The ‘Protecting Americans from Foreign Adversary Controlled Applications Act’ (PAFACAA): ‘TikTok Ban’ or New Milestone in US Economic Security Law?

By Paolo Mazzotti, PhD candidate and Research Fellow, Max Planck Institute for Comparative Public Law and International Law (Heidelberg)

The recently adopted ‘Protecting Americans from Foreign Adversary Controlled Applications Act’ (PAFACAA) marks a new step in the evolution of US economic security law. While often referred to as a ‘TikTok ban’, PAFACAA puts in place a legal framework of general and prospective application. In this sense, PAFACAA can be understood as a lex specialis for US economic security law in the ICT domain. The present blogpost highlights the extent to which PAFACAA removes legal constraints placed on the US administration’s economic security action by the pre-existing, general regime. The more incisive action made possible by PAFACAA is liable to further the process of fragmentation of the world wide web into a ‘splinternet’ of regional digital environments, segmented along geopolitical lines.[1]

 

On 24 April 2024, a package-deal piece of US legislation was signed into law by President Biden. The bill tied several policies then under discussion to financial and military aid to the US’ strategic partners, effectively securing their entry into force. These policies included the ‘Protecting Americans from Foreign Adversary Controlled Applications Act’ (PAFACAA), a statute which had been approved by the House of Representatives on 14 March 2024, but was having a difficult time being adopted in the Senate.

PAFACAA is routinely referred to in the generalist press as a ‘TikTok ban’. In fact, PAFACAA caters to long-standing concerns in US policy-making circles about the perceived national security threats posed by the popular Chinese-owned application, ‘TikTok’. With a global user base estimated to range between 1 billion and 2 billion users, TikTok is a mass popular culture phenomenon. TikTok users are allowed to create and share short-duration videos which, from an initial orientation towards entertainment, have rapidly become instruments for, inter alia, promoting business, receiving as well as imparting news, and engaging in political activism.

The success of TikTok mostly revolves around a sophisticated algorithm which collects users’ personal data to reconstruct their preferences, in order to then suggest to them highly individualised content. The very same algorithm, however, underlies the concerns animating the adoption of PAFACAA. While the addictive effects of TikTok’s algorithm are reported to have severe implications for users’ mental health, US policy-makers have mostly been dealing with two risks allegedly posed to the country’s national security at large. These risks flow, specifically, from the Chinese ownership of the popular application, ultimately owned by ByteDance. For one, it is feared that the sweeping collection of personal data carried out by TikTok may enable China to carry out blackmail, espionage, or other destabilising activities after compelling disclosure of those data by ByteDance. On the other hand, it is feared that China might use TikTok to spread polarising, misinforming, or otherwise destabilising content throughout the US – possibly replicating, in the upcoming 2024 Presidential elections, the infamous ‘Cambridge Analytica’ scandal.

While some criticise the extent to which these risks have been conclusively established, their possibility prompted Congress to adopt PAFACAA. At its core, PAFACAA tries to address them through a radical aut-aut: either ByteDance divests its stakes in TikTok, or the application faces restrictions on its operativity in the US. While commentaries have mostly focused on TikTok, however, PAFACAA puts in place a more general legal framework, which might be mobilised again in the future against other ‘foreign adversary controlled applications’ (FACAs).

The present post is devoted to addressing the question of this new framework’s impact on US economic security law. Specifically, it asks whether PAFACAA carves out a specialised framework for US economic security law in the ICT domain, compared to the pre-existing, general regime. Such general economic security law regime results from the interplay of, on the one hand, the International Emergency Economic Powers Act (IEEPA) (50 USC 35), and, on the other hand, the foreign investment screening framework enshrined in §4565 of the Defense Production Act (DPA) (50 USC 55, §4565), as recently reformed through the Foreign Investment Risk Review Modernization Act (FIRRMA).[2] In fact, PAFACAA combines the possibility to restrict economic activities within the US digital economy (as typically possible under IEEPA) with that to introduce limitations on foreign ownership of the companies operating the relevant applications (§4565’s raison d’être). This overlap raises the question whether PAFACAA may determine a shift in action taken by the US government against FACAs, compared to that enabled by the pre-existing authorities.

