
Two New Bills on TikTok and Beyond: The DATA Act and RESTRICT Act

Justin Sherman
Wednesday, March 22, 2023, 2:49 PM

Ahead of TikTok CEO Shou Zi Chew’s testimony to the House, two new bills to place restrictio

TikTok on an iPhone. (Plann, https://tinyurl.com/8f9hp2ae; CC BY-NC 4.0, https://tinyurl.com/mrvvrkyr)

Published by The Lawfare Institute in Cooperation With Brookings

According to several media reports, the Biden administration has demanded that ByteDance sell TikTok to a U.S. owner or have TikTok face a complete ban on its U.S. operations. This comes right before TikTok CEO Shou Zi Chew will testify on March 23 to the House Committee on Energy and Commerce. Meanwhile, a flurry of legislation around TikTok and non-U.S. technology companies, products, and services adds to the saga around the app.

On Feb. 24, Rep. Michael McCaul (R-Texas) introduced the Deterring America’s Technological Adversaries (DATA) Act, which would provide the president with more authorities to block transactions associated with the import or export of Americans’ “sensitive data” where there are national security risks. The bill quoted previous, public comments from FBI Director Christopher Wray, Director of National Intelligence Avril Haines, and CIA Director Bill Burns that they believe TikTok presents national security risks to the United States. 

Just a few weeks later, on March 7, Sen. Mark Warner (D-Va.) and Sen. John Thune (R-S.D.), along with 10 other senators, introduced the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act. It would authorize the secretary of commerce to review and prohibit certain transactions between persons in the U.S. and foreign adversaries, focused on information and communications technologies (ICTs) that pose risks to U.S. national security—put simply, investigating tech products and services that could pose national security risks. The bill did not name TikTok specifically, but it was clearly one of the companies in mind when the bill was written: Thune’s press comments on the bill mentioned TikTok seven times, and the other co-sponsors mentioned TikTok in press comments as well. The bill could lead to restrictions on TikTok and non-U.S. technology companies, products, and services.

These bills further crowd the legislation on the table in the past couple of years to potentially ban TikTok and other technology companies from operating in the U.S. The RESTRICT Act, in particular, advances a more detailed risk framework for how the Commerce Department would initiate and conduct security reviews of covered, foreign-linked ICTs. Both bills raise questions about the executive power to block or restrict tech companies, products, and services that potentially deliver information to people in the U.S.

There are many elements to the DATA Act and the RESTRICT Act, in the context of the U.S. debates about TikTok, the previously introduced ANTI-SOCIAL CCP Act, and well beyond. (There is a separate article to be written just about these bills’ acronyms.) At their core, the legislative proposals take different approaches to the issue set, including the RESTRICT Act’s proposed framework for understanding the security risks posed by certain tech companies, products, and services.

Significantly, the White House has also broken its relative silence on TikTok by issuing a statement of support, from the president’s national security adviser, for the RESTRICT Act. The release did not name TikTok explicitly. But it strongly urged Congress to pass this bill, which—as part of its new authority-granting to the executive branch—could enable the executive branch to pursue a range of restrictions on apps like TikTok. Meanwhile, congressional opinions on a TikTok ban are widespread and shifting. But White House endorsement for the RESTRICT Act does increase the likelihood there will be more congressional support for the legislation—and it could become the path forward, at least for now, with respect to TikTok’s U.S. operations (although that is still uncertain).

While no proposal is going to be perfect, the RESTRICT Act improves significantly on several past proposals through its risk framework, spectrum of possible responses to risks, and provisions for the U.S. government to declassify evidence of security risks. The implications for U.S. policy on non-U.S. tech companies, products, and services are major and could persist for years.

The DATA Act

The DATA Act takes another swing at the president’s ability to invoke the International Emergency Economic Powers Act (IEEPA) to ban TikTok in the United States. This is the authority that former President Trump invoked in August 2020 when he signed two executive orders that attempted to ban, respectively, TikTok and WeChat in the U.S., citing national security risks. (The TikTok order was later overturned in the courts, and President Biden withdrew the TikTok and WeChat orders in June 2021.) One of the core challenges with this IEEPA approach to banning TikTok has been the “Berman amendments,” or IEEPA’s 50 U.S.C. § 1702(b)(3) provision: It excludes from the president’s IEEPA authorities the ability to prohibit transactions related to “any information or informational materials,” irrespective of the “format or medium of transmission.” Obviously, TikTok is a company whose platform transmits information.

