Cybersecurity & Tech

The Latest TikTok Order: Comparing the New CFIUS Order to the Prior IEEPA Order

Robert Chesney
Tuesday, August 18, 2020, 3:53 PM

Does it matter that President Trump last Friday night issued a CFIUS order directing ByteDance to divest itself from TikTok, given that a week earlier he already had levied IEEPA sanctions on the company? Yes indeed.

TikTok in the App Store. (Credit: Quinta Jurecic)

Published by The Lawfare Institute
in Cooperation With

Does it matter that President Trump last Friday night issued a Committee on Foreign Investment in the United States (CFIUS) order directing ByteDance to divest itself from TikTok, given that a week earlier he already had levied sanctions on the company? Yes, indeed it does matter, as I’ll explain in this, the third in our ongoing series of primers on TikTok tensions.

1. I Need Context

No problem. Here is the primer on the August 6 International Emergency Economic Powers Act (IEEPA) sanctions against TikTok and WeChat, and here is the primer I wrote prior to those sanctions in anticipation of what the administration might do to TikTok under either IEEPA or CFIUS.

2. TL;DR…please distill that:

No problem:

  • The CFIUS system allows the executive branch not only to prevent or impose conditions on corporate transactions involving a foreign company where the transaction is a threat to U.S. national security or the economy, but also to compel a completed transaction of this kind to be unwound.
  • The IEEPA system allows the executive branch to impose a broad range of sanctions on foreign entities so long as the president has declared a relevant national emergency.
  • ByteDance’s 2018 acquisition of, an earlier version of what is now TikTok, has been under retrospective CFIUS review for some time, but that review was not yet complete at the time when President Trump took action on August 6.
  • The action on the August 6 instead was an IEEPA sanction, set to take effect in 45 days (i.e., mid-September) that would ban all “transactions” with the company.
  • That IEEPA order does not itself clarify just what sort of interactions with TikTok would become illegal at the 45-day mark. Would this be implemented for all the language of the order might be worth, to include employee contracts and maybe even use of the app? Would it be construed narrowly? The August 6 order directed the Secretary of Commerce to issue a clarifying directive at the 45-day mark (not before, alas).
  • This means that many people are in the dark about the scope of the ban. To be sure, it’s easy to make light of teenagers across America wondering if they’ll be criminals for uploading their latest lip-synchs and dance moves or downloading the latest insta-recap of Teen Beach Movie. But the issue is extremely serious from the point of view of TikTok employees, executives, bankers, and lawyers, all of whom are related to TikTok by contract. At the 45-day mark, must those contracts be nullified?
  • To the extent the answer is yes; this looms large over the ongoing prospect that ByteDance will sell TikTok to Microsoft (which is widely seen as the off-ramp that will end this particular dispute; note that there’s no similar off-ramp for WeChat, it seems).

3. So what happened last Friday night?

The President piled-on with a CFIUS order after all, on Friday night. Here’s that order, and here are the central elements of it:

First, there is a formal finding that the CFIUS standard (of a threat to impairment of U.S. national security) is met in the case of ByteDance’s purchase of That’s no surprise, given the similar conclusion in the earlier IEEPA order.

Second, based on that finding, the president issued the following directives:

  • The purchase is prohibited (retroactively).
  • ByteDance is given at least 90 days (with the option for a 30-day extension from CFIUS) to divest itself from
    • the U.S. operations and assets of TikTok, and
    • all data on U.S. users of TikTok (including a written certification to CFIUS that it has destroyed all such data it may have).
  • ByteDance must keep CFIUS notified (with weekly updates) on efforts to sell off the U.S. operations of TikTok.
  • ByteDance and TikTok must allow persons designated by CFIUS complete access to their premises and facilities to conduct monitoring both for compliance and for protection of U.S. national security interests until divestment occurs, including access to records, information systems, and communications and also interviews of employees and agents
  • Any effort to circumvent these limits is itself prohibited

4. Does that accomplish anything that is not already covered by the August 6 IEEPA order?

The August 6 IEEPA order obviously had created conditions that seemed to make divestment inevitable, given that the alternative was that TikTok would become unable as a practical matter to function effectively in the U.S. market. So the August 14 CFIUS order, by compelling divestment, could be viewed as something of a formality. That said, there are distinctions worth attention here.

First: The most obvious difference between the CFIUS order and the earlier IEEPA order is that the new order gives federal personnel sweeping ability to inspect records and conduct interviews. The IEEPA order did not have this effect, and though some degree of information surely was flowing thanks to the ongoing CFIUS investigation that preceded the August 14 order, this likely goes much, much further.

Second, and less obviously, note the difference in timelines between the August 6 IEEPA order and the August 14 CFIUS order. The IEEPA order takes effect after 45 days, meaning mid-September. But the CFIUS order gives ByteDance a full 90 days (from a starting point eight days after the IEEPA order), and possibly another month after that. That takes us to mid-November or even mid-December. Won’t TikTok be out of business in the U.S. long before then? And won’t TikTok’s executives, bankers, and lawyers be unable from mid-September onward to engage in negotiations for the sale of the company? Yes to both, if the IEEPA sanctions that take effect in mid-September are as sweeping as they might be. But remember: The Secretary of Commerce is supposed to issue a clarifying directive at that time, spelling out which sorts of transactions are forbidden and which are not. The timeline of the CFIUS order strongly suggests that the White House intends to allow ByteDance and its suitors (Microsoft, but perhaps others) the remainder of the fall to work things out. That, in turn, suggests that we can expect to see from the Secretary of Commerce a directive designed to enable this to occur despite the IEEPA sanctions that will take effect in mid-September.

5. Great, but my teenager needs to know if they can use the app once the sanctions kick in.

Whether that directive also will exempt users, influencers, and others, well, that remains to be seen. If the list of banned “transactions” is broad enough to kick TikTok off of its US-based servers, that should terminate the app’s functionality in practice (especially since the August 6 IEEPA order immediately bans transactions intended to defeat the effect of the order, and thus TikTok presumably cannot update the app to redirect U.S. traffic to non-U.S.-servers before then). Perhaps the Secretary’s clarifying directive will leave users out of it, in light of this.

Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.

Subscribe to Lawfare