Cybersecurity & Tech

TikTok, WeChat, and Biden’s New Executive Order: What You Need to Know

Robert Chesney
Wednesday, June 9, 2021, 1:09 PM

President Biden has revoked the sanctions President Trump famously imposed on TikTok and WeChat. But they may return, and TikTok still has a CFIUS problem.

An image of the TikTok app on a phone screen. (Flickr/Solen Feyissa,; CC BY-SA 2.0,

Published by The Lawfare Institute
in Cooperation With

President Biden has issued an executive order revoking the sanctions President Trump famously imposed in August 2020 on TikTok and on WeChat (as well as less publicized sanctions added to other Chinese “connected software applications” in January 2021). But these companies should not celebrate Biden’s move too much. The sanctions may yet return, and with a stronger foundation. And, in any event, TikTok remains subject to a CFIUS divestment order, at least for now. Here’s what you need to know.

Remind me: What was the situation up to this point?

Here’s the really short version:

President Trump in August 2020 had used his statutory authority under the International Emergency Economic Powers Act (IEEPA) to impose sanctions on TikTok and WeChat operations in the United States, asserting in substance that the companies threatened U.S. security in two ways: their potential for collecting data on users that the Chinese government might be able to access for intelligence purposes, and the possibility that they might be subject to Beijing-directed censorship (or even exploited by the Chinese government to spread disinformation). And a few months later, Trump added an additional order, more broadly addressing Chinese “connected software apps.”

The August 2020 actions were a bolt from the blue in some senses, but not in others. Trump in May 2019 already had issued Executive Order 13873, which declared a national emergency in relation to the general threat that arises when information and communications technology and services used in the U.S. are subject to the control of an adversarial foreign power. Based on that declaration, the same order delegated to the Commerce Department authority to issue IEEPA sanctions if and when appropriate cases are identified. Few if any anticipated that TikTok or WeChat would be hit with such sanctions. But that’s what happened in 2020, more or less; the surprise was just that President Trump issued those designations directly rather than leaving the question up to Commerce.

Some questioned whether there was a strong factual foundation for these determinations. Some questioned the compatibility of the sanctions with certain limits in IEEPA relating to sharing of information. Some questioned the compatibility of the WeChat sanctions, in particular, with the First Amendment. Lawsuits sprouted around the country, and they have not been going well for the U.S. government.

Meanwhile, an entirely separate process involving the federal government Committee on Foreign Investment in the United States (CFIUS) was in the midst of a retrospective review of the original transaction in which the Chinese company ByteDance had acquired the company that it then turned into TikTok. Eventually, CFIUS ordered divestment—the unwinding of that acquisition (regardless of the status of the aforementioned IEEPA sanctions).

Is today’s executive order a rejection of the general concern involved in the May 2019 national emergency declaration, concerning foreign influence over ITS used in the U.S.?

No, quite the opposite. Today’s executive order reaffirms that general concern (and reinforces the corresponding national emergency declaration) set forth in Trump’s May 2019 executive order:

[T]he increased use in the United States of certain connected software applications designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary, which the Secretary of Commerce acting pursuant to Executive Order 13873 has defined to include the People’s Republic of China, among others, continues to threaten the national security, foreign policy, and economy of the United States.

But today’s order follows that, immediately, with a call for a more rigorous process for determining when specific instances pose unacceptable risks of this kind:

The Federal Government should evaluate these threats through rigorous, evidence-based analysis and should address any unacceptable or undue risks consistent with overall national security, foreign policy, and economic objectives, including the preservation and demonstration of America’s core values and fundamental freedoms.

This is, plainly, responsive to concerns that the actions against TikTok and WeChat were driven more by instinct than analysis. And thus it is perhaps no surprise that today’s order then goes on to retract—for now—the TikTok and WeChat sanctions (as well as the follow-on sanctions).

As to general criteria:

In evaluating the risks of a connected software application, several factors should be considered. Consistent with the criteria established in Executive Order 13873, and in addition to the criteria set forth in implementing regulations, potential indicators of risk relating to connected software applications include: ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities; use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data; ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary; ownership, control, or management of connected software applications by persons involved in malicious cyber activities; a lack of thorough and reliable third-party auditing of connected software applications; the scope and sensitivity of the data collected; the number and sensitivity of the users of the connected software application; and the extent to which identified risks have been or can be addressed by independently verifiable measures.

As to process, today’s order sets in motion a series of actions that include three areas of activity.

First, the order sets a four-month deadline for the secretary of commerce (in consultation with many others) to weigh in with recommendations on:

protect[ing] against harm from the unrestricted sale of, transfer of, or access to United States persons’ sensitive data, including personally identifiable information, personal health information, and genetic information, and harm from access to large data repositories by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.

In support of that, both the director of national intelligence and the secretary of homeland security have two-month deadlines to offer supporting analyses to the secretary of commerce.

Second, the secretary of commerce (again in consultation with many others) has six months to recommend:

additional executive and legislative actions to address the risk associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.

Third, the order emphasizes that Executive Order 13873 and its sanctions system remains in place despite the revocation of the particular sanctions mentioned above, and it directs the commerce secretary to use it with a regard not just for the general, catch-all category of “unacceptable risks” to U.S. national security but also with specific reference to a pair of risks that smack of the sort of software supply-chain security concerns that have been front-of-mind for so many since the SolarWinds debacle:

sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; … [and the] risk of catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States[.]”

So can they start dancing at TikTok headquarters?

I assume that dancing is par for the course there, but it would be premature to celebrate; ByteDance remains subject to an entirely separate CFIUS divestment order. Today’s action by President Biden does nothing to change that. Of course, it could be that this too will change. Stay tuned on that front.

What does this mean for the various pending lawsuits, and especially for the lower court opinions ruling against the government on First Amendment and IEEPA grounds?

That’s an important question. I mentioned above that the U.S. government has had a bad time in court in the various cases challenging the TikTok and WeChat sanctions. Appeals were under way in those cases, but the Biden administration had sought a stay of proceedings while it conducted a review that ultimately led to today’s actions. Presumably the Justice Department now will seek dismissal of those suits. Will the underlying district court (and magistrate judge) opinions at issue be vacated, too? Stay tuned.

Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.

Subscribe to Lawfare