White House Issues TikTok and WeChat Executive Orders

The Trump Administration ups the ante again with the PRC through the issuance of directives to ban TikTok and WeChat.  

President Donald Trump and the White House acted against two popular applications from the People’s Republic of China (PRC) on account of purported national security issues created by Americans downloading and using them. The White House issued an “Executive Order on Addressing the Threat Posed by TikTok” and an “Executive Order on Addressing the Threat Posed by WeChat” that bar any transactions with the companies that make, distribute, and operate TikTok and WeChat respectively, the former being much more popular in the United States (U.S.) than the latter. These bans are also of a piece with the Trump Administration’s narrative that the PRC is responsible for COVID-19 and poses an existential threat to western democracy. In response, the PRC is likely to increase pressure on U.S. and foreign firms operating in that nation or with supply chains rooted in the PRC. In any event, it is not clear how effective these directives will be, and the companies being targeted are almost certain to sue to stop enforcement.

These executive orders (EOs) are the first of their kind, whereby the U.S. government is acting against an application developer. Recently, the Congress and a federal agency barred the use of Kaspersky services and products from federal systems after questions were raised about the Russian Federation’s access to and control over the Russian firm. However, in that case, action was limited to government systems and networks and those of federal contractors. A nationwide ban on transactions is a new use of presidential power that may not be legal.

The President relied on his inherent powers under the U.S. Constitution and a few acts of Congress that provide the executive branch with power to act in emergencies or to manage trade. The Trump White House has pushed beyond previous uses of these powers, making a more expansive argument about the reach, breadth, and scope of authority afforded to the President under the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA) and the National Emergencies Act (50 U.S.C. 1601 et seq.).

Moreover, these EOs rely on a previously issued EO that has until now not been used. In May 2019, Trump signed Executive Order 13873 “Securing the Information and Communications Technology and Services Supply Chain” intended “to protect the security, integrity, and reliability of information and communications technology and services provided and used in the United States” through the declaration of a national emergency. The EO would bar U.S. entities from buying or using the information and communications technology and services (ICT) from “foreign adversaries” if a determination is made that doing so would sabotage or subvert U.S. ICT, place U.S. critical infrastructure or its digital economy at “undue risk,” or “poses an unacceptable risk” to national security or safety.

In the TikTok EO, the White House claimed:

TikTok, a video-sharing mobile application owned by the Chinese company ByteDance Ltd., has reportedly been downloaded over 175 million times in the United States and over one billion times globally.  TikTok automatically captures vast swaths of information from its users, including Internet and other network activity information such as location data and browsing and search histories.  This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage.

The White House continued:

The Department of Homeland Security, Transportation Security Administration, and the United States Armed Forces have already banned the use of TikTok on Federal Government phones.  The Government of India recently banned the use of TikTok and other Chinese mobile applications throughout the country; in a statement, India’s Ministry of Electronics and Information Technology asserted that they were “stealing and surreptitiously transmitting users’ data in an unauthorized manner to servers which have locations outside India.”  American companies and organizations have begun banning TikTok on their devices.  The United States must take aggressive action against the owners of TikTok to protect our national security.

In the WeChat EO, the Administration asserted:

WeChat, a messaging, social media, and electronic payment application owned by the Chinese company Tencent Holdings Ltd., reportedly has over one billion users worldwide, including users in the United States.  Like TikTok, WeChat automatically captures vast swaths of information from its users.  This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information.  In addition, the application captures the personal and proprietary information of Chinese nationals visiting the United States, thereby allowing the Chinese Communist Party a mechanism for keeping tabs on Chinese citizens who may be enjoying the benefits of a free society for the first time in their lives.

Both EOs bar all transactions between U.S. entities and people, starting 45 days after issuance of the EO, with TikTok, WeChat, and their subsidiaries. Specifically, “to the extent permitted under applicable law: any transaction [is prohibited] by any person, or with respect to any property, subject to the jurisdiction of the United States, with [ByteDance and Tencent], or its subsidiaries, in which any such company has any interest…”

The legal basis for the EOs is questionable. Ordinarily, the President may direct the Department of Commerce to sanction entities or use the Committee on Foreign Investment in the United States (CFIUS) process to target foreign entities that pose national security risks; the Trump Administration has used the former against Huawei and ZTE and the latter in ultimately pressuring PRC firm Kunlun into selling the LGBTQ dating app Grindr. There is no precedent for merely banning transactions with foreign entities. The normal course of action is targeting individuals, assets, or funds.

