We Don’t Want China to Have Our Data, But Who Do We Want to Have It?
The TikTok and WeChat bans ordered under somewhat shaky legal grounds by executive order have caused a wave of reflection about what happens to our data. We have reignited concerns about how data travels from phones to governments, and how that data is used to manipulate people. The real benefit that can be drawn from this moment would be to take a look in the mirror. From this moment we might learn how our concerns about Tik Tok and the Chinese government are concerns we ought to have about all apps and most governments.
It is important to note that the US is not as authoritarian as China, and so things aren’t totally equivalent. Data handed by US companies to the United States government doesn’t yet have the same damaging and controlling impact as does data gathered by Chinese companies handed to the Chinese government. But US technology companies handle a lot more of the world’s data outside of the country’s own borders. And if we are concerned about TikTok’s behavior — and we should be — that criticism should be leveled at Facebook, Twitter, and Google as well.
What should we do? Data-gathering by companies needs to be responsibly regulated, the way many countries are already doing. Once the data is gathered, nation-states have proven they can’t keep their fingers off of it, regardless of democratic form or supposed rule of law.
Are we feeling it yet?
The mirror of the TikTok and WeChat saga should show us Americans a clearer view of ourselves. For years, American businesspeople, lobbyists, lawyers, negotiators, and academics have spoken patronizingly to their European counterparts. Germans were horrified by Edward Snowden’s revelations that the United States government had untrammeled access to EU citizens’ data through secret court orders like the FISA court’s rolling orders to cell-phone companies to track and log every call Americans made.
The US response has been largely a shrug: Why should a European care if the NSA gathered and parsed her data? But that bravado has always been untested. Americans have never felt in their gut the threat of a foreign tech company operating within our borders and gathering our data at a massive scale. True social media giants operating in the US have always been located there. Even platforms that have had a huge impact elsewhere in the world have never had the draw TikTok now has in the United States. Thus, the US attitude that “everyone collects data, so it’s not a big deal” turned out to be largely a matter of not having thought things through. Perhaps it takes a few videos posted by ones’ children to a site that is beholden to an authoritarian regime to sort our thinking properly on the issue.
That said, recent US criticism of the European position continues unabated, in fact, increased and sharpened by the recent invalidation of Privacy Shield in Schrems II. That arrangement permitted US companies to process EU citizens’ data as if US law offered equivalent protections to EU law. It doesn’t, never has, and as things are going, never will, which is why the various attempts to paper that fact over continue to fail. But more than that, the EU’s primary concern in the Schrems decisions has been that data gathered by US companies is available to the US government without even the protection of a warrant, and that there is no avenue for recourse or redress by harmed EU citizens.
Concerns about the Chinese government’s access to TikTok and WeChat’s data are absolutely justified. TikTok claims it hasn’t provided data to the Chinese government, but that’s obviously untrue. What is true, and a matter of undisputed public record because of the enhanced transparency and democratic norms of the United States, is that the United States government has sucked vast quantities of data out of US-based social media companies, in a well-trodden end-run around the Constitution, in which service providers can provide data to the US Government without a need for a warrant. The United States Government can’t search all of our online activity, all the time, but Facebook can, and can pass that data off without important constitutional protections.
Again, there is no direct equivalence: historically, the US Government having your data was not as bad as the Chinese Communist Party having it. But there ought to be a moment of reckoning, especially since governments can become corrupt, criminal, and authoritarian. And the data flows are identical. The outcry over the Chinese Communist Party’s access to TikTok and WeChat data ought to at least recognize the fact that the US Government, and, indeed, EU governments all make demands from companies with relatively little law in the way.
This was the most foreseeable problem.
Once the US started down the path of permitting companies to take whatever data they want off of users’ devices, this problem became unavoidable. Companies take more data than they need to provide a service, there are no meaningful restrictions on the extraction of data from consumers’ smart devices, and once the data is gathered, there are no practical restrictions on how long it can be kept, to whom it can be given, and so on. US data practices set that standard, as did the US government in accessing and making use of that data.
Banning TikTok and WeChat will not solve the problem of government access — even Chinese government access — to our data. To do that we need to hold companies responsible for taking more data than they need to provide a service and for where it goes. More, some kinds of data should be presumptively off the table: every app on a smartphone does not need to know where you are at all times. We must impose reasonable boundaries on data collection and use. Data that is not necessary to provide a service should be subject to completely different standards for collection, exploitation, and deletion. Otherwise, we will continue to complain that governments drink deeply at the vast, stagnant pools of data gathered by corporations on the off chance that they can monetize it later.
