Data Sovereignty in the Age of Digital Nationalism: The Case of TikTok and the Global Fragmentation of the Internet

Aysha Vear

 

I. Introduction

Social media has significantly changed the ways in which individuals both receive information and exchange it. As these applications and platforms have increasingly become part of the everyday lives of citizens and further incorporated into their daily interactions, the issue of social media regulation has been a clear focal point of legal and political discourse. Today there exists a growing concern about American citizens’ data with respect to Chinese influence and intrusion. Consequently, the House of Representatives presented a bill in 2024 to mitigate these fears. H.R. 7521 would force the foreign ownership of TikTok, a social media platform controlled by Chinese parent company ByteDance, to divest or face a broad federal ban.[1]

TikTok is centered on short videos created and uploaded by users who are able to create, share and interact with networks of content,^[2] and it has quickly become one of the most popular apps in the United States.^[3]  It is “a mass marketplace of trends and ideas and has become a popular news source for young people”^[4] with sixty-two percent of eighteen to twenty-nine year olds saying that they use the app^[5] which reached a billion users in 2021.^[6]  The app got its start in the U.S. as an app called “Musical.ly” but was acquired by the Chinese company ByteDance in 2018 and rebranded as TikTok.^[7] ByteDance is headquartered in Beijing and it launched “Douyin,” the Chinese TikTok equivalent in 2016 prior to the “Musical.ly” acquisition. It is this affiliation with China and the Chinese app that flagged concern for United States government officials and this case represents a growing trend of national governments asserting greater control over digital platforms and the content which citizens consume.

This highlights a growing trend toward countries treating data governance as a national security issue. Data sovereignty is a concept that refers to “a state’s sovereign power to regulate not only cross-border flow of data through uses of internet filtering technologies and data localization mandates, but also speech activities . . . and access to technologies.”^[8] Governments are introducing laws to prevent foreign control over citizen data, such as China’s Data Security Law and India’s restriction on data localization. Given that these laws have different aims and approaches to governance as well as shifting priorities, they have increased geopolitical competition between the U.S., China, and the EU. While data sovereignty is a necessary framework for global internet governance, its implementation must balance security concerns with the need to prevent a fragmentation of the internet as we know it. More countries are scrambling to control the flow of data in and out of their national borders and, as such, “the rise in data localization policies has been a contributing factor in declining internet freedom.”^[9] This paper will explore the different approaches of the United States, China, and the European Union in controlling cross-border data flows. Next, looking through a specific lens at the TikTok forced divestiture and attacks on other Chinese entities, it will explore the growing trend of data sovereignty and attempt to find the balance in national security and digital openness. Finally, the paper will suggest possible solutions for the growing need for better collaboration in the digital sphere.

II. The Rise of Data Sovereignty

A. Definition and Principles

The concept of data sovereignty is rooted in concerns surrounding cybersecurity, privacy, and economic protectionism. It is best understood “to articulate a response to growing consolidation and corporate power on the internet . . . to counter the ‘digital colonialism’ of the Global North.”^[10] Policies of digital sovereignty are driven by four objectives: national security and the ability to enforce laws; economic self-determination; protecting rights and empowering citizens and communities; and upholding societal norms and values.^[11] But two distinct approaches have emerged: the Internet Society has defined these as national security driven by state control and economic self-determination driven by economic factors.^[12] Some scholars view the divergence of the approaches as either a natural extension of Western sovereignty or as the catalyst for breaking the global internet apart.^[13]

The key question for data sovereignty remains who controls the data, an inquiry which is further complicated by the borderless nature of the internet. Some governments have mandated data localization to ensure jurisdiction over digital records and to maintain control over global data flows. These aims should be approached with caution though, as “national security interests often co-opt arguments for greater data privacy to justify an expansion of censorship and surveillance powers.”^[14] A clear potential fault of tighter restrictions on data under the guise of  national security is the trustworthiness of the internet and the degradation of accountability if state controls are not transparent in their decision making and reasoning.^[15] This risks damaging the internet by relying on a “command and control” model rather than one based on collaboration and coordination.^[16]

B. Historical Frameworks Governing Cross-Border Data Flows

1. General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) enforces strict rules on how companies transfer EU citizens’ data internationally.^[17] This robust data protection law covers not only companies based out of the EU but also foreign companies that target EU residents and process information about them.^[18] The extraterritorial scope of the GDPR extends to transfers outside of the EU unless an adequacy decision has been made with respect to the level of protection provided by the regulation.^[19] Without an adequacy determination there are other legal means to transfer personal data including Standard Contractual Clauses (SCCs).^[20] Importantly, the GDPR vests inalienable rights to personal data, which is defined as “any information relating to an identified or identifiable natural person,”^[21] and it contains a special callout for especially sensitive data that gives citizens additional controls.

