World map.

Client Alert: The Clock is “TikTok-ing” for U.S. Transactions with ByteDance and Tencent Holdings

By Waqas Shahid, Joseph M. Moyer, Kaitlyn Alessi

August 12, 2020

Summary

On August 6, 2020, President Trump issued two executive orders[1] prohibiting certain future transactions with Chinese technology companies ByteDance (owner of the popular video-sharing application TikTok), and Tencent Holdings with respect to WeChat (a social media/messaging/e-payment application), and their subsidiaries, citing national security concerns. As described in the executive orders, these bans are the latest manifestation of the U.S. government’s growing unease with Chinese technology and telecommunications companies’ operations in the U.S. and their ability to access data about U.S. persons.

Specifically, the executive orders note that WeChat captures “vast swaths of information” and allows Chinese Communist Party access to the data, and that TikTok may enable the Chinese government to track U.S. federal employees and contractors and conduct corporate espionage. The executive orders further note the actions taken by other governments, including India and Australia, to confront the security risks posed by these applications. Although the prohibitions set forth in both executive orders will not take effect until September 20, 2020,[2] U.S. companies with direct or indirect business or technology connections to ByteDance and Tencent, or which use TikTok and WeChat, should review their dealings to ensure compliance with the executive orders.

The executive orders do not define the “transactions” that are subject to the prohibitions, instead requiring the Secretary of Commerce, within 45 days of the executive orders’ issuance, to identify the transactions that will be prohibited, as well as the subsidiaries of ByteDance and Tencent that will be subject to the bans.  Although it remains to be seen what the executive order prohibitions will mean for consumers in practice, the general consensus among commentators is that in addition to the to-be-identified specific transaction prohibitions, TikTok and WeChat will at least have to be removed from Google and Apple app stores in the U.S., as well as from the devices of U.S. users.

These two executive orders follow other recent actions taken by the U.S. government to address perceived national security risks from Chinese telecommunications and technology companies and products, including:

In addition, the U.S. government has also recently introduced export control reforms targeting certain exports to China, and reformed the Committee on Foreign Investment in the U.S. jurisdiction and authority to address risks associated with Chinese investment in U.S. technology and data companies.

What does this mean for companies?

Corporate counsel and compliance functions should assess the impact of these new executive orders on their existing compliance and data security programs. More broadly, they should consider their readiness to address the underlying government concern regarding use of Chinese communication technologies and information applications, and ability to secure data.

Compliance Readiness: Companies should review all existing or potential relationships with ByteDance and Tencent, and their subsidiaries, as well as use of WeChat or TikTok, and determine the applicability of these executive orders to their business operations. For Tencent, understanding whether the transaction is related to WeChat or a different service/product will be critical to identifying compliance obligations. Finally, companies should consider processes to identify replacement vendors or partners in the event the executive orders go into effect on September 20.

Market Risk Assessment: More broadly, companies should also start a review of their existing portfolio of business relationships with Chinese companies. This review should identify the nature of the services or goods provided in the relationship, the potential security risks involved given known connections to the Chinese government, and any access to data, or transfer or exchange of data, as part of the relationship. Depending on the nature of the risk, companies should consider whether additional risk mitigation controls should be put in place.

Electronic Communications: Companies should also carefully assess the security risks associated with electronic communications mediums (email, instant messaging, web conference, file sharing) used for business communications either on company-issued or on personal devices. Compliance functions should work with their IT counterparts to conduct a risk-oriented assessment of available electronic communications mediums. This assessment should include an analysis of tool origin, ownership, built-in security features, ability to layer in additional security protocols, data storage, relation to company recordkeeping[3], and other relevant factors. And, as a further output to this assessment, all applications not authorized should be proscribed.

How Ankura Can Help

Export Controls and Technology Advisory: Our team brings to bear years of legal and operational experience working both inside and alongside global organizations to create efficient, practical solutions for complex trade control problems. We help our clients succeed in increasingly challenging regulatory and risk environments involving the U.S. International Traffic in Arms Regulations, the U.S. Export Administration Regulations, U.S. sanctions and embargoes, and non-U.S. trade controls.

Transactions and Governance Advisory: Our professionals have a depth of expertise in providing companies with transaction, governance, and portfolio advisory services centered on joint ventures and other non-M&A partnerships. Our experienced advisors leverage the most comprehensive database of practices and benchmarks and the best proprietary tools to help clients conduct pre-transaction risk assessments, develop action plans and mitigation road maps to affirmatively address priority risks, and successfully navigate transaction negotiation and structuring, business integration processes, and management of partnership portfolios.

Compliance Program Build-out: Our professionals help clients develop concise policies and processes that implement and operationalize compliance program objectives into existing business processes to reduce cost and maximize impact and sustainability. Our team also works with clients to integrate data analytics and automation into compliance programs, develop effective, role-focused training that communicates organizational values, and institutionalize leading practices in compliance.

Distribution and Supply Chain Diligence: We have a deep, practical perspective on how to identify and mitigate a range of third-party compliance risks and challenges.

Network Security Diligence: We integrate expertise in export controls, data analytics, cybersecurity, and national security to help clients assess and mitigate risks.


[1] Executive Order 13942 is focused on the perceived threats posed by TikTok, but broadly targets the app’s owner ByteDance as it prohibits “any transaction by any person, or with respect to any property, subject to the jurisdiction of the United States, with ByteDance … or its subsidiaries….” Executive Order 13943 is focused on the perceived threats posed by WeChat,  prohibiting “any transaction that is related to WeChat by any person, or with respect to any property, subject to the jurisdiction of the United States, with Tencent … or any subsidiary of that entity.”
[2] Media reports have suggested that the 45-day period may be connected to efforts by Microsoft to purchase TikTok’s U.S. operations, assets, and data by September 15, 2020, thus bringing U.S. user data under U.S. control.
[3] With respect to social media/messaging applications and recordkeeping in particular, the existing Department of Justice policy on FCPA enforcement requires the following for companies to get enforcement credit – “Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms…”