Cybersecurity & Tech

TikTok and the Law: A Primer (In Case You Need to Explain Things to Your Teenager)

Robert Chesney
Sunday, August 2, 2020, 4:07 PM

TikTok is in serious trouble, and teenagers across the land are demanding answers about the legal frameworks at issue.  Well, maybe they are not exactly focused on the legal issues. But in case you are, here’s an explainer.

The Tik Tok application open on someone's phone (Pikist/

Published by The Lawfare Institute
in Cooperation With

Editor's note: A response from a reader prompted the author to amend this post to note an alternative pathway that might support IEEPA sanctions without need to issue a fresh “national emergency” declaration. The new paragraph appears below in bold, italicized font.

TikTok is in serious trouble, and teenagers across the land are demanding answers about the legal frameworks at issue. Well, maybe they are not exactly focused on the legal issues. But in case you are, here’s an explainer.

1. What is TikTok, and why is it in the news?

Never used TikTok? It is an acquired taste, but it is addictively entertaining once you acclimate to it. In brief, it’s a video-hosting app for user-generated content. It’s a bit like a social-media-inflected Youtube in that sense.

But the videos on TikTok are almost entirely super-short (15 second) amateur clips, with lots of content made by and for teens (at least that’s how it is in the US market; I’m less sure if the same is true in other major TikTok markets). Like any other social-media app featuring user-generated content, most of the clips are less-than-compelling, but there’s plenty of brilliant stuff too (I’m particularly attached to the clips where a teen pretends to be a dad spouting clichés at his family during a road trip, every word of which I’ve actually spouted at my family during a road trip).

So what’s the problem? TikTok is owned by ByteDance, a Chinese company that is subject to China’s laws and other forms of coercion. This has given rise to two lines of concern.

First, there is a concern about the user data TikTok collects and the prospect that Beijing can access that data. Like plenty of other social-media apps, TikTok’s terms of service authorize it to collect a remarkable amount of data from its users. Because TikTok is subject to Chinese law, the theory goes, the company can readily be compelled by the government to cooperate in providing access to that data (on a targeted or even a bulk basis).

TikTok argues that this is not the case because data from U.S. users remains exclusively in TikTok’s servers located in America. I’m in no position to weigh in on whether that description is strictly true, still less whether data localization in this case would actually preclude remote access by TikTok personnel outside the United States. But I’m merely trying to convey the nature of this concern, not resolve its merits. Separately, there also is a line of concern about whether TikTok employs content-moderation policies and practices that serve the preferences of the Communist Party of China. Again, I’m not trying to adjudicate the merits of that critique.

Against this backdrop, there have been rumors afoot for some time that the Trump administration might take some action to knock TikTok out of the U.S. market. Now those rumors have evolved into specific warnings of looming action. This Sunday morning, for example, Treasury Secretary Mnuchin expressly stated that “TikTok cannot stay in the current format because it risks sending back information on 100 million Americans…the president can either force a sale or the president can block the app.”

If your teenager is showing a sudden interest in the separation of powers or other legal matters, this is probably why.

2. Can the executive branch force ByteDance to sell TikTok?

Yes. The relevant legal framework here involves the executive branch’s interagency Committee on Foreign Investment in the United States, better known by its acronym CFIUS. Here’s a recent Congressional Research Service report if you want to dive deep on the committee. If you just want to explain the situation to your teenager, though, here are the key points:

It is true that the president has no inherent, unilateral authority to create legally-binding rules relating to foreign investment in the United States. The Constitution confers authority over “foreign commerce” on Congress, not the executive branch. But Congress can and has delegated that authority to the president in various ways. And in 1988, Congress did exactly that in the so-called Exon-Florio Amendment to the Defense Production Act. CFIUS had been around for more than a decade at this point, but this amendment gave it real teeth. The amendment conferred on the President the authority to prohibit “mergers, acquisitions, or takeovers” that threaten national security (and, by extension, the CFIUS review process would now have leverage to impose conditions on such transactions to ameliorate national security concerns). The statutory framework for CFIUS review has expanded in various ways since then, but that’s the key thing to understand: Congress has indeed delegated to the President authority to ban such transactions if the executive branch makes the requisite findings.

None of which would be relevant here, of course, unless at some point there is (or was) a corporate transaction subject to CFIUS review.

