Last month, lawmakers peppered TikTok CEO Shou Chew with a barrage of questions as he testified before the House Committee on Energy and Commerce. The hearing was the latest development in a crescendo of concern over the social media platform’s national security implications, and the larger political and diplomatic competition between the United States and China. Though regulatory efforts have worked to curb and monitor the app’s potential as a national security threat so far, politicians on both sides of the aisle are growing impatient.
TikTok’s ties to China, combined with recent international and domestic political developments, have pushed the Biden administration to threaten to completely ban the app in the United States (an effort which failed during the Trump administration). Depending on how the Committee on Foreign Investment in the United States (CFIUS) responds to this threat and simultaneous pressure from Congress to wrap up its ongoing review sooner rather than later, a new bill may allow the Biden administration to circumvent traditional regulatory avenues while instituting a marked expansion of presidential powers over national security and foreign direct investment (FDI).
That bill, the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act is poised to expand the executive branch’s authority to order the sale, or potentially the complete ban, of technology assets tied to “foreign adversaries.” The bill explicitly lists China, Cuba, Russia, Iran, North Korea, and Venezuela as “foreign adversaries,” but allows the Secretary of Commerce to add or remove “any foreign government or regime” that acts adversely to U.S. national security interests. The law’s grant of authority to the Commerce Department and the president would sidestep the more comprehensive, cooperative, multi-agency CFIUS process. Perhaps more chillingly, the Act’s new rulemaking procedures would be exempt from the Administrative Procedure Act’s standard rulemaking procedures, which require federal agencies to provide the public with an opportunity to comment on proposed regulations.
However, even if Congress enacts this new law, the executive branch will encounter significant hurdles if it chooses to ban or force the sale of TikTok, including Chinese technological export regulations and potential political pushback from TikTok users in the United States, both of which stand in the way of a forced sale or an outright ban.
The CFIUS Review Process
CFIUS is a multi-agency committee of expert trade, national security, and technology policy representatives of key executive branch agencies chaired by the Department of the Treasury. It is empowered to review certain foreign investment and real estate transactions involving U.S. assets to determine and mitigate their potential negative effects on national security interests.
CFIUS’ baseline grant of authority, Section 721 of the 1950 Defense Production Act (DPA), provides discretionary authority to review “covered transactions.” Initially, this only included transactions that could be defined as a “merger, acquisition, or takeover” that results in “foreign control” of “entities engaged in interstate commerce in the United States.” However, after the 2018 enactment of FIRRMA, a law modernizing and expanding the CFIUS review process and its authority, the scope of covered transactions expanded to include non-controlling interests acquired by foreign actors. Specifically, FIRRMA directed CFIUS to review transactions involving critical technology, infrastructure, and sensitive personal data regardless of whether an investment resulted in complete foreign control of the entity under review.
Companies engaging in transactions that may be flagged for, and thus hindered by, CFIUS investigation may provide the committee with a “declaration.” This process, which is generally voluntary, allows for an expedited review process that may ultimately earn “safe harbor” status for the transaction, meaning that CFIUS is legally restricted from taking future regulatory actions against transactions it has already cleared.
Some transactions, particularly after FIRRMA reforms regarding tech and data transactions, are subject to mandatoryreporting requirements, meaning companies face a duty to file a “declaration” with CFIUS if a foreign purchaser plans to acquire a “substantial interest” in a company dealing with sensitive U.S. technology.
Upon closing its investigations, CFIUS either publishes “findings” clearing a transaction of national security concerns or enters into an agreement with the company or companies involved including certain limitations on transactions or subsequent investment operations. CFIUS can institute compliance monitoring measures to ensure investments follow these agreements and can penalize infractions. If an agreement is made among interested parties, safe harbor status is earned for the original transaction.
Alternatively, instead of an agreement, CFIUS can refer a matter to the president to block the transaction or take other measures. Past CFIUS-referred Presidential Orders have ultimately demanded, and achieved, divestment.