2. Clarifying Lawful Overseas Use of Data (CLOUD Act)

The U.S., unlike the EU, does not have a comprehensive privacy regulation. Due to the fact that global companies have numbers of storage centers in various countries, the CLOUD Act of 2018, was passed to allow the U.S. government to access data stored by American companies abroad for domestic criminal investigations.^[22] Data should be shared under request and with a valid warrant, “regardless of where the data is stored, as long as the company is subject to US jurisdiction and the data is within the company’s ‘possession, custody, or control.’”^[23] The Act is made up of two key elements: the provision for U.S. access to foreign stored data and the provision to create executive agreements for foreign access to U.S. stored data in order to fight crime and terrorism.

Government officials are empowered by the Act to enter into executive agreements where a foreign government must meet certain proficiency standards in privacy and civil protections. Once the agreement is in place, access will be granted. The balance is designed “to ensure that government powers to compel production of electronic data are exercised and overseen in a way that respects the rule of law, protects privacy and human rights, and appropriately reduces conflicts between the laws of the countries concerned.”^[24]

3. China’s Data Security Law

The Chinese Data Security Law (DSL) sets a framework for Chinese national security and regulates the storage and transfer of Chinese data based on data classification.^[25] The DSL defines “core data” as “any data that concerns Chinese national and economic security, Chinese citizens’ welfare and significant public interests,”^[26] and is afforded the highest degree of protection. The regulation applies to all activities within China or extraterritorially if the activities are deemed to impair Chinese national security. Another element of the law is the Personal Information Protection Law (PIPL), China’s first comprehensive regulation protecting personal information that is modeled after the GDPR.^[27]

Provisions for cross-border data transfers are contained mainly in the DSL and PIPL. The DSL rules target both personal information and important data handled by critical information infrastructure operators (CIIOs), while PIPL focuses solely on personal information. As binding laws, both “are vague and need other lower-level texts to be practically applicable,”^[28] thereby requiring implementing rules and guidelines. Importantly, “researchers underline the intertwined nature of the rule of law and the rule of the Party in China,”^[29] highlighting a lack of separation of powers. This in turn leaves questions (and fears) surrounding enforcement, given that the framework “expressly allows the government to access data for state and public security.”^[30]

C. The Tension Between Global Markets and National Regulations

As each approach indicates, multinational tech firms prefer seamless data flows for efficiency, but governments are increasingly imposing restrictions to protect citizens. Further, the conflict between digital free trade and national security concerns complicates global regulatory cooperation. Businesses want cross-border data flows for innovation and efficiency, but this is at odds with data localization which seeks to protect privacy, national security, and economic interests. Differing obligations from various regulations (discussed later in this paper) have led to compliance challenges and legal gray areas. Fragmentation of this kind in the regulatory sphere risks deepening the divide and creating a splinternet where digital governance and compliance is entirely dependent on where one is located. Data sovereignty laws reflect a growing sentiment that global digital governance cannot be laissez-faire, but also highlights the fact that aggressive policies risk fueling economic nationalism and disrupting the global tech ecosystem.

III. The TikTok Case: A Paradigm Shift in Digital Governance

A. Overview of U.S. Concerns: National Security, Data Privacy, and Foreign Influence

The primary fear is that TikTok, or any company with Chinese ownership, could be compelled to hand over user data to the Chinese Communist Party (CCP). Suspicion of Chinese-state influence over the app has increased in part for three reasons: first, the ability to amass data in bulk and the use of algorithms to collect it; second, the technical capacity to mass-collect information about consumer behavior and to exploit it; and third, the fact that ordinary communications have economic value.^[31] In particular, the discourse focuses on the fact that TikTok is subject to Chinese government oversight targeted toward political influence in the U.S.; that the app collects personal data on U.S. citizens; and that the download of TikTok onto U.S. devices risks exposure to malicious Chinese software.^[32] The ability to exploit personal data is of great concern to the U.S. government due to the enactment of the People’s Republic of China’s (PRC) cybersecurity law that creates broad obligations “to assist the government in investigating political and ideological threats to the country.”^[33] This law has been used by the PRC to direct intellectual property theft for imitation or strategic use through “loose enforcement of intellectual property rights and the use of its military to steal intellectual property for Chinese companies to develop.”[34] Nonetheless, U.S. lawmakers are still nervous about this combination of data practices and the company’s ties to China.