Well, there was one a little while ago. TikTok (then called “”) was bought by ByteDance in 2018 for nearly $1 billion. Of course, like ByteDance was a Chinese company. So you might think that CFIUS would have no say over that acquisition. But you’d be wrong. For purposes of CFIUS review, a covered “U.S. business” is any entity that engages in interstate commerce in the United States—even if that entity is a foreign corporation. (See 31 CFR 800.252(a) (a “US business…means any entity, irrespective of the nationality of the persons that control it, engaged in interstate commerce in the United States”)). may have been a foreign corporation at the time of its acquisition, then, but it had a robust U.S. presence and certainly qualified under this rule.

ByteDance didn’t seek approval from CFIUS at the time of the acquisition, no doubt because few if any involved in the deal perceived it as having national security implications. But as TikTok’s popularity in the United States exploded, and as the two lines of concern described above began spiking over the past year, the picture began to look quite different. And becauseCFIUS authority extends to retroactive review of prior transactions, it was no surprise when CFIUS opened such a review of the deal in November 2019.

So what happens if CFIUS concludes that ByteDance should not have been allowed to acquire the business now known as TikTok? That situation has arisen many times over the past few years, and the answer normally is that the acquiring entity must divest itself of the acquired entity—or else cease operations in the United States. The same may well be on the verge of happening here, plainly.

3. Can ByteDance litigate such a determination?

Only to a limited extent, and they are not likely to win in the end.

In general, CFIUS orders (like other actions under the Defense Production Act) are not subject to judicial review, at least according to the statute. But the D.C. Circuit has construed that statutory prohibition not to apply to constitutional claims that might be made. As Raffaela Wakeman explained for Lawfare in 2014, the D.C. Circuit’s Ralls decision approved a procedural due process challenge brought by a Chinese company when CFIUS issued a retroactive divestment order involving the company’s acquisition of four American companies. (See Ralls Corp. v. Comm. On Foreign Inv. in US, 758 F.3d 296 (D.C. Cir. 2014)). The decision rejected the argument that CFIUS determinations are entirely immune from judicial review when there is a constitutional challenge at stake, and also rejected the argument that CFIUS determinations should be treated as political questions outside the purview of the courts. Further, the court held that the Fifth Amendment requires that the subject of such orders must be given the chance to confront at least the unclassified evidentiary basis for the CFIUS determination and to present their own evidence.

Has ByteDance had such an opportunity over the past 8 months, as the currently-pending CFIUS review has progressed? I’m not in a position to know, but I strongly suspect that they have. The review has gone on for quite some time, and that may well reflect an ongoing process of evidentiary disclosures and submissions. In short: ByteDance may well be in the midst of receiving all the process that is due to it. Of course, ByteDance could still sue, objecting that it deserved more process than it got and that the ultimate CFIUS determination was arbitrary despite the process that was given. I’m doubtful, however, that they will prevail on either dimension. Sooner or later, in other words, the litigation would run its course and the divestiture order would probably still stand.

4. But there’s also much talk about a simple “ban” on TikTok. Is that just wishful thinking by parents, or is that a thing the President can do?

Yes, it’s a real thing, thanks to the International Emergency Economic Powers Act (IEEPA). But it’s complicated.

IEEPA is another example of Congress delegating to the executive branch an aspect of its constitutional control over foreign commerce. Think of it as a general pre-delegation of authority to impose embargoes as well as more-targeted sanctions against foreign entities—backed by criminal law sanctions—for a broadly-defined array of circumstances in which the president determines that U.S. national interests are at stake. (For a deep-ish dive into IEEPA, check out Episode 133 of the National Security Law Podcast). When the president wants to use this authority, he first must issue a public proclamation of a “national emergency” on a particular situation or subject, under the National Emergencies Act. This opens the door to using IEEPA itself. Under IEEPA, the president (or the executive branch entity acting on the president’s behalf through a further delegation) can investigate, regulate or simply prohibit—that is, ban—an array of activities involving a sanctioned entity (including payments, notably) and can freeze the assets of that entity (thereby prohibiting all dealings with the foreign entity’s interests in those assets). Sometimes this authority is exercised by the president only to the extent of creating a specific sanctions regime, with the actual sanctioning of particular entities to be done at a later date (if it is done at all). At other times, the creation of the sanctions regime is accompanied by at least an initial set of designations of specific entities.