TikTok in fact cited the Berman amendments in its 2020 court filings challenging the Trump ban, writing in TikTok Inc. et al. v. Donald J. Trump in the U.S. District Court for the District of Columbia that “plaintiffs contend that the Secretary’s prohibitions on the transactions identified in the Commerce Identification represent, at a minimum, the indirect regulation of information materials and personal communications.” The D.C. District Court upheld this claim, finding that “plaintiffs have established that the government likely exceeded IEEPA’s express limitations as part of an agency action that was arbitrary and capricious.” Before that ruling, the U.S. District Court for the Eastern District of Pennsylvania, ruling in Marland v. Trump (2020), a separate lawsuit against the ban brought by TikTok users, found that “because the Identification works to, at minimum, indirectly regulate the exchange of informational materials, it violates IEEPA.” The Berman amendments have been a point of concern for politicians interested in having the president invoke IEEPA again to try to ban TikTok.

To modify this IEEPA restriction, the DATA Act states that the import or export of “sensitive personal data” does not meet the definition of the import or export of “information or informational materials” under IEEPA. It also states explicitly that the direct or indirect import or export of “sensitive personal data” to or from China does not fall under that same IEEPA category. Simply put, the bill tries to carve out “sensitive data” from “information or informational materials,” theoretically addressing the challenge of invoking IEEPA to ban a transaction associated with importing or exporting Americans’ sensitive personal data. (Interestingly, this speaks directly to a point raised by the D.C. District Court in TikTok Inc. et al. v. Donald J. Trump in 2020—that “nothing in § 1708 shows that Congress created a cyber-espionage exception to the informational-materials limitation.”)

There are certainly real national security risks associated with many exports of data on U.S. persons. That said, TikTok collects and transmits both data (such as statistics on users’ daily app usage) and information (such as videos themselves), so it is not clear how much this would empower the president to hypothetically use IEEPA against TikTok. The distinction between “data” and “information” is also interesting and important: For instance, if a user posts a TikTok video describing a health condition of theirs (which happens more than one might think), would that be considered data (for example, health data on a specific medical attribute), or information (because it is part of video content), or both? This distinction could be incredibly tricky to articulate in some cases—and if the bill was passed, many of the debates about IEEPA use against foreign social media platforms and apps could feasibly center on these definitions. Proposing a change to IEEPA’s “informational materials” restriction also raises complicated domestic and foreign policy questions. Those questions span competitiveness, U.S. international economic policy, and executive authority, among others. Amending the Berman amendments in this fashion would impact national security in not just a narrow, tech-focused sense.

For defining “sensitive personal data,” the DATA Act points to 15 CFR § 7.2, the Treasury Department’s final rulemaking on the Foreign Investment Risk Review Modernization Act (FIRRMA) of 2018. FIRRMA expanded the authorities of the Committee on Foreign Investment in the United States (CFIUS)—which screens foreign investments in the U.S. for security risks—and increased CFIUS’s focus on data and technology risks. The DATA Act therefore uses the Treasury Department’s recent regulations on how to define sensitive data. Those “sensitive data” FIRRMA regulations cover, for instance, many forms of genetic data as well as “personally identifiable information” focused on finances, health, and location.

Some parts of the bill draw on existing work concerning the national security risks of certain tech companies, products, and services—like FIRRMA regulations on sensitive data—but it still has elements, like the proposed IEEPA amendment, that raise significant policy questions. It is fairly close, substantively speaking, to the ANTI-SOCIAL CCP Act.

 

The RESTRICT Act

The RESTRICT Act would establish a framework for the secretary of commerce to review covered, foreign-linked ICTs for national security risks and then develop options that could range from no action to restrictions on a tech company, product, or service. It has some broad elements—and much remains to be seen about how the legislation is received—but its risk framework, spectrum of responses, and provisions for the U.S. government to declassify evidence of security risks make it a much stronger bill on non-U.S. tech companies, products, and services than most (if not all) of what Congress has seen in recent years.