B. Legislative and Executive Actions Targeting TikTok

Amidst national security concerns, the Trump administration began a cold war with China over the control of valuable technology and data. In May of 2019, the then-sitting President issued Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain”^[35] (ICTS) which would allow for prohibition of transactions with foreign countries or foreign nationals that pose a risk to national security. It authorized the Secretary of Commerce and other agencies to identify those transactions which would pose an undue or unacceptable threat.[36] Nearly a year later, Trump issued two more Executive Orders to address the threats posed by two apps in particular: TikTok^[37] and WeChat.^[38] With the pair of executive orders the President linked both companies to the previous Executive Order 13873,[39] stating that its issuance declared a national emergency because of the increasing exploitation of vulnerabilities with respect to the storage of sensitive information via malicious cyber-activity.[40] The concern came from TikTok’s ownership and whether or not U.S. data from the application would be subject to the aforementioned cybersecurity laws of China.[41] The government shared these same fears with respect to WeChat. The application is the largest messaging platform and is an “all-purpose” application through which users can shop, make payments, get news, and share information.^[42] While the concerns stemmed from the entity’s data storage practices, the declaration of the national emergency was also viewed as an economic move to force the sale of TikTok to an American-based company.^[43]

In recent years, the president has sanctioned Chinese entities using two tools: the presidential power vested in the International Emergency Economic Powers Act[44] (IEEPA) and a review conducted by the Committee on Foreign Investment in the United States (CFIUS) under the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA).[45] The President’s power to ban applications and software with connections to countries of concern stems from the IEEPA which was enacted “as a new vehicle for adopting economic control during times of declared national emergency.”^[46] Under it, the president can regulate or prohibit transactions which involve foreign-owned property.[47] Importantly, in order to protect Americans’ right to freedom of expression and to limit the president’s ability to exercise the emergency powers, the executive must declare a national emergency and it must be based on “an ‘unusual and extraordinary threat’ to the country’s security or economy.”^[48] In addition, the act cannot be used to regulate “any postal, telegraphic, telephonic, or other personal communication, which does not involve a transfer of anything of value,”^[49] and it also prohibits “regulat[ing] the importation or exportation of ‘any information or informational materials.’”^[50]

The second tool utilized to regulate foreign companies is CFIUS, an interagency body that conducts reviews on investments that could result in foreign control of a U.S.-based business that may pose a national security risk.^[51] In August of 2018, to expand the jurisdiction of CFIUS, Congress passed the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA). This expanded its scope to include “non-controlling investments in U.S. businesses that produce, design, test, manufacture, fabricate, or develop one or more critical technologies; own, operate, manufacture, supply, or service critical infrastructure; or maintain or collect sensitive personal data of U.S. citizens.”^[52] The definition of sensitive personal data goes on to include categories maintained or collected by businesses that target or tailor goods or services to certain populations, collect data on at least one million individuals, or have an objective to collect data on more than one million individuals and that data is an integrated part of the primary product or service and can include financial, geolocation, or health data.^[53]

TikTok had been negotiating with CFIUS since Musical.ly was acquired by ByteDance in 2018.^[54] A key feature of the negotiations was the creation of a new TikTok subsidiary in 2022, U.S. Data Security Inc. (USDS),^[55] which would absorb the parts of the business identified as the greatest risks to national security. Oracle Cloud, a U.S. based company, was recruited to manage the data entering and exiting the business to ensure data movement did not involve national security concerns.^[56] Their role also would include the software code, back-end systems, a recommendation engine, and moderation of platform content, thus mitigating the risk of Chinese influence.[57] To further mitigate the risk of access to U.S. citizens’ data, TikTok proposed a system which replicates their global operations but is localized within the U.S. and overseen by CFIUS. Departments like engineering, user operations, safety, legal, or privacy would be separate and housed entirely within the U.S. with employees required to be citizens or green card holders.^[58]

C. Other Social Media Bans and Regulations

1. The Trump and Biden Administrations’ Policies on Foreign-Owned Apps

The U.S. has restricted Chinese firms’ access to American markets and technology. TikTok’s case could set a precedent for broader digital decoupling.^[59] The TikTok and WeChat actions, alongside the CFIUS review were just the beginning. In January of 2025 the U.S. Supreme Court upheld a law requiring the sale or ban of TikTok in the United States, again citing national security concerns.^[60] This decision underscored the government’s authority to regulate foreign-owned platforms deemed security risks, with the court analysis warning that the decision “must be understood to be narrowly focused in light of these circumstances.^[61]

In the case of another Chinese tech giant Huawei, the U.S. government has cited concern that the tech company could use its substantial reach in the world’s telecommunications networks to commit espionage for the Chinese government.^[62] This fight has “morphed into a broader battle with China for technological supremacy,” given that Huawei receives ample support from the government to develop technologies and expand industries.^[63] This intertwinement with the government stokes fears of cyber espionage, intellectual property theft, trade violations, and domination of the global telecommunications sector.^[64] Other countries have followed suit including Australia, Canada, New Zealand, and the United Kingdom with other allies like Belgium, Denmark, Estonia, France, Lithuania, Poland, Romania, and Sweden restricting the use of the company’s equipment in their 5G networks.^[65]

