value” and (2) TikTok content amounted to protected

“informational materials.”

The D.C. District Court’s landmark suspension of an IEEPA Order illustrates

two key challenges for the U.S. government and the technology industry—one

regulatory and the other philosophical. The regulatory challenge is the reality that

the legal framework governing data privacy and trade is outdated, impairing the

capacity to manage the liabilities of foreign collection of quotidian U.S. person

data; such data ranges from straightforward personal information, like names and

dates of birth, to highly sensitive biometric data, such as facial photographs. The

philosophical challenge entails a conflict between the incentives of the U.S. pri-

vate sector on one hand and the national security establishment on the other: the

private sector benefits from unrestricted cross-border data trade, while national

security and privacy concerns lead government stakeholders to seek restrictions

on foreign adversarial access to such data.

Irrespective of these clashing priorities, the TikTok court’s central holding that

social media data amounts to “personal communication[s] which does not involve

a transfer of anything of value,”

3

which thus fall outside the scope of IEEPA, so

severely misaligns with the reality of data value and commerce that this reasoning

may be regarded as an unstable liability from all sides of this philosophical

debate. In other words, a national security hawk who favors barring Chinese

access to U.S. person data might hungrily regard the court’s reasoning as easily

reversed or circumvented with legislation or additional executive action.

Likewise, business interests eager to engage Chinese markets should be wary that

while the TikTok decision is nominally sympathetic, its legal rationale is at least

partially unstable.

Both theoretical positions have merit. Proponents of restricting foreign data

access can point to clear national security threats from such access: China’s for-

eign economic competition against the United States has been prolific for more

than a decade.

4

See, e.g., OFF. OF THE NAT’L COUNTERINTELLIGENCE EXEC., FOREIGN SPIES STEALING US

ECONOMIC SECRETS IN CYBERSPACE (2011), https://perma.cc/JJE9-4MXK.

China’s intense focus on artificial intelligence casts once ordinary

data transfers in new light because the sophistication of algorithm technology—

used to sort and synthesize data—has also been progressing dramatically.

5

In

2018, the U.S. Intelligence community issued public warnings about the dangers

2. TikTok v. Trump, 507 F. Supp. 3d 92, 98 (D.D.C. 2020).

3. See 50 U.S.C. § 1701(b)(1).

4.

5. For example, already in 2012, the ABA Standing Committee on Law and National Security’s

FISA Task Force discussed a potential future amendment (carve-out) to FISA whereby the probable

cause standard for a FISA order (probable cause that a surveillance target is an agent of a foreign power)

could be established based exclusively on computerized algorithmic synthesis of open source data.

American Bar Association Standing Committee on Law and National Security: FISA Task Force

2022] TIKTOK V. TRUMP 63