CFIUS Review of ByteDance
In 2019, CFIUS reportedly opened its investigation into the security implications of the acquisition of Musical.ly, a Shanghainese social media company with a significant U.S. presence, by TikTok’s Beijing-headquartered parent company, ByteDance Ltd.
When Musical.ly was first acquired by ByteDance, FIRRMA’s reporting requirements were not yet enacted, and thus the transaction did not have to notify CFIUS of the deal. However, by choosing not to file a declaration, TikTok passed up an opportunity for the expedited review process and, perhaps, reduced scrutiny.
FIRRMA implemented updated directives for CFIUS on the tail of Musical.ly’s rise in popularity among U.S. users. After TikTok and Musical.ly’s apps merged, the unitary TikTok platform saw meteoric growth in the U.S. in 2019 that coincided with both U.S. and Chinese efforts to strengthen domestic cybersecurity and data privacy laws.
Ultimately, these developments drew increased scrutiny from not only CFIUS, but also the Trump administration, which unsuccessfully tried to ban the app from U.S. app stores outside the CFIUS referral process.
CFIUS itself chose to act on its post-FIRRMA mandate to open an investigation into several already-completed tech acquisitions, including the post-closure review and eventual forced sale of the dating app Grindr.
CFIUS’ review process is opaque, particularly while matters remain under investigation. That’s because Section 721 of the DPA binds CFIUS to confidentiality during the transaction notification and review process to protect national security and industry interests. CFIUS is even prohibited from publishing the commencement of an investigation; news of the TikTok investigation was reported anonymously in 2019.
Therefore, for the time being, there is little is known about whether TikTok’s mitigating negotiations are helping to clear the transaction or how much longer the committee might take to complete the review process.
TikTok’s Potential Risks to U.S. National Security
Several factors have ostensibly influenced the bipartisan push to attack TikTok regardless of whether doing so would intrude on CFIUS’ regulatory domain. One issue explicitly addressed in the Mar. 23 congressional hearing with Chew was minor safety. However, two other concerns are most prominent in rallying policymakers: data protection and the app’s powerful recommendation algorithm.
ByteDance’s Ownership of TikTok and China’s Control Over User Data
First, because ByteDance is headquartered in China, there is a risk of subjecting user data collected by the TikTok app to Chinese law and access by the Chinese Communist Party (CCP). New Chinese national security laws impacting data storage, export, and access give legal grounds for concern over Beijing’s ability to monitor and use data held by companies under its jurisdiction in a manner opposed to U.S. interests on the global stage. In some cases, those laws may even open U.S. citizens to Chinese criminal liability for taking actions in opposition to Chinese national security
Though the U.S. has undertaken similar policy initiatives with extraterritorial reach, data storage and access is at the center of negotiations between CFIUS and TikTok. Policymakers are concerned by laws potentially allowing the Chinese government’s access to general user data including, but not limited to, contact information, location, facial recognition data, viewership and engagement history, and related device data such as clipboard contents, or test, images, and other files that have been copied in an app to be pasted elsewhere, and the IP address of the device running the app.
These kinds of data are integral to the operation and continuing development of TikTok’s recommendation algorithm and, as U.S. tech firms demonstrate, can be valuable to third parties who may buy or otherwise access and abuse poorly protected data. Furthermore, in 2020, CFIUS forced the sale of dating app Grindr after it was acquired by a Chinese company. It determined the sale posed a national security risk because of the potential for Chinese actors to access and leverage identified users’ sexual orientation, HIV status, communications, and private photos as blackmail. Though TikTok does not necessarily pose the same risk in terms of data subject matter, there is still some risk regarding leverageable private information that may be shared and stored through the app.
TikTok’s Recommendation Algorithm
Second, TikTok’s powerful recommendation algorithm drives the app’s popularity and inspires fear that malicious (or negligent) manipulation of the algorithm could spread misinformation to both U.S. and global users. TikTok has been accused of censorship by its user base and U.S. policymakers alike; particularly concerning politically divisive content or content directly critical of the CCP. However in his testimony, Chew asserted that TikTok’s U.S. algorithm is stored and operates separately through servers operated and monitored by a U.S. partner, Oracle.