For dating company Grinder, the controversy involved individuals’ data. Grindr is an American dating website for gay, bi, trans, and queer people. Sixty percent of the shares of the company were acquired by Chinese company Beijing Kunlun Wanwei Technology Co., Ltd. (Kunlun). The case was seen as a national security concern related to sensitive personal data of U.S. intelligence and military personnel who were also Grindr users. The fear was that the Chinese government could access sensitive information including data about sexual identity, HIV status, and location with its parent company.^[66] The company entered into a “National Security Agreement” with CFIUS which had various requirements including prohibiting personnel from accessing “relevant Grindr sensitive data,” keeping headquarters and operations in the U.S. and requiring it to sell its share of Grindr in 2020.^[67]

In each of these cases the problem was less with the platform itself, but rather the “security risks” that were mitigated by a divestiture. The U.S. government needs procedures to better protect citizens’ data, improve foreign relations, and utilize resources and judicial efforts efficiently and effectively to mitigate real risk.

2. India’s Ban on Chinese Apps Post-Galwan Valley Incident

Following a military clash along the India-China border in the Galwan Valley in June 2020, tension between the two countries resulted in India banning TikTok and 58 other Chinese apps.^[68] The Indian government, through the Ministry of Electronics and Information Technology (MeitY) banned popular Chinese apps citing national security concerns and the fact that Chinese apps pose a threat to India’s sovereignty and security.^[69] The official order was described as a matter of “data security and safeguarding the privacy” of Indian citizens from “elements hostile to national security and defense of India.”^[70] The Chinese government described the bans as discriminatory, arguing they violated World Trade Organization (WTO) rules. Despite protests, India did not reverse its decisions and many companies had to shut down their operations.
India’s ban was implemented without legal challenge^[71] and took place in just two weeks.^[72] This exposed gap in the market left room for Indian social media companies. The country’s technology press was flooded with news about companies like Chingari, Moj, and MX Taka Tak competing for attention in the social media space, splintering the market into different corners.^[73] Ultimately India’s online environment adapted to the absence of TikTok through platforms like Meta’s Instagram “Reels” and Alphabet’s YouTube “Shorts” which quickly gained widespread popularity and market dominance.^[74] Therefore, small companies and start–ups didn’t stand a chance compared to the size and resources of well-established Western counterparts. The list of Chinese apps India has banned continues to grow, now to 509. Some fear that “the ban has built a precedent that has allowed the Indian government to continue blocking access to more web and social media content.”^[75]

3. Russia’s Regulation and Partial Blocking of Western Platforms

Russia has also restricted access to Facebook, Twitter, and other Western platforms, indicating a wariness of an open internet. Russia’s separable internet model, dubbed the “Runet,” mirrors China’s “Great Firewall” approach and grants the government “more control over what its citizens can access.”^[76] The move to Runet has created a push to “isolate the internet within Russia from the rest of the world,”^[77] and was the focus of a Russian internet law signed in 2019. This isolation goes somewhat deeper than other cyber sovereignty measures, including through compelled installation of technical equipment to counter security threats, centralized control, and developing a domestic Domain Name System (DNS).^[78]

What started in response to the Arab Spring uprisings in the early 2010s, resulted in “control strategies [tending] “to be more subtle and sophisticated and designed to shape and affect when and how information [was] received by users, rather than denying access outright.”^[79] This state control approach of the internet is a larger symptom of the perception of the Russian government that foreign actors, through internet openness, threaten and hurt Russia. Academics note that insulation from foreign cyber threats could ensure that Russia may be more willing to target internet systems abroad via cyberattacks and espionage.^[80]

Ultimately, a move toward Runet isolation would have great security implications for the United States and Europe because it will shift Russia’s approach to cyber behavior. Some key issues in operationalizing the isolation include high costs, perceptions of Western values, and the potential to create more assertive cyberattacks abroad. Such a shift by Russia would “harm human rights, shift and increase security risks to the United States and Europe, and possibly undermine the cybersecurity of the Russian internet in the process.”[81]

4. The EU’s Approach Under the Digital Services Act

The EU prefers regulation over outright bans, requiring transparency and accountability for tech companies. One such regulatory tool is the Digital Services Act (DSA) which applies to “intermediaries,” defined to include social media platforms, search engines, online marketplaces, and online service providers, whose services are used by EU citizens.^[82] The Act empowers the European Commission to designate certain entities as “very large online platforms” (VLOPs) and “very large online search engines” (VLOSEs), and requires online platforms to provide transparency reports, appoint points of contact and legal representatives, updates to terms and conditions, and content moderation policies.^[83]

Ultimately, the U.S. stance is shifting toward India’s approach of selective bans but risks resembling Russia’s regulatory controls with increasing regulation and specific targeting of foreign apps and companies. The United States approach centers on free speech, free internet, and incentives to innovate from regulators, but such an approach is not one-size-fits-all.