With a view to elucidating this question, the present post proceeds as follows. The main features of IEEPA and §4565 are introduced, before surveying previous attempts by the US government to mobilise those authorities against TikTok. Legal challenges against those attempts evidenced the constraints placed by the pre-existing legal framework on action taken against digital applications used to generate and share content. PAFACAA is therefore analysed and understood as a specific reaction to these constraints. The post concludes by analysing PAFACAA’s implications for future economic security action by the US government in the ICT domain.

 

US economic security law: a (succinct) overview

The US has reportedly been at the forefront of the ongoing shift towards a geoeconomic international economic order, and IEEPA and §4565 were amongst the main pivots of this process.[3] The present Section highlights the main traits of these two instruments, focusing on the issues that emerged in the specific case of TikTok (for more detailed analysis of IEEPA, see here; for §4565 as reformed by FIRRMA, see here and here).

Adopted in 1977, IEEPA established itself as the leading authority in US economic security law throughout the 1980s, thanks to its remarkably flexible disciplines (Carter, 1229-1242). IEEPA allows the President to put in place far-reaching restrictions on international economic activities ‘to deal with any unusual and extraordinary threat, which has its source in whole or substantial part outside the United States, to the national security, foreign policy, or economy of the United States’ (IEEPA, §1701(a)). The President is exclusively competent to declare the existence of a national emergency to face said threat (ibid), as well as to renew it in order to prevent its automatic expiration after one year (50 USC 34, §1622(d)). Once a national emergency is declared, the President can adopt a wide array of restrictive measures (IEEPA, §1702(a)). While the most highly-publicised example thereof is the controversial practice of financial sanctions, action taken under IEEPA includes the freezing of non-financial assets (Alerassool, 30-31), restrictions on international trade (Kerr and Casey, 5; Corcoran, 689), or prohibitions to provide certain services to identified economic operators (see the next Section). Against the background of these broad powers, IEEPA exempts some societally-sensitive economic activities from the President’s sanctioning powers (IEEPA, §1702(b)). For present purposes, it is important to underline that, acting under IEEPA, the President cannot restrict, inter alia:

  • ‘Any personal communication (…), which does not involve the transfer of anything of value’ (so-called ‘personal communications exception’);
  • ‘The importation (…) or exportation (…) of any information or informational materials’ (so-called ‘informational materials exception’).

For its part, FIRRMA was adopted in 2018 with a view to aligning §4565 with new geopolitical realities, culminating a process of mediation between conflicting stances on the US’ foreign investment policy started in 1975. FIRRMA confirmed the key role of the Committee on Foreign Investment in the United States (CFIUS), an interagency collegial organ set up within the US administration, in screening inward foreign investment on national security grounds. Along with its implementing acts, §4565 (as reformed by FIRRMA) designs an extremely technical regime, which cannot be satisfactorily accounted for in this post. Suffice it to say here that §4565 is applicable to loosely-defined ‘transactions’ as a result of which a foreign actor acquires an interest in a US business or a US plot of land, with a view to assessing whether they may pose an equally loosely-defined threat to the US’ national security (§4565(a)). CFIUS carries out a complex review process (concisely visualised in the table below) which might be conducive to three main outcomes (§4565(b)):

  • A clearance of the transaction, if the latter is found not to pose national security threats;
  • The imposition of ‘mitigation requirements’, or the negotiation of ‘mitigation agreements’, which allow for the transaction to be cleared, subject to limitations which mitigate the national security risks found to exist; or
  • Deferral of the transaction to the President for a decision on the matter, if the transaction is found to pose national security risks not amenable to mitigation.

 

 

If the transaction is referred to the President, the latter ‘may take such action for such time as the President considers appropriate to suspend or prohibit any covered transaction that threatens to impair the national security of the United States’ (§4565(d)). §4565 also goes so far as to maintain that ‘the action (…) and the findings of the President (…) shall not be subject to judicial review’ (§4565(e)), although the case-law has partially downscaled the practical implications of this provision.