In terms of practical effects, it is not yet clear whether U.S. stockholders or investors in ByteDance or Tencent would have to sell their stock or stake, but presumably, owning or buying the company’s stock or investing would be considered a property transaction. For people with TikTok or WeChat on their phones, is using these apps a transaction with the company? One does share content and one’s data with the companies, which could be construed as a transaction. Moreover, would non-U.S. nationals travelling to the U.S. be violating this EO by having the app on their device? Will U.S. Customs and Border Patrol start asking if people have TikTok or WeChat?

Coincident with the EO against TikTok was news that Microsoft is in talks to buy part of the company’s worldwide operations, a move seemingly blessed by Trump who suggested the U.S. government may deserve a “finder’s fee” of sorts. Microsoft is said to be discussing taking over the U.S., Canadian, Australian, and New Zealander operations of TikTok. If Microsoft were to buy part or all of TikTok and then pay the U.S. Department of the Treasury, it would be the first time a company has paid the U.S. a fee for acquiring another firm.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Technology Policy Update (10 April)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 here.

Here are the articles from this edition:

  • “Paper” Hearing on COVID-19 and Big Data
  • DOD Revises Cybersecurity Model For Contractors; Accreditation Body Holds Webinar
  • EC Calls For EU-Wide Approach on Big Data and COVID-19
  • EU’s Data Supervisor Calls For Limits On Using Data In Fighting COVID-19
  • EDPB Fast Tracks Privacy and Processing Guidance For COVID-19
  • Warner Asks OMB For Uniform Guidance On Contractors
  • OCR Announces HIPAA Enforcement Discretion
  • Executive Order Formalizes Review of Foreign Investment in Telecommunications
  • CISA Guides Agencies On Telework Best Practices and Security

Michael Kans’ Technology Policy Update (3 April)

These are the articles from last week’s issue:

  • CARES Act Largely Bypasses Tech Funding and Issues
  • Revised CISA Essential Workers Guidance
  • U.S. and Other Governments Respond To Privacy and Data Implications of COVID-19
  • OIG Finds More Flaws in FBI FISA Process
  • White House Releases 5G Strategy
  • White House Unveils COVID-19 Technology Initiatives
  • EAC Meeting/VVSG 2.0
  • “White Hat” Hackers May Violate Terms of Service In Order To Carry Out Research, Court Rules
  • U.N. Group Releases Pre-Draft Report On International Cyber Norms
  • Continuation of National Emergency To Allow For Enhanced Cyber Sanctions

Moran Releases Long Awaited Privacy Bill Without Blumenthal

Senator Jerry Moran (R-KS) has released his long-awaited privacy and data security bill, the “Consumer Data Privacy and Security Act of 2020” (S.3456), which is not cosponsored by Senator Richard Blumenthal (D-CT) even though the two Senators have been in talks since late 2018 along with other Senators to draft a bipartisan bill. Of course, Moran chairs the Senate Commerce, Science, and Transportation Committee’s Manufacturing, Trade, and Consumer Protection Subcommittee and so is a key stakeholder with input on any privacy and data security legislation coming from that committee. However, Moran’s bill is likely a nonstarter with Senate and House Democrats because it does not provide people with a private right of action and it would preempt state laws like the “California Consumer Privacy Act” (CCPA) (AB 375). Moreover, the Federal Trade Commission’s (FTC) ability to obtain civil fines would be limited only to situations where the entity in question had actual knowledge of the violations, as opposed to the standard many agencies use to enforce: constructive knowledge (i.e., knew or should have known). This, too, is contrary to not only the Democratic privacy bills but also some of the Republican bills, which would allow the FTC to levy fines on the basis of constructive knowledge.

