[co-author: Patrick Diaz*]
On June 9, 2021, President Biden signed an Executive Order (“EO”) revoking Trump’s orders on TikTok and WeChat. In their stead, President Biden’s EO subjects software applications controlled or owned by “foreign adversaries” (i.e., China, Cuba, Iran, North Korea, Russia, and Nicolas Maduro) to a review process led by the Commerce Department to evaluate whether an app presents U.S. national security concerns. This EO fits within the broader confrontation between the United States and China when it comes to emerging technologies, sensitive personal data, and the threats we see from cyberattacks that exploit vulnerabilities in U.S. IT systems.
According to the Biden Administration, the orders issued by Trump (which we discussed here and here) were revoked because they did not provide “intelligible criteria” to evaluate national security risks posed by software applications and therefore were unenforceable. As context, the TikTok and WeChat orders were intensely litigated, though nationwide injunctions of the orders into late summer of 2020. Those cases froze the conflict between the Chinese social media companies and the U.S. government – which is why these apps are still widely available and currently in use in the United States.
Unlike the TikTok and WeChat orders, the recent EO is not directed at any one company. Therefore, any app that is owned by a “foreign adversary” and poses a threat to national security could potentially be subject to restrictions after the Commerce Department review. The review process will be similar to the one outlined in Executive Order (“EO 13873”) related to information and communication technology or services (“ICTS”) involving “foreign adversaries,” where the Commerce Department may prohibit the covered transaction, approve, or approve with conditions (see our discussions about that EO here and here). Ultimately, the end result might be the same: the use of TikTok and WeChat may be restricted in the United States because the U.S. Government determines that TikTok and WeChat pose too great of a national security threat. But, this EO seeks to have a principled review process that would apply to other apps as well (i.e., the next TikTok or WeChat).
What Software Applications will be Covered by the EO?
It’s all about the data. The underlying concern that Trump’s TikTok and WeChat orders were meant to address was the threat posed by Chinese actors having access to sensitive personal data of U.S. citizens. Biden’s EO targets that same concern but covers any app used on mobile devices, tablets, and computers that “collect, process, or transmit data via the internet.” A large swath of apps currently on the market could fall under the purview of the EO. However, a limiting factor is that the apps must also be designed, developed, manufactured, or supplied by persons that are owned or controlled by, or subject to the jurisdiction of a “foreign adversary” – i.e., China, Cuba, Iran, North Korea, Russia, and the Maduro Regime. So, apps like WeChat and TikTok are covered products under the EO.
Criteria for Identifying Apps that May Pose National Security Risks
The EO outlines the following potential indicators of national security risk relating to apps made by foreign adversaries:
||ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
||use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
||ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
||ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
||a lack of thorough and reliable third-party auditing of connected software applications;
||the scope and sensitivity of the data collected
||the number and sensitivity of the users of the connected software application;
||the extent to which identified risks have been or can be addressed by independently verifiable measures.”
Transactions that involve a “heightened risk” would include those apps owned, controlled or managed by people supporting foreign adversary military or intelligence service or when the apps collect sensitive personal data.
So… What Now?
It seems clear that the EO is primarily targeted at apps owned by Chinese companies. Russian apps may also be a concern – we have seen significant instances of Russian criminal groups and Russian intelligence agencies use U.S. technological vulnerabilities for malign activity – but Russian software is not likely in wide, pervasive use in the United States. Three of the other countries listed as foreign adversaries (Cuba, Iran and North Korea) are already subject to comprehensive sanctions and therefore already largely restricted. Thus, even though the Biden EO is certainly broader and more in line with broader national security policy as to countries the United States deems “foreign adversaries,” the impact of the EO will be dominantly on software applications of Chinese origin. The Commerce Department has been ordered to begin their review immediately –but that means there is no immediate impact of this EO until the Commerce Department conducts its review and designates apps under the EO..
For now, U.S. companies that are evaluating their use of software applications developed by China or the other countries should take note of what might be coming down the pike. For a broader discussion about reevaluating your business relationships involving China, see our post here. As always, we will keep you updated on the quickly changing regulatory landscape impacting your international business relationships.
*Patrick Diaz is a summer associate in the Sheppard Mullin Washington D.C. Office.