In the press release on the bill, Warner said that “we need a comprehensive, risk-based approach that proactively tackles sources of potentially dangerous technology before they gain a foothold in America, so we aren’t playing Whac-A-Mole and scrambling to catch up once they’re already ubiquitous.” Thune said that “Congress needs to stop taking a piecemeal approach when it comes to technology from adversarial nations that pose national security risks” and “needs a process in place to address those risks.”

Importantly, the RESTRICT Act defines a “covered entity” as a foreign adversary; “an entity subject to the jurisdiction of, or organized under the laws of, a foreign adversary”; or “an entity owned, directed, or controlled by a person” that falls under the prior two categories. The bill defines a “foreign adversary” as “any foreign government or regime”—per the secretary of commerce and based on the risks discussed later in the bill (and below)—that has “engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of United States persons.” It explicitly designates China, Cuba, Iran, North Korea, Russia, and Venezuela as countries on the list, with the potential for them to be removed pursuant to the later-discussed risk criteria.

A covered ICT “holding entity” is defined as any entity that (a) owns, controls, or manages ICT products or services and that (b) at any point in the year prior to review has at least 1 million annual, U.S.-based active users or had more than 1 million units sold to U.S. persons. The 1-million-people figure seems to be a theme in these kinds of laws and policies; it appears in several bills on foreign data risks as well as in FIRRMA in 2018. Of course, it begs the question of whether 1 million Americans is the right threshold to denote an enhanced national security risk—and who came up with the 1-million-people figure in the first place.

The bill identifies five main categories of risks—covered transactions that:

  1. Pose an undue or unacceptable risk of:
    1. Sabotage or subversion of ICT products and services in the U.S.
    2. Catastrophic effects on the security or resilience of U.S. critical infrastructure or the U.S. digital economy.
    3. Interfering in or altering the result or reported result of a U.S. federal election (as determined by a specified group of executive branch agencies).
    4. Coercive or criminal activities by a foreign adversary designed to undermine democratic processes and institutions or steer policy and regulatory decisions in favor of a foreign adversary’s objectives (as determined by the specified group).
  2. Otherwise pose an undue or unacceptable risk to U.S. national security or U.S. persons’ safety.

In some ways, delineating covered transactions is far more precise than some previous policy proposals that blurred together distinct risks, such as the risk of a foreign government using a technology product or service to gather data on Americans with clearances, and the risk of that government influencing a foreign platform’s content moderation practices. Most notably, the Trump administration’s TikTok executive order and its subsequent public messaging failed to make these distinctions clear. At the same time, the bill is much broader than previous ones focused on non-U.S. tech companies, products, and services. The bipartisan ANTI-SOCIAL CCP Act introduced in December 2022—which would compel the president to invoke IEEPA to ban TikTok, exempting that invocation from the Berman restriction—focused on distinctions between a foreign actor gathering data and a foreign actor manipulating content (among other things). By contrast, the RESTRICT Act refers broadly to “sabotage or subversion,” “catastrophic effects” on the U.S. digital economy or U.S. critical infrastructure, election interference, and coercive or criminal activities. Data collection and content manipulation would be just one small part of its scope.

Perhaps this approach is better: The RESTRICT Act focuses on broad risk categories that can encompass a range of ever-changing techniques for digital sabotage, subversion, espionage, and influence; it does not pigeon-hole itself into putting the exact tactics of the day into law, which are sure to change and which a foreign actor could then easily dance around. Simultaneously, the risk categories are incredibly broad. While the definition of something like election interference could be relatively scoped, the fourth risk category, including trying to steer policy and regulatory decisions in a foreign government’s favor, is potentially boundless. It is also easy to imagine industry concerns about the broadness of these categories.