IV. The Risk of Internet Splintering: U.S., China, and the Global Digital Divide

A. The Rise of “Cyber-Sovereignty” as a Challenge to a Free Internet

As discussed, China and Russia largely advocate for government-controlled internet models while the U.S. and E.U., in contrast, promote an open internet with a growing list of imposed restrictions. A country that engages in net nationalism “views the country’s internet primarily as a tool of state power,” where “economic growth, surveillance, and thought control … are the internet’s most important functions.”^[84] A classic example of this is internet censorship and surveillance systems which regulate and control access to foreign websites, online content, and certain keywords. This type of internet governance will increase the trend toward a “splinternet”[85] where the availability of certain apps and websites will depend entirely on geographic location and geopolitical ties.

In essence, digital sovereignty is the exercise of control over the internet and many countries are competing for such control. The potential splintering will have great effects on international companies and how they approach business. With differing and perhaps more restrictive measures, doing business could become so complicated that the world would “launch into a technological dark age, where global connectivity would no longer be the norm.”^[86] The “splinternet” would force companies to have to pick a side: align with the U.S. internet or choose the Chinese internet. Instead, tech companies must work together on developing workable solutions and best practices concerning data security issues. Without industry-wide alignment, net nationalism will emerge and the consequences will have lasting impacts.^[87]

B. China’s “Great Firewall” and Internet Governance Model

China blocks Western platforms like Google, Facebook, and Twitter and its digital economy thrives on domestic alternatives like WeChat and Weibo. The country takes a multifaceted approach to digital sovereignty by controlling its physical infrastructure, regulating content, balancing negative impacts to the economy, and building national support for digital sovereignty.^[88] This infrastructure is dubbed the “Great Firewall,” which is the government blocking access to specific content for Chinese citizens. The country’s approach to internet governance can be described as “state-centric multilateralism,” with power maintained by states and not private actors.^[89] The government is empowered to censor “subversive,” “harmful,” “obscene,” or “malicious” content, but exactly what information violates the law remains unclear.[90]

China also has sought to maintain an edge in industry and infrastructure, evidenced by its efforts to advance and develop trade connections and physical infrastructure with developing countries through its “Digital Silk Road.” This has been done through increasing internet access for countries in Africa and Eurasian countries and promoting collaborations in e-commerce and artificial intelligence (AI). By creating soft power for Chinese technology, the country is able to create new markets as a direct response to blockages in other countries.[91]

The current trajectory suggests a future where the internet is divided along geopolitical lines, and such division would undermine global innovation and free information exchange. The World Wide Web Foundation, a coalition joined by Amazon, Facebook, Microsoft, Twitter, and others, has warned against “internet fragmentation” and “techno-protectionist initiatives,” while the Internet Society believes that “having a government dictate how networks interconnect according to political considerations rather than technical considerations, runs contrary to the very idea of the Internet.”^[92] In sum, this regulatory landscape can be viewed on a spectrum “with the United States described as a light touch, the European Union as prescriptive with conditional transfer, and China as being categorized into the restrictive or guarded approach.”^[93] As relations between the U.S. and China continue to decline and net nationalism takes center stage, companies must prepare for a potential splintering.

V. The Case for Balanced Data Sovereignty

A. The Necessity of National Control Over Sensitive Data

There is a new era of communication technology and information protectionism. Digital data has taken on a unique quality with respect to cross-border data flows given the fact that data is ever-more valuable, it is often stored in a different location than the user is located, users have no control over where that storage is, and they often have no knowledge of where it’s located or which jurisdiction controls it.^[94] These tensions highlight concerns over data collection and privacy, but also show that fears over the potential influence of ideas and viewpoints from adversarial foreign governments have “re-emerged in the national security and speech debate.”^[95] There exists growing fear that this might further justify communication and tech infrastructure that hinders access to information under the guise of national security.