So, can the president sanction ByteDance, and thereby have the effect of banning TikTok within the United States?

The answer is yes, though it might be necessary for the president to make a new “national emergency” declaration that fits with this unusual scenario. The closest fit among the current national emergencies (and their corresponding IEEPA sanctions frameworks) is probably the one for “malicious cyber-enabled activities,” which President Obama proclaimed in 2015’s Executive Order 13694 (and which he updated in 2016 in Executive Order 13757). But the fit is not strong. That framework plainly was motivated by a desire to respond to malicious foreign hacking (especially from China, to be sure), and despite some loose language it is difficult to read it in a way that would encompass a situation in which the underlying concern is that a foreign company (1) has customer data that it might provide to a foreign government or (2) might employ content-moderation policies hostile to U.S. interests.

[As noted above, the following paragraph was added in response to reader feedback on the original post.]

An alternative possibility is that the administration might assert that this situation falls within the scope of Executive Order 13873 (“Executive Order on Securing the Information and Communications Technology and Services Supply Chain”), from May 2019. EO 13873, which was inspired by concerns about Huawei and ZTE, opens with the requisite emergency declaration, stating that

…the unrestricted acquisition or use in the United States of information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in information and communications technology or services, with potentially catastrophic effects, and thereby constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. (emphasis added)

Invoking IEEPA, EO 13873 then proceeds to prohibit transactions involving such technologies “where the transaction was initiated, is pending, or will be completed after the date of this order [May 2019,” though only if the Secretary of Commerce (in consultation with other officials) makes a finding that the technology or service in question is associated with an entity subject to the jurisdiction or direction of a foreign adversary and that the situation entails an undue risk of (a) sabotage of information and communication services in the US, (b) catastrophic effects on US critical infrastructure or the digital economy, or (c) “otherwise poses an unacceptable risk” to US national security. That third condition—a broad catchall—could plausibly be pushed, perhaps, to encompass the TikTok scenario. But note that the EO by its own terms applies only to transactions initiated on or after May 2019. This is too late to encompass ByteDance’s acquisition of, plainly. That said, one path the Trump administration might now choose would be to supplement EO 13837, building off its existing declaration of a national emergency in order to establish a distinct, additional IEEPA sanctions regime. This would spare the White House from the minor trouble of the first step identified in the next paragraph below.]

Accordingly, if the President wants to ban TikTok directly, he probably will need to announce a fresh national emergency, with a tailored focus on foreign government access to data flows that have U.S. person information, foreign government influence on content moderation policies, or both. This he certainly could do, and it could be that this is in the drafting process as you read this. But there are complications, not least of which is the question whether a sanctions system premised on foreign government access to U.S. person data based on U.S. persons using a foreign company’s services would complicate the formulation of a strong U.S. government response to the European Court of Justice’srecent Schrems II decision.

5. Fine, so he can “ban” it. But it’s on millions of phones in the US already. What would actually happen?

The next question is how such a sanction would play out in the unusual case of a social-media app that already resides on the phones of millions of Americans.

As an initial matter, it’s clear that TikTok would no longer be made available by US companies like Apple and Google through their app stores. But that leaves all the millions of existing users; what about them, given that the vast majority are unlikely to delete the app off their phones?

It won’t matter, for several reasons. First, if the president sanctions the company in the manner outlined above, TikTok could no longer maintain its servers or any other operations or property inside the United States; it will have to operate entirely from foreign locations beyond the reach of IEEPA leverage, which is to say: from China. Of course, it could continue to feed content to U.S. users from there. But what content would that be? TikTok depends on user-generated content, and the U.S. customer base depends largely (though not entirely) on the popularity of users who might no longer feel free to post to TikTok. That certainly will be true for high-profile US-based TikTok “creators” and celebrities with massive TikTok followings. And when Charli D’Amelio and others drop out in favor of whatever might turn out to be the next big platform, they’ll take their audience with them.

Ok, that’s all for now. If I can talk my kids into showing me how, maybe I’ll post a TikTok summary of all this tomorrow. Unless it’s illegal by then.

Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.

Subscribe to Lawfare