In any case, the bill would require the secretary of commerce to review any covered transactions within 180 days of passage, and then reach a decision within 180 days on whether a transaction poses an undue national security risk. The RESTRICT Act makes a major improvement over the ANTI-SOCIAL CCP Act here by allowing for a spectrum of responses to security risks: The secretary could recommend that a covered transaction be prohibited but could also recommend that “any other action” be taken “to mitigate the effects of the covered transaction.” It would not force analysts and policymakers, when they identify a “risk,” to propose a complete and total ban on the company, product, or service—a too-common approach that imprecisely flattens a variety of risks into a “risk” or “no risk” binary, and then funnels the action into a total ban or no ban. The flip side of this improvement in response options, however, is that the RESTRICT Act is far more comprehensive. It has wider policy implications, would impact far more companies into the future than just TikTok, and could interact with CFIUS, “Team Telecom,” and other executive branch, interagency security review processes in unclear ways. This also demands consideration.

Unlike the DATA Act, which seeks to directly amend IEEPA to limit the Berman amendments’ scope, the RESTRICT Act aims to create a separate set of authorities not subject to those restrictions—superseding the Berman amendments. The bill states in Section 14 that all delegations, rules, regulations, orders, determinations, licenses, or other administrative actions taken under IEEPA and Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain,” shall continue in effect “until modified, superseded, set aside, or revoked under the authority of this Act, without regard to any restriction or limitation under the International Emergency Economic Powers Act.” In this vein, Warner described the RESTRICT Act to Politico as creating a “rules-based process” to short-circuit the Berman amendments and permit presidential restrictions or bans on non-U.S. technologies.

The secretary, if it is “practicable” and consistent with U.S. national security and law enforcement interests, could also work with the director of national intelligence to publish declassified information to explain the reasoning behind a decision. Irrespective of the bill’s tech risk framework, this is a positive and much-needed provision in these kinds of bills. Permitting the executive branch to disclose potentially classified evidence or reasoning behind tech security reviews (of course, if appropriate) could improve transparency to the public, the private sector, and other countries. It also helps reduce the likelihood of a Trump-Huawei-campaign 2.0, where other governments did not trust claims of “national security,” were pushed toward a single “acceptable” option (the U.S. wanted only a complete ban on Huawei 5G equipment), and often did not receive any specific information on supposed risks when they asked.

If the RESTRICT Act were to become law, the secretary of commerce would be obligated to establish regulations articulating the process for these technology security reviews. Similar to CFIUS and other bodies, the relevant executive branch organizations here would conduct reviews, identify scenarios in which they believed there to be an undue or unacceptable national security risk, and refer the final decision to the president. The RESTRICT Act would then allow the president to act—and not by necessarily imposing a complete ban on a tech company, product, or service, as other proposals would have it. Per the bill, the secretary should prioritize reviews where the ICT product or service in question is used in a designated critical infrastructure sector (of which there are 16 in the U.S.), where the review concerns data hosting or computing services with data on more than 1 million U.S. persons within a year prior to review initiation, and more.

Additional provisions cover joint resolutions in the event Congress disagrees with a country’s addition to the “foreign adversary” list and other issues.

 

Will the U.S. Government Actually Ban TikTok?

There has been mixed media reporting on congressional support for a TikTok ban. With the DATA Act, the bill advanced from the House Committee on Foreign Affairs by a vote of 24-16; every Democrat voted no. On Feb. 28, Rep. Gregory Meeks (D-N.Y.), the top-ranking Democrat on the Foreign Affairs Committee, said that he opposed Congress giving the president the authority to ban apps, including TikTok. He said that the DATA Act is “overly broad” and would “damage our allegiances across the globe.” Meeks asserted that he and his staff received little time to “review a bill that would dramatically rewrite the rules-based international economic order.” A spokesperson also said that Meeks wants to wait until CFIUS completes its security review. House Foreign Affairs Committee ranking Republican Michael McCaul, also talking about the DATA Act, said that Democrats “would prefer to defer to the CFIUS process, where we want to move forward as a Congress” (“we” here ostensibly referring to Republicans).

