Executive Order Rescinds TikTok and WeChat Prohibitions But Continues to Focus on Vulnerabilities in the ICTS Supply Chain

On June 9, the President issued an Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries (EO 14034), rescinding three executive orders issued in the previous administration that prohibited transactions with the mobile applications TikTok and WeChat and eight other Chinese-developed and -controlled applications.  At the same time, the EO makes clear that the current administration remains focused on protecting the information and communications technology and services (ICTS) supply chain against threats from foreign adversaries, defined to include China, as set forth in the May 2019 Executive Order 13873 (Securing the Information and Communications Technology and Services Supply Chain) and its implementing regulations.  The EO also identifies criteria for the Department of Commerce to use in evaluating the risks of a connected software application.

Rescission of Executive Orders 13942, 13943, and 13971

With the promulgation of the new EO, there are no longer any current prohibitions that would affect users of either the WeChat or TikTok mobile applications.  According to the fact sheet  accompanying the new EO, the Department of Commerce should instead evaluate foreign adversary connected software under the rules published to implement Executive Order 13873. 

As we discussed here, EOs 13942 (Addressing the Threat Posed by TikTok, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain) and 13943 (Addressing the Threat Posed by WeChat, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain), would have prohibited U.S. persons from engaging in transactions with TikTok and WeChat, respectively.  The prohibitions implementing those orders as announced by the Department of Commerce on September 18, 2020, had been enjoined in their entirety nationwide pending litigation.

A third executive order issued on January 5, 2021 (Addressing the Threat Posed by Applications and Other Software Developed or Controlled by Chinese Companies), prohibited transactions with persons that develop or control eight Chinese connected software applications, including Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office.  We discussed that order here.  Implementing regulations had not yet been introduced.  

Notably, this month’s EO did not revoke an order also issued in August 2020 that directed ByteDance Ltd. to divest all of its interests in TikTok.  Although the divestiture deadline has passed, presumably the Committee on Foreign Investment in the United States (CFIUS) remains in discussions with the company. 

Continued Focus on ICT and Software Applications

Citing the ongoing national emergency set forth in EO 13873, the new order underscores the concern that “connected software applications can access and capture vast swaths of information from users, including United States persons’ personal information and proprietary business information.”  Such data collection, according to the order, presents a significant risk should foreign adversaries obtain access to it.   

In this context, the EO sets forth several risk factors for the Commerce Department to use in evaluating ICTS transactions involving software applications that may present an undue or unacceptable national security risk, in addition to those previously identified in EO 13873 and the Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain, which took effect on March 22, 2021 (see our previous analysis of that rule and the related advanced notice of proposed rulemaking here and here).  Those risk factors include:

• ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
• use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
• ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
• ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
• a lack of thorough and reliable third-party auditing of connected software applications;
• the scope and sensitivity of the data collected;
• the number and sensitivity of the users of the connected software application; and
• the extent to which identified risks have been or can be addressed by independently verifiable measures.

The new order also directs the Secretary of Commerce, in consultation with the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Health and Human Services, the Secretary of Homeland Security, the Director of National Intelligence, and the heads of other agencies as the Secretary of Commerce deems appropriate (the “agencies”), to provide two reports as follows:

1. The first report, due 120 days from the date of the new order, shall contain recommendations to protect against harm from the unrestricted sale of, transfer of, or access to United States persons’ sensitive data, including personally identifiable information, personal health information, and genetic information, and harm from access to large data repositories by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.  The Director of National Intelligence and the Secretary of the Department of Homeland Security are directed to prepare threat and vulnerability assessments, respectively, to support the report. 
2. The second report, due 180 days from the date of the new order, shall recommend additional executive and legislative actions to address the risk associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.

Conclusion

While the new EO rescinds the three EOs targeted at specific mobile and software applications, including WeChat and TikTok, it reaffirms the concerns set forth in EO 13873, premised upon the same national emergency as the now-rescinded EOs, and directs the Commerce Department to use “rigorous, evidence-based analysis” to address any risks that such platforms present.  It subsequently further affirms the use of the regulations implementing EO 13873 to specifically include reviews of transactions involving software applications “that may pose an undue risk of sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States” or “pose an undue risk of catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States,” in addition to more general undue or unacceptable risks to national security.  As such, the EO clearly signals that the administration continues to prioritize addressing national security concerns in the ICTS supply chain, and will continue to use the rules implementing EO 13873 and other regulatory and legislative solutions to address those concerns.