The U.S. Intelligence Community could borrow from the EU’s DSA risk-based model and “work to identify those categories of personal data that would provide the greatest marginal benefits to Chinese spy agencies”^[96] and direct restrictions according to that risk. Doing so would allow the government to accept more risk for other, less sensitive types of data.^[97] In addition, companies could seek to establish multilateral data sharing agreements and continue to develop and implement standardized compliance measures to self-regulate. Lastly, governments must encourage international regulatory cooperation to avoid retaliatory bans. Other suggestions for mitigating national security concerns with foreign tech companies include ensuring that only U.S. citizens have access to critical company infrastructure, requiring independent audits, and having a more open relationship with regulators.^[98] American companies will need to provide greater transparency to users about how they handle their data, particularly where it’s stored, if data is sold to third parties, and when or if companies would have to provide data to the government or law enforcement.^[99]

B. A Risk-Based Approach to Data Governance Instead of Outright Bans

Instead of bans, governments could require foreign tech companies to adopt stronger transparency measures. A risk-based model would avoid excessive restrictions while addressing security concerns, ensuring safety and transparency. Such an approach would “[avoid] excessive limitations on trade while focusing on legal intervention specifically designed for cases where there are valid reasons for concern or when such concerns are likely to arise soon.”^[100] Theorizing risk in this way would reduce compliance burdens for companies with low-risk data and also lighten the regulatory load for enforcement. By adopting a calculated approach to understanding data flow and associated risk, the government can maintain global relations and digital trade. In this way, “the more explicit policymakers are about the anticipated timing of specific threats the easier it will be for the government to properly allocate resources.”[101] Another way to clarify the importance of such threats is “to specify whether the issue demands proactive measures, defensive responses, or a mix of both.”^[102]

VI. Conclusion

In closing, data sovereignty is essential now that data protection has become a focus of geopolitics. But we must continue to be wary of the reality of a fragmented internet. The internet does not conform to national borders and current processes and global cooperation requires voluntary collaboration among actors and networks. The TikTok case highlights the challenges of balancing national security with digital openness and identifies the need for governments to develop cooperative frameworks to ensure the internet remains a shared global resource. New restrictions on cross-border data flows are emerging each day and such sweeping restrictions have been shown to expand the potential for a country’s surveillance capabilities and eventual erosion of human rights. Tech companies may need to self-regulate in order to combat net nationalism and address workable solutions to modern data exchange. For now, it is likely that data flows to and from China will be subject to strict regulatory constraints.

 

References

[1] Protecting Americans from Foreign Adversary Controlled Applications Act, H.R. 7521, 118th Cong. (2024).

^[2] Lindsay Willson, Tiktok v. Trump: The “Renegade” of Digital Fair Trade, 24 Or. Rev. Int’l L. 263, 265 (2023).

^[3] Joe Swain, Can the U.S. Government Sanction Tiktok Like It Is Iran’s Nuclear Program?, B.C. Intell. Prop. & Tech. F., 1, 5 (2021).

^[4] Id.

^[5] Americans’ Social Media Use, Pew Research Center, Washington, D.C. (Jan. 31, 2024), https://www.pewresearch.org/internet/2024/01/31/americans-social-media-use/.

^[6] Willson, supra note 2.

^[7] Id.

^[8] Anupam Chander & Haochen Sun, Sovereignty 2.0, 55 Vand. J. Transnat’l L. 283, 292-93 (2022).

^[9] Adrian Shahbaz, Allie Funk, & Andrea Hackl, User Privacy or Cyber Sovereignty?, Freedom House (July 2020), https://freedomhouse.org/report/special-report/2020/user-privacy-or-cyber-sovereignty.

^[10] Navigating Digital Sovereignty and its Impact on the Internet, Internet Society (Dec. 2022), https://www.internetsociety.org/wp-content/uploads/2022/11/Digital-Sovereignty.pdf.

^[11] Id. at 27.

^[12] Id.

^[13] Chander, supra note 8, at 287.

^[14] Shahbaz, supra note 9.

^[15] Internet Society, supra note 10, at 15.

^[16] Id.

^[17] Robert L. Rembert, Tiktok, Wechat, and National Security: Toward A U.S. Data Privacy Framework, 74 Okla. L. Rev. 463, 486 (2022).

^[18] Chander, supra note 8, at 299.

^[19] Roxana Vatanparast, Data Governance and the Elasticity of Sovereignty, 46 Brook. J. Int’l L. 1, 21 (2020); Shahbaz, supra note 9, at 3 (Under article 45 of the GDPR, international data transfers of personal data can take place only if the receiving country has adequate protections in place).

^[20] Rembert, supra note 17, at 488.

^[21] Id. at 2.

^[22] Vatanparast, supra note 18, at 26.

^[23] Id.

^[24] Id.

^[25] Ryan Junck et al., China’s New Data Security and Personal Information Protection Laws: What They Mean for Multinational Companies, Skadden Publication (Nov. 3, 2021), https://www.skadden.com/insights/publications/2021/11/chinas-new-data-security-and-personal-information-protection-laws.

^[26] Id.

^[27] Id.

^[28] W. Gregory Voss & Emmanuel Pernot-Leplay, China Data Flows and Power in the Era of Chinese Big Tech, 44 Nw. J. Int’l L. & Bus. 1, 52 (2024).

^[29] Id. at 46-47.

^[30] Id. at 47.