It would be inaccurate (and too simplistic) to suggest there is no bipartisan congressional interest in TikTok as a possible national security risk. Some Democrats who are concerned, though, have a wide variety of perspectives on whether the response should be a total ban. Rep. Raja Krishnamoorthi (D-Ill.) last year co-sponsored the ANTI-SOCIAL CCP Act, which would completely ban TikTok. Sen. Michael Bennet (D-Colo.) wrote Apple and Google in February, asking them to remove TikTok from their app stores for U.S. users; he told NPR that he is concerned about the app and would be willing to consider “what changes [TikTok] would want to try to make the United States feel secure about its presence in our country” but that he hadn’t seen that “so far.” The office of Sen. Warner, who co-led the RESTRICT Act, told Vox in January that he would prefer legislation that establishes a set of standards for any app that falls under certain criteria, instead of just banning a single app or company from the U.S. market—but he has made clear he does in fact support a ban on TikTok. Some members of the Biden administration are clearly pushing for a ban as well. But there still seems to be more interest in TikTok as a national security risk among Republicans than among Democrats; and among Democrats interested in the issue, not all propose a ban. Nonetheless, many legal questions persist, including the aforementioned limitations on IEEPA, possible First Amendment challenges, and questions of whether ByteDance or TikTok would challenge a targeted piece of legislation as a bill of attainder—legislation that determines guilt and inflicts punishment on an identifiable individual without judicial trial.

Significantly, until just recently, the White House had been relatively quiet about the public and policy debate on TikTok—and perceived risks to U.S. national security. This matters because CFIUS does not make a final decision about security reviews per se but instead reaches a finding and makes a recommendation to the president (or submits its conflicted findings to the president). Of course, the White House’s public silence on the CFIUS process is a good thing and a return to long-standing practice; CFIUS reviews are not supposed to be discussed let alone fought in public, like TikTok’s was during the Trump administration. Nonetheless, at some point, President Biden will have to decide whether to attempt to ban TikTok in the U.S.—whether because CFIUS-TikTok negotiations stall or because CFIUS recommends that the president accept or reject a mitigation agreement. It is therefore highly significant, in light of the White House’s lack of major comment on TikTok, that National Security Adviser Jake Sullivan issued a statement in support of the RESTRICT Act the day of its introduction. The release read:

This bill presents a systematic framework for addressing technology-based threats to the security and safety of Americans. This legislation would provide the U.S. government with new mechanisms to mitigate the national security risks posed by high-risk technology businesses operating in the United States. Critically, it would strengthen our ability to address discrete risks posed by individual transactions, and systemic risks posed by certain classes of transactions involving countries of concern in sensitive technology sectors. This will help us address the threats we face today, and also prevent such risks from arising in the future.

It concluded: “We look forward to continue working with both Democrats and Republicans on this bill, and urge Congress to act quickly to send it to the President’s desk.” The press release did not name TikTok or any other company, product, or service. It remains to be seen how much the White House is interested in having more authorities to restrict non-U.S. tech companies, products, and services in the U.S. versus how much it also could be supportive of restrictions on public TikTok use.

Deputy Attorney General Lisa Monaco also released a statement of support for the RESTRICT Act. She stated, “[B]y directing a coordinated and analytic process across the federal government to evaluate risks, the RESTRICT Act would employ a forward-thinking, evidence-based approach in a constantly changing technology landscape. In giving the President and the Secretary of Commerce key authorities to protect the American people, the RESTRICT Act would provide the federal government a strong legal foundation to combat current and evolving threats.” CNN reports that the RESTRICT Act was developed in “close consultation” with the White House National Security Council and the departments of Commerce, Treasury, and Justice. TikTok even issued a statement on the legislation that appears to lightly support the legislation without outright endorsing it: “We appreciate that some members of Congress remain willing to explore options for addressing national security concerns that don’t have the effect of censoring millions of Americans,” spokesperson Brooke Oberwetter said. (Obviously, if given the choice between the two, TikTok would prefer the RESTRICT Act, because it could lead to something less than a ban, over a measure to just ban TikTok from the U.S.)

The coming weeks will indicate how much congressional interest there is in this legislation. The DATA Act is another proposal in a long line looking at TikTok and perceived security risks, but it did not even receive the support of a single Democrat on the House Foreign Affairs Committee. By contrast, the RESTRICT Act has a relatively notable amount of initial support in both parties. Among other open questions is whether White House support will prompt more Democrats to get on board—and whether more Republicans will sign on to the risk framework approach that does not immediately and necessarily impose a ban on TikTok in the U.S. Of course, the other essential player, and arguably the essential player here, is the executive branch. Its interest in the coming weeks in pursuing a TikTok ban or other restrictions will greatly shape this debate.


Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council.