Project Texas is a proposed initiative to mitigate CFIUS’ national security concerns over TikTok’s U.S. operations. According to Chew, it entails storing and operating the U.S. algorithm and user data from Oracle Cloud servers located on U.S. soil. Since summer of 2022, TikTok reports that all new U.S. dataflows have been handled by Oracle’s cloud and that limited user data is stored as a backup in the U.S. and Singapore, but not in China. Furthermore, this data is allegedly in the process of being deleted in favor of full reliance on the U.S.-based Oracle Cloud systems. Chew projects this process will be completed later this year.
Project Texas’ storage and third-party monitoring schemes are designed to alleviate some national security concerns like the use of U.S. user data to further develop TikTok’s valuable algorithm or direct Chinese access to user data for intelligence purposes. Furthermore, Chew promised both in his Congressional testimony and again in a TikTok posted on the @tiktok account, that the company “will ensure that TikTok remains a platform for free expression and that it cannot be manipulated by any government.” Still, U.S. policymakers worry that government-mandated, CCP-affiliated corporate actors within ByteDance or direct coercion by the CCP could influence future abuse of the algorithm to promote Chinese interests.
Sidestepping the CFIUS Process?
While the CFIUS process continues in the shadows, a bipartisan coalition in Congress is poised to expand presidential powers to circumvent CFIUS’ authority and address TikTok’s potential risks directly. Congress passed a law in December banning TikTok from government devices. Officials now threaten either a full public ban, previously tried and failed under the Trump administration, or the forced severance of TikTok’s U.S. operations from ByteDance.
However, the White House could not sidestep the CFIUS process to unilaterally ban TikTok without new legislation; courts blocked president Trump from forcibly removing the app from the marketplace in 2020, and similar measures to snuff out the company’s foothold in the U.S. market would require Congress to provide the Biden administration with new emergency economic authority.
Recent events may motivate Congress to do exactly that. The Chinese spy balloon fiasco and the revelation that rogue, now-terminated ByteDance employees accessed the data of multiple journalists covering the company are pushing a bipartisan bill, the RESTRICT Act, that would grant the Secretary of Commerce and the president the ability to order divestment of certain security-sensitive investments after a limited review outside the multi-agency CFIUS framework.
The bill’s sponsor Senator Mark Warner (D-VA), who also chairs the Senate Intelligence Committee, said the bill is designed to give the Commerce Department tools beyond CFIUS review to address technology that could harm the United States that range from divestment “up to and including a ban,” though how a ban would operate is not explicit under the bill.
Meanwhile, China asserts a forced sale of TikTok to a U.S. firm as a violation of its own export control regulations. Similar to U.S. export regulations on advanced technologies, China regulates algorithms and related intellectual property based as a vital economic and national security interest and, therefore, imposes licensing requirements on transactions like the potential forced sale of TikTok.
Finally, China is not alone in resisting policy action against TikTok. Many in the United States, including creators on the app, are criticizing policymakers for antagonizing the social media company and organizing in support of it. Comparisons have been made between other tech giants such as Google and Meta, who have established histories of mishandling and selling user data. Others see the attack on the Chinese-based tech company as an expression of xenophobia, a new front for Sino-American economic warfare, or a step towards quashing free expression and political mobilization among young voters. And, especially after Thursday’s hearing, many accuse lawmakers and administration officials of being out of touch and under-informed.
Only time will tell what may come of the ongoing CFIUS investigation due to the committee’s confidentiality requirements. A complete failure to come to an agreement with TikTok could yield a forced divestment without a new law, but the social media company’s active steps to mitigate data privacy concerns seem to signal progress towards a future agreement with CFIUS, which would cement the 2017 acquisition into safe harbor status and shield it from future review by the committee. However, preclusion from further CFIUS review may not protect it from the RESTRICT Act if enacted.
Even with the expanded authority the Act would provide, the Biden administration would ultimately still face significant legal obstacles, both international and domestic, if it seeks an outright ban of the app.