However, like almost all the other bills, the “Consumer Data Privacy and Security Act of 2020” would require covered entities to obtain express affirmative consent to collect from and process the personal data of people after providing extensive disclosure and notice about who and with whom their personal information would be shared. Likewise, this bill would give people certain rights, such as a right to access, correct, delete, and port their personal data. People would also be granted the right of erasure under which a covered entity must delete or de-identify the personal data of any person who submits a verified request. However, small businesses would be exempted from granting requests to access and the right to correct. There are, again like many other privacy bills, circumstances under which a covered entity may decline to grant a request to exercise these rights. For example, if doing so would violate a law or legal process, then the covered entity could say no to a person. Likewise, if a person’s life is in imminent danger, then a request could also be denied. There are other such circumstances, some of which privacy and civil liberties advocates will assert will turn out to be such wide loopholes that the rights will cease to be meaningful, as they have with some of the other bills.

In terms of who would be subject to the Act, entities covered by the bill would be those currently subject to FTC jurisdiction and non-profits and common carriers. Moreover, the bill has fairly expansive definitions of “personal data” and “sensitive personal data,” like many of the other bills.

Like some of the privacy bills, large covered entities would have additional privacy obligations and responsibilities. Entities that collect and process the personal data of 20 million or more people per year or the sensitive personal data of 1 million or more a year must have a privacy officer to advise the entity on compliance and monitoring. These large entities must also take extra steps for making material changes to their privacy policies, including privacy impact assessments and the development and implementation of a comprehensive privacy policy.

The Consumer Data Privacy and Security Act of 2020 tracks with other privacy bills in requiring that covered entities also implement data security safeguards to protect the integrity, confidentiality, and security of personal data. There would be a sliding scale of sorts, with less sensitive data requiring less rigorous protection and, conversely, the more sensitive the data, the more stringent the safeguards that must be used. Covered entities must also conduct periodic, regular risk assessments and then remediate any risks turned up. Covered entities must also ensure their service providers and any third parties with whom they are sharing personal data are instituting data security standards but at a lower defined standard than the covered entity itself. For example, the latter entities must only protect the security and confidentiality of the information they hold, collect, or process for a covered entity and are not responsible for the integrity of the information.

When a covered entity uses a service provider to collect or process personal data, it must use a binding contract and perform due diligence to ensure the service provider has the appropriate procedures and controls to ensure the privacy and security of personal data. The covered entity also has the responsibility to investigate the service provider’s compliance with the act if a reasonable person would determine there is a high probability of future non-compliance.

As noted, the FTC would be the federal enforcer of the Act under the rubric of its current Section 5 powers to seek a range of injunctive and equitable remedies to punish unfair and deceptive practices. The FTC would also be able to seek civil fines of up to $43,530 per violation but only for knowing violations, and there is no language for adjusting the per violation fine amount for inflation, a power the FTC otherwise has. State attorneys general could enforce the Act just as the FTC could.

The bill expressly preempts state laws on privacy and data security and makes clear that state laws may not interfere with HIPAA, Gramm-Leach-Bliley, FERPA, and others. Moreover, the “Consumer Data Privacy and Security Act of 2020” would not affect federal privacy laws like Gramm-Leach-Bliley, COPPA, FCRA, and others, and if entities currently subject to those federal laws are in compliance with the privacy and data security requirements, then they will be deemed in compliance with the Act.

Michael Kans’ Technology Policy Update (27 March)

These are the articles from last week’s issue:

  • Key Senator Releases Long Awaited Privacy Bill Without Expected Co-Sponsor
  • Federal Government Spells Out How Agencies Should Accommodate COVID-19 Caused Contract Issues and How Technology Can Help During The Crisis
  • Agencies Release Guidance Documents To Help Determine Essential Operations and Transition To Telework
  • EU Authority Advises Governments and Private Sector Entities On Processing Data To Fight COVID-19
  • Agency Releases Final Draft of Major Risk Management Guidance Document
  • Members Urge President and Vice President To Set Up Privacy Limits For Data Used In COVID-19 Response
  • Audit Finds A Lack of Progress Eight Years After Previous Audit For Pentagon’s Counter Cyber Measures
  • Agencies Illustrates Examples of How Government Can Use Cybersecurity Framework
  • Final EHR Rules Released