President Issues Executive Order Revoking TikTok and WeChat Executive Orders and Addressing Access by Foreign Adversaries to U.S. Personal Data
June 10, 2021, Covington Alert
On June 9, 2021, President Biden signed an Executive Order (the “Order”) that purports to address national security risks related to the increased use of certain connected software applications designed, developed, manufactured, or supplied by persons that are owned or controlled by a “foreign adversary,” which the Order defines as “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.” The Order affirms the national emergency measures provided in Executive Order 13873 of May 15, 2019 (“Securing the Information and Communications Technology and Services Supply Chain”) and revokes other related executive orders issued by the Trump Administration. Our prior client alert reporting on implementation of Executive Order 13873 is available here.
The Order explains that the national emergency declared in Executive Order 13873 “arises from a variety of factors, including the continuing effort of foreign adversaries to steal or otherwise obtain United States persons’ data.” The Order further explains that this continuing effort “constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States,” and that the United States must protect against risks to personal data associated with a connected software application, which the Order defines as “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the Internet.” The Order describes foreign adversary access to large repositories of U.S. personal data as posing “a significant risk.”
The Order also affirms that the U.S. Government seeks to promote accountability for serious human rights abuse. Specifically, the Order explains that the U.S. Government may impose consequences through separate action from this Order “if persons who own, control, or manage connected software applications engage in serious human rights abuse or otherwise facilitate such abuse.”
Principal Elements of the Order
Revocation of Prior Presidential Actions
The Order revokes three prior Executive Orders issued by President Trump:
- Executive Order 13942 of August 6, 2020 (“Addressing the Threat Posed by TikTok, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain”);
- Executive Order 13943 of August 6, 2020 (“Addressing the Threat Posed by WeChat, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain”); and
- Executive Order 13971 of January 5, 2021 (“Addressing the Threat Posed by Applications and Other Software Developed or Controlled by Chinese Companies”).
Relatedly, the Order directs the Director of the Office of Management and Budget and the heads of federal agencies and departments to (i) rescind any measures that implement or enforce the revoked orders and (ii) abolish any personnel positions, committees, task forces, or other entities established under the revoked orders.
Transaction Reviews
The Order directs the Secretary of Commerce to evaluate transactions involving connected software applications that may:
- pose an undue risk of sabotage or subversion related to the “design, integrity, manufacturing, production, distribution, installation, operation, or maintenance” of U.S. information and communications technology or services;
- pose an undue risk of catastrophic effects related to the security or resiliency of U.S. critical infrastructure or digital economy; or
- otherwise pose an unacceptable risk to U.S. national security or the security and safety of U.S. persons.
The Order provides several factors for evaluating the risks of a connected software application, including:
- ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
- use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
- ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
- ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
- lack of thorough and reliable third-party auditing of connected software applications;
- the scope and sensitivity of the data collected;
- the number and sensitivity of the users of the connected software application; and
- the extent to which identified risks have been or can be addressed by independently verifiable measures.
Based on these ongoing evaluations, the Order directs the Secretary of Commerce to “take appropriate action in accordance with Executive Order 13873 and its implementing regulations.” As explained more fully in our prior client alert, Executive Order 13873 grants the Secretary of Commerce the authority to prohibit or require mitigation measures for certain transactions, including commercial transactions, involving information and communications technology and services (“ICTS”) that have been “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries” and that pose an “undue or unacceptable risk to the national security of the United States.” The Department of Commerce has issued an Interim Final Rule, explained in our prior client alert, that outlines the specific processes and procedures by which the Secretary of Commerce is to review transactions under Executive Order 13873.
Next Steps
The Order directs the following actions to be taken over the next six months:
- Within 60 days: the Director of National Intelligence will provide threat assessments, and the Secretary of Homeland Security will provide vulnerability assessments, to the Secretary of Commerce in order to support the development of the report detailed below.
- Within 120 days: the Secretary of Commerce, in consultation with certain other agency heads, will provide a report “with recommendations to protect against harm from the unrestricted sale of, transfer of, or access to United States persons’ sensitive data, including personally identifiable information, personal health information, and genetic information, and harm from access to large data repositories by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.”
- Within 180 days: the Secretary of Commerce, in consultation with certain other agency heads, will provide a report recommending executive and legislative actions that will “address the risk associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.”