^[31] Bernard Horowitz & Terence Clark, TikTok v. Trump and the Uncertain Future of National Security-Based Restrictions on Data Trade, 13 Nat’l Sec. L. & Pol’y 61, 82 (2022).

^[32] James Andrew Lewis, TikTok and National Security, CSIS (Mar. 13, 2024), https://www.csis.org/analysis/tiktok-and-national-security.

^[33] Rembert, supra note 17, at 473.

[34] Swain, supra note 3, at 3.

^[35] Exec. Order No. 13873, Securing the Information and Communications Technology and Services Supply Chain, 84 Fed. Reg. 22689 (May 15, 2019).

[36] Id, at Sec. 2(a).

^[37] Exec. Order No. 13942, 85 Fed. Reg. 48637 (2020).

^[38] Exec. Order No. 13943, 85 Fed. Reg. 48642 (2020).

[39] Supra note 35.

[40] Id.

[41] See Rembert, supra note 17 (“Under Chinese law, the Chinese government may compel companies in China to turn over users’ personal data, and there has been growing U.S. concern that subsidiaries of Chinese companies operating in the United States can transfer U.S. citizens’ personal data to parent companies subject to data requests from the Chinese government.”).

^[42] Id. at 474.

^[43] Swain, supra note 3, at 11.

[44] 50 U.S.C. §§ 1701-07 (1977).

[45] 84 C.F.R. 51327 §801.101 (2018).

^[46] 50 U.S.C. § 1701.

[47] Id. at § 1702(a)(B).

^[48] Ru Hochen, When Your Apps Threaten National Security-A Review of the Tiktok and Wechat Bans and Government Actions Under Ieepa and Firrma, 16 Brook. J. Corp. Fin. & Com. L. 193, 198 (2021).

^[49] 50 U.S.C. § 1702(b)(1).

^[50] Id. at (b)(3).

^[51] Hochen, supra note 48, at 201.

^[52] Gabrielle Supak, Political Posturing or A Move Towards “Net Nationalism?”: The Legality of A TikTok Ban and Why Foreign Tech Companies Should Be Paying Attention, 22 N.C. J. L. & Tech. 527, 541 (2021) (quoting U.S. Dep’t of Treasury, Fact Sheet: Final CFIUS Regulations Implementing FIRRMA 3 (Jan. 13, 2020), https://home.treasury.gov/system/files/ 206/Final-FIRRMA-Regulations-FACT-SHEET.pdf [https://perma.cc/7GFL-YBND]).

^[53] Id.

^[54] Stephen P. Mulligan, Cong. Rsch. Serv., LSB 10940. Restricting TikTok (Part I): Legal History and Background 3 (2023), https://crsreports.congress.gov/product/pdf/LSB/LSB10940 (The negotiations focused on three risk areas: 1) the risk of Chinese access to data on U.S. citizens, 2) the risk of influence on content by the Chinese government, and 3) the risk that TikTok maintains untrustworthy software and systems.).

^[55] Id.

^[56] Matt Perault & Samm Sacks, Project Texas: The Details of TikTok’s Plan to Remain Operational in the United States, LawFare (Jan. 26, 2023), https://www.lawfaremedia.org/article/project-texas-the-details-of-tiktok-s-plan-to-remain-operational-in-the-united-states.

[57] Id.

^[58] Id.

^[59] Jon Bateman, U.S.-China Technological “Decoupling,” Carnegie Endowment for Int’l Peace 5 (2022) https://carnegie-production-assets.s3.amazonaws.com/static/files/Bateman_US-China_Decoupling_final.pdf.

^[60] Amy Howe, Supreme Court Upholds TikTok Ban, SCOTUS Blog (Jan. 17, 2025, 11:09 AM), https://www.scotusblog.com/2025/01/supreme-court-upholds-tiktok-ban/.

^[61] Id.

^[62] Yuan Gao & Edwin Chan, Huawei’s Pivotal Role in the US-China Tech War, from 5G to Chips, Bloomberg (May 2, 2024, 12:46 PM), https://www.bloomberg.com/news/articles/2024-04-29/huawei-s-growing-role-in-the-us-china-tech-war-from-5g-to-semiconductors; Noah Berman et. al., Is Huawei a Threat to U.S. National Security?, CFR (Feb. 8, 2023, 1:00 PM), https://www.cfr.org/backgrounder/chinas-huawei-threat-
us-national-security.

^[63] Gao, supra note 62 (“In 2023, the company, long a leader in networking and mobile technology, also leapt to the forefront of China’s nationwide semiconductor effort.”).

^[64] Id.

^[65] Id.

^[66] Voss, supra note 28, at 17.

^[67] Id. (“Grindr was sold to San Vicente Acquisition in March 2020.”).