 

US economic security law in action: previous attempts at restricting TikTok

Both IEEPA and §4565 were controversially invoked by the Trump administration in 2020 to tackle the national security concerns allegedly raised by TikTok.[4] This litigation exposed constraints on the President’s action under those authorities, which are crucial in understanding the background to PAFACAA’s adoption.

On 6th August 2020, Trump adopted Executive Order (EO) 13942 under the authority of IEEPA. EO 13942 and its implementing act aimed at preventing operators of the US’ internet infrastructure from providing a whole host of services to TikTok, with a view to curbing the application’s functionality. US economic actors were thus prevented from contracting several services enabling TikTok’s ‘distribution’, ‘maintenance’, ‘functioning’, and ‘optimization’, as well as from integrating TikTok into other digitally-provided services. For practical purposes, the regime was effectively equivalent to a ‘ban’ on TikTok. In fact, the regime would have made it impossible for new users to download the application on their devices (‘distribution’) as well as to update it so as, inter alia, to ensure its interoperability with the devices on which it was installed already (‘maintenance’). Crucially, however, the regime would also have prevented operators of the internet infrastructure from allowing TikTok’s content to be delivered to users through their own technology (‘functioning’ and ‘optimisation’). This would have forced TikTok to rely on its own resources alone to function – a technologically unsustainable effort, in light of the application’s large US user base.

Such ban-equivalent effect of the regime was, however, found to exceed the authority delegated upon the President under IEEPA in two distinct preliminary injunctions which stayed enforcement of the regime. Both the Columbia and the Pennsylvania District Courts found that the regime would, inter alia, restrict the possibility for users in the US to view content generated abroad, and for foreign users to view US-generated content. This was found to prima facie amount to an impermissible restriction on ‘the importation or exportation of information or informational materials’. Additionally, but on the same grounds, the Columbia District Court found the regime to prima facie contravene the IEEPA by restricting ‘personal communication, which does not involve the transfer of anything of value’.[5]

On 14 August 2020, Trump also adopted an order under §4565, which directed ByteDance to divest ‘any tangible or intangible assets or property, wherever located, used to enable or support ByteDance’s operation of the TikTok application in the United States’. The order also mandated ByteDance to relinquish any rights and interests in ‘any data obtained or derived from TikTok application or Musical.ly application users in the United States’. The order maintained that §4565 was applicable because of ByteDance’s acquisition of Musical.ly in 2017. Musical.ly was a US company which had launched in 2014 a service essentially analogous to TikTok on the US market. Amidst rapidly growing popularity, Musical.ly had been taken over by ByteDance in 2017 and merged with TikTok. This allowed TikTok, inter alia, to rely on Musical.ly’s pre-existing user base, in a move largely credited to have been key in TikTok’s global success (Fan and Hemans, 33-35 and 39-41).

However, TikTok challenged Trump’s order through a petition filed on 12 November 2020 with the Columbia Court of Appeals. While TikTok invoked a broad range of constitutional and statutory grounds for its claim, the aspect which is most relevant for present purposes is the allegation that §4565 as a whole was inapplicable. In TikTok’s submission, the order did not relate to a ‘covered transaction’: to the extent that it purported to mandate the divestment of all assets used to operate TikTok in the USA, ‘wherever located’, rather than exclusively those acquired through Musical.ly’s takeover, the order exceeded the limits on which jurisdiction for the CFIUS process is to be grounded. Further, the order did not relate to the takeover’s ‘effects’ on the US’ national security: by its own terms, the order purported to tackle the risk posed by the Chinese ownership of TikTok as such, rather than by any incremental risk posed by Musical.ly’s takeover by ByteDance. Consequently, in TikTok’s submission, the order exceeded the President’s authority under §4565.[6]

All in all, therefore, Trump’s attempts at restricting TikTok showed the limits of the US economic security complex in the ICT domain. Any action taken under IEEPA against applications used to share and generate content is likely to incur a breach of the ‘personal communications’ and ‘informational materials’ exceptions. Further, §4565 may not easily be mobilised against applications found to pose national security threats because of their foreign ownership as such, without necessarily establishing their presence in the US (mainly) through the takeover of a local business.

PAFACAA as lex specialis?

The present post’s submission is that PAFACAA is to be understood as a deliberate attempt by US policy-makers to overcome the hurdles that emerged in the TikTok wave of litigation. Through PAFACAA, Congress put in place a legal framework which allows the US government to take hitherto precluded action in pursuance of economic security objectives in the digital domain.

PAFACAA allows for measures to be adopted against a FACA. This key concept refers to ‘a website, desktop application, mobile application, or augmented or immersive technology application, that is operated, directly or indirectly’ by either:

  • Any entity forming part of the ByteDance-TikTok group (Section 2(g)(3)(A)), or
  • A ‘covered company that is controlled by a foreign adversary and that is determined by the President to present a significant threat to the national security of the United States’, following a process meant to allow for public and political scrutiny of the designation (Section 2(g)(3)(B)).

‘Covered companies’ are, in turn, defined as companies operating, ‘directly or indirectly’, an application with a large user base which enables users to generate and share content (including ‘text’ and other ‘real-time communications’) (Section 2(g)(2)). ‘Foreign adversaries’ are identified through reference to the military security legislative complex (Section 2(g)(4)): the list currently encompasses China, Russia, North Korea, and Iran, where China amounts to a key priority for US decisionmakers. A covered company is deemed to be ‘controlled’ by such an adversary if it exhibits a variety of links to an adversary’s jurisdiction, which would essentially allow the authorities thereof to exercise influence on the operation of the application (Section 2(g)(1)).

While most of the public attention has been devoted to PAFACAA’s express targeting of TikTok, therefore, the potential reach of the Act is much broader. In other words, PAFACAA puts in place a general regime which might be resorted to against an indefinite number of FACAs found to pose national security risks analogous to TikTok’s. This could ostensibly be the case, for instance, of ‘WeChat’, a Chinese-owned instant messaging application unsuccessfully targeted by Trump in parallel with TikTok and argued by many to present national security risks analogous to TikTok’s. The list of possible PAFACAA targets is, however, not amenable to a priori delimitation, and might encompass the generality of Chinese applications already on the radar of US policy-makers.

Within the scope so defined, PAFACAA’s core normative content lies in a prohibition for economic operators in the US to carry out any of the following (PAFACAA, Section 2(a)(1)):

  • ‘Providing services to distribute, maintain or update [a FACA] (…) by means of a marketplace’; or
  • ‘Providing internet hosting services to enable the distribution, maintenance, or updating of [a FACA]’.

PAFACAA thus resorts to the IEEPA-resembling strategy, already tested with Trump’s EO 13942, of isolating the target application from the broader US digital infrastructure. At the same time, the intervention hereby envisioned is less radical than that of Trump’s previous attempt: by only targeting the ‘distribution’, ‘maintenance’, and ‘updating’ of the application, PAFACAA does not seem to envisage the immediate curbing of the application’s functionality put in place by Trump’s intervention (although interpretations to the opposite effect have also been advanced: see Sutherland, Benson, and Busch at 20). Rather, PAFACAA’s effect seems to be that of inducing a freezing of the user base and technological state of targeted FACAs, with a view to sending them into a mid-term obsolescence.

The aforementioned regime is only applicable after 270 days, running from PAFACAA’s enactment (in the case of TikTok) or from the date of designation as a FACA (for other applications) (Section 2(a)(2)). Within this time-span, PAFACAA envisages the possibility for a ‘qualified divestiture’ to take place (Section 2(c)(1)(A)). That is, PAFACAA’s regime will not apply if the covered company effectuates ‘a divestiture or similar transaction’ found by the President, ‘through an interagency process’ (read: through the CFIUS process), to remove the identified national security threat and to preclude the establishment/maintenance of any operational relationship with the relevant foreign adversary (Section 2(g)(6)).[7] The qualified divestiture conditionality enshrines the basic bargain struck by US policy-makers: to the extent that FACAs are deemed to pose security risks not as such, but as subject to foreign adversaries’ control, Congress is willing to allow them to keep on being present in the US digital environment insofar as such foreign control is precluded. This posture resembles §4565’s basic functioning, although here the divestiture is just nudged through the ‘ban’ threat and not legally enforceable as such. That said, the extent to which PAFACAA’s divestment-nudging mechanism will be effective can be doubted. This is for sure in the case of TikTok, with Chinese authorities having already declared their intention not to clear the divestment under the Chinese legislation aiming at preventing the transfer of sensitive technologies to foreign governments (on which see Sutter at 9-12). However, against the background of the broader ‘US-China tech rivalry’ (on which see, from different perspectives, Haiyong, Allison et al, and Odgaard), one may reasonably speculate that similar moves will be made in respect of future invocations of PAFACAA.

 

Conclusion

PAFACAA can be seen as explicitly aiming at removing the constraints placed by the US economic security law complex that emerged throughout the previous TikTok litigation. Specifically, by envisaging the isolation of FACAs from the US’ digital infrastructure at the statutory level itself, PAFACAA prevents the questions of delegation of powers raised under IEEPA’s ‘personal communications’ and ‘informational materials’ exceptions from arising. Further, by detaching the ‘qualified divestiture’ concept from an underlying ‘transaction’, PAFACAA allows for government-nudged relinquishment of private assets beyond the boundaries of §4565. In both respects, therefore, the US administration can now take more incisive action against FACAs.

The confrontation between private and public interests inherent in these economic security measures hence shifts from the realm of administrative law to that of constitutional law: as shown by TikTok’s petition for a review of PAFACAA’s constitutionality, the question now is no longer whether the executive is acting within the confines of the powers delegated upon it by Congress. Rather, the fundamental legal question now is whether the regime designed by Congress itself complies with, inter alia, the freedom of speech and the procedural and substantive guarantees of the rights of private economic actors.[8]

Were PAFACAA’s constitutionality to be confirmed in court, the US executive would be in a position to take more incisive action against FACAs. As noted by some commentators, this might impress a decisive speed-up in the transition towards a ‘splinternet’ – a fragmentation of the world wide web into a patchwork of regional digital environments, segmented along geopolitical lines. China’s recent adoption of measures mirroring PAFACAA, adding an additional layer to the long-standing ‘China great firewall’ in implicit retaliation against PAFACAA, may suggest as much. Time will tell how far the geoeconomic turn in the global economic order will spill over onto the global information society.

[1] Research for the present post was carried out in the context of an internship at the Bank of Italy. Nevertheless, the opinions presented throughout the post are exclusively those of the author’s, acting here in his personal and academic capacity. As such, they do not necessarily reflect the views of the Bank of Italy or of the European Central Bank. The author is grateful to Michele Savini Zangrandi and Oscar Borgogno for the support and guidance provided throughout the internship, as well as for the feedback provided on the present post’s first draft.

[2] The third main pillar of US economic security law, on which the present post does not focus because of lesser thematic affinity with the question hereby considered, is the complex and multilayered regime for export controls.

[3] Subject to the disclaimer made in the preceding note.

[4] The present post focuses on action taken under these two authorities, but the reader should be alerted to other dimensions of the long-standing conflict between various levels of the US government and TikTok. These include an attempt by the Montana legislature to ban the application within Montana’s territory, found to breach the freedom of speech and several principles concerning US federalism; as well as manifold limitations on the possibility to use TikTok on public-owned devices, which so far appear to have survived legal challenges.

[5] Upon taking office, however, President Biden withdrew EO 13942, such that no final determination was reached on the merits of the cases.

[6] At the time of writing, the case is still pending: TikTok and the Biden administration agreed to hold the case in abeyance on 19 February 2021, with a view to reaching a negotiated solution to the controversy. At the time of writing, no such solution is reported to have been found by the Parties.

[7] PAFACAA also envisages the cessation of the restrictions’ applicability if a qualified divestiture is carried out only after the latter’s entry into force (Section 2(c)(1)(B)).

[8] Although it should be noted that cases against both Trump’s ‘WeChat ban’ and Montana’s ‘TikTok ban’ were argued and won precisely on grounds of the freedom of speech under the First Amendment already.
