On June 9, 2021, the White House issued a new Executive Order (EO) that revokes three Executive Orders issued in 2020 and early 2021 that were aimed specifically at TikTok, WeChat, and eight other China-linked communications and financial technology software applications.
In place of these EOs, the new EO, “Protecting Americans’ Sensitive Data from Foreign Adversaries,” builds on steps the US Commerce Department has already taken under EO 13873 of May 15, 2019, to protect the information and communications technology and services (ICTS) supply chain against threats from China and other identified foreign adversaries.
As a result of the new EO, the US government will further analyze the risks arising from the use of applications such as TikTok and WeChat – including risks related to the security of Americans’ sensitive data — and could take further steps to mitigate those risks, either through existing ICTS regulations or through additional executive and legislative actions.
Repeal of Three Prior Executive Orders
Section 1 of the new EO repeals three prior Executive Orders: EO 13942 of August 6, 2020 (which directed the US Commerce Department to prohibit certain transactions related to ByteDance/TikTok), EO 13943 of August 6, 2020 (which similarly directed the Commerce Department to prohibit certain transactions related to WeChat), and EO 13971 of January 5, 2021 (which directed the Commerce Department to prohibit certain transactions with the persons who control or develop eight other software applications linked to China).
Pursuant to EOs 13942 and 13943, the Commerce Department published rules in September 2020 that identified prohibited WeChat- and ByteDance-related transactions. Among other prohibited transactions, downloads and hosting of the WeChat and TikTok applications in the United States were to be prohibited. Opponents of these new rules soon brought challenges in US courts and ultimately won injunctions that prevented the rules from taking effect. No rules were published to implement EO 13971.
Under section 2(a) of the new EO, the Commerce Department’s September 2020 rules on WeChat- and ByteDance-related transactions must be rescinded.
New Framework
While the new EO revokes the three prior Executive Orders, it provides new means to reach similar ends – namely, protecting sensitive U.S. data and addressing other national security risks created by apps from identified foreign adversaries.
- Further analysis and recommendations: Under section 2(b) of the EO, the Secretary of Commerce – in consultation with other relevant agencies – must submit a report to the National Security Advisor with recommendations to protect against two identified harms: “harm from the unrestricted sale of, transfer of, or access to United States persons’ sensitive data” and “harm from access to large data repositories by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.” This report is due by October 7, 2021. Under section 2(c) of the EO, the Secretary of Commerce – again in consultation with other relevant agencies – must submit a second report recommending additional executive and legislative actions to address the risks posed by connected software applications that are designed, manufactured, or supplied by persons owned, controlled, or under the jurisdiction or direction of a foreign adversary. The second report is due by December 6, 2021.
- Continuing evaluation of connected software applications under EO 13873 and the ICTS regulations: Section 2(d) of the new EO requires the Secretary of Commerce to evaluate, on a continuing basis, transactions involving connected software applications that may pose unacceptable risks to US national security, and to take appropriate action under EO 13873 and its implementing regulations (the ICTS regulations). Those regulations, issued as an interim final rule in January 2021 with effect from March 2021, empower the Commerce Department to (i) identify transactions where the acquisition or use of information and communications technology and services linked to foreign adversaries poses unacceptable national security risks, and (ii) impose restrictions on those transactions, or prohibit them altogether.
Conclusion
The new EO reflects continuity in the US government’s view that a national security risk arises from transfers of sensitive personal or commercial data, including transfers that occur through connected software applications linked to foreign adversaries. It also signals that the Biden administration believes the remedies attempted in 2020 regarding TikTok and WeChat (such as attempting to bar downloads of those popular applications) infringed excessively on other fundamental interests, such as freedom of communication.
Although the three EOs that took aim at TikTok, WeChat, and other China-linked applications have been revoked, the new EO reinforces the application of the ICTS regulations to connected software applications, and sets in motion a new policymaking process that could lead to more narrowly tailored restrictions on the handling of sensitive US data by applications linked to China and other identified US adversaries.