^[68] Alex Travelli & Suhasini Raj, What Happened When India Pulled the Plug on TikTok, New York Times (Apr. 25, 2024), https://www.nytimes.com/2024/03/22/business/tiktok-india-ban.html.

^[69] Krutika Pathi, Here’s What Happened When India Banned TikTok, PBS (Apr. 24, 2024, 11:30 AM), https://www.pbs.org/newshour/world/heres-what-happened-when-india-banned-tiktok.

^[70] Travelli, supra note 60.

^[71] Thomas Germain, The Ghosts of India’s TikTok: What Happens When a Social Media App is Banned, BBC (Dec. 6, 2024), https://www.bbc.com/future/article/20240426-the-ghosts-of-indias-tiktok-social-media-ban. (“There are numerous reasons for China’s response to the Indian ban. One is the fact that India’s tech industry is essentially non-existent in China. America’s tech industry, on the other hand, offers plenty of opportunities for a reciprocal attack. China has already launched an effort to “delete America” and replace US technology with domestic alternatives.”).

^[72] Id.

^[73] Id.

^[74]  Travelli, supra note 60 (“The country is now the biggest market for both YouTube (almost 500 million monthly users) and Instagram (362 million), with roughly twice as many users as either has in the United States, though they earn far less revenue per consumer.”).

^[75] Andrew Chow, Here’s What Happened When India Banned TikTok, TIME (Jan. 18, 2025, 12:24 pm), https://time.com/7208112/what-happened-when-india-banned-tiktok/.

^[76] Supra note 8, at 300 (quoting Jane Wakefield, Russia ’Successfully Tests’ Its Unplugged Internet, BBC News (Dec. 24, 2019), https://www.bbc.com/news/technology-50902496 (quoting Professor Alan Woodward)).

^[77] Justin Sherman, Reassessing RuNet: Russian Internet Isolation and Implications for Russian Cyber Behavior, Atlantic Council (July 12, 2021), https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/reassessing-runet-russian-internet-isolation-and-implications-for-russian-cyber-behavior/.

^[78] Id.

^[79] Id. (quoting Ronald Deibert & Rafal Rohozinski, Control and Subversion in Russian Cyberspace, in Access Controlled: The Shaping of Power, Rights, and Rule in Cyberspace 16 (Ronald Deibert, et. al. ed., 2010)).

^[80] Sherman, supra note 69.

[81] Id.

^[82] Regulation 2022/2065, of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and Amending Directive 2000/31/EC (Digital Services Act), 2022 O.J. (L 277) Art. 3(g); Grant Baker, “The EU Digital Services Act: A Win for Transparency,” Freedom House (Apr. 4, 2024), https://freedomhouse.org/article/eu-digital-services-act-win-transparency.

^[83] “The Digital Services Act: Practical Implications for Online Services and Platforms,” Latham & Watkins LLP, https://www.lw.com/admin/upload/SiteAttachments/Digital-Services-Act-Practical-Implications-for-Online-Services-and-Platforms.pdf (last visited Mar. 30, 2025).

^[84] Supak, supra note 45, at 558 (quoting Tim Wu, A Tik Tok Ban is Overdue, N.Y. Times (Aug. 18, 2020), https://www.nytimes.com/2020/08/18/ opinion/tiktok-wechat-ban-trump.html [https://perma.cc/G625-DWUW]).

[85] Id. at 564.

^[86] Id.

^[87] Id. at 568.

^[88]  Supra note 8, at 294.

^[89]  Id. at 295.

[90] Chander, supra note 31, at 297.

[91] Id. at 298.

^[92] Bateman, supra note 51, at 39 (quoting Internet Society Statement on U.S. Clean Network Program, Internet Society (Aug. 7, 2020), https://www.internetsociety.org/news/statements/2020/internet-society-statement-on-u-s-clean-network-program/).

^[93] Voss, supra note 28, at 66.

^[94] Vatanparast, supra note 19, at 15.

^[95] Michael Park, A Fear of Ideas? Social Media, Foreign Influence, and National Security in A New Era of Great-Power Competition, 35 Fordham Intell. Prop. Media & Ent. L.J. 244, 249 (2025).

^[96] Bateman, supra note 51, at 67.

^[97] Id.

^[98] Supak, supra note 45, at 569.

^[99] Id.

^[100] Daniel Leufer & Fanny Hidvegi, The Pitfalls of the European Union’s Risk-Based Approach to Digital Rulemaking, 71 UCLA L. Rev. Discourse 156, 165 (2024).

[101] Daniel Drezner, How Everything Became National Security And National Security Became Everything,  Foreign Affairs (Aug. 12, 2024) https://www.foreignaffairs.com/united-states/how-everything-became-national-security-drezner.

